Drupal Release: 8.9.1

TL;DR

Drupal 8.9.1 is a security release that addresses multiple critical vulnerabilities (SA-CORE-2020-004, SA-CORE-2020-005, SA-CORE-2020-006). This update is crucial for all Drupal 8.9.0 sites as it patches security issues that could potentially be exploited. The release contains no new features but focuses entirely on security fixes that protect sites from various attack vectors.

Highlight of the Release

• Addresses three security advisories: SA-CORE-2020-004, SA-CORE-2020-005, and SA-CORE-2020-006
• Critical security fixes that protect Drupal sites from potential exploits
• Collaborative security fixes from multiple core contributors

Migration Guide

No migration steps are required for this update. This is a direct security update from Drupal 8.9.0 to 8.9.1 with no database schema changes or other migration concerns.

Standard update procedures apply:

1. Back up your database and site files
2. Put the site into maintenance mode
3. Update Drupal core files
4. Run the database update script (update.php)
5. Take the site out of maintenance mode

Upgrade Recommendations

Immediate Update Strongly Recommended

All sites running Drupal 8.9.0 should update to 8.9.1 immediately. This is a critical security release addressing multiple vulnerabilities that could potentially be exploited.

The update process follows the standard Drupal core update procedure:

• Back up your database and site files before updating
• Follow the standard update instructions at /admin/reports/status/update or via Drush/Composer
• Test your site thoroughly after the update

If you cannot update immediately, consider temporarily taking your site offline until you can apply the security patches.

Bug Fixes

This release primarily addresses security bugs rather than functional bugs. The specific details of the security issues fixed are outlined in the security advisories:

• SA-CORE-2020-004: Fixed vulnerabilities that could potentially expose sensitive information or allow unauthorized actions
• SA-CORE-2020-005: Patched security issues that might have allowed malicious users to exploit the system
• SA-CORE-2020-006: Resolved security vulnerabilities related to specific Drupal core components

Note: As is standard practice with security releases, detailed information about the specific vulnerabilities is limited to prevent exploitation on unpatched sites.

New Features

No new features were added in this security release. Drupal 8.9.1 focuses exclusively on addressing security vulnerabilities present in version 8.9.0.

Security Updates

This release addresses three security advisories:

SA-CORE-2020-004

A collaborative security fix addressing vulnerabilities in Drupal core. This security advisory was worked on by multiple contributors including samuel.mortenson, DorTumarkin, greggles, xjm, larowlan, webchick, pwolanin, dawehner, mcdruid, and alexpott.

SA-CORE-2020-005

Another critical security fix with contributions from lorenzo_gre, jazzy2fives, xjm, samuel.mortenson, pwolanin, larowlan, greggles, cashwilliams, Heine, mcdruid, alexpott, and Gábor Hojtsy.

SA-CORE-2020-006

Security vulnerability fix contributed by BR0kEN, Wim Leers, xjm, and larowlan.

The Drupal security team follows responsible disclosure practices and therefore detailed information about these vulnerabilities is not publicly disclosed until users have had adequate time to update their sites.

Performance Improvements

No specific performance improvements were included in this security-focused release. All changes were directed at addressing critical security vulnerabilities.

Impact Summary

Drupal 8.9.1 is a critical security release that addresses multiple vulnerabilities. The impact of not updating could be severe, potentially allowing attackers to exploit security weaknesses in your Drupal installation.

This release demonstrates the Drupal security team's commitment to quickly addressing security issues and the strength of the community's collaborative approach to security. Multiple contributors worked together to identify, fix, and release patches for these vulnerabilities.

While the release doesn't add new features or performance improvements, it significantly enhances the security posture of Drupal 8.9.x installations. All site owners should prioritize this update to protect their sites and their users' data.