Drupal: Security update

noggin 7.x-1.2

12 hours 56 minutes ago

This release contains no changes to 7.x-1.1, other than those necessary to resolve the security vulnerability SA-CONTRIB-2019-080.

Other changes had previously been made to the 7.x-1.x branch. Those were not yet tested and ready to include in a stable tagged release. So, those other changes have been temporarily rolled back to enable the prompt creation of this security release.

Release type: Security update
JamesOakley

drupal 7.78

2 days 11 hours ago

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update
xjm

drupal 8.9.13

2 days 11 hours ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

Which release do I choose? Security coverage information

No other fixes are included.

  • Drupal 8.9.x is a long-term support release that will receive security coverage until November 2021. Sites should plan to update to Drupal 9.1 or later soon.
  • Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update
xjm

drupal 9.0.11

2 days 11 hours ago

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 9.0.x will receive security coverage until June 16, 2021 when Drupal 9.2.0 is released.
  • Sites on 8.9.x or earlier should update immediately to Drupal 8.9.13 instead.
  • Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update
xjm

drupal 9.1.3

2 days 11 hours ago

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 9.1.x will receive security coverage until December 8, 2021 when Drupal 9.3.0 is released.
  • Sites on 9.0.x should update immediately to Drupal 9.0.11 instead.
  • Sites on 8.9.x or earlier should update immediately to Drupal 8.9.13.
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update
xjm

drupal 8.8.12

1 month 3 weeks ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 8.8.x will receive security coverage until December 2, 2020 when Drupal 9.1.0 is released. You should plan to update to 8.9.x or higher as soon as possible.
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure
xjm

drupal 8.9.10

1 month 3 weeks ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

Which release do I choose? Security coverage information

No other fixes are included.

  • Drupal 8.9.x is a long-term support release that will receive security coverage until November 2021.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.12 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure
xjm

drupal 9.0.9

1 month 3 weeks ago

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 9.0.x will receive security coverage until June 2, 2021 when Drupal 9.2.0 is released.
  • Sites on 8.9.x should update immediately to Drupal 8.9.10 instead.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.12 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecureInsecure
xjm

drupal 7.75

1 month 3 weeks ago

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.
Release type: Security updateInsecure
mcdruid

drupal 9.1.0-rc3

1 month 3 weeks ago

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.1.x contains new features, and should be the target for new site development. Drupal 9.0.x will continue to have security support until June 2021. Drupal 8.9.x will continue to have security support until November 2021.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 this year so that you can easily update to Drupal 9.2 and later.

Important update information

If you are updating from 9.0.x or earlier, also read:

Security update required!

This release fixes security vulnerabilities. Sites that installed 9.1.0-alpha1 or 9.1.0-beta1 are urged to upgrade immediately after reading the notes below and the security announcement:

Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Sites on 8.7 or earlier must update to either 8.8 or 8.9 before updating to Drupal 9 as all Drupal 8 update functions from before Drupal 8.8.0-rc1 were removed from Drupal 9. We recommend updating to 8.9.x, as well as updating all contributed modules, before updating to any Drupal 9 release.

Note: The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Note for users of the Experimental Workspaces module

Existing Drupal 8 sites using the experimental Workspaces module must update to at least Drupal 8.8.2 before updating to Drupal 9. (This is due to a required data integrity fix.) Remember that Workspaces is currently in beta status and is not intended for production.

Upgrading from Drupal 7

Drupal 7 users can continue to migrate to Drupal 8.9, or migrate to 9.0 or 9.1 directly. The upgrade path for multilingual sites is stable in Drupal 8.9, 9.0 and 9.1!

Release type: Security updateInsecure
xjm

drupal 7.74

2 months ago

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure
xjm

drupal 8.8.11

2 months ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 8.8.x will receive security coverage until December 2, 2020 when Drupal 9.1.0 is released. You should plan to update to 8.9.x or higher as soon as possible.
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure
xjm

drupal 8.9.9

2 months ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

Which release do I choose? Security coverage information

No other fixes are included.

  • Drupal 8.9.x is a long-term support release that will receive security coverage until November 2021.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.11 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure
xjm

drupal 9.0.8

2 months ago

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 9.0.x will receive security coverage until June 2, 2021 when Drupal 9.2.0 is released.
  • Sites on 8.9.x should update immediately to Drupal 8.9.9 instead.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.11 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security updateInsecure
xjm

drupal 9.1.0-rc1

2 months ago

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.1.x contains new features, and should be the target for new site development. Drupal 9.0.x will continue to have security support until June 2021. Drupal 8.9.x will continue to have security support until November 2021.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 this year so that you can easily update to Drupal 9.2 and later.

Important update information

If you are updating from 9.0.x or earlier, also read:

Security update required!

This release fixes security vulnerabilities. Sites that installed 9.1.0-alpha1 or 9.1.0-beta1 are urged to upgrade immediately after reading the notes below and the security announcement:

Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Sites on 8.7 or earlier must update to either 8.8 or 8.9 before updating to Drupal 9 as all Drupal 8 update functions from before Drupal 8.8.0-rc1 were removed from Drupal 9. We recommend updating to 8.9.x, as well as updating all contributed modules, before updating to any Drupal 9 release.

Note: The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Note for users of the Experimental Workspaces module

Existing Drupal 8 sites using the experimental Workspaces module must update to at least Drupal 8.8.2 before updating to Drupal 9. (This is due to a required data integrity fix.) Remember that Workspaces is currently in beta status and is not intended for production.

Upgrading from Drupal 7

Drupal 7 users can continue to migrate to Drupal 8.9, or migrate to 9.0 or 9.1 directly. The upgrade path for multilingual sites is stable in Drupal 8.9, 9.0 and 9.1!

PHP 8 compatibility

Drupal 9.1 core has made numerous internal changes in order to be compatible with PHP 8.0, which is due to be released before the end of November. However, full compatibility with PHP 8 is currently blocked by one set of upstream dependencies that do not have PHP 8 versions available yet: #3180207: Update laminas-diactoros, laminas-escaper and laminas-feed for PHP 8 compatibility

Official Drupal PHP 8.0 compatibility will therefore not be available until Drupal 9.2.0. However, sites wishing to use PHP 8 should be able to do so safely with either of the following site setups:

  • For Composer sites, Drupal core should run on PHP 8.0 with
    composer install --ignore-platform-requirements.
  • Drupal core sites using a supported 9.1 release tarball (for example, 9.1.0-rc1 or 9.1.0) downloaded from the release page should also run on PHP 8 without any problems.
Composer template changes

The core recommended project templates now explicitly depend on the current minor branch (for example, ^9.1 instead of ^9), in order to make Composer behavior with pre-release milestones more predictable (so that, for example, a site running 9.1.0-beta1 will not be accidentally downgraded to 9.0.x.)

Dependency updates since 9.1.0-beta1
  • typo3/phar-stream-wrapper updated from 3.1.5 to 3.1.6 for PHP 8 compatibility.
  • Popper.js has been updated from 2.0.6 to 2.5.4.
  • Underscore.js has been updated from 1.9.1 to 1.11.0.
Known issues

Search the issue queue for known issues.

All changes since 9.1.0-beta1 Release type: Security updateBug fixesNew featuresInsecure
xjm

examples 3.0.2

2 months ago

Changes in this release:

  • Removed file example due to multiple security flaws. Separate issue will be created to bring it back in a way that follows security recommendations
  • Submodules moved to the "modules" folder
  • Ported theme example
Release type: Security updateNew features
valthebald
Checked
1 hour 27 minutes ago
Subscribe to Drupal: Security update feed