Drupal Release: 9.3.5

TL;DR

Drupal 9.3.5 updates Twig to version 2.14.11 to address security vulnerabilities. This is a security-focused release that ensures your Drupal installation remains protected against potential template injection attacks. All Drupal 9.3.x users should upgrade immediately to maintain site security.

Highlight of the Release

• Updated Twig dependency from previous version to 2.14.11
• Addressed security vulnerabilities in the Twig templating engine
• Maintained backward compatibility with existing Twig templates

Migration Guide

No specific migration steps are required when updating from Drupal 9.3.4 to 9.3.5. This is a minor security update that should maintain full compatibility with existing sites.

To update:

1. Back up your site's files and database
2. Update Drupal core using your preferred method:
   • Composer: composer update drupal/core --with-dependencies
   • Manual update: Download and replace core files
3. Run the database update script by visiting /update.php in your browser
4. Clear caches

No template modifications should be necessary as this update maintains compatibility with existing Twig templates.

Upgrade Recommendations

Priority: High - Security Update

All sites running Drupal 9.3.x should upgrade to version 9.3.5 immediately to address the security vulnerabilities in the Twig templating engine.

This is a minor security update that should not cause any compatibility issues with existing sites. The update process should be straightforward and can be performed using standard Drupal update procedures.

For sites using Composer:

composer update drupal/core --with-dependencies

After updating, run database updates and clear caches as usual.

Bug Fixes

This release fixes security vulnerabilities in the Twig templating engine by updating to version 2.14.11. The specific bug fixes include:

• Patched potential template injection vulnerabilities in Twig
• Resolved issues related to Twig's handling of certain template expressions
• Fixed security issues identified in previous Twig versions

This update was tracked in Drupal issue #3262583.

New Features

No new features were introduced in this release. This is a security-focused update that specifically addresses vulnerabilities in the Twig templating engine by updating to version 2.14.11.

Security Updates

in Twig 2.14.11

This release updates Drupal's Twig dependency to version 2.14.11 to address security vulnerabilities in the templating engine. The update helps protect against:

• Template injection attacks that could potentially allow malicious code execution
• Security issues in Twig's template parsing and rendering mechanisms
• Vulnerabilities that could expose sensitive information or enable unauthorized access

The security update was coordinated through Drupal issue #3262583 with contributions from community members xjm, neclimdul, bnjmnm, and catch.

Performance Improvements

No specific performance improvements were mentioned in the release notes. This update focuses primarily on security fixes by updating the Twig dependency to version 2.14.11.

Impact Summary

Drupal 9.3.5 is a security-focused release that updates the Twig templating engine to version 2.14.11. This update addresses potential security vulnerabilities that could affect sites running earlier versions of Drupal 9.3.x.

The impact is primarily positive, as it enhances the security posture of Drupal installations without introducing breaking changes. Site administrators should prioritize this update to ensure their sites remain protected against potential template injection attacks and other security issues addressed in the Twig update.

The update is minimal in scope (affecting only 4 files with 31 changes) and focused specifically on the Twig dependency, which suggests a targeted security fix rather than a broad feature update. This focused approach minimizes the risk of unintended consequences while addressing the specific security concerns.