Drupal Release: 8.9.6

Tag Name: 8.9.6

Release Date: 9/16/2020

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 8.9.6: Critical Security Update

This release addresses five critical security vulnerabilities (SA-CORE-2020-007 through SA-CORE-2020-011) that could compromise your Drupal site. It is a security-only maintenance release with no new features; it patches security holes that could allow remote code execution, cross-site scripting, access bypass, and other serious exploits.

Highlight of the Release

    • Addresses five critical security advisories (SA-CORE-2020-007 through SA-CORE-2020-011)
    • Fixes vulnerabilities that could allow for remote code execution
    • Patches cross-site scripting (XSS) vulnerabilities
    • Resolves access bypass security issues
    • Improves overall site security posture

Migration Guide

No specific migration steps are required for this security update. This is a standard security release that follows Drupal's established update procedures:

  1. Back up your database and site files before updating
  2. Update Drupal core using your preferred method (Composer, Drush, or manual update)
  3. Run the database updates (/update.php or drush updatedb)
  4. Clear caches (drush cr or through the admin interface)

If you encounter any issues during the update process, refer to the Drupal update documentation for troubleshooting steps.

Upgrade Recommendations

Urgency: Critical - Update Immediately

Due to the critical nature of the security vulnerabilities addressed in this release, it is strongly recommended to update to Drupal 8.9.6 as soon as possible. Sites running any previous version of Drupal 8.9.x should be updated immediately.

Update Path:

  • Direct update from Drupal 8.9.5 to 8.9.6 is straightforward and should not cause any compatibility issues
  • Sites on earlier 8.9.x versions can also update directly to 8.9.6
  • Sites on Drupal 8.8.x or earlier should first update to the latest version in their branch, then update to 8.9.6

Testing Recommendation: Test the update on a staging environment before applying to production if possible, but do not delay the production update unnecessarily given the critical security nature of this release.
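The update path rules and the four update steps from the Migration Guide, turned into a small POSIX shell runbook helper. This is an added example, not code from the Drupal project or from this page. It assumes plain MAJOR.MINOR.PATCH version strings (a trailing suffix such as -dev is tolerated), a Composer-managed project with its docroot in web/, Drush available at vendor/bin/drush, and the drupal/core-recommended template; the function names version_lt, update_path and run_update are this example's own.

```shell
#!/bin/sh
# Added example (not code from the Drupal project or this page): decide which
# update path from the 8.9.6 release notes applies to an installed version,
# then run the four update steps in order, stopping at the first failure.
# Assumptions: MAJOR.MINOR.PATCH version strings, a Composer-managed project
# with docroot PROJECT_DIR/web, Drush at vendor/bin/drush, and the
# drupal/core-recommended template (use drupal/core if your project lacks it).

TARGET_VERSION="8.9.6"

# version_lt A B: succeed (exit 0) when A is strictly older than B, comparing
# major, minor and patch numerically, so 8.9.10 is newer than 8.9.6.
# A non-numeric suffix on the patch component (8.9.5-dev) is ignored.
version_lt() {
  a_major=${1%%.*}; rest=${1#*.}; a_minor=${rest%%.*}; a_patch=${rest#*.}
  b_major=${2%%.*}; rest=${2#*.}; b_minor=${rest%%.*}; b_patch=${rest#*.}
  a_patch=${a_patch%%[!0-9]*}; b_patch=${b_patch%%[!0-9]*}
  [ "$a_major" -lt "$b_major" ] && return 0
  [ "$a_major" -gt "$b_major" ] && return 1
  [ "$a_minor" -lt "$b_minor" ] && return 0
  [ "$a_minor" -gt "$b_minor" ] && return 1
  [ "$a_patch" -lt "$b_patch" ]
}

# update_path VERSION: print which path from the release notes applies.
#   direct              - 8.9.x older than 8.9.6: update straight to 8.9.6
#   branch-latest-first - 8.8.x or earlier: latest of own branch, then 8.9.6
#   already-current     - 8.9.6 or a newer 8.9.x
#   not-drupal-8        - outside the 8.x series, not covered by these notes
update_path() {
  case $1 in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "invalid version: '$1'" >&2; return 2 ;;
  esac
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
  if [ "$major" -ne 8 ]; then
    echo "not-drupal-8"
  elif ! version_lt "$1" "$TARGET_VERSION"; then
    echo "already-current"
  elif [ "$minor" -eq 9 ]; then
    echo "direct"
  else
    echo "branch-latest-first"
  fi
}

# run_update PROJECT_DIR: the four Migration Guide steps, in order. The body
# is a subshell, so "exit 1" aborts the remaining steps and becomes the
# function's return status; a failed backup is never followed by a live update.
run_update() (
  project=$1
  stamp=$(date +%Y%m%d-%H%M%S)
  backup_dir=${BACKUP_DIR:-$HOME/drupal-backups}
  mkdir -p "$backup_dir" || exit 1
  cd "$project" || exit 1
  # 1. Back up the database and the public files directory.
  vendor/bin/drush sql:dump --result-file="$backup_dir/db-$stamp.sql" || exit 1
  tar -czf "$backup_dir/files-$stamp.tgz" -C web sites/default/files || exit 1
  # 2. Update core with Composer (drupal/core-recommended template assumed).
  composer update drupal/core-recommended --with-dependencies || exit 1
  # 3. Run pending database updates (the CLI equivalent of /update.php).
  vendor/bin/drush updatedb -y || exit 1
  # 4. Rebuild caches (drush cr).
  vendor/bin/drush cache:rebuild || exit 1
  # Verify the running core version before reporting success.
  installed=$(vendor/bin/drush status --field=drupal-version) || exit 1
  [ "$installed" = "$TARGET_VERSION" ]
)

# Stand-alone use: ./drupal-update.sh INSTALLED_VERSION [PROJECT_DIR]
# With only a version, print the path; with a project dir as well, run the
# update when the path is "direct".
if [ -n "${1:-}" ]; then
  path=$(update_path "$1") || exit $?
  echo "$1 -> $path"
  if [ -n "${2:-}" ] && [ "$path" = "direct" ]; then
    run_update "$2"
  fi
fi
```

Run it against the staging copy first, as the release notes advise; the version check at the end of run_update is what tells you the Composer step actually pulled 8.9.6 rather than leaving core pinned by a constraint in composer.json.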

Bug Fixes

Security Bug Fixes

This release addresses five security advisories:

  • SA-CORE-2020-007: Fixes a vulnerability that could allow unauthorized access or code execution.

  • SA-CORE-2020-008: Resolves an issue that could lead to information disclosure or site compromise.

  • SA-CORE-2020-009: Patches multiple vulnerabilities related to input validation and sanitization.

  • SA-CORE-2020-010: Addresses cross-site scripting (XSS) vulnerabilities in core components.

  • SA-CORE-2020-011: Fixes access bypass issues that could allow unauthorized users to reach protected content or functionality.

Note: Specific details about security vulnerabilities are intentionally limited to prevent exploitation of unpatched sites.

New Features

This release does not introduce any new features as it is focused exclusively on security fixes. Drupal 8.9.6 is a security-only maintenance release that addresses critical vulnerabilities without adding new functionality.

Security Updates

Critical Security Fixes

Drupal 8.9.6 addresses five security advisories:

  • SA-CORE-2020-007: Fixes vulnerabilities that could allow attackers to execute arbitrary code on the server under certain conditions. This issue was discovered and patched by samuel.mortenson, nod_, larowlan, dsnopek, catch, effulgentsia, and mcdruid.

  • SA-CORE-2020-008: Resolves security issues that could potentially expose sensitive information or allow site compromise. Contributors to this fix include amateescu, xjm, catch, larowlan, greggles, and dixon.

  • SA-CORE-2020-009: Addresses multiple vulnerabilities related to input validation and sanitization that could lead to cross-site scripting or other attacks. This was a collaborative fix by nzr, markwittens, nathandentzau, marcaddeo, janusman, larowlan, David_Rothstein, Wim Leers, vijaycs85, mcdruid, Heine, pandaski, xjm, and tim.plunkett.

  • SA-CORE-2020-010: Patches cross-site scripting vulnerabilities in core components. Contributors include DorTumarkin, kkrzton, samuel.mortenson, TwoD, Wim Leers, larowlan, and xjm.

  • SA-CORE-2020-011: Fixes access bypass issues that could allow unauthorized users to access protected content or functionality. This fix was contributed by David_Rothstein, Chi, elarlang, dokumori, kyk, xjm, mlhess, pwolanin, stefan.r, benjy, fgm, samuel.mortenson, larowlan, and pandaski.

The Drupal security team recommends updating to this version immediately to protect your site from these vulnerabilities.

Performance Improvements

This release does not contain any specific performance improvements as it is focused exclusively on security fixes. Any performance changes would be incidental to the security patches implemented.

Impact Summary

Drupal 8.9.6 is a critical security release that addresses five security advisories (SA-CORE-2020-007 through SA-CORE-2020-011). The impact of not updating could be severe, potentially allowing attackers to execute malicious code, access unauthorized content, or compromise site security.

This release demonstrates the Drupal security team's ongoing commitment to addressing vulnerabilities promptly. The security fixes were contributed by over 30 community members, highlighting the strength of Drupal's collaborative security response process.

While this update doesn't introduce new features or performance improvements, it significantly enhances the security posture of Drupal sites. Site administrators should prioritize this update above regular maintenance tasks due to the critical nature of the vulnerabilities addressed.

The update process follows standard Drupal procedures and should not introduce any backward compatibility issues or require special migration steps. However, as with any update, backing up your site before proceeding is strongly recommended.

Statistics:

Files Changed: 17
Line Additions: 106
Line Deletions: 23
Line Changes: 129
Total Commits: 6

Users Affected:

  • Must update their Drupal installations immediately to protect against critical security vulnerabilities
  • Need to coordinate the update with minimal site downtime
  • Should review site functionality after update to ensure everything works properly

Contributors:

xjm