Maintenance and security release of the Drupal 9 series.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:
Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006
Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007
Drupal core - Moderately critical - Access bypass - SA-CORE-2021-008
Drupal core - Moderately critical - Access bypass - SA-CORE-2021-009
Drupal core - Moderately critical - Access bypass - SA-CORE-2021-010
No other fixes are included.
Which release do I choose? Security coverage information
Drupal 9.2.x will receive security coverage until June 15, 2022 when Drupal 9.4.0 is released.
Sites on 9.1.x or earlier should update immediately to Drupal 9.1.13 instead of this release, and plan to update to the latest 9.x release before December 8, 2021 (when Drupal 9.3.0 is scheduled for release and 9.1.x security coverage ends).
Sites on 8.9.x should update immediately to Drupal 8.9.19 instead of this release, and update to Drupal 9 as soon as possible afterward because Drupal 8 is end-of-life in six weeks.
Versions of Drupal 9 prior to 9.1.x and of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.
Important update information
No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.
Release type: Security update