Drupal Release: 10.0.2

Tag Name: 10.0.2

Release Date: 1/18/2023

Drupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 10.0.2 Release: Critical Security Update

This release addresses a critical security vulnerability (SA-CORE-2023-001) affecting Drupal core. It's a security-focused maintenance release with no new features or functionality changes. All Drupal 10 site owners should update immediately to mitigate potential security risks.

Highlights of the Release

    • Critical security fix addressing vulnerability detailed in SA-CORE-2023-001
    • Coordinated security release by multiple core contributors
    • Maintenance release focused solely on security with no feature changes

Migration Guide

No specific migration steps are required for this security update. This is a direct update from Drupal 10.0.1 to 10.0.2 that can be applied using standard Drupal update procedures:

  1. Back up your database and site files before updating
  2. Update Drupal core using Composer (recommended):
    composer update drupal/core-recommended --with-dependencies
    
  3. Run the database update script by visiting /update.php in your browser or using Drush:
    drush updatedb
    
  4. Clear caches:
    drush cache:rebuild
    

No configuration changes or special procedures are needed for this security update.
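
A pre-update check for the procedure above, as an added example that is not part of the release notes or of Drupal itself: it reads the locked drupal/core version from composer.lock and reports whether the site is still on a 10.0.x release older than 10.0.2. The function names, the result labels and the sample lock file are constructed for illustration, and the check assumes a Composer-managed site with Composer's pretty-printed lock layout.

```shell
#!/bin/sh
# Added example, not Drupal project code: flag Composer-managed sites still on
# a 10.0.x core older than 10.0.2, the release described on this page.

# Print the locked drupal/core version. Assumes Composer's pretty-printed
# composer.lock, where a package's "version" line follows its "name" line.
locked_core_version() {
    awk '/"name": *"drupal\/core"/ { hit = 1; next }
         hit && /"version":/ { split($0, f, "\""); print f[4]; exit }' "$1"
}

# Map a version string to one of: update | ok | other-branch | unknown
classify_core_version() {
    v=${1#v}          # tolerate a leading "v"
    v=${v%%[-+]*}     # 10.0.0-rc1 -> 10.0.0
    case $v in
        10.0.*) patch=${v#10.0.} ;;
        [0-9]*.[0-9]*.[0-9]*) echo other-branch; return 0 ;;
        *) echo unknown; return 0 ;;
    esac
    case $patch in
        ''|*[!0-9]*) echo unknown ;;   # e.g. 10.0.x-dev
        *) if [ "$patch" -lt 2 ]; then echo update; else echo ok; fi ;;
    esac
}

# Check one site root (the directory that holds composer.lock).
check_site() {
    [ -f "$1/composer.lock" ] || { echo no-lock; return 0; }
    ver=$(locked_core_version "$1/composer.lock")
    [ -n "$ver" ] || { echo unknown; return 0; }
    classify_core_version "$ver"
}

# Constructed sample lock file, trimmed to the fields the check reads.
demo_dir=$(mktemp -d)
cat > "$demo_dir/composer.lock" <<'EOF'
{
    "packages": [
        {
            "name": "drupal/core",
            "version": "10.0.1"
        }
    ]
}
EOF
echo "$demo_dir: $(check_site "$demo_dir")"
rm -rf "$demo_dir"
```

Branches other than 10.0.x are reported as other-branch because this page does not say which of them are affected; consult the security advisory for those.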

Upgrade Recommendations

Immediate Update Strongly Recommended

This security update addresses a critical vulnerability and should be applied immediately to all Drupal 10.0.x sites. The security issue is significant enough to warrant a dedicated release with multiple core contributors involved in the fix.

  • Priority: Critical
  • Timing: Update as soon as possible
  • Preparation: Perform a full site backup before updating
  • Testing: This is a security-only release with minimal risk of functional regression. Test in a staging environment if possible, but do not let testing significantly delay deployment to production

If you cannot update immediately, consider temporarily taking your site offline or implementing additional security measures at the server level until the update can be applied.

Bug Fixes

This release primarily addresses a critical security vulnerability identified as SA-CORE-2023-001. The specific details of the vulnerability are not fully disclosed in the commit messages to prevent exploitation, which is standard practice for security releases.

The security issue was collaboratively addressed by multiple core contributors including danflanagan8, larowlan, xjm, seanB, Berdir, benjifisher, longwave, jenlampton, and lauriii.

New Features

This release does not contain any new features as it is focused exclusively on addressing a critical security vulnerability. Drupal 10.0.2 is a security-focused maintenance release.

Security Updates

Critical Security Fix: SA-CORE-2023-001

This release addresses a critical security vulnerability identified as SA-CORE-2023-001. While specific details are intentionally limited to prevent exploitation, this appears to be a significant security issue warranting immediate attention.

The security advisory was collaboratively addressed by a team of core contributors including danflanagan8, larowlan, xjm, seanB, Berdir, benjifisher, longwave, jenlampton, and lauriii, indicating the importance and complexity of the fix.

Site administrators should update immediately to mitigate potential security risks. For more details on the specific vulnerability, refer to the official Drupal Security Advisory.

Performance Improvements

No specific performance improvements are mentioned in this security-focused release. The changes are targeted at addressing the security vulnerability rather than enhancing performance.

Impact Summary

This release addresses a critical security vulnerability (SA-CORE-2023-001) in Drupal core. While specific details about the vulnerability are limited to prevent exploitation, the involvement of multiple core contributors suggests this is a significant security issue.

The update contains 99 changes across 8 files, with 84 additions and 15 deletions, focused entirely on security fixes. There are no new features, performance improvements, or other changes included.

All Drupal 10.0.x site owners should update immediately to mitigate security risks. This is a maintenance release that should not affect site functionality but is essential for security.

Statistics:

  • Files Changed: 8
  • Line Additions: 84
  • Line Deletions: 15
  • Line Changes: 99
  • Total Commits: 2

Users Affected:

  • Need to update their Drupal installations immediately to address the security vulnerability
  • Should review their sites for any signs of compromise if they haven't updated promptly

Contributors:

xjm