Drupal Release: 8.8.11
Tag Name: 8.8.11
Release Date: 11/17/2020
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 8.8.11 is a security release addressing critical vulnerabilities identified in SA-CORE-2020-012. This update is essential for all Drupal 8.8.x sites to protect against potential security exploits. The release contains security patches with minimal code changes focused specifically on addressing these vulnerabilities.
Highlight of the Release
- Critical security update addressing vulnerabilities detailed in SA-CORE-2020-012
- Collaborative security fix developed by multiple Drupal security team members and contributors
- Minimal code changes focused specifically on security issues
Migration Guide
No migration steps are required for this security update. Standard Drupal update procedures apply:
- Back up your database and site files
- Put the site into maintenance mode
- Update Drupal core to version 8.8.11
- Run the database update script by visiting /update.php
- Take the site out of maintenance mode
For detailed instructions, refer to the Drupal core update documentation.
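The steps above as a shell script, added here as an example and not taken from the Drupal release notes or documentation. It assumes a Composer-managed site with Drush installed and the `drupal/core-recommended` package; the paths and the function names `is_affected`, `run` and `update_site` are hypothetical, and `drush updatedb` stands in for visiting /update.php.

```shell
#!/bin/sh
# Added example, not from the release notes. Assumes a Composer-managed site
# with Drush and drupal/core-recommended; paths are placeholders.
TARGET="8.8.11"
DRUPAL_ROOT="${DRUPAL_ROOT:-/var/www/drupal}"    # placeholder
BACKUP_DIR="${BACKUP_DIR:-/var/backups/drupal}"  # placeholder
DRY_RUN="${DRY_RUN:-1}"                          # default: only print commands

# Succeeds if $1 is an 8.8.x version older than 8.8.11 (8.8.10, 8.8.0-rc1, ...).
is_affected() {
  case "$1" in 8.8.[0-9]*) ;; *) return 1 ;; esac
  patch=${1#8.8.}
  patch=${patch%%[!0-9]*}   # drop suffixes such as -rc1
  [ "$patch" -lt 11 ]
}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Backup, maintenance mode, core update, database updates, reopen.
# The && chain stops at the first failure, so a failed update leaves
# the site in maintenance mode instead of reopening it half-updated.
update_site() {
  run cd "$DRUPAL_ROOT" &&
  run drush sql:dump --gzip --result-file="$BACKUP_DIR/db-pre-$TARGET.sql" &&
  run tar -czf "$BACKUP_DIR/files-pre-$TARGET.tar.gz" . &&
  run drush state:set system.maintenance_mode 1 --input-format=integer &&
  run composer require "drupal/core-recommended:$TARGET" --update-with-all-dependencies &&
  run drush updatedb -y &&
  run drush state:set system.maintenance_mode 0 --input-format=integer &&
  run drush cache:rebuild
}

# Entry point: pass the installed core version, for example the output of
# `drush status --field=drupal-version`.
main() {
  if is_affected "$1"; then
    update_site
  else
    echo "core $1 is not an 8.8.x release below $TARGET; nothing to do"
  fi
}

if [ "$#" -gt 0 ]; then main "$1"; fi
```

With `DRY_RUN` left at its default of 1 the script only prints the commands; set `DRY_RUN=0` to execute them.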
Upgrade Recommendations
Immediate Update Strongly Recommended
This security release addresses critical vulnerabilities and should be applied immediately to all Drupal 8.8.x sites. Sites still running Drupal 8.8.10 or earlier versions are potentially vulnerable to security exploits.
For sites on Drupal 8.8.x, update directly to 8.8.11. For sites on earlier versions of Drupal 8, consider updating to the latest secure version of your branch or planning a migration to Drupal 9.
If you are unable to update immediately, consult the security advisory for potential mitigation strategies until you can complete the update.
Bug Fixes
This release primarily addresses security vulnerabilities rather than functional bugs. The specific details of the security issues fixed are documented in the security advisory SA-CORE-2020-012.
New Features
No new features were introduced in this release as it is focused exclusively on security fixes.
Security Updates
This release addresses critical security vulnerabilities detailed in SA-CORE-2020-012. The security team and numerous contributors collaborated to identify and fix these issues. As is standard practice with security releases, specific details about the vulnerabilities are limited in the release notes to prevent exploitation of sites that have not yet been updated.
The security fixes were contributed by a large team including: ufku, mrf, fgm, samuel.mortenson, dww, Heine, mlhess, David_Rothstein, pwolanin, xjm, stefan.r, dsnopek, rickmanelius, David Strauss, tedbow, alexpott, larowlan, kim.pepper, Wim Leers, quicksketch, mcdruid, Fabianx, effulgentsia, drumm, pandaski, and Mixologic.
Performance Improvements
No specific performance improvements were included in this security-focused release.
Impact Summary
Drupal 8.8.11 is a critical security release that addresses vulnerabilities that could potentially allow unauthorized access or other security breaches on Drupal sites. The security team has coordinated this release with a large number of contributors to ensure the vulnerabilities are properly addressed.
The impact is primarily on security posture rather than functionality, as this release focuses exclusively on security fixes without adding features or changing existing functionality. The code changes are minimal (604 changes across 16 files) and targeted specifically at addressing the security issues.
Sites running previous versions of Drupal 8.8.x should update immediately to protect against potential exploitation. The security advisory SA-CORE-2020-012 provides additional context about the vulnerabilities fixed in this release.
Users Affected:
- Need to update their Drupal installations immediately to protect against security vulnerabilities
- Should review their sites for potential compromise if they delayed updating
- May need to coordinate with their development teams to ensure proper update deployment
