Drupal Release: 8.9.19

TL;DR

Drupal 8.9.19 is a critical security release addressing five security vulnerabilities (SA-CORE-2021-006 through SA-CORE-2021-010). This release focuses exclusively on security fixes with no new features or non-security bug fixes. It's essential for all Drupal 8.9.x site owners to update immediately to mitigate potential security risks.

Highlight of the Release

• Addresses five critical security vulnerabilities (SA-CORE-2021-006 through SA-CORE-2021-010)
• Security-only release with no new features or non-security bug fixes
• Recommended for immediate installation for all Drupal 8.9.x sites

Migration Guide

No migration steps are required for this security update. Simply update your Drupal core to version 8.9.19 following the standard Drupal update procedure:

1. Back up your database and site files
2. Put your site into maintenance mode
3. Update Drupal core using your preferred method (Composer, Drush, or manual update)
4. Run the database update script
5. Take your site out of maintenance mode
6. Clear caches

Upgrade Recommendations

Immediate Update Recommended

This is a critical security release addressing multiple vulnerabilities. All site owners running Drupal 8.9.x should update to 8.9.19 immediately.

For sites still on earlier versions of Drupal 8, you should first update to the latest version of your current release series, then follow the appropriate update path to 8.9.19.

For long-term planning, note that Drupal 8.9.x will reach end-of-life in November 2021. Site owners should begin planning migration to Drupal 9 if they haven't already started.

Bug Fixes

This release contains security-related bug fixes only. No non-security bug fixes are included in this release.

New Features

This release does not contain any new features as it is focused exclusively on security fixes.

Security Updates

This release addresses five security advisories:

SA-CORE-2021-006

Security vulnerability fixed by contributors azinck, seanB, effulgentsia, marcoscano, larowlan, phenaproxima, xjm, mcdruid, drumm, and briantschu.

SA-CORE-2021-007

Security vulnerability fixed by contributors samuel.mortenson, Wim Leers, greggles, xjm, larowlan, vijaycs85, Heine, effulgentsia, phenaproxima, mcdruid, and nod_.

SA-CORE-2021-008

Security vulnerability fixed by contributors klausi, xjm, larowlan, alexpott, samuel.mortenson, mcdruid, and kim.pepper.

SA-CORE-2021-009

Security vulnerability fixed by contributors illeace, Wim Leers, xjm, effulgentsia, larowlan, pandaski, vijaycs85, phenaproxima, and mcdruid.

SA-CORE-2021-010

Security vulnerability fixed by contributors bradjones1, xjm, bbrala, gabesullice, Wim Leers, and e0ipso.

For detailed information about these security vulnerabilities, please refer to the official Drupal security advisories.

Performance Improvements

No specific performance improvements are included in this security-focused release.

Impact Summary

Drupal 8.9.19 is a security-only release addressing five critical security vulnerabilities. The specific details of these vulnerabilities are typically not disclosed in detail until sufficient time has passed for users to update their sites, following responsible disclosure practices.

The security fixes in this release are crucial for maintaining site security and protecting against potential exploits. The update includes 273 additions and 91 deletions across 23 files, indicating targeted changes focused on security issues rather than feature development.

This release maintains compatibility with existing Drupal 8.9.x installations and doesn't introduce any new features or non-security related changes that might affect site functionality. The primary impact is improved security posture for sites that implement the update.