Drupal 8.9.1
17 June 2020
Drupal version 8.9.1 is now available (security release).
Upgrading to Drupal 8.9.1
Drupal 8.9.1 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Drupal updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Drupal install to test the 8.9.1 upgrade prior to applying it live. Get started managing your Drupal installations with Installatron
What's New in Drupal 8.9.1
Security
- Drupal core - Critical - Cross-Site Request Forgery - SA-CORE-2020-004 - The Drupal core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
- Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005 - Drupal 8 and 9 have a remote code execution vulnerability under certain circumstances. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. With this directory in place, an attacker could attempt to brute force a remote code execution vulnerability. Windows servers are most likely to be affected.
- Drupal core - Less critical - Access bypass - SA-CORE-2020-006 - JSON:API PATCH requests may bypass validation for certain fields. By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the read_only set to FALSE under jsonapi.settings config are vulnerable.