Drupal Release: 8.9.13

TL;DR

Drupal 8.9.13 - Critical Security Update

This release addresses a critical security vulnerability (SA-CORE-2021-001) in Drupal 8.9.x. It's a security-focused update with no new features, focusing solely on patching the identified security issue. All Drupal 8.9.x site owners should update immediately to mitigate potential security risks.

Highlight of the Release

• Critical security update addressing vulnerability SA-CORE-2021-001
• Collaborative security fix developed by multiple Drupal security team members
• Minimal code changes focused specifically on security remediation

Migration Guide

No specific migration steps are required for this security update. Site administrators should:

1. Back up their site database and files before updating
2. Update to Drupal 8.9.13 using their standard update process
3. Clear caches after the update
4. Test site functionality to ensure everything works as expected

This is a security-only release and should not impact existing functionality or require any special migration procedures beyond a standard Drupal core update.

Upgrade Recommendations

Immediate Update Strongly Recommended

Due to the critical security nature of this release, immediate upgrade is strongly recommended for all Drupal 8.9.x sites. Security vulnerabilities can potentially expose your site to unauthorized access, data breaches, or other malicious activities.

Update Priority: Critical - Update as soon as possible

Update Process:

1. Back up your site database and files
2. Update to Drupal 8.9.13 using your standard update method (Composer, Drush, or manual update)
3. Run database updates if prompted
4. Clear all caches
5. Test site functionality

If you cannot update immediately, consider temporarily taking your site offline until the update can be applied, especially for high-value or sensitive sites.

Bug Fixes

This release specifically addresses the security vulnerability identified as SA-CORE-2021-001. The exact nature of the vulnerability is not detailed in the commit message, which is standard practice for security releases to prevent exploitation before users have had a chance to update.

The fix involved changes across 5 files with 28 additions and 110 deletions, suggesting a significant security patch that likely removed vulnerable code and replaced it with more secure implementations.

New Features

No new features were introduced in this release. Drupal 8.9.13 is strictly a security update focused on addressing the critical vulnerability identified as SA-CORE-2021-001.

Security Updates

Critical Security Fix: SA-CORE-2021-001

This release addresses a critical security vulnerability identified as SA-CORE-2021-001. The fix was developed collaboratively by multiple Drupal security team members including larowlan, stephenacrossri, siliconmeadow, mcdruid, xjm, vijaycs85, mlhess, and greggles.

While specific details about the vulnerability are intentionally limited (to protect sites that haven't yet updated), the security advisory ID suggests this is an officially recognized security issue that required immediate attention.

The substantial code changes (28 additions and 110 deletions across 5 files) indicate a significant security patch that likely addressed a serious vulnerability in the core system.

Performance Improvements

No specific performance improvements were mentioned in the release information. This update focuses exclusively on addressing the security vulnerability SA-CORE-2021-001.

Impact Summary

Drupal 8.9.13 is a critical security release that addresses vulnerability SA-CORE-2021-001. The impact is primarily security-focused, with no functional changes to the system.

The security fix was substantial, involving 138 code changes across 5 files (28 additions and 110 deletions), suggesting a significant security improvement. The collaborative nature of the fix, involving eight Drupal security team members, indicates the importance and complexity of addressing this vulnerability.

Sites running Drupal 8.9.x that do not update remain vulnerable to potential security exploits. The update itself should not impact site functionality as it focuses solely on security remediation without introducing new features or changing existing behaviors.

Organizations should prioritize this update in their security maintenance schedule and apply it as soon as possible to maintain site security and integrity.