HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

Drupal

>

Releases

>

10.2.8

Drupal Release: 10.2.8

Tag Name: 10.2.8

Release Date: 9/11/2024

View Release
Drupal LogoDrupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

Open SourceDeveloper-FriendlyEnterprise

TL;DR

Drupal 10.2.8 is a security release that addresses a critical vulnerability in the Twig template engine. This update patches a possible sandbox bypass in twig/twig versions prior to 3.14.0 (issue #3473195). The release is focused solely on security hardening with no new features or other changes.

Highlight of the Release

    • Fixes a critical security vulnerability in the Twig template engine
    • Addresses a possible sandbox bypass in twig/twig versions prior to 3.14.0
    • Maintains compatibility with existing Drupal 10.2.x installations

Migration Guide

No migration steps are required for this update. This is a direct security patch that should be applied as soon as possible without any special migration procedures.

Upgrade Recommendations

Immediate Update Recommended

Due to the security-critical nature of this release, an immediate update is strongly recommended for all Drupal 10.2.x installations.

Update instructions:

  1. Back up your database and site files
  2. Update using Composer: 
    composer update drupal/core --with-all-dependencies
  3. Run database updates: 
    drush updatedb
  4. Clear caches: 
    drush cache:rebuild

If you're not using Composer, follow the core manual update instructions.

Bug Fixes

This release fixes a critical security issue:

  • Issue #3473195: Fixed a possible sandbox bypass vulnerability in twig/twig library for versions prior to 3.14.0. This vulnerability could potentially allow attackers to bypass Twig's sandbox security restrictions.

New Features

No new features were added in this security-focused release.

Security Updates

Critical Security Fix

This release addresses a critical security vulnerability:

  • Twig Template Engine Sandbox Bypass (Issue #3473195)
    • Affects: twig/twig library versions prior to 3.14.0
    • Impact: Potential sandbox bypass that could allow execution of unauthorized code
    • Resolution: Updated the twig/twig dependency to a patched version
    • Contributors: longwave, catch, jurgenhaas, naveenvalecha, quietone

This vulnerability could potentially allow attackers to bypass security restrictions in Twig's sandbox mode, which is used to restrict what template authors can do in certain contexts.

Performance Improvements

No specific performance improvements were included in this security-focused release.

Impact Summary

This security release addresses a critical vulnerability in the Twig template engine that could potentially allow attackers to bypass sandbox restrictions. The impact is significant for all Drupal 10.2.x sites as it could lead to unauthorized code execution if exploited.

The fix is straightforward and doesn't introduce any breaking changes or require special migration steps. Site administrators should prioritize this update to protect their sites from potential security exploits.

This release demonstrates Drupal's commitment to security and the project's responsiveness to addressing vulnerabilities in dependencies. The quick turnaround time between vulnerability discovery and patch release helps maintain Drupal's reputation as a secure CMS platform.

Statistics:

File Changed9
Line Additions61
Line Deletions32
Line Changes93
Total Commits3

User Affected:

  • Need to update their Drupal installations immediately to protect against potential security exploits
  • Should review their sites for any suspicious activity that might indicate exploitation of the Twig vulnerability

Contributors:

longwave