Drupal Release: 9.0.6

Tag Name: 9.0.6

Release Date: 9/16/2020

Drupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 9.0.6: Critical Security Update

This release addresses multiple critical security vulnerabilities (SA-CORE-2020-007 through SA-CORE-2020-011) that could potentially compromise your Drupal site. This is a security-focused maintenance release with no new features, containing fixes for several remote code execution, access bypass, and information disclosure vulnerabilities. All Drupal 9 site owners should update immediately to protect their sites from potential attacks.

Highlights of the Release

    • Addresses five critical security advisories (SA-CORE-2020-007 through SA-CORE-2020-011)
    • Fixes multiple remote code execution vulnerabilities
    • Patches access bypass security issues
    • Resolves information disclosure vulnerabilities

Migration Guide

No specific migration steps are required for this security update. This is a standard security release that follows Drupal's minor version update process:

  1. Back up your database and site files before updating
  2. Update Drupal core using your preferred method (Composer, Drush, or manual update)
  3. Run the database update script (update.php) after updating
  4. Clear all caches

For detailed instructions on updating Drupal core, refer to the Drupal documentation.

Upgrade Recommendations

Immediate Update Strongly Recommended

Due to the critical nature of the security vulnerabilities addressed in this release, all Drupal 9 site owners should update to version 9.0.6 immediately.

  • Priority: Critical
  • Update Timeline: As soon as possible
  • Risk of Not Updating: High - sites could be compromised through multiple attack vectors

Before updating:

  1. Create a complete backup of your site and database
  2. Test the update on a staging environment if possible
  3. Schedule a brief maintenance window for production sites

After updating:

  1. Run the database update script (update.php)
  2. Clear all caches
  3. Test critical site functionality to ensure everything works as expected
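
The before/update/after steps above in scripted form, as an added example that is not Drupal project code. It assumes a Composer-managed site that requires the `drupal/core-*` packages and has Drush at `vendor/bin/drush`; `BACKUP_DIR` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Drupal project code). Assumes a Composer-managed site
# with Drush at vendor/bin/drush; BACKUP_DIR is a hypothetical location
# outside the project directory.
FIXED_VERSION="9.0.6"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/drupal}"

# Succeeds when plain x.y.z version $1 is older than $2.
version_lt() {
  [ "$1" = "$2" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$2" |
    sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$1" ]
}

# Succeeds when $1 is a 9.0.x version that predates the security release.
needs_security_update() {
  case "$1" in
    9.0.*) version_lt "$1" "$FIXED_VERSION" ;;
    *) return 1 ;;
  esac
}

# Runs the update steps for the project directory $1 and fails loudly
# if the site still reports a pre-9.0.6 version afterwards.
patch_site() (
  set -e
  cd "$1"
  before=$(vendor/bin/drush status --field=drupal-version)
  needs_security_update "$before" || {
    echo "$1: $before is not a 9.0.x release older than $FIXED_VERSION, skipping"
    exit 0
  }
  stamp=$(date +%Y%m%d%H%M%S)
  # Back up the database and site files before updating.
  vendor/bin/drush sql:dump --gzip --result-file="$BACKUP_DIR/db-$stamp.sql"
  tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" .
  # Update core (assumes drupal/core-* packages in composer.json), then run
  # the database updates (the update.php step) and clear all caches.
  composer update "drupal/core-*" --with-all-dependencies
  vendor/bin/drush updatedb --yes
  vendor/bin/drush cache:rebuild
  after=$(vendor/bin/drush status --field=drupal-version)
  if needs_security_update "$after"; then
    echo "$1: still at $after after update" >&2; exit 1
  fi
  echo "$1: updated $before -> $after"
)
```

Call `patch_site /path/to/project` on staging first; a non-zero exit means the site still reports a version below 9.0.6 or one of the steps failed.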

If you cannot update immediately, consider temporarily taking your site offline until the update can be applied, especially for high-profile or sensitive sites.

Bug Fixes

Security Vulnerabilities Fixed

This release addresses five security advisories:

  • SA-CORE-2020-007: Fixed a vulnerability that could potentially allow remote code execution.
  • SA-CORE-2020-008: Addressed an access bypass vulnerability affecting certain core components.
  • SA-CORE-2020-009: Resolved multiple security issues related to information disclosure and input validation.
  • SA-CORE-2020-010: Fixed vulnerabilities that could lead to unauthorized access to protected resources.
  • SA-CORE-2020-011: Patched several security issues affecting core functionality.

For detailed information about these security fixes, please refer to the Drupal security advisories page.

New Features

This security release does not include any new features. It focuses exclusively on addressing critical security vulnerabilities identified in Drupal core.

Security Updates

Critical Security Fixes

Drupal 9.0.6 addresses five security advisories:

  1. SA-CORE-2020-007: Fixes a vulnerability that could allow attackers to execute arbitrary code on the server under certain conditions. This issue was discovered and fixed by samuel.mortenson, nod_, larowlan, dsnopek, catch, effulgentsia, and mcdruid.

  2. SA-CORE-2020-008: Resolves an access bypass vulnerability that could allow unauthorized users to access protected content or functionality. Contributors to this fix include amateescu, xjm, catch, larowlan, greggles, and dixon.

  3. SA-CORE-2020-009: Addresses multiple vulnerabilities related to information disclosure and input validation. This was a collaborative fix by nzr, markwittens, nathandentzau, marcaddeo, janusman, larowlan, David_Rothstein, Wim Leers, vijaycs85, mcdruid, Heine, pandaski, xjm, and tim.plunkett.

  4. SA-CORE-2020-010: Fixes security issues that could potentially expose sensitive information or allow unauthorized actions. Contributors include DorTumarkin, kkrzton, samuel.mortenson, TwoD, Wim Leers, larowlan, and xjm.

  5. SA-CORE-2020-011: Resolves several vulnerabilities affecting core functionality. This fix was contributed by David_Rothstein, Chi, elarlang, dokumori, kyk, xjm, mlhess, pwolanin, stefan.r, benjy, fgm, samuel.mortenson, larowlan, and pandaski.

The Drupal security team recommends updating to version 9.0.6 immediately to protect your site from these vulnerabilities.

Performance Improvements

No specific performance improvements are included in this release. The focus of Drupal 9.0.6 is exclusively on addressing critical security vulnerabilities.

Impact Summary

Drupal 9.0.6 is a critical security release that addresses five security advisories (SA-CORE-2020-007 through SA-CORE-2020-011). These fixes patch multiple vulnerabilities including potential remote code execution, access bypass, and information disclosure issues.

The security fixes in this release are essential for maintaining the security integrity of all Drupal 9 sites. Without this update, sites remain vulnerable to several attack vectors that could lead to site compromise, data theft, or unauthorized access.

This release demonstrates the Drupal security team's ongoing commitment to addressing vulnerabilities promptly and transparently. The collaborative nature of these fixes, with contributions from numerous community members, highlights the strength of Drupal's security response process.

While this update doesn't introduce new features or performance improvements, its importance cannot be overstated from a security perspective. All site owners should prioritize this update to protect their sites and their users' data.

Statistics:

  • Files Changed: 17
  • Line Additions: 105
  • Line Deletions: 23
  • Line Changes: 128
  • Total Commits: 6

Users Affected:

  • Must update their Drupal installations immediately to protect against multiple security vulnerabilities
  • Need to ensure all sites are updated to version 9.0.6 to maintain security compliance
  • Should review site functionality after update to ensure no issues

Contributors:

xjm