Comments
Comment #2
mariusm commented
Unfortunately, Drupal is getting worse at security.
Comment #3
jon pollard commented
I'm not sure that fixing vulnerabilities can be construed as "getting worse at security"! Drupal consistently fix security issues - Commerce Kickstart do tend to be a bit sluggish to release these patches though.
Comment #4
mlecha commented
+1 for a 7.x-1.x release. Thank you!
Comment #5
mariusm commented
quick fix of vulnerabilities = good security
At this point the distribution appears green.
The distribution now includes a major security issue and should appear red.
A person who does not know what the security issues are up to date may think that everything is fine.
A few years ago there were no such problems.
Unfortunately, the number of Drupal members has dropped a lot.
Comment #6
rszrama commented
You can actually update core without updating the entire distro... but regardless, new release packaged includes the update. 🤷🏼♂️
Comment #8
jon pollard commented
I was under the impression that updating elements of a distribution independently was not good practice.
Thanks for the update!
Comment #9
theboyk commented
I would caution against updating Core outside of the distro—unless something has changed in the last year or so that's made this possible? I have one site remaining on Commerce Kickstart; when I first took over this site in 2015, I didn't realize the original developer had used CK on the install and when I applied a straight Core update, the site was totally borked (many of the files that the CK install rely on were wiped out). It was only the dev environment, and I was able to roll back the update once I realized what I'd done, so wasn't a big deal. I've attempted this as a test again a number of times over the year (to patch "critical security updates" instead of waiting on CK to be updated) and I've never been successful. Maybe this is just this site that can't do a straight Core update, but again, I'd apply with caution (and just make sure you have a backup before doing so).
Like I said, I've looked into this option many times over the years (as CK has always been slow on the uptake of Core updates; at least since I've been dealing with it from as far back as 2015).
I realize this is an old thread, but this post from one of the CK maintainers says NOT to do this:
You are not allowed to do that, and that can seriously break your installation. Kickstart ships with patched Drupal installations, by removing patches you are destabilizing your install.
Whenever a Drupal core security release happens, a parallel Kickstart release is made. You always update Kickstart as a whole.
https://www.drupal.org/node/1594622#comment-7201030
Again, as that's an old thread, maybe something has changed over the last while that allows for this, but the last time I attempted it (last year), it failed.
rszrama — Can you confirm what, if anything, has changed so that Core updates can be applied outside of the distro? Possible to provide instructions on how to apply the Core update without overwriting CK-related files?
Thanks,
Kristin.
Comment #10
dwkitchen commented