Drupal Release: 9.4.7

TL;DR

Drupal 9.4.7 is a security release that addresses critical vulnerabilities identified in SA-CORE-2022-016. This update is essential for all Drupal 9.4.x sites to protect against potential security exploits. The release contains security patches with minimal code changes (278 additions, 18 deletions across 11 files) and no new features or functionality changes.

Highlight of the Release

• Critical security update addressing vulnerabilities detailed in SA-CORE-2022-016
• Minimal code changes focused specifically on security fixes
• Collaborative security patch developed by multiple core contributors

Migration Guide

No migration steps are required for this security update. The update focuses on security fixes that don't change APIs or functionality. Standard update procedures apply:

1. Back up your database and site files before updating
2. Update Drupal core using your preferred method (Composer, Drush, or manual update)
3. Run the database updates by visiting /update.php or using Drush
4. Clear caches

For detailed instructions on updating Drupal core, refer to the official documentation.

Upgrade Recommendations

Immediate upgrade strongly recommended

All sites running Drupal 9.4.x should update to Drupal 9.4.7 immediately to address the security vulnerabilities. This is a critical security release that fixes issues that could potentially be exploited by malicious actors.

If you are running an earlier version of Drupal (9.3.x or earlier), you should update to the latest secure version for your branch or consider upgrading to 9.4.7 if feasible for your site.

The security fixes in this release are targeted and minimal, making this update relatively low-risk from an implementation standpoint.

Bug Fixes

This release primarily contains security fixes rather than regular bug fixes. The changes are specifically targeted at addressing the security vulnerabilities outlined in the SA-CORE-2022-016 security advisory. For details about the specific vulnerabilities fixed, refer to the official security advisory.

New Features

No new features were introduced in this release. Drupal 9.4.7 is strictly a security update that addresses vulnerabilities without adding functionality.

Security Updates

This release addresses critical security vulnerabilities detailed in SA-CORE-2022-016. The security team and core contributors collaborated to develop and implement fixes for these issues. The specific nature of the vulnerabilities is documented in the security advisory, which should be consulted for detailed information about the security implications and the fixes implemented.

The security patches were contributed by multiple core team members including fabpot, nicolas.grekas, xjm, lauriii, alexpott, Berdir, larowlan, catch, longwave, cilefen, james.williams, and benjifisher.

Performance Improvements

No specific performance improvements were included in this release. The focus was exclusively on addressing security vulnerabilities.

Impact Summary

Drupal 9.4.7 is a security-focused release that addresses critical vulnerabilities without changing functionality or APIs. The impact is primarily positive as it improves the security posture of Drupal sites without introducing breaking changes.

The security fixes involve changes to 11 files with 278 additions and 18 deletions, indicating targeted patches rather than extensive rewrites. The collaborative nature of the fix, with contributions from 12 core team members, suggests a thorough review and testing process.

While the update itself is low-risk from a functionality perspective, the security vulnerabilities being addressed pose a significant risk to unpatched sites. Therefore, the overall impact of applying this update is a substantial improvement to site security with minimal risk of disruption to existing functionality.