drupal 8.8.8

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• Drupal core - Critical - Cross-Site Request Forgery - SA-CORE-2020-004
• Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-005
• Drupal core - Less critical - Access bypass - SA-CORE-2020-006

No other fixes are included.

Which release do I choose? Security coverage information

• Drupal 8.8.x will receive security coverage until December 2, 2020 when Drupal 9.1.0 is released.
• Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Important update information

• Previously, if a form failed submission failed Drupal's cross-site request forgery protection, the submitted form values would be re-displayed to the user along with a message advising them to copy their previously submitted values and reload the page. Beginning with this release, the form is shown without any values for security reasons, and the user is prompted to press the back button to return to their previously entered values.

  The user-facing error message that appears when a form is outdated has also been changed, and translations of it will need to be updated.

• No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.