Drupal Release: 9.4.3
Tag Name: 9.4.3
Release Date: 7/20/2022
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 9.4.3 Security Release
This is a critical security release addressing multiple vulnerabilities (SA-CORE-2022-012 through SA-CORE-2022-015). All Drupal 9 site owners should update immediately to protect their sites from potential security exploits. This release contains no new features but focuses exclusively on security patches.
Highlight of the Release
- Addresses four security advisories (SA-CORE-2022-012, SA-CORE-2022-013, SA-CORE-2022-014, and SA-CORE-2022-015)
- Collaborative security fixes from multiple core contributors
- Critical security release that all Drupal 9 sites should apply immediately
Migration Guide
No migration steps are required for this update as it contains only security fixes. Standard Drupal update procedures apply:
- Back up your database and site files
- Put the site into maintenance mode
- Update Drupal core using your preferred method (Composer, Drush, or manual update)
- Run the database updates
- Clear caches
- Take the site out of maintenance mode
For detailed instructions, refer to the Drupal update documentation.
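The steps above as a single script, with a version gate in front and a version check before the site goes back online. This is an added example, not part of the release notes or of Drupal itself; it assumes a Composer-managed site with Drush in `vendor/bin`, and `SITE_ROOT`, `BACKUP_DIR` and the function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the release notes): the update steps above as one script.
# Assumes a Composer-managed site with Drush in vendor/bin; paths are placeholders.
FIXED_VERSION="9.4.3"                            # release named on this page
SITE_ROOT="${SITE_ROOT:-/var/www/drupal}"        # assumed project root
BACKUP_DIR="${BACKUP_DIR:-/var/backups/drupal}"  # assumed backup location
DRUSH="vendor/bin/drush"

# Exit 0 when version $1 is strictly older than $2 (numeric major.minor.patch compare).
version_lt() {
  for i in 1 2 3; do
    x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}             # drop suffixes such as "-dev"
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1                                       # equal versions are not "older"
}
needs_update() { version_lt "$1" "$FIXED_VERSION"; }

apply_update() {
  cd "$SITE_ROOT" || return 1
  current=$("$DRUSH" status --field=drupal-version) || return 1
  if ! needs_update "$current"; then
    echo "Drupal $current already includes the $FIXED_VERSION fixes"; return 0
  fi
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$BACKUP_DIR" || return 1
  # 1. Back up the database and site files.
  "$DRUSH" sql:dump --gzip --result-file="$BACKUP_DIR/db-$stamp.sql" || return 1
  tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" -C "$SITE_ROOT" . || return 1
  # 2. Maintenance mode on; a failure below leaves it on so a half-updated site is not served.
  "$DRUSH" state:set system.maintenance_mode 1 --input-format=integer || return 1
  # 3. Update core and its dependencies within the project's version constraint.
  composer update "drupal/core-*" --with-all-dependencies || return 1
  # 4. Database updates, 5. cache rebuild.
  "$DRUSH" updatedb -y || return 1
  "$DRUSH" cache:rebuild || return 1
  # Confirm the fixed release is actually installed before going live again.
  current=$("$DRUSH" status --field=drupal-version) || return 1
  if needs_update "$current"; then
    echo "Still on $current; leaving maintenance mode on" >&2; return 1
  fi
  # 6. Maintenance mode off.
  "$DRUSH" state:set system.maintenance_mode 0 --input-format=integer
}
# Only touch the site when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then apply_update; fi
```

Run it with `--apply` to perform the update; without that argument it only defines the functions, so `needs_update` can be reused in an inventory check across several sites.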
Upgrade Recommendations
Immediate Update Strongly Recommended
This is a critical security release that all Drupal 9 site owners should apply immediately. The security fixes address vulnerabilities that could potentially be exploited if left unpatched.
- Priority: Critical
- Timing: Update as soon as possible
- Preparation: Perform a full site backup before updating
- Testing: Test your site functionality after applying the update
- Monitoring: Review logs for any suspicious activity after updating
Sites running Drupal 9.4.2 or earlier versions should update to Drupal 9.4.3 immediately to ensure protection against the security vulnerabilities addressed in this release.
Bug Fixes
Security Vulnerabilities Fixed
This release addresses four security advisories:
- SA-CORE-2022-012: Security vulnerability patched by multiple contributors including cmlara, GuyPaddock, larowlan, mondrake, effulgentsia, xjm, longwave, Dave Reid, lauriii, David Strauss, benjifisher, alexpott, mcdruid, and Fabianx.
- SA-CORE-2022-013: Security vulnerability addressed by prudloff, tim.plunkett, Heine, effulgentsia, xjm, lauriii, longwave, and larowlan.
- SA-CORE-2022-014: Security vulnerability fixed by elarlang, pwolanin, xjm, mcdruid, effulgentsia, greggles, jenlampton, larowlan, and longwave.
- SA-CORE-2022-015: Security vulnerability patched by Heine, larowlan, alexpott, samuel.mortenson, xjm, pandaski, vijaycs85, effulgentsia, drumm, benjifisher, jenlampton, and longwave.
The specific details of these vulnerabilities are typically not disclosed immediately to prevent exploitation on sites that have not yet been updated.
New Features
This release does not contain any new features as it is focused exclusively on security fixes. The changes are limited to addressing the security vulnerabilities identified in the security advisories.
Security Updates
Critical Security Fixes
This release contains fixes for four security advisories:
- SA-CORE-2022-012: While specific details are limited to prevent exploitation, this security advisory was addressed by a large team of contributors, suggesting a significant vulnerability that required extensive collaboration to fix.
- SA-CORE-2022-013: This security fix involved contributions from core developers specializing in various parts of the Drupal system, indicating a vulnerability that potentially affected multiple components.
- SA-CORE-2022-014: Another critical security fix with contributions from security specialists and core maintainers.
- SA-CORE-2022-015: The fourth security advisory addressed in this release, with patches from twelve different contributors.
The Drupal security team follows responsible disclosure practices and typically releases more detailed information about vulnerabilities after users have had adequate time to update their sites.
Performance Improvements
No specific performance improvements are included in this release as it focuses exclusively on security fixes. Any performance changes would be incidental to the security patches applied.
Impact Summary
This release is focused exclusively on security fixes, addressing four security advisories (SA-CORE-2022-012 through SA-CORE-2022-015). The security team and numerous contributors collaborated to patch these vulnerabilities, resulting in 226 changes across 14 files (200 additions and 26 deletions).
The impact is primarily on site security, with no new features or intentional changes to functionality. Site administrators should prioritize this update to protect their sites from potential security exploits. While the specific details of the vulnerabilities are not immediately disclosed (following security best practices), the involvement of many core contributors suggests these were significant issues requiring immediate attention.
All Drupal 9 sites should be updated immediately, following standard update procedures including creating backups before applying the update.
Users Affected:
- Need to update their Drupal installations immediately to address security vulnerabilities
- Should review site security and access logs for potential exploitation attempts
- May need to coordinate with development teams to ensure proper update deployment
