Drupal Release: 8.9.9

TL;DR

Drupal 8.9.9 is a security release that addresses critical vulnerabilities identified in SA-CORE-2020-012. This update is essential for all Drupal 8.9.x sites to protect against potential security exploits. The release contains security patches with minimal code changes focused specifically on addressing the identified vulnerabilities.

Highlight of the Release

• Critical security update addressing vulnerabilities detailed in SA-CORE-2020-012
• Collaborative security fix developed by multiple core contributors
• Minimal code changes focused specifically on security issues

Migration Guide

No migration steps are required for this security update. The update process follows the standard Drupal update procedure:

1. Back up your database and site files
2. Put the site into maintenance mode
3. Update Drupal core to version 8.9.9
4. Run the database update script (update.php)
5. Take the site out of maintenance mode

No configuration changes or special procedures are needed beyond the standard update process.

Upgrade Recommendations

Immediate Update Strongly Recommended

All sites running Drupal 8.9.x should be updated to Drupal 8.9.9 immediately. This is a critical security release addressing vulnerabilities that could potentially be exploited by malicious actors.

The update should be prioritized and scheduled as soon as possible, ideally within hours of the release announcement. Sites that cannot be updated immediately should consider implementing additional security measures or temporarily taking the site offline until the update can be applied.

For sites running older versions of Drupal 8, it is recommended to update to the latest secure version of your branch or consider upgrading to Drupal 8.9.9 if feasible.

Bug Fixes

This release primarily addresses security vulnerabilities rather than functional bugs. The specific details of the security fixes are contained in the security advisory SA-CORE-2020-012, with patches contributed by multiple Drupal security team members and core contributors.

While the exact nature of the vulnerabilities is not detailed in the commit messages (as is standard practice for security issues), the fixes target specific security issues without introducing functional changes to the system.

New Features

No new features were introduced in this release. Drupal 8.9.9 is strictly a security update focused on addressing the vulnerabilities outlined in the security advisory SA-CORE-2020-012.

Security Updates

This release addresses critical security vulnerabilities detailed in the security advisory SA-CORE-2020-012. The security fixes were developed collaboratively by numerous Drupal security team members and core contributors including ufku, mrf, fgm, samuel.mortenson, dww, Heine, mlhess, David_Rothstein, pwolanin, xjm, stefan.r, dsnopek, rickmanelius, David Strauss, tedbow, alexpott, larowlan, kim.pepper, Wim Leers, quicksketch, mcdruid, Fabianx, effulgentsia, drumm, pandaski, and Mixologic.

The specific details of the vulnerabilities are not disclosed in the commit messages to prevent exploitation on unpatched sites, which is standard security practice. Site administrators should consult the official security advisory for more information about the nature of the vulnerabilities and their potential impact.

Performance Improvements

No specific performance improvements were included in this release. Drupal 8.9.9 is focused exclusively on security fixes rather than performance enhancements.

Impact Summary

Drupal 8.9.9 is a critical security release that addresses vulnerabilities outlined in SA-CORE-2020-012. The impact is primarily focused on security hardening rather than functional changes.

The security fixes were developed through a collaborative effort by many Drupal security team members and core contributors, demonstrating the community's commitment to maintaining Drupal's security.

This release contains minimal code changes (504 additions and 101 deletions across 16 files) that are specifically targeted at addressing the identified security vulnerabilities without introducing new features or changing existing functionality.

Sites running Drupal 8.9.x should update immediately to protect against potential security exploits. The update follows the standard Drupal update procedure and should not cause any disruption to site functionality.