HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

Drupal

>

Releases

>

10.3.4

Drupal Release: 10.3.4

Tag Name: 10.3.4

Release Date: 9/11/2024

View Release
Drupal LogoDrupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

Open SourceDeveloper-FriendlyEnterprise

TL;DR

Drupal 10.3.4 is a security and bug fix release addressing several critical issues including a Twig sandbox bypass vulnerability, caching problems, and various functional improvements. This maintenance release enhances security, fixes cache-related bugs, and improves testing functionality without introducing new features. Site administrators should update immediately to protect their sites from potential security vulnerabilities.

Highlight of the Release

    • Security fix for Twig sandbox bypass vulnerability (CVE not specified)
    • Fixed aggregated asset generation that previously caused uncacheable assets
    • Improved dialog functionality with proper event settings handling
    • Fixed book breadcrumb cacheability issues
    • Enhanced BrowserTestBase tests by using one-time login links

Migration Guide

No specific migration steps are required for this update. This is a standard security and bug fix release that follows the normal Drupal update process:

  1. Back up your database and site files
  2. Put your site into maintenance mode
  3. Update Drupal core using your preferred method (Composer, Drush, or manual update)
  4. Run the database updates
  5. Clear caches
  6. Take your site out of maintenance mode

No API changes or database schema changes are included that would require special migration steps.

Upgrade Recommendations

Priority: High - Security Update

All site owners should update to Drupal 10.3.4 as soon as possible due to the security fix for the Twig sandbox bypass vulnerability. This is a standard security and bug fix release with minimal risk of disruption.

For sites currently running Drupal 10.3.3 or earlier in the 10.3.x branch, this update is straightforward and should be applied immediately following standard update procedures.

Sites running older major versions of Drupal (9.x or earlier) should consider planning a more comprehensive upgrade to Drupal 10, as older versions will eventually reach end-of-life for security support.

Bug Fixes

  • Fixed Dialog Functionality: Resolved an issue where Drupal.dialog.openDialog wasn't properly using event settings (Issue #3471977)

  • Book Module Breadcrumb Fix: Corrected cacheability issues with book breadcrumbs that could lead to incorrect navigation or cache poisoning (Issue #3472592)

  • Asset Aggregation Fix: Resolved an issue where aggregated asset generation was causing uncacheable assets, affecting performance and caching strategies (Issue #3454507)

  • CacheCollector Classes Fix: Fixed handling of null $cid (cache ID) values in CacheCollector classes that could cause errors (Issue #3471741)

  • Legacy Code Cleanup: Removed references to ApcClassLoader which was deprecated and removed in Symfony 4 (Issue #3472092)

New Features

No new features were introduced in this maintenance release. Drupal 10.3.4 focuses on security fixes and bug fixes to improve stability and security of existing functionality.

Security Updates

  • Twig Sandbox Bypass Vulnerability: Fixed a potential security vulnerability in Twig templates that could allow sandbox bypass in versions prior to Twig 3.14.0 (Issue #3473195)

This security fix addresses a vulnerability in the Twig templating engine that could potentially allow attackers to bypass sandbox restrictions. The issue was identified and fixed upstream in the Twig library, and this Drupal release incorporates that fix.

Performance Improvements

  • Asset Caching Enhancement: Fixed issues with aggregated asset generation that previously resulted in uncacheable assets, improving frontend performance and reducing server load (Issue #3454507)

  • Book Breadcrumb Cacheability: Improved caching of book breadcrumbs, ensuring proper cache tags and contexts are set, which enhances performance for sites using the Book module (Issue #3472592)

Impact Summary

Drupal 10.3.4 is primarily a security and bug fix release that addresses several important issues without introducing new features or breaking changes. The most significant impact is the security fix for a Twig sandbox bypass vulnerability, which makes this update urgent for all Drupal site administrators.

The release also resolves several caching-related issues, including problems with asset aggregation and book breadcrumb cacheability, which should improve performance and reliability. Developers will benefit from fixes to dialog functionality, CacheCollector classes, and improved testing capabilities.

Overall, this is a low-risk, high-priority update that enhances security and stability without requiring significant adaptation or workflow changes. The update process follows standard procedures and should be straightforward for most sites.

Statistics:

File Changed24
Line Additions108
Line Deletions68
Line Changes176
Total Commits11

User Affected:

  • Need to update their Drupal installations immediately to address the Twig security vulnerability
  • Will benefit from fixed caching issues that previously caused problems with asset generation
  • Should plan for a standard maintenance update with minimal disruption

Contributors:

longwave