Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Install
To start a new Drupal project with version 9.3.19:To update your site and all dependencies to the latest version of Drupal:
To update your site to this specific release:
Pinning to a specific release may make it more challenging to update your site in future, see composer documentation for managing pinned versions
Using Composer to manage Drupal site dependencies
Downloads
Download drupal-9.3.19.tar.gztar.gz
19.98 MB
MD5: ea5d03708df82582607023003f00289f
SHA-1: 923557edeeb07063ff160f3b630a23130b60e678
SHA-256: 9226712a5115c77f20204404091eb61df6db562a5858ca5c8fcb1a4017b95aa3
Download drupal-9.3.19.zipzip
32.3 MB
MD5: 4781069c631345ede5be9b68fd352398
SHA-1: c67cb86efdfc60e1942e528b6cd5d78aa48a2376
SHA-256: d26a79d75b04c1a51fa32b742b1a0afb22fcfb08f6741dbef2f863ce4c2c5128
Release notes
This is a security release of the Drupal 9 series.
This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:
- Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012
- Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
- Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014
- Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015
No other changes are included.
Which release do I choose? Security coverage information
- Drupal 9.3.x will receive security coverage until December 14, 2022 when Drupal 9.5.0 is released. Update to Drupal 9.4.x soon to continue receiving security coverage.
- Versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage.
- Versions of Drupal 8 are end-of-life and do not receive security coverage.
Important update information
-
Following this release, Drupal will assume by default that custom stream wrappers (like Remote Stream Wrapper or Flysystem, among many others) should be private by default so that Drupal will manage downloads and access control. If a module intentionally wishes to serve files with no access checking or management by Drupal, the module should implement
hook_file_download().Since various contributed stream wrapper modules might not be able to update immediately for this security release, site owners may also specify which stream wrappers should be treated as public stream wrappers (with no access control). If content from a stream wrapper on your site stops working after this update, you can add the following line to
settings.php:$settings['file_additional_public_schemes'] = ['example'];…where
exampleis replaced by the name of the affected stream wrapper. (For example,s3orhttps.) The name of the stream wrapper will depend on the affected module and its configuration.You should also locate or submit an issue in the module's queue to implement
hook_file_download()for this security advisory. -
If the private files directory is inside the public files directory (e.g.
drupal/sites/files/private), a site file field misconfiguration or other issue might lead to the site relying on the previous access bypass. If parts of your file or image content become inaccessible after this release, add the following line to your site'ssettings.php:$settings['sa_core_2022_012_override'] = TRUE;This setting is a temporary backward-compatibility layer for misconfigured sites and will be removed in a future release. In the long term, you should migrate your uploaded files to the correct public or private directories.
What’s next?
- Learn how to install Drupal
- Learn how to update Drupal
- Extend Drupal to do more
- Get training
- Check out what others built
Security update
Insecure
