Drupal Release: 9.3.12

TL;DR

Drupal 9.3.12 is a security-focused release addressing two critical security advisories (SA-CORE-2022-008 and SA-CORE-2022-009). This release contains no new features but includes important security patches that protect Drupal sites from potential vulnerabilities. All Drupal 9.3.x users should upgrade immediately to maintain site security.

Highlight of the Release

• Addresses two critical security advisories: SA-CORE-2022-008 and SA-CORE-2022-009
• Security patches developed by multiple core contributors
• Minimal code changes focused specifically on security issues

Migration Guide

No migration steps are required for this security update. This is a direct update from Drupal 9.3.11 to 9.3.12 with no database schema changes or other modifications that would require special migration procedures.

To update:

1. Back up your site's files and database
2. Update Drupal core using your preferred method (Composer, Drush, or manual update)
3. Run the database update script if prompted (though no schema changes are expected)
4. Clear caches

No additional migration steps are needed beyond the standard update process.

Upgrade Recommendations

Immediate upgrade strongly recommended

All sites running Drupal 9.3.x should upgrade to Drupal 9.3.12 immediately. This release contains fixes for security vulnerabilities, and sites not updated promptly may be at risk.

For sites still on Drupal 9.2.x or earlier, consider upgrading to the latest secure version of your branch or, preferably, to the latest secure version of Drupal 9.3.x or 9.4.x if possible.

The security fixes in this release are critical for maintaining site security. Delaying this update could expose your site to potential security threats.

Bug Fixes

This release primarily addresses security vulnerabilities rather than functional bugs. The specific details of the security issues fixed are documented in the security advisories:

• SA-CORE-2022-008: Security vulnerability patched by contributors mxr576, xjm, effulgentsia, and larowlan
• SA-CORE-2022-009: Security vulnerability patched by contributors kristiaanvandeneynde, larowlan, acbramley, xjm, longwave, catch, jibran, and benjifisher

For security reasons, detailed information about the specific vulnerabilities is typically not disclosed immediately to prevent exploitation on sites that have not yet been updated.

New Features

This security release does not contain any new features. It focuses exclusively on addressing security vulnerabilities identified in previous versions.

Security Updates

This release addresses two critical security advisories:

1. SA-CORE-2022-008: A security vulnerability patched by contributors mxr576, xjm, effulgentsia, and larowlan. The Drupal security team and core maintainers collaborated to identify and fix this issue.

2. SA-CORE-2022-009: A security vulnerability patched by contributors kristiaanvandeneynde, larowlan, acbramley, xjm, longwave, catch, jibran, and benjifisher.

Full details of these security issues are available in the respective security advisories on the Drupal security page. As is standard practice with security releases, specific details about the vulnerabilities are initially limited to prevent exploitation on unpatched sites.

Performance Improvements

No specific performance improvements are included in this security-focused release.

Impact Summary

Drupal 9.3.12 is a security release that addresses two critical security advisories (SA-CORE-2022-008 and SA-CORE-2022-009). The impact is primarily on site security rather than functionality.

The release contains minimal code changes (10 additions, 10 deletions across 7 files) focused specifically on patching security vulnerabilities. No new features, API changes, or performance improvements are included.

The primary impact is positive - sites updated to this version will be protected against the security vulnerabilities addressed by the patches. Sites not updated promptly may be at risk of exploitation.

This release maintains compatibility with existing Drupal 9.3.x sites and requires no special migration procedures beyond the standard update process.