Posted by xjm on July 20, 2022 at 4:07pm

This is a security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

No other changes are included.

Which release do I choose? Security coverage information

  • Drupal 9.4.x will receive security coverage until June 2023 when Drupal 10.1.0 is released.
  • Sites on 9.3.x or earlier should update immediately to Drupal 9.3.19 instead of this release (but update to 9.4 or higher soon).
  • Versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage.
  • Versions of Drupal 8 are end-of-life and do not receive security coverage.

Important update information

  • Following this release, Drupal will assume by default that custom stream wrappers (like Remote Stream Wrapper or Flysystem, among many others) should be private by default so that Drupal will manage downloads and access control. If a module intentionally wishes to serve files with no access checking or management by Drupal, the module should implement hook_file_download().

    Since various contributed stream wrapper modules might not be able to update immediately for this security release, site owners may also specify which stream wrappers should be treated as public stream wrappers (with no access control). If content from a stream wrapper on your site stops working after this update, you can add the following line to settings.php:


    $settings['file_additional_public_schemes'] = ['example'];

    …where example is replaced by the name of the affected stream wrapper. (For example, s3 or https.) The name of the stream wrapper will depend on the affected module and its configuration.

    You should also locate or submit an issue in the module's queue to implement hook_file_download() for this security advisory.

  • If the private files directory is inside the public files directory (e.g. drupal/sites/files/private), a site file field misconfiguration or other issue might lead to the site relying on the previous access bypass. If parts of your file or image content become inaccessible after this release, add the following line to your site's settings.php:


    $settings['sa_core_2022_012_override'] = TRUE;

    This setting is a temporary backward-compatibility layer for misconfigured sites and will be removed in a future release. In the long term, you should migrate your uploaded files to the correct public or private directories.

VCS Label
9.4.3
Release type
Security update
Insecure
Short description
Actively maintained with new features and backwards-compatible improvements every six months. Use this version for the best compatibility with future releases.
Packaged Git sha1
bf401c8d5c5a88d442ac7e95a9eb059d123a771c
Release files
3c5a6cec68a833f50bb10490a2c60f50
Release file SHA-1 hash
7336a9c9023e1d04ec92aa679f248616e837a9bc
Release file SHA-256 hash
6db29f26f5a6c1431a51e3679b966507c9e8c95f0ca61499176013eb2af66cc5
bba49c8b0becae38bc685f1156ea7e69
Release file SHA-1 hash
82d65708df12808eaca8f611c1e4851ab675c5f9
Release file SHA-256 hash
0f17f89a18ee142da0e6f044b4bebe34d683a346147e9d8936ae28f85791b9eb