Drupal Release: 8.5.9
Tag Name: 8.5.9
Release Date: 1/15/2019
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 8.5.9 is a security release that addresses critical vulnerabilities. This update includes two security advisories (SA-CORE-2019-001 and SA-CORE-2019-002) that fix important security issues. All Drupal 8.5.x sites should update immediately to this version to protect against potential security exploits.
Highlight of the Release
- Addresses critical security vulnerabilities via SA-CORE-2019-001
- Includes fixes for additional security issues via SA-CORE-2019-002
- Recommended immediate update for all Drupal 8.5.x sites
Migration Guide
No specific migration steps are required for this security update. Standard Drupal update procedures apply:
- Back up your database and site files
- Put your site into maintenance mode
- Update Drupal core files
- Run the database update script (update.php)
- Take your site out of maintenance mode
If you're updating from a version earlier than 8.5.8, please review the release notes for intermediate versions as well.
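The five steps above as a script, added here as an example and not taken from the Drupal project. It assumes a Composer-managed site with Drush 9 on the PATH and is run from the project root; the function names and backup paths are hypothetical. It only prints the commands unless `APPLY=1` is set.

```bash
#!/usr/bin/env bash
# Added example (not from the Drupal project). Assumptions: Composer-managed
# site, Drush 9 on PATH, run from the project root. Paths are hypothetical.
TARGET="8.5.9"   # release named on this page

# Succeeds when $1 is an 8.5.x core version older than TARGET.
needs_update() {
  case "$1" in 8.5.*) ;; *) return 1 ;; esac
  [ "$1" != "$TARGET" ] || return 1
  oldest=$(printf '%s\n%s\n' "$1" "$TARGET" | sort -V | head -n 1)
  [ "$oldest" = "$1" ]
}

# Print each command; execute it only when APPLY=1 (default is a dry run).
run() {
  printf '+ %s\n' "$*"
  [ "${APPLY:-0}" = "1" ] || return 0
  "$@"
}

# Walk the five steps in order and stop at the first failure, so a failed
# backup never leads to a core update. $1 is the currently installed version.
update_site() {
  if ! needs_update "$1"; then
    echo "core $1 is not an 8.5.x release below $TARGET; nothing to do"
    return 0
  fi
  stamp=$(date +%Y%m%d%H%M%S)
  # 1. Back up the database and site files (archives land outside the project).
  run drush sql:dump --result-file="$PWD/../db-$stamp.sql" || return 1
  run tar -czf "../files-$stamp.tgz" . || return 1
  # 2. Maintenance mode on.
  run drush state:set system.maintenance_mode 1 --input-format=integer || return 1
  run drush cache:rebuild || return 1
  # 3. Update core files (composer.json constraint assumed to allow 8.5.9).
  run composer update drupal/core --with-dependencies || return 1
  # 4. Run database updates (CLI equivalent of update.php).
  run drush updatedb -y || return 1
  # 5. Maintenance mode off.
  run drush state:set system.maintenance_mode 0 --input-format=integer || return 1
  run drush cache:rebuild
}

# Usage: ./update.sh "$(drush status --field=drupal-version)"      (dry run)
#        APPLY=1 ./update.sh "$(drush status --field=drupal-version)"
if [ "$#" -gt 0 ]; then update_site "$1"; fi
```

If a step fails after maintenance mode is switched on, the script stops and the site stays in maintenance mode until the failure is resolved.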
Upgrade Recommendations
URGENT: Immediate upgrade recommended
All sites running Drupal 8.5.x should update to Drupal 8.5.9 immediately. This is a security release that addresses critical vulnerabilities that could potentially be exploited.
If you cannot update immediately, consider temporarily taking your site offline until you can complete the update process. Sites that remain on vulnerable versions may be at risk of compromise.
For sites running Drupal 8.4.x or earlier, you should first update to the latest version of your current release series, then update to 8.5.9 or the latest secure release available for your version.
Bug Fixes
This release primarily addresses security vulnerabilities rather than regular bugs. The specific details of the security fixes are contained in:
- SA-CORE-2019-001: Security fixes implemented by contributors Ayesh, alexpott, larowlan, xjm, michieltcs, and farisv
- SA-CORE-2019-002: Security fixes implemented by contributors greggles, cashwilliams, EclipseGc, larowlan, samuel.mortenson, alexpott, tedbow, effulgentsia, Fabianx, xjm, and mlhess
For security reasons, detailed descriptions of the vulnerabilities are not publicly disclosed until users have had sufficient time to update.
New Features
No new features were added in this security release. This update focuses exclusively on addressing security vulnerabilities.
Security Updates
This release includes fixes for critical security vulnerabilities:
- SA-CORE-2019-001: A security advisory addressing critical security vulnerabilities. The Drupal security team recommends immediate updates to prevent potential exploits.
- SA-CORE-2019-002: A second security advisory addressing additional security issues.
The Drupal security team follows responsible disclosure practices, so detailed information about these vulnerabilities is not included in the release notes to protect sites that have not yet been updated. Full details about these security issues can be found in the official security advisories on Drupal.org after sufficient time has passed for users to update their sites.
Performance Improvements
No specific performance improvements were included in this security-focused release.
Impact Summary
This security release addresses critical vulnerabilities in Drupal 8.5.x. The security fixes involve 399 changes across 10 files, with 324 additions and 75 deletions.
The security issues fixed in this release could potentially allow attackers to compromise Drupal sites that have not been updated. The Drupal security team has assigned critical severity ratings to these issues, indicating they should be addressed immediately.
Sites that delay updating may be at risk of exploitation. The Drupal security team and community contributors have worked quickly to provide these fixes, and all site owners should prioritize applying this update as soon as possible.
This release maintains compatibility with previous 8.5.x versions and does not introduce any new features or API changes, focusing exclusively on security fixes.
Statistics:
Users Affected:
- Need to update their Drupal installations immediately to address critical security vulnerabilities
- Should review their sites for potential compromise if they weren't updated promptly after the security advisories were released
