Drupal Release: 9.1.3

TL;DR

Drupal 9.1.3 is a security release that addresses critical vulnerabilities identified as SA-CORE-2021-001. This release is essential for all Drupal 9.1.x users to protect their sites from potential security exploits. The update contains security patches developed by multiple core contributors and security team members.

Highlight of the Release

• Critical security update addressing vulnerabilities identified as SA-CORE-2021-001
• Collaborative security fix developed by multiple core contributors
• Maintains compatibility with existing Drupal 9.1.x installations

Migration Guide

No specific migration steps are required when updating from Drupal 9.1.2 to 9.1.3. This is a security update that maintains backward compatibility with existing Drupal 9.1.x installations.

Standard update procedures apply:

1. Back up your database and site files before updating
2. Update using Composer (recommended): composer update drupal/core --with-dependencies
3. Run database updates: drush updatedb or visit /update.php in your browser
4. Clear caches: drush cache:rebuild or via the admin interface

If you're updating from an earlier version than 9.1.2, please review the release notes for intermediate versions as well.

Upgrade Recommendations

Immediate Update Strongly Recommended

This security release addresses critical vulnerabilities and should be applied immediately to all Drupal 9.1.x sites. The security team considers this update essential for maintaining site security.

• Priority: Critical
• Risk: Low (standard security update with minimal risk of breaking functionality)
• Timing: Update as soon as possible

Sites running earlier versions of Drupal 9 or Drupal 8 should follow their respective security update paths. Sites still running Drupal 7 should refer to the Drupal 7 security advisories.

Bug Fixes

This release primarily addresses security vulnerabilities rather than functional bugs. The specific details of the security issues fixed are documented in the security advisory SA-CORE-2021-001, following responsible disclosure practices. Any bugs fixed as part of addressing these security concerns are included in the security fixes section.

New Features

No new features were introduced in this release as it focuses exclusively on security fixes. This is typical for minor point releases (9.1.x) which prioritize stability and security over new functionality.

Security Updates

SA-CORE-2021-001 Security Advisory

This release fixes critical security vulnerabilities covered under the SA-CORE-2021-001 advisory. The security team and contributing developers (larowlan, stephenacrossri, siliconmeadow, mcdruid, xjm, vijaycs85, mlhess, and greggles) collaborated to address these issues.

While specific details about the vulnerabilities are typically limited in public release notes to protect sites that haven't yet updated, users should consider this a critical update that requires immediate attention.

For more details, refer to the official security advisory on Drupal.org.

Performance Improvements

No specific performance improvements were highlighted in this security-focused release. The primary goal was to address critical security vulnerabilities rather than enhance performance.

Impact Summary

Drupal 9.1.3 is a critical security release that addresses vulnerabilities identified in the SA-CORE-2021-001 security advisory. The impact of this release is primarily protective - it shields Drupal sites from potential exploitation of the fixed security issues.

The security fixes were developed through collaboration between multiple core contributors and security team members, demonstrating the Drupal community's commitment to maintaining a secure CMS platform.

This release maintains compatibility with existing Drupal 9.1.x installations and follows the standard minor version update path, minimizing disruption while maximizing security. No new features or API changes were introduced, keeping the focus entirely on security improvements.

Sites that delay implementing this update may be vulnerable to security exploits, making this an urgent update for all Drupal 9.1.x users.