This is a security release of the Drupal 9 series.
This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:
No other fixes are included.
Which release do I choose? Security coverage information
- Drupal 9.4.x will receive security coverage until June 2023 when Drupal 10.1.0 is released. Update to Drupal 9.5 soon, and plan to update to Drupal 10 by November 2023, to continue receiving security coverage.
- Versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage.
- Drupal 8 is end-of-life and does not receive security coverage.
Important update information
Changes to site-owner-managed files
-
Following this release, Drupal will block access to private files at certain specially crafted paths. Previous versions of Drupal allowed access to these paths, and in most cases blocking access is the correct behavior.
There may be some sites that rely on allowing access to these paths, or the changes in this release may cause other problems with file access. These sites can add the following line to
settings.php:
$settings['file_sa_core_2023_005_schemes'] = ['private'];
This will preserve the old behavior for files saved in the private files directory, using the
privatestream wrapper from Drupal core. Sites that need to preserve the old behavior for files using other stream wrappers, from contributed or custom modules, should list those stream wrappers instead of'private'.The comments in
default.settings.phphave additional information.Using this setting will bypass the access checks added in this release, which may allow public access to files that are meant to be private. This setting is a temporary backward-compatibility layer for misconfigured sites. It will be removed in a future release since it is insecure.