Problem/Motivation

SA-CORE-2018-002 provided security releases for 8.5.x, 8.4.x, and 8.3.x. In order to work around #2804155 (If the next minor version of core has a security release, status still says "Security update required!" even if the site is on an equivalent, secure release already), the security release introduced a hotfix in the Update module to allow 8.4.6 and 8.3.7 to be considered equivalent to 8.5.1 for security purposes (since all three releases included the same security fix). Without this hotfix, Drupal would have displayed "Security update required!" on 8.3.7 even though it was the most secure release at the time.

Since that release, all 8.5.x core security releases have also been unofficially backported to 8.4.x in order to beta-test providing security coverage for old minor releases, as per #2909665 ([plan] Extend security support to cover the previous minor version of Drupal).

However, the hotfix was only added to 8.4.x and 8.3.x, and does not exist in 8.5.x and higher. This means that if an 8.6.x security release is issued in the future, #2804155 (If the next minor version of core has a security release, status still says "Security update required!" even if the site is on an equivalent, secure release already) will again crop up for the 8.5.x backport of that release.

Furthermore, the function _update_equivalent_security_releases() is also different on 8.4.x than on 8.3.x. This is not actually necessary, since the function already checks for an exact, hardcoded match for an equivalent security release. The difference has meant that different security patches were required on different core branches, adding overhead and also leading to #2957251 (Update manager shows false "security update" message after update to 8.4.6) and #2966258 (Wrongly indicates security update for 8.4.8?).

Proposed resolution

Make _update_equivalent_security_releases() the same on all branches (with all the historical equivalent matches) so that the same security patches can be used across branches in the future.
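To make the behaviour of the hotfix concrete, here is an added illustration in PHP. It is not Drupal's own update.module code: the function names example_equivalent_security_releases() and example_security_update_required(), the sample inputs, and the single equivalence group are assumptions drawn from the issue text, which states that SA-CORE-2018-002 shipped the same fix in 8.3.7, 8.4.6 and 8.5.1. It shows why a site on 8.3.7 is flagged when the only newer security release is 8.5.1 unless that release is listed as equivalent, and why one identical hardcoded table on every branch is sufficient, because only an exact match is ever consulted.

```php
<?php
// Added illustration, not Drupal's update.module code. The version table
// is an assumption based on the issue text: SA-CORE-2018-002 shipped the
// same security fix in 8.3.7, 8.4.6 and 8.5.1.

/**
 * Returns the releases that carry the same security fixes as $installed.
 *
 * Hypothetical stand-in for _update_equivalent_security_releases(): one
 * hardcoded table, meant to be byte-for-byte identical on every branch so
 * that the same security patch applies everywhere. Only an exact match is
 * looked up, so carrying the historical groups on all branches is harmless.
 */
function example_equivalent_security_releases(string $installed): array {
  // Constructed table: each group lists releases that are equivalent for
  // security purposes. Only the SA-CORE-2018-002 group appears on the page.
  $groups = [
    ['8.3.7', '8.4.6', '8.5.1'],
  ];
  foreach ($groups as $group) {
    if (in_array($installed, $group, TRUE)) {
      return $group;
    }
  }
  return [];
}

/**
 * Decides whether a "Security update required!" warning is warranted.
 *
 * $available is the list of currently published security releases
 * (constructed sample input). Returns TRUE when a newer security release
 * exists that is neither $installed itself nor an equivalent of it.
 * $use_equivalents = FALSE reproduces the behaviour without the hotfix.
 */
function example_security_update_required(string $installed, array $available, bool $use_equivalents = TRUE): bool {
  $secure = [$installed];
  if ($use_equivalents) {
    $secure = array_unique(array_merge($secure, example_equivalent_security_releases($installed)));
  }
  foreach ($available as $release) {
    // A newer security release that is not equivalent to the installed one
    // means the site is actually missing a fix.
    if (!in_array($release, $secure, TRUE) && version_compare($release, $installed, '>')) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed sample: the site runs 8.3.7 and 8.5.1 is the newest security
// release published for core.
$installed = '8.3.7';
$available = ['8.5.1'];

// Without the equivalence table: the #2804155 symptom, a secure site is flagged.
var_dump(example_security_update_required($installed, $available, FALSE));

// With the table: 8.5.1 is equivalent to 8.3.7, so no warning is shown.
var_dump(example_security_update_required($installed, $available));

// The same call on an 8.4.6 site gives the same result, because the table
// that answers the question does not depend on which branch it lives in.
var_dump(example_security_update_required('8.4.6', $available));
```

The first call reports that an update is required, which is the false positive the hotfix was introduced to suppress; the second and third report that none is, and do so from the same table regardless of whether the site is on 8.3.x or 8.4.x. That is the property the proposed resolution relies on: because the lookup is an exact match, a single function body containing every historical group can ship on every branch without changing any branch's answer.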

Remaining tasks

#2804155 (If the next minor version of core has a security release, status still says "Security update required!" even if the site is on an equivalent, secure release already) will fix this in a more robust way for future releases (using Drupal.org metadata instead of a hardcoded list to determine which core releases are currently considered secure at any given time).

User interface changes

None.

API changes

_update_equivalent_security_releases() will be added to 8.5.x through 8.7.x.

Data model changes

None.

Comments

xjm created an issue. See original summary.

xjm:

Status: Active » Needs review
FileSize: 2.87 KB

Here's the patch porting the whole thing to 8.5.x and higher.

xjm:

Here is a patch bringing 8.4.x into line for the sake of any future backports.

xjm:

Issue summary: View changes

xjm:

+++ b/core/modules/update/update.module
@@ -404,9 +404,64 @@ function update_get_available($refresh = FALSE) {
+ * @todo This is a temporary fix to allow minor-version backports of security
+ *   fixes to be shown as secure. It should not be included in the codebase of
+ *   any release or branch other than such backports. Replace this with
+ *   https://www.drupal.org/project/drupal/issues/2766491.
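Review bot: the @todo's second sentence, "It should not be included in the codebase of any release or branch other than such backports," contradicts what this patch does, which is to carry the function on 8.5.x and higher so the same security patches apply on every branch; reword it to say the function is a temporary hardcoded list kept identical across branches until it is replaced. The @todo also links https://www.drupal.org/project/drupal/issues/2766491 as the replacement, while the issue summary names #2804155 as the follow-up that will use Drupal.org metadata; confirm the reference points at the intended issue so the two do not drift apart.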

I guess I should probably remove the sentence "It should not be included in the codebase of any release or branch other than such backports," since we're going to do exactly that here. :P

xjm:

And the 8.4.x version again.

catch:

Status: Needs review » Reviewed & tested by the community

+1, having the redundant code is better than having merge conflicts in this case.

  • catch committed a3d8fa1 on 8.5.x
    Issue #2989243 by xjm: _update_equivalent_security_releases() should not...

  • catch committed ca462c5 on 8.4.x
    Issue #2989243 by xjm: _update_equivalent_security_releases() should not...

catch:

Version: 8.5.x-dev » 8.4.x-dev
Status: Reviewed & tested by the community » Fixed

Committed/pushed the respective patches to 8.5 and 8.4, thanks!

xjm:

Assigned: xjm » Unassigned

Thanks @catch!

  • xjm committed f6c312e on 8.6.x authored by catch
    Issue #2989243 by xjm: _update_equivalent_security_releases() should not...

  • xjm committed fab1556 on 8.7.x authored by catch
    Issue #2989243 by xjm: _update_equivalent_security_releases() should not...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.