Drupal Release: 8.9.20

TL;DR

Drupal 8.9.20 Release: Critical Security Update

This release addresses critical security vulnerabilities identified in SA-CORE-2021-011. It's a security-focused update with no new features, focusing entirely on patching security issues. All Drupal 8.9.x site owners should upgrade immediately to protect their sites from potential exploits. This is an essential security maintenance release that requires immediate attention from site administrators.

Highlight of the Release

• Critical security update addressing vulnerabilities detailed in SA-CORE-2021-011
• Coordinated security release by the Drupal security team
• Immediate upgrade recommended for all Drupal 8.9.x installations

Migration Guide

No specific migration steps are required for this security update. Standard Drupal update procedures apply:

1. Back up your database and site files before updating
2. Put your site into maintenance mode
3. Update Drupal core using your preferred method (Composer, Drush, or manual update)
4. Run the database update script (visit /update.php or use Drush)
5. Take your site out of maintenance mode
6. Clear caches

As this is purely a security update, no API changes or other modifications requiring special migration steps are included.

Upgrade Recommendations

Immediate Upgrade Strongly Recommended

Due to the critical nature of the security vulnerabilities addressed in SA-CORE-2021-011, immediate upgrade is strongly recommended for all Drupal 8.9.x sites.

• Priority: Critical - update as soon as possible
• Risk: The risk of not upgrading outweighs any potential update complications
• Compatibility: This security update maintains compatibility with existing Drupal 8.9.x installations
• Testing: While the update focuses on security fixes, standard testing procedures should still be followed in production environments

Site administrators should follow standard Drupal update procedures, ensuring they have a recent backup before proceeding with the update.

Bug Fixes

This release primarily addresses security vulnerabilities rather than functional bugs. The specific details of the fixed security issues are documented in the security advisory SA-CORE-2021-011. As is standard practice with security releases, detailed information about the specific vulnerabilities is limited to prevent exploitation on unpatched systems.

New Features

No new features were introduced in this release. Drupal 8.9.20 is exclusively a security update focusing on addressing vulnerabilities identified in SA-CORE-2021-011.

Security Updates

Critical Security Fixes in SA-CORE-2021-011

This release addresses critical security vulnerabilities identified in the security advisory SA-CORE-2021-011. While specific details are intentionally limited to prevent exploitation of unpatched sites, the security team (including contributors jbogdanski, Wim Leers, xjm, greggles, lauriii, and tedbow) has coordinated this release to patch these issues.

Site administrators should apply this update immediately to protect their Drupal installations from potential security exploits. The Drupal security team considers these fixes critical for maintaining site security and integrity.

For more details on the specific vulnerabilities addressed, refer to the official security advisory once your site has been updated.

Performance Improvements

No specific performance improvements were included in this release. Drupal 8.9.20 focuses exclusively on security fixes outlined in SA-CORE-2021-011.

Impact Summary

Drupal 8.9.20 is a critical security release addressing vulnerabilities outlined in SA-CORE-2021-011. The impact is primarily security-focused, with no functional changes to site behavior or APIs.

The security fixes protect Drupal sites from potential exploits that could compromise site security. While the specific nature of the vulnerabilities is not detailed to protect unpatched sites, the involvement of multiple security team members (jbogdanski, Wim Leers, xjm, greggles, lauriii, and tedbow) indicates a coordinated effort to address significant security concerns.

This release demonstrates Drupal's commitment to security through its established security release process, providing timely patches for identified vulnerabilities. Site administrators should prioritize this update to maintain the security integrity of their Drupal installations.