The Drupal Security team has released a critical (15/25) security update for Drupal core today (4/21/2021). Based on the CVE SA-CORE-2021-002 this is a cross site scripting vulnerability. Thankfully, not all sites are impacted. However given the vulnerability is listed as a 15/25 it is strongly recommended that you update ASAP!
Updating Your Site
As always, if you’re using composer you simply need to:
composer update drupal/core --with-all-dependencies
You should see output in your terminal like:
composer update drupal/core --with-all-dependencies
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 6 updates, 0 removals
- Upgrading drupal/core (9.1.6 => 9.1.7)
- Upgrading laminas/laminas-diactoros (2.5.0 => 2.5.1)
- Upgrading symfony/deprecation-contracts (v2.2.0 => v2.4.0)
- Upgrading symfony/http-client-contracts (v2.3.1 => v2.4.0)
- Upgrading symfony/service-contracts (v2.2.0 => v2.4.0)
- Upgrading symfony/translation-contracts (v2.3.0 => v2.4.0)
Writing lock file
If you do NOT see such update, double check your definitions in the composer.json file to ensure you aren’t pinned to a version of Drupal (e.g. 9.1.6) that wouldn’t allow for an update.
There are no database updates or configuration changes made with this release.
In Conclusion
As always, please thoroughly test your site after the update to ensure that nothing broke! I also recommend:
subscribing to Drupal security updates (I find Twitter to be super helpful)
patching and deploying Drupal within 24 hours of any security update
A tutorial for how to use the Drupal plugin system to embed Javascript on a website securely.