Drupal Release: 9.1.13

TL;DR

Drupal 9.1.13: Critical Security Update

This release addresses multiple critical security vulnerabilities (SA-CORE-2021-006 through SA-CORE-2021-010) that could potentially compromise your Drupal site. This is a security-focused maintenance release with no new features, focusing exclusively on patching several security issues. All Drupal 9.1.x sites should upgrade immediately to this version to protect against potential exploits.

Highlight of the Release

• Addresses five security advisories (SA-CORE-2021-006 through SA-CORE-2021-010)
• Critical security fixes that protect against potential site compromises
• Collaborative security patches developed by multiple core contributors

Migration Guide

No specific migration steps are required for this security update. This is a standard security release that follows Drupal's established update procedures:

1. Back up your database and site files before updating
2. Update Drupal core using Composer (recommended):

   composer update drupal/core --with-dependencies
   

   Or download and replace the core files manually if not using Composer
3. Run the database update script by navigating to /update.php in your browser or using Drush:

   drush updatedb
   

4. Clear caches:

   drush cache:rebuild
   

No special migration steps are needed beyond the standard Drupal update process.

Upgrade Recommendations

Immediate Update Strongly Recommended

Due to the critical nature of the security vulnerabilities addressed in this release, immediate upgrade is strongly recommended for all Drupal 9.1.x sites.

• Priority: Critical - this update addresses multiple security vulnerabilities
• Timing: Update as soon as possible
• Preparation: Perform a complete site backup before updating
• Testing: Test the update on a staging environment if possible, but do not delay production updates
• Affected versions: All Drupal 9.1.x versions prior to 9.1.13

Sites unable to update immediately should consider implementing temporary protection measures as recommended in the security advisories until the update can be applied.

Bug Fixes

This release includes fixes for multiple security vulnerabilities:

• SA-CORE-2021-006: Security fix addressing a vulnerability in core components
• SA-CORE-2021-007: Patch for security issues identified in Drupal core
• SA-CORE-2021-008: Resolution for a security vulnerability affecting site security
• SA-CORE-2021-009: Fix for a security issue that could potentially expose site data
• SA-CORE-2021-010: Security patch addressing potential vulnerabilities in API handling

Each security advisory was developed collaboratively by multiple Drupal security team members and contributors to ensure comprehensive protection against identified vulnerabilities.

New Features

This release does not include any new features as it is focused exclusively on security fixes. Drupal 9.1.13 is a security maintenance release that addresses critical vulnerabilities without introducing new functionality.

Security Updates

Critical Security Fixes

This release contains fixes for five security advisories:

• SA-CORE-2021-006: Addresses a critical security vulnerability in Drupal core that could potentially allow unauthorized access to site data. This fix was collaboratively developed by multiple security team members including azinck, seanB, effulgentsia, marcoscano, larowlan, and others.

• SA-CORE-2021-007: Resolves a security issue that could potentially allow malicious actors to exploit vulnerabilities in Drupal's core functionality. This fix was contributed by samuel.mortenson, Wim Leers, greggles, xjm, and other security team members.

• SA-CORE-2021-008: Patches a security vulnerability that could compromise site integrity. This fix was developed by klausi, xjm, larowlan, alexpott, and other contributors to ensure site security.

• SA-CORE-2021-009: Addresses a security issue that could potentially expose sensitive information. This fix was contributed by illeace, Wim Leers, xjm, and other security team members.

• SA-CORE-2021-010: Resolves a security vulnerability related to API handling that could potentially be exploited. This fix was developed by bradjones1, xjm, bbrala, gabesullice, and other contributors.

The Drupal security team recommends updating immediately to mitigate these vulnerabilities.

Performance Improvements

This release does not contain specific performance improvements as it is focused exclusively on addressing security vulnerabilities. Any performance changes would be incidental to the security fixes implemented.

Impact Summary

Drupal 9.1.13 is a critical security release that addresses five security vulnerabilities (SA-CORE-2021-006 through SA-CORE-2021-010). The impact of this release is primarily focused on improving site security and protecting against potential exploits.

This release demonstrates the Drupal security team's commitment to quickly addressing vulnerabilities through collaborative efforts. The security fixes were developed by multiple contributors working together to ensure comprehensive protection.

While this release doesn't introduce new features or performance improvements, it's essential for maintaining the security integrity of Drupal sites. The security patches have been carefully implemented to fix vulnerabilities without disrupting existing functionality.

Site administrators should prioritize this update to protect their sites from potential security threats. The collaborative nature of these security fixes highlights the strength of Drupal's security team and community response to identified vulnerabilities.