Drupal Release: 8.3.7

TL;DR

Drupal 8.3.7: Critical Security Update

This release addresses a critical security vulnerability (SA-CORE-2017-004) that affects multiple Drupal 8 components. All Drupal 8 site owners should update immediately to version 8.3.7 to protect their sites from potential exploitation. This is primarily a security-focused release with minimal changes outside of the security fixes.

Highlight of the Release

• Critical security update addressing vulnerabilities identified in SA-CORE-2017-004
• Collaborative security fix developed by multiple core contributors
• Minimal non-security changes to maintain focus on security remediation

Migration Guide

No specific migration steps are required for this update beyond the standard Drupal update process:

1. Back up your database and site files
2. Put your site into maintenance mode
3. Update Drupal core files to version 8.3.7
4. Run the database update script by visiting /update.php
5. Take your site out of maintenance mode

As this is primarily a security update, no API changes or other migration concerns are expected.

Upgrade Recommendations

Immediate Update Strongly Recommended

Due to the critical nature of the security vulnerabilities addressed in this release, immediate upgrade is strongly recommended for all Drupal 8 sites currently running version 8.3.6 or earlier.

If you cannot update immediately, consider temporarily taking your site offline until the update can be applied to prevent potential exploitation.

Follow standard Drupal update procedures, ensuring you have a complete backup before proceeding with the update.

Bug Fixes

This release primarily addresses security-related bugs as detailed in the security fixes section. No significant non-security bug fixes were included in this release to maintain focus on the critical security patches.

New Features

No new features were introduced in this release. Drupal 8.3.7 is focused exclusively on addressing security vulnerabilities identified in the SA-CORE-2017-004 security advisory.

Security Updates

Critical Security Advisory: SA-CORE-2017-004

This release addresses critical security vulnerabilities identified in the SA-CORE-2017-004 security advisory. The fix was developed collaboratively by multiple core contributors including arshadcn, amateescu, Wim Leers, Berdir, Lendude, dawehner, klausi, pwolanin, xjm, mpdonadio, mlhess, larowlan, and milesw.

While specific details about the vulnerability are limited to prevent exploitation of unpatched sites, the security team recommends immediate updates for all Drupal 8 installations.

For more information, refer to the official security advisory on Drupal.org.

Performance Improvements

No specific performance improvements were included in this release. The focus was entirely on addressing critical security vulnerabilities.

Impact Summary

This release addresses critical security vulnerabilities that could potentially allow attackers to compromise Drupal 8 sites. The security fixes were developed collaboratively by multiple core contributors to ensure comprehensive remediation of the identified issues.

The impact of not updating could be severe, potentially allowing unauthorized access to site data or functionality. All site owners should prioritize this update to maintain the security integrity of their Drupal installations.

With only 279 changes across 12 files (243 additions, 36 deletions), this is a focused security release that should present minimal risk of regressions or compatibility issues when updating from version 8.3.6.