Drupal Release: 9.0.14

TL;DR

Drupal 9.0.14 Release: Critical Security Update

This release addresses a critical security vulnerability identified as SA-CORE-2021-003. It's a security-focused update with no new features or functionality changes. All Drupal 9.0.x sites should upgrade immediately to protect against potential security exploits.

Highlight of the Release

• Critical security update addressing vulnerability SA-CORE-2021-003
• Immediate upgrade recommended for all Drupal 9.0.x sites
• Coordinated security release by the Drupal Security Team

Migration Guide

No migration steps are required for this update. This is a direct update addressing security vulnerabilities and should be applied using standard Drupal update procedures:

1. Back up your database and site files
2. Put the site into maintenance mode
3. Update Drupal core to version 9.0.14
4. Run the database update script if prompted
5. Take the site out of maintenance mode

As always, test the update on a staging environment before applying to production.

Upgrade Recommendations

Immediate Upgrade Strongly Recommended

All sites running Drupal 9.0.x should upgrade to Drupal 9.0.14 immediately. This is a critical security release that addresses vulnerabilities that could be exploited by malicious actors.

For sites unable to update immediately, it's recommended to consult the security advisory for possible mitigation strategies until the update can be applied.

Long-term, consider planning an upgrade path to the latest supported branch of Drupal 9, as the 9.0.x branch will eventually reach end-of-life.

Bug Fixes

This release primarily addresses security vulnerabilities rather than functional bugs. The specific details of the security fixes are outlined in the Security Fixes section.

New Features

No new features were added in this release. Drupal 9.0.14 is strictly a security update addressing the vulnerability identified as SA-CORE-2021-003.

Security Updates

SA-CORE-2021-003 Security Advisory

This release fixes a critical security vulnerability identified as SA-CORE-2021-003. While specific details about the vulnerability are typically limited in security releases to prevent exploitation, the fix was contributed by multiple security team members including securitylight, xjm, greggles, larowlan, and kkrzton.

The Drupal Security Team recommends updating immediately as this vulnerability could potentially allow unauthorized access or other security breaches on affected sites.

For more details, refer to the official security advisory on drupal.org.

Performance Improvements

No specific performance improvements were included in this release. Drupal 9.0.14 focuses exclusively on addressing security vulnerabilities.

Impact Summary

This release addresses a critical security vulnerability that could potentially impact all Drupal 9.0.x sites. The security fix required significant changes (2538 changes across 228 files) but focuses solely on security hardening without adding features or changing functionality.

The coordinated release by multiple security team members indicates the seriousness of the vulnerability being addressed. Sites that delay updating could be at risk of exploitation, potentially leading to unauthorized access, data breaches, or site compromise.

This update maintains compatibility with existing Drupal 9.0.x installations and should not cause any regressions when properly installed.