Drupal Release: 9.3.9

TL;DR

Drupal 9.3.9 Release: Critical Security Update

This release addresses a critical security vulnerability identified as SA-CORE-2022-006. It's a security-focused update with no new features or performance improvements. All Drupal 9.3.x sites should upgrade immediately to protect against potential security exploits.

Highlight of the Release

• Addresses critical security vulnerability SA-CORE-2022-006
• Minimal codebase changes focused specifically on security fixes
• Direct upgrade path from Drupal 9.3.8

Migration Guide

No special migration steps are required for this update. Standard Drupal update procedures apply:

1. Back up your database and site files
2. Put the site into maintenance mode
3. Update Drupal core to version 9.3.9
4. Run the database update script
5. Take the site out of maintenance mode

For detailed instructions, refer to the standard Drupal update documentation.

Upgrade Recommendations

Immediate Upgrade Recommended

Due to the security-critical nature of this release, immediate upgrade is strongly recommended for all sites running Drupal 9.3.x.

• Priority: Critical
• Timing: Update as soon as possible
• Preparation: Follow standard backup procedures before updating
• Compatibility: No known compatibility issues with properly maintained Drupal 9.3.x sites

Sites that cannot update immediately should consult with security professionals about potential mitigations until the update can be applied.

Bug Fixes

This release primarily focuses on security fixes rather than general bug fixes. Any bug fixes included are directly related to resolving the security vulnerability identified in SA-CORE-2022-006.

New Features

No new features were introduced in this release. Drupal 9.3.9 is strictly a security update addressing the vulnerability identified in SA-CORE-2022-006.

Security Updates

Critical Security Fix: SA-CORE-2022-006

This release addresses a critical security vulnerability identified as SA-CORE-2022-006. While specific details about the vulnerability are limited to prevent exploitation, the security advisory indicates this is an important update that all Drupal 9.3.x sites should implement immediately.

The security fix was contributed by multiple core team members and security experts including JeroenT, DamienMcKenna, xjm, pwolanin, alexpott, larowlan, and greggles.

Performance Improvements

No specific performance improvements were included in this release. The update focuses exclusively on addressing the security vulnerability.

Impact Summary

This security-focused release addresses a critical vulnerability that could potentially affect the security of Drupal 9.3.x websites. The minimal nature of the changes (34 code changes across 4 files) suggests a targeted fix for a specific security issue.

The involvement of multiple core security team members in the fix indicates the importance of this update. While the exact nature of the vulnerability is not detailed to prevent exploitation, the security advisory SA-CORE-2022-006 classification suggests it requires immediate attention.

Sites that delay updating may be vulnerable to security exploits. The update process should be straightforward with minimal risk of disruption to site functionality, as it contains no new features or significant changes beyond the security fix.