Drupal Release: 9.2.20

TL;DR

Drupal 9.2.20 Release: Critical Security Update

This release addresses a critical security vulnerability identified as SA-CORE-2022-010. It's a security-focused update with no new features or functionality changes. All Drupal 9.2.x sites should upgrade immediately to mitigate potential security risks. This update is essential for maintaining the security integrity of your Drupal installation.

Highlight of the Release

• Critical security update addressing vulnerability SA-CORE-2022-010
• Collaborative security fix developed by multiple core contributors
• Maintains compatibility with existing Drupal 9.2.x installations

Migration Guide

No migration steps are required for this update. This is a direct update that addresses security vulnerabilities without changing APIs or functionality.

To update:

1. Back up your site's files and database
2. Update Drupal core using your preferred method:
   • Composer: composer update drupal/core --with-dependencies
   • Manual update: Download and replace core files
3. Run database updates via the UI at /update.php or using Drush: drush updatedb
4. Clear caches via the UI or using Drush: drush cache:rebuild

Upgrade Recommendations

Immediate Upgrade Strongly Recommended

Due to the security-critical nature of this release, immediate upgrade is strongly recommended for all sites running Drupal 9.2.x.

• Priority: Critical
• Timing: Update as soon as possible
• Preparation: Perform a full site backup before updating
• Testing: While this is a security-only update with minimal risk of functionality regression, testing in a staging environment is still recommended when possible
• Long-term planning: Consider upgrading to the latest supported branch of Drupal if you're on an older version, as security support for Drupal 9.2.x may be limited in the future

Bug Fixes

This release primarily addresses security vulnerabilities rather than functional bugs. The specific details of the security issue fixed are documented in the security advisory SA-CORE-2022-010.

New Features

No new features were introduced in this release. This is strictly a security update addressing vulnerability SA-CORE-2022-010.

Security Updates

Critical Security Fix: SA-CORE-2022-010

This release patches a security vulnerability identified in the Drupal core. The fix was developed collaboratively by multiple core contributors including mayela, mxr576, xjm, cilefen, greggles, benjifisher, and alexpott.

For detailed information about the vulnerability and its implications, please refer to the official security advisory at https://www.drupal.org/sa-core-2022-010.

Note: As per standard security practices, detailed information about the vulnerability may be limited in public documentation to prevent exploitation on unpatched systems.

Performance Improvements

No specific performance improvements were included in this release. The focus was exclusively on addressing the security vulnerability identified as SA-CORE-2022-010.

Impact Summary

This release addresses a critical security vulnerability (SA-CORE-2022-010) in Drupal 9.2.x. While the specific details of the vulnerability are not fully disclosed in the commit messages to prevent exploitation, the involvement of multiple core security team members indicates this is a significant security issue.

The update consists of 65 additions and 21 deletions across 5 files, suggesting a targeted fix rather than a broad system overhaul. This security-focused release maintains compatibility with existing Drupal 9.2.x installations while closing a security gap.

Sites running Drupal 9.2.x should update immediately to mitigate potential security risks. The update process should be straightforward with minimal risk of breaking existing functionality, as this appears to be a clean security patch without feature changes.