Drupal Release: 9.3.19

Tag Name: 9.3.19

Release Date: 7/20/2022

Drupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 9.3.19: Critical Security Update

This release addresses four critical security vulnerabilities (SA-CORE-2022-012, SA-CORE-2022-013, SA-CORE-2022-014, and SA-CORE-2022-015) that could potentially compromise your Drupal site. All Drupal 9.3.x users should update immediately to version 9.3.19 to protect their sites from these security issues. This is a security-focused release with no new features or performance improvements.

Highlights of the Release

    • Addresses four critical security advisories: SA-CORE-2022-012, SA-CORE-2022-013, SA-CORE-2022-014, and SA-CORE-2022-015
    • Collaborative security fixes from multiple core contributors
    • Immediate update recommended for all Drupal 9.3.x sites

Migration Guide

No specific migration steps are required for this security update. This is a standard update within the 9.3.x branch:

  1. Back up your database and site files before updating
  2. Update using your preferred method:
    • Using Composer (recommended): composer update drupal/core --with-dependencies
    • Using Drush: drush up drupal
  3. Run database updates: drush updatedb or visit /update.php in your browser
  4. Clear caches: drush cache:rebuild or clear caches through the admin interface

No API changes or deprecations are included in this release, so custom code should continue to function as before.
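
A check that the update actually landed, as an added example (not part of the original release notes or of Drupal's own tooling): it reads composer.lock and reports whether the locked drupal/core version on the 9.3.x branch is at or above 9.3.19. The function names and the sample lock contents are constructed for illustration; versions are compared numerically so that 9.3.9 is not mistaken for being newer than 9.3.19.

```python
import json
import re

FIXED = (9, 3, 19)  # security release named on this page


def core_version(lock_text):
    """Return the locked drupal/core version string, or None if absent."""
    lock = json.loads(lock_text)
    # drupal/core normally sits under "packages"; check "packages-dev" too.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") == "drupal/core":
                return pkg.get("version")
    return None


def classify(version):
    """Classify a locked version against the 9.3.19 security release."""
    if version is None:
        return "not-found"
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        # e.g. "9.3.x-dev": a dev or pre-release lock cannot be compared reliably
        return "unparsed"
    parsed = tuple(int(p) for p in m.groups())
    if parsed[:2] != FIXED[:2]:
        return "other-branch"  # this page only covers the 9.3.x branch
    return "patched" if parsed >= FIXED else "needs-update"


def check_lock(lock_text):
    """Return (version, status) for the text of a composer.lock file."""
    version = core_version(lock_text)
    return version, classify(version)


# Constructed sample lock files, trimmed to the fields used here.
SAMPLE_OLD = json.dumps({"packages": [
    {"name": "drupal/core", "version": "9.3.18"},
    {"name": "example/other-package", "version": "1.0.0"}]})
SAMPLE_NEW = json.dumps({"packages": [
    {"name": "drupal/core", "version": "9.3.19"}]})

if __name__ == "__main__":
    for label, text in (("before update", SAMPLE_OLD), ("after update", SAMPLE_NEW)):
        print(label, *check_lock(text))
```

To check a real site, pass the contents of the project's composer.lock to check_lock() and treat any result other than "patched" on a 9.3.x site as needing follow-up.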

Upgrade Recommendations

Immediate Update Strongly Recommended

Due to the critical nature of the security vulnerabilities addressed in this release, immediate upgrade is strongly recommended for all sites running Drupal 9.3.x.

  • Priority: Critical
  • Timing: Update as soon as possible
  • Preparation: Perform a full site backup before updating
  • Testing: Test the update on a staging environment if possible, but do not delay the production update
  • Monitoring: After updating, monitor your site for any unusual activity that might indicate a previous compromise

If you cannot update immediately, consider temporarily taking your site offline until the update can be applied, especially for high-profile or sensitive sites.

Bug Fixes

This release includes fixes for four security vulnerabilities:

  • SA-CORE-2022-012: Security vulnerability fixed by multiple contributors including cmlara, GuyPaddock, larowlan, mondrake, effulgentsia, xjm, longwave, Dave Reid, lauriii, David Strauss, benjifisher, alexpott, mcdruid, and Fabianx.

  • SA-CORE-2022-013: Security vulnerability addressed by prudloff, tim.plunkett, Heine, effulgentsia, xjm, lauriii, longwave, and larowlan.

  • SA-CORE-2022-014: Security vulnerability patched by elarlang, pwolanin, xjm, mcdruid, effulgentsia, greggles, jenlampton, larowlan, and longwave.

  • SA-CORE-2022-015: Security vulnerability fixed by Heine, larowlan, alexpott, samuel.mortenson, xjm, pandaski, vijaycs85, effulgentsia, drumm, benjifisher, jenlampton, and longwave.

The specific details of these vulnerabilities are typically not disclosed immediately to prevent exploitation on sites that have not yet been updated.

New Features

This release does not include any new features as it is focused exclusively on security fixes. The primary purpose of Drupal 9.3.19 is to address critical security vulnerabilities identified in previous versions.

Security Updates

Drupal 9.3.19 addresses four critical security advisories:

  1. SA-CORE-2022-012: This security advisory addresses a vulnerability that required the collaborative effort of multiple core contributors to fix. While specific details are limited to prevent exploitation, the number of contributors involved suggests this was a complex security issue.

  2. SA-CORE-2022-013: This security fix addresses another critical vulnerability in Drupal core, with contributions from eight core team members.

  3. SA-CORE-2022-014: This security patch fixes a vulnerability with contributions from nine team members, including security specialists.

  4. SA-CORE-2022-015: The final security advisory addressed in this release involved twelve contributors, indicating a significant security concern.

The Drupal security team typically releases limited information about vulnerabilities immediately after a security release to give users time to update before detailed information becomes public. For the most current information about these security advisories, users should check the Drupal Security Advisories page.

Performance Improvements

This release does not contain any specific performance improvements as it is focused exclusively on addressing critical security vulnerabilities. The primary goal of this update is to secure Drupal installations rather than enhance performance.

Impact Summary

This security-focused release addresses four critical vulnerabilities that could potentially allow attackers to compromise Drupal sites. The update contains approximately 200 additions and 26 deletions across 14 files, indicating targeted fixes rather than widespread changes.

The security issues were significant enough to warrant collaboration from many core contributors, suggesting these were complex or high-impact vulnerabilities. While the specific nature of the vulnerabilities is not detailed in the release notes (a standard security practice to protect sites that haven't updated yet), the involvement of security team members and the release of multiple security advisories simultaneously indicates this is a high-priority update.

Sites running Drupal 9.3.x that do not update may be vulnerable to exploitation. The security fixes appear to be backward compatible within the 9.3.x branch, meaning the update should not break existing functionality.

Statistics:

Files Changed: 14
Line Additions: 200
Line Deletions: 26
Line Changes: 226
Total Commits: 5

Users Affected:

  • Must update their Drupal installations immediately to address critical security vulnerabilities
  • Need to coordinate the security update with minimal site disruption
  • Should review site functionality after update to ensure everything works properly

Contributors:

xjm