Drupal Release: 9.3.6

Tag Name: 9.3.6

Release Date: 2/15/2022

Drupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 9.3.6 is a security release that addresses critical vulnerabilities identified in SA-CORE-2022-003 and SA-CORE-2022-004. This release contains no new features or non-security-related bug fixes. It's essential for all Drupal 9.3.x sites to update immediately to mitigate security risks.

Highlights of the Release

    • Critical security fixes addressing vulnerabilities reported in SA-CORE-2022-003 and SA-CORE-2022-004
    • Collaborative security patches developed by multiple core contributors
    • Maintenance release focused exclusively on security improvements

Migration Guide

No migration steps are required for this security update. Standard update procedures apply:

  1. Back up your database and site files
  2. Put your site into maintenance mode
  3. Update Drupal core to version 9.3.6
  4. Run the database update script by visiting /update.php in your browser
  5. Take your site out of maintenance mode

If you encounter any issues during the update process, refer to the Drupal update documentation.

Upgrade Recommendations

Immediate Update Strongly Recommended

All sites running Drupal 9.3.x should update to Drupal 9.3.6 immediately. This is a security release that addresses critical vulnerabilities that could be exploited by malicious actors.

Sites still running Drupal 9.2.x or earlier should update to the latest secure version for their branch or consider upgrading to 9.3.6 if possible.

The security team strongly recommends applying this update as soon as possible, as the fixed vulnerabilities may already be known to potential attackers.
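To apply these recommendations across several sites, the installed core version can be read from each site's `composer.lock` and mapped to the action described above. This is an added example, not code from the Drupal project; it assumes Composer-managed sites, and the function names and sample lock content are constructed for illustration.

```python
import json
import re

FIXED = (9, 3, 6)  # the security release this page describes

def core_version(lock_text):
    """Return the drupal/core version string from composer.lock content, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "drupal/core":
            return pkg.get("version")
    return None

def classify(version):
    """Map a drupal/core version to the action this page recommends."""
    if version is None:
        return "unknown: drupal/core not found in lock file"
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", version)
    if not m:
        # e.g. "9.3.x-dev": a branch checkout cannot be compared to a tag
        return "unknown: non-release version, check manually"
    # Compare as integer tuples so that 9.3.12 sorts above 9.3.6
    ver = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    if ver[:2] == FIXED[:2]:
        if ver < FIXED or (ver == FIXED and prerelease):
            return "update: 9.3.x below 9.3.6"
        return "ok: 9.3.6 or later on 9.3.x"
    if ver < FIXED:
        return "update: older branch, move to its latest secure release or 9.3.6"
    return "not covered: newer branch than this page addresses"

def audit(locks):
    """Classify several sites; `locks` maps a site label to composer.lock text."""
    return {site: classify(core_version(text)) for site, text in locks.items()}

# Constructed sample input (not taken from a real site)
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "symfony/http-foundation", "version": "v4.4.37"},
    {"name": "drupal/core", "version": "9.3.5"},
]})

if __name__ == "__main__":
    for site, result in audit({"example-site": SAMPLE_LOCK}).items():
        print(f"{site}: {result}")
```
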

Bug Fixes

This release contains security-related bug fixes only. The specific details of the fixed vulnerabilities are documented in the security advisories:

  • SA-CORE-2022-003: Addresses critical security vulnerabilities in core components
  • SA-CORE-2022-004: Fixes additional security issues identified in the Drupal core

For security reasons, detailed information about the specific vulnerabilities is only available in the official security advisories.

New Features

This security release does not contain any new features. Drupal 9.3.6 is focused exclusively on addressing security vulnerabilities.

Security Updates

Drupal 9.3.6 addresses critical security vulnerabilities detailed in two security advisories:

SA-CORE-2022-003

This security advisory addresses vulnerabilities that could potentially allow unauthorized access or code execution. The fix was developed collaboratively by multiple core contributors including ciss, xjm, larowlan, benjy, mcdruid, jenlampton, quicksketch, Fabianx, and effulgentsia.

SA-CORE-2022-004

This advisory addresses additional security issues discovered in Drupal core. The patch was developed by a team including samuel.mortenson, xjm, nod_, effulgentsia, phenaproxima, mcdruid, Wim Leers, tedbow, longwave, dww, larowlan, and pandaski.

For complete details on these security issues, please refer to the official security advisories on Drupal.org.

Performance Improvements

No specific performance improvements are included in this security-focused release.

Impact Summary

Drupal 9.3.6 is a critical security release that addresses vulnerabilities that could potentially be exploited to compromise site security. The impact of not updating could be severe, including unauthorized access to your site, data breaches, or site defacement.

This release demonstrates the Drupal security team's ongoing commitment to maintaining a secure CMS platform. The collaborative effort from multiple contributors highlights the strength of the Drupal community in responding quickly to security threats.

While this release contains no new features or non-security fixes, it's an essential update for maintaining the security posture of all Drupal 9.3.x sites. The security fixes were carefully developed and tested to ensure they address the vulnerabilities without disrupting existing functionality.

Statistics:

  • Files Changed: 6
  • Line Additions: 12
  • Line Deletions: 8
  • Line Changes: 20
  • Total Commits: 3

Users Affected:

  • Need to update their Drupal installations immediately to protect against security vulnerabilities
  • Should review their site for potential exploitation if updates were not applied promptly

Contributors:

xjm