Drupal Release: 9.0.8

TL;DR

Drupal 9.0.8 Release: Critical Security Update

This release addresses critical security vulnerabilities identified in SA-CORE-2020-012. It's a security-focused update with no new features or functionality changes. All Drupal 9.0.x sites should upgrade immediately to protect against potential security exploits. This is a maintenance release that focuses exclusively on patching security issues while maintaining compatibility with existing Drupal 9 installations.

Highlight of the Release

• Critical security update addressing vulnerabilities identified in SA-CORE-2020-012
• Coordinated security release with contributions from multiple security team members
• Maintains compatibility with existing Drupal 9.0.x installations

Migration Guide

No migration steps are required for this update. This is a standard security update that follows Drupal's minor version update process:

1. Back up your database and site files before updating
2. Update using Composer (recommended):

   composer update drupal/core --with-dependencies
   

3. Or update manually by replacing core files
4. Run the database update script by visiting /update.php or using Drush:

   drush updatedb
   

5. Clear caches:

   drush cache:rebuild
   

Upgrade Recommendations

Immediate Update Strongly Recommended

Due to the critical nature of the security fixes in this release, it is strongly recommended that all Drupal 9.0.x sites be updated to version 9.0.8 immediately.

The security team considers this update to be a high priority, and sites that remain on older versions may be vulnerable to security exploits. Organizations should prioritize this update and implement it as soon as possible, following standard backup and testing procedures.

For sites unable to update immediately, it's advisable to consult the security advisory for any potential mitigation strategies that might be available while preparing for the update.

Bug Fixes

This release primarily addresses security vulnerabilities rather than functional bugs. The specific details of the security issues fixed are documented in the security advisory SA-CORE-2020-012, which should be consulted for complete information about the vulnerabilities that were patched.

New Features

No new features were added in this release. Drupal 9.0.8 is a security-focused update that addresses critical vulnerabilities without introducing new functionality.

Security Updates

Security Advisory SA-CORE-2020-012

This release addresses critical security vulnerabilities identified in the security advisory SA-CORE-2020-012. The advisory was developed through the collaborative efforts of the Drupal security team and community contributors.

While specific details about the vulnerabilities are typically limited in security releases to prevent exploitation of unpatched sites, the security fixes in this release are designed to protect Drupal sites from potential attacks.

The security team recommends updating immediately to mitigate risk to your Drupal installation.

Performance Improvements

No specific performance improvements were included in this release. Drupal 9.0.8 focuses exclusively on security fixes rather than performance enhancements.

Impact Summary

Drupal 9.0.8 is a critical security release that addresses vulnerabilities identified in SA-CORE-2020-012. The impact is primarily focused on security hardening rather than functional changes.

The release represents the collaborative work of many Drupal security team members and contributors, demonstrating the community's commitment to maintaining Drupal as a secure content management system.

Sites running Drupal 9.0.x should update immediately to ensure they are protected against the security vulnerabilities addressed in this release. The update process follows standard minor version procedures and should not introduce compatibility issues with existing functionality.

Organizations should prioritize this update due to its security-critical nature, and hosting providers should be prepared to assist clients with implementing the update promptly.