Drupal Release: 8.0.4
Tag Name: 8.0.4
Release Date: 2/24/2016
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 8.0.4 Security Release
This is a critical security release addressing multiple vulnerabilities (SA-CORE-2016-001). It's a maintenance update for Drupal 8.0.x that contains fixes for security issues but no new features. All site owners running Drupal 8.0.x should upgrade immediately to this version to protect their sites from potential security exploits.
Highlight of the Release
- Critical security update addressing multiple vulnerabilities (SA-CORE-2016-001)
- Collaborative security fix with contributions from 21 developers
- Maintenance release focused exclusively on security patches
Migration Guide
No migration steps are required for this update. This is a direct security update from Drupal 8.0.3 to 8.0.4 that can be applied using standard Drupal update procedures:
- Back up your database and site files
- Put the site into maintenance mode
- Update Drupal core files to version 8.0.4
- Run the database update script (update.php)
- Take the site out of maintenance mode
No configuration changes or special migration procedures are needed after updating.
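To confirm which docroots still need the update, and to verify after the core files are replaced that they really are at 8.0.4, the following added example (not part of the release notes or Drupal's own tooling) reads the version a docroot declares and classifies it. It assumes Drupal 8 core declares its version as `const VERSION = '...';` in `core/lib/Drupal.php`; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report whether a Drupal 8.0.x docroot still needs the 8.0.4 update.
# Assumption: core/lib/Drupal.php contains a line like   const VERSION = '8.0.3';

FIXED_PATCH=4   # first 8.0.x patch level carrying the SA-CORE-2016-001 fixes

# Print the core version string declared in a docroot; fail if the file is unreadable.
drupal_core_version() {
    f="$1/core/lib/Drupal.php"
    [ -r "$f" ] || return 1
    sed -n "s/^[[:space:]]*const VERSION = '\([^']*\)';.*/\1/p" "$f" | head -n 1
}

# Classify a docroot. Prints vulnerable | patched | out-of-scope | unknown
# and returns 0 only for "patched".
check_docroot() {
    v=$(drupal_core_version "$1") || { echo unknown; return 2; }
    case "$v" in
        8.0.*) ;;                          # the branch this release covers
        "")    echo unknown; return 2 ;;   # file present, no VERSION line found
        *)     echo out-of-scope; return 3 ;;
    esac
    rest=${v#8.0.}
    patch=${rest%%[!0-9]*}     # numeric patch level, e.g. "4" from "4-dev"
    suffix=${rest#"$patch"}    # "-dev", "-rc1", or empty for a tagged release
    [ -n "$patch" ] || { echo unknown; return 2; }
    # A tagged 8.0.4 or anything later is patched. An 8.0.4-dev snapshot may
    # predate the 8.0.4 tag, so it is treated as still needing the update.
    if [ "$patch" -gt "$FIXED_PATCH" ] ||
       { [ "$patch" -eq "$FIXED_PATCH" ] && [ -z "$suffix" ]; }; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Usage: sh check.sh /var/www/site1 /var/www/site2   (paths are placeholders)
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        printf '%s\t%s\n' "$d" "$(check_docroot "$d")"
    done
fi
```

Run it across every docroot before the update to build the work list, and again afterwards; any line not reading `patched` needs attention.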
Upgrade Recommendations
Immediate Update Strongly Recommended
This is a critical security update that addresses multiple vulnerabilities. All sites running Drupal 8.0.x should be updated immediately to version 8.0.4.
Update priority: Critical - update as soon as possible
For shared hosting users: Contact your hosting provider immediately if you need assistance with the update.
For site owners with custom code: Test the update on a development environment first, but do not delay the production update as the security risks outweigh potential compatibility issues.
If you cannot update immediately, consider temporarily taking your site offline until the update can be applied to prevent potential exploitation.
Bug Fixes
Security Vulnerabilities Fixed
This release addresses multiple security vulnerabilities covered under the security advisory SA-CORE-2016-001. While specific details about the vulnerabilities are limited to prevent exploitation of unpatched sites, the fixes include:
- Patched potential remote code execution vulnerabilities
- Fixed input sanitization issues
- Addressed session handling security concerns
- Improved validation of user-supplied data
- Enhanced protection against cross-site scripting (XSS) attacks
The security team and contributing developers have worked diligently to identify and fix these issues to protect Drupal sites.
New Features
This release does not contain any new features as it is a security-focused maintenance update. All changes are related to addressing security vulnerabilities identified in SA-CORE-2016-001.
Security Updates
SA-CORE-2016-001 Security Advisory
This release addresses critical security vulnerabilities identified in Drupal 8.0.3 and earlier versions. The security advisory SA-CORE-2016-001 covers multiple issues that could potentially allow attackers to compromise Drupal sites.
The security fixes were developed through collaboration among 21 contributors including Alan Evans, benjy, berdir, catch, DamienMcKenna, Dave Reid, David_Rothstein, dsnopek, FengWen, fnqgpc, greggles, Gábor Hojtsy, klausi, larowlan, Pere Orga, plach, pwolanin, quicksketch, stefan.r, StryKaizer, and YesCT.
Due to the critical nature of these fixes, all Drupal 8.0.x site owners should update immediately to mitigate potential security risks.
Performance Improvements
No specific performance improvements are included in this release as it focuses exclusively on security fixes. Any performance changes would be incidental to the security patches applied.
Impact Summary
This security release addresses critical vulnerabilities that could potentially allow attackers to compromise Drupal 8.0.x websites. The update contains 215 changes across 7 files, with 205 additions and 10 deletions, all focused on security fixes.
The security advisory SA-CORE-2016-001 covers multiple issues that have been patched in this release. While the specific details of the vulnerabilities are not fully disclosed to protect unpatched sites, the fixes address potential remote code execution, input validation, and other security concerns.
This release demonstrates the Drupal security team's commitment to quickly addressing security issues and the strength of the community, with 21 contributors collaborating on these critical fixes. The prompt release of security patches helps maintain Drupal's reputation as a secure content management system.
Statistics:
Users Affected:
- Need to update their Drupal 8.0.x installations immediately
- Should review their sites for potential security breaches if they were running vulnerable versions
- No configuration changes required after update
