Drupal Release: 9.5.3
Tag Name: 9.5.3
Release Date: 2/1/2023
Drupal: Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.
TL;DR
Drupal 9.5.3 is a maintenance and security release that addresses several critical issues: security vulnerabilities, bugs, and performance problems. This release fixes a Server-Side Template Injection vulnerability in the CKEditor Language plugin, improves file inclusion security, resolves various PHP 8.2 deprecation notices, and fixes multiple bugs affecting core functionality like views, cron processing, and path aliases. Site administrators should update to this version as soon as possible to ensure their sites remain secure and stable.
Highlight of the Release
- Fixed Server-Side Template Injection vulnerability in CKEditor Language plugin
- Improved file inclusion security with additional hardening measures
- Fixed cron queue processing to prevent duplicate processing
- Resolved path alias manager issues that affected URL handling
- Improved PHP 8.2 compatibility by addressing deprecation notices
Migration Guide
No specific migration steps are required for this maintenance release. This is a standard update that fixes bugs and security issues without introducing breaking changes.
To update to Drupal 9.5.3:
- Back up your database and site files
- Put your site into maintenance mode
- Update Drupal core using your preferred method:
  - Using Composer (recommended): composer update drupal/core-recommended --with-all-dependencies
  - Using Drush: drush up drupal
- Run database updates: drush updatedb, or visit /update.php
- Clear caches: drush cache:rebuild, or clear via the admin interface
- Take your site out of maintenance mode
If you're using contributed modules that interact with affected core components (particularly those related to views, path aliases, or cron processing), test your site thoroughly after the update.
Upgrade Recommendations
Priority: High
This release contains important security fixes, including a Server-Side Template Injection vulnerability in the CKEditor Language plugin and file inclusion security hardening. All site administrators should update to Drupal 9.5.3 as soon as possible to ensure their sites remain secure.
For sites on Drupal 9.5.x:
- Update directly to 9.5.3 as soon as possible.
- This is a maintenance release with no breaking changes, so the update process should be straightforward.
For sites on older versions of Drupal 9:
- Consider updating to the latest version of your current branch first, then to 9.5.3.
- If you're on Drupal 9.4.x or earlier, plan to update to Drupal 9.5.x soon, as older branches will eventually stop receiving security updates.
For sites on Drupal 8 or earlier:
- Drupal 8 is end-of-life and no longer receives security updates.
- You should plan a migration to Drupal 9 or 10 as soon as possible.
Testing recommendation:
- Always test the update on a staging environment before applying to production.
- Pay particular attention to testing any custom code that interacts with path aliases, views filters, or cron processing, as these areas saw significant fixes.
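As an added example (not part of the release notes and not the Drupal project's own tooling), the POSIX sh script below ties the two sections above together: it maps an installed drupal/core version to the branch recommendation given in the upgrade guidance (9.5.x updates directly, earlier 9.x updates its own branch first, Drupal 8 is end-of-life), and then runs the migration-guide steps in order using the Composer path. It assumes drush and composer are on PATH, that it is run from the Composer project root, and that the public files live under web/sites/default/files; the backup location is a hypothetical default. Set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the Drupal release notes or project.
# Assumptions: drush and composer on PATH, run from the Composer project root,
# files directory at web/sites/default/files; backup path is hypothetical.

TARGET="9.5.3"

# Compare two dotted versions; prints "lt", "eq" or "gt" for $1 relative to $2.
vercmp() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        : "${x:=0}" "${y:=0}"
        [ "$x" -lt "$y" ] && { echo lt; return; }
        [ "$x" -gt "$y" ] && { echo gt; return; }
    done
    echo eq
}

# Map an installed version to the branch advice given in the release notes.
advice() {
    v="$1"
    major="${v%%.*}"
    rest="${v#*.}"; minor="${rest%%.*}"
    if [ "$major" -lt 9 ]; then
        echo "eol: Drupal $major is end-of-life; plan a migration to Drupal 9 or 10"
    elif [ "$major" -eq 9 ] && [ "$minor" -lt 5 ]; then
        echo "branch-first: update to the latest 9.$minor.x release, then to $TARGET"
    elif [ "$(vercmp "$v" "$TARGET")" = "lt" ]; then
        echo "update: update directly to $TARGET"
    else
        echo "ok: already at $TARGET or newer"
    fi
}

# Run a command, or only print it when DRY_RUN=1 (useful for a rehearsal).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# The migration-guide steps in order: backup, maintenance mode on, core update,
# database updates, cache rebuild, maintenance mode off. Stops at the first failure.
update_site() {
    backup_dir="${1:-./backup-$(date +%Y%m%d)}"   # hypothetical default location
    run mkdir -p "$backup_dir" &&
    run drush sql:dump --result-file="$backup_dir/db.sql" &&
    run tar -czf "$backup_dir/files.tgz" web/sites/default/files &&
    run drush state:set system.maintenance_mode 1 --input-format=integer &&
    run composer update drupal/core-recommended --with-all-dependencies &&
    run drush updatedb -y &&
    run drush cache:rebuild &&
    run drush state:set system.maintenance_mode 0 --input-format=integer
}

# Stand-alone use: sh drupal-update.sh <installed-version>
# Prints the advice and, only when a direct update applies, runs the steps.
if [ -n "${1:-}" ]; then
    msg="$(advice "$1")"; echo "$msg"
    case "$msg" in update:*) update_site ;; esac
fi
```

The installed version can be read with drush status --field=drupal-version and passed as the first argument; running with DRY_RUN=1 first shows exactly which commands will be executed against the staging site before the same sequence is applied to production.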
Bug Fixes
Core System Fixes
- Fixed an issue where the path alias manager could not find aliases by internal path (#3226334)
- Fixed a bug where the security message about failed login attempts wasn't cleared when users reset their passwords (#992540)
- Resolved an issue where blocks with #attached properties were removed after upgrade (#3333858)
- Fixed cron queue processing to prevent duplicate processing when already being handled elsewhere (#1875020)
Views Module Fixes
- Fixed the "Is not equal to" operator in Views combine filter which was incorrectly using the same operator as "Is equal to" (#3323353)
- Fixed random failures in the views_ui LibraryCachingTest (#3317938)
- Added missing schema for comment_link_approve views field configuration (#3294619)
Media Handling
- Fixed incorrect thumbnail dimensions for YouTube videos (#3088168)
Theme System
- Fixed an issue preventing uninstallation of base theme and subtheme via config sync at the same time (#3001430)
- Fixed select list chevron-down icon position in RTL direction in Claro theme (#3336002)
JavaScript Fixes
- Fixed "Uncaught TypeError: this.$pluginSelect.find(...)[0] is undefined" error (#3305706)
- Fixed issue where "core/drupal.checkbox" was not loading on user permission page (#3244737)
PHP 8.2 Compatibility
- Fixed deprecation notice about creating dynamic property in PostgreSQL driver (#3328005)
- Fixed deprecation notice when passing null to htmlspecialchars() (#3310555)
Other Fixes
- Fixed incorrect return type in LinkBase::getDefaultLabel() (#3331438)
- Fixed issues in TestSettingSummariesContentType (#3324901)
- Fixed documentation issues with cron links pointing to D7 documentation (#3332712)
- Fixed BlockedIp::import to properly implement MigrateDestinationInterface::import (#3260391)
- Fixed SQL escaping in GROUP BY fields for select queries (#3191623)
New Features
No significant new features were added in this maintenance release. This version focuses primarily on security fixes, bug fixes, and performance improvements to existing functionality.
Security Updates
- Server-Side Template Injection Vulnerability: Fixed a Server-Side Template Injection (SSTI) vulnerability in the CKEditor Language plugin via translation of "Language". This could potentially allow attackers to execute arbitrary code. (#3331205)
- File Inclusion Security Hardening: Implemented additional security measures to prevent file inclusion vulnerabilities, strengthening the core system against potential attacks. (#3191389)
- Dependency Security Updates: Updated Yarn dependencies to fix vulnerabilities identified by yarn audit, ensuring third-party libraries don't introduce security risks. (#3332447)
- SQL Injection Prevention: Fixed an issue with SQL escaping in GROUP BY fields for select queries, preventing potential SQL injection attacks. (#3191623)
- Symfony Updates: Updated Symfony components to v6.2.6 / v4.4.50 to address security vulnerabilities in these dependencies. (#3338301)
Performance Improvements
- Cron Queue Processing: Fixed an issue where cron queues were being processed every time cron ran, regardless of whether they were already being processed elsewhere. This could lead to duplicate processing and unnecessary resource usage. (#1875020)
- Database Query Optimization: Improved SQL query handling by ensuring proper escaping of GROUP BY fields in select queries, which can lead to better query performance and prevent potential SQL injection issues. (#3191623)
- Theme Handling: Fixed an issue with theme uninstallation during configuration synchronization, which could previously cause performance degradation during config imports. (#3001430)
- Path Alias Management: Improved the path alias manager's ability to find aliases by internal path, which enhances the performance of URL handling throughout the system. (#3226334)
Impact Summary
Drupal 9.5.3 is primarily a security and bug fix release that addresses several important vulnerabilities and issues. The most significant impact is on security, with fixes for a Server-Side Template Injection vulnerability in the CKEditor Language plugin and improvements to file inclusion security.
For site administrators, this release resolves several long-standing issues, including problems with cron queue processing that could cause performance degradation, and fixes for path alias handling that could affect URL generation throughout the site. The fix for the security message not clearing after password resets improves the user experience for both administrators and end users.
Developers will benefit from improved PHP 8.2 compatibility, fixing several deprecation notices that would appear in logs. The release also includes numerous documentation improvements and code comment fixes that make the API more accurate and easier to use.
Content editors will see improved handling of YouTube media thumbnails, and the security fix for the CKEditor Language plugin ensures their content creation environment remains secure.
From an accessibility standpoint, the release includes fixes for pager headings and RTL language support in the Claro theme, improving the experience for users with assistive technologies and those using right-to-left languages.
Overall, while this release doesn't introduce new features, it significantly improves the security, stability, and performance of Drupal 9.5.x sites, making it an important update for all Drupal installations.
Statistics
Users affected:
- Need to update their Drupal installations to address security vulnerabilities
- Will benefit from fixed cron processing issues that previously could cause performance problems
- Will see improved handling of theme uninstallation during configuration synchronization
