drupal 8.6.2

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal Core - Multiple vulnerabilities - SA-CORE-2018-006

No other fixes are included.

Sites on 8.5.x or earlier should update immediately to Drupal 8.5.8 instead, and plan to update to the latest 8.6.x release before May 2019.

Important update information

Site update and module owners planning to update to this should take note of the following important changes.

For site owners

• Previously, users who didn't have access to use any Content Moderation transitions were granted implicit access to update content provided the state of the content did not change. This access has been removed. Site owners should ensure that all content editor roles have access to appropriate transitions for moderated content types (including published to published where appropriate).
• There are no database updates in this release, but site owners will need to run update.php to ensure a cache clear.
• No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

For contributed and custom module developers

• \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination() has been removed. If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch.
• An additional method has been added to StateTransitionValidationInterface. Implementations should review the new method and ensure compatibility with it.
• ModerationStateConstraintValidator now has two additional service dependencies. Subclasses will need to update their constructor to inject the new services.