Drupal Release: 9.1.0-rc3
Pre Release
Tag Name: 9.1.0-rc3
Release Date: 11/26/2020
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 9.1.0-rc3 is a security-focused release candidate that reverts the previous 9.1.0-rc2 release and includes critical security fixes identified as SA-CORE-2020-013. This release addresses important security vulnerabilities that required immediate attention before the final 9.1.0 release.
Highlights of the Release
- Critical security update addressing vulnerabilities identified in SA-CORE-2020-013
- Complete reversion of the previous 9.1.0-rc2 release
- Collaboration from multiple security team members to address vulnerabilities
Migration Guide
No specific migration guide is needed for this release candidate. This is a direct security update from the previous release candidate. Users should:
- Back up their site before updating
- Update to 9.1.0-rc3 using their preferred method (Composer, Drush, etc.)
- Run database updates if prompted
- Clear caches
- Test site functionality thoroughly
Upgrade Recommendations
Immediate Update Recommended
All Drupal 9.1.0-rc2 users should update to 9.1.0-rc3 immediately due to the security fixes included. This is a critical security update that addresses vulnerabilities identified in SA-CORE-2020-013.
For sites still on Drupal 8 or earlier, this release serves as another reminder that planning your upgrade path to Drupal 9 is essential, as Drupal 8 will reach end-of-life in November 2021.
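An added example, not part of the original release notes or of Drupal's own tooling: a Python check that reads a site's composer.lock and compares the locked drupal/core version with the two versions named above. It assumes the site is managed with Composer; the lock contents, site names and helper names are constructed for illustration, and any other version is reported for review against the advisory rather than classified.

```python
import json

# The only two versions this page classifies.
SUPERSEDED = "9.1.0-rc2"   # page: update immediately
FIXED = "9.1.0-rc3"        # page: contains the SA-CORE-2020-013 fixes


def locked_core_version(lock_text):
    """Return the drupal/core version pinned in composer.lock text, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") == "drupal/core":
                return pkg["version"].lstrip("v").lower()
    return None


def classify(lock_text):
    """Map a composer.lock to (status, version) using only the page's versions."""
    try:
        version = locked_core_version(lock_text)
    except (ValueError, AttributeError, KeyError, TypeError):
        return "unreadable", None          # malformed or truncated lock file
    if version is None:
        return "no-drupal-core", None
    if version == SUPERSEDED:
        return "update-now", version
    if version == FIXED:
        return "ok", version
    return "check-advisory", version       # not covered by this page


def make_lock(version):
    """Constructed sample input: a minimal composer.lock body."""
    return json.dumps({"packages": [
        {"name": "symfony/yaml", "version": "v4.4.16"},
        {"name": "drupal/core", "version": version},
    ], "packages-dev": []})


if __name__ == "__main__":
    inventory = {  # constructed site names
        "site-a": make_lock("9.1.0-rc2"),
        "site-b": make_lock("9.1.0-rc3"),
        "site-c": make_lock("9.0.8"),
        "site-d": '{"packages": [',
    }
    for site, text in sorted(inventory.items()):
        print(site, *classify(text))
```

An "unreadable" result is worth treating as a finding in its own right, since a site whose lock file cannot be parsed cannot be confirmed as updated.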
Bug Fixes
This release primarily addresses security vulnerabilities rather than functional bugs. The specific details of the fixes are contained in the security advisory SA-CORE-2020-013, with contributions from multiple security team members including luke.stewart, xjm, larowlan, mcdruid, drumm, and mlhess.
New Features
No new features were introduced in this release. This is strictly a security-focused release candidate that reverts the previous RC and implements critical security fixes.
Security Updates
This release includes critical security fixes identified as SA-CORE-2020-013. The security advisory was worked on by multiple team members (luke.stewart, xjm, larowlan, mcdruid, drumm, mlhess).
For detailed information about the specific vulnerabilities addressed, users should refer to the official security advisory at https://www.drupal.org/sa-core-2020-013.
Performance Improvements
No specific performance improvements were mentioned in the release information. This release focuses on security fixes rather than performance enhancements.
Impact Summary
This release candidate represents an important security update in the Drupal 9.1.0 release cycle. By reverting the previous release candidate and implementing critical security fixes, the Drupal security team has demonstrated their commitment to addressing vulnerabilities promptly before the final release.
The security fixes in SA-CORE-2020-013 are significant enough to warrant a new release candidate, indicating their importance for site security. While the specific technical details of the vulnerabilities are not disclosed in the commit messages (following responsible security disclosure practices), the involvement of multiple security team members suggests a coordinated effort to address potentially serious issues.
Site administrators should prioritize testing and deploying this update to ensure their sites remain secure during the release candidate phase of Drupal 9.1.0.
