Drupal Release: 10.2.9
Tag Name: 10.2.9
Release Date: 10/8/2024
Drupal: A highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 10.2.9: Security Update Addressing Environment Information Leakage
This minor security release fixes a vulnerability where maintenance pages could leak sensitive environment information. It also resolves an error handler issue that could crash sites during testing. A planned CKEditor 5 update was included but subsequently reverted in this release.
Highlights of the Release
- Fixed security vulnerability where maintenance pages could leak sensitive environment information
- Resolved error handler crash related to undefined DRUPAL_TEST_IN_CHILD_SITE constant
- Attempted CKEditor 5 update to version 43.1.1 was included but later reverted
Migration Guide
No migration steps are required for this update. This is a standard security and bug fix release that can be applied using Drupal's normal update procedures.
Upgrade Recommendations
This release contains an important security fix that addresses information leakage in maintenance pages. All site owners are strongly recommended to update to Drupal 10.2.9 as soon as possible to protect against potential exposure of sensitive environment information.
The update process follows standard Drupal minor version update procedures:
- Back up your database and site files
- Put your site into maintenance mode
- Update Drupal core to version 10.2.9
- Run database updates if necessary
- Clear caches
- Take your site out of maintenance mode
For detailed instructions, refer to Drupal's official documentation on updating core.
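The steps above as a single script, added here as an example and not taken from the Drupal project. It assumes a Composer-managed site built from the drupal/recommended-project template (web/ docroot), Drush at vendor/bin/drush, and a ./backups directory; the `run`, `version_lt`, `update_core` and `main` helpers are hypothetical names.

```shell
#!/bin/sh
# Added example (not Drupal project code): the six update steps as one script.
# Assumptions: Composer-managed site built from drupal/recommended-project
# (web/ docroot), Drush at vendor/bin/drush, backups written to ./backups.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.
set -eu
TARGET="${TARGET:-10.2.9}"
DRUSH="${DRUSH:-vendor/bin/drush}"
BACKUP_DIR="${BACKUP_DIR:-backups}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True when plain x.y.z version $1 is older than $2.
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" |
    sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

update_core() {
  # 1. Back up the database and the uploaded files.
  run mkdir -p "$BACKUP_DIR"
  run "$DRUSH" sql:dump --gzip --result-file="$PWD/$BACKUP_DIR/pre-$TARGET.sql"
  run tar -czf "$BACKUP_DIR/files-pre-$TARGET.tar.gz" web/sites/default/files
  # 2. Maintenance mode on.
  run "$DRUSH" state:set system.maintenance_mode 1 --input-format=integer
  # 3. Pin core to the fixed release.
  run composer require "drupal/core-recommended:$TARGET" \
    "drupal/core-composer-scaffold:$TARGET" \
    "drupal/core-project-message:$TARGET" --update-with-all-dependencies
  # 4-6. Database updates, cache rebuild, maintenance mode off.
  run "$DRUSH" updatedb --yes
  run "$DRUSH" cache:rebuild
  run "$DRUSH" state:set system.maintenance_mode 0 --input-format=integer
}

main() {
  current="$("$DRUSH" status --field=drupal-version)"
  if ! version_lt "$current" "$TARGET"; then
    echo "core is $current, nothing to do"; return 0
  fi
  update_core
  # After a real run, confirm the site reports the fixed version.
  [ "$DRY_RUN" = 1 ] || [ "$("$DRUSH" status --field=drupal-version)" = "$TARGET" ]
}

# Runs only when invoked with --run, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then main; fi
```

Because of `set -e`, a failed step stops the script with the site still in maintenance mode, so a half-updated site is not served to visitors.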
Bug Fixes
Error Handler Crash Fix
- Fixed an issue where the error handler would crash with an "Undefined constant DRUPAL_TEST_IN_CHILD_SITE" error (Issue #3478417)
- This improves stability particularly in testing environments
CKEditor Update Attempt
- An update to CKEditor 5 version 43.1.1 was initially included but subsequently reverted in this release
- The reversion suggests potential compatibility issues that will likely be addressed in a future release
New Features
No new features were introduced in this security and bug fix release.
Security Updates
Maintenance Page Information Leakage (Issue #3457781)
- Fixed a vulnerability where maintenance pages could leak sensitive environment information
- This issue was identified and reported through Drupal's security team
- Multiple contributors collaborated on this fix: catch, longwave, senscybersecurity, cmlara, cilefen, poker10, greggles, alexpott, ericgsmith, and xjm
- The fix prevents potential exposure of configuration details that could be exploited by malicious actors
Performance Improvements
No specific performance improvements were included in this release.
Impact Summary
Drupal 10.2.9 is primarily a security release that addresses a vulnerability where maintenance pages could leak sensitive environment information. This is an important security fix as it prevents potential exposure of configuration details that could be exploited by malicious actors.
The release also fixes an error handler crash issue related to an undefined constant during testing, which improves system stability particularly in development environments.
A planned update to CKEditor 5 (version 43.1.1) was initially included but subsequently reverted, suggesting there may have been compatibility issues that will likely be addressed in a future release.
Overall, this is a maintenance release focused on security and stability rather than new features or performance improvements. All Drupal site administrators should prioritize this update to protect their systems from potential information leakage.
