
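Drupal Official Site Security Update (2020-02-11)

Source: Drupal official site  Published: 2020-02-11  Views: 102  Comments: 0

Basic information

Release date: 2020-02-11 (vendor local time)

Update type: Security update

Updated version: 9.0.0-alpha1

Detection time: 2020-02-12 03:20:02

Risk level: Unknown

Intelligence contributed by: TSRC

Update title

drupal 9.0.0-alpha1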

Update details

Download                     Size       md5 hash
drupal-9.0.0-alpha1.tar.gz   15.92 MB   d6966108add1d681774406209981fb77
drupal-9.0.0-alpha1.zip      26.73 MB   6384cfb849b0f04d87523a1a9f90e204

Last updated: 11 Feb 2020 at 19:05 UTC

Release notes

This is an alpha release for the next major version of Drupal. Drupal 9 alpha releases are intended for site owners and module or theme authors to begin testing whether their sites and code are compatible with significant dependency changes in Drupal 9.0.x. Drupal 9 alpha releases should not be used in production. No upgrade path is provided between Drupal 9 alpha releases or to Drupal 9.0.0-beta1.

Drupal 9 alphas do not include all the breaking changes that will be included in 9.0.0. Any further alpha releases as well as the first beta release will include more dependency updates and remove more of the previously identified deprecated APIs. Refer to How to prepare your Drupal 7 or 8 site for Drupal 9 for tools you can use to check the Drupal 9 compatibility of modules, themes, and sites.
For more information on 9.0.x development, see #3007300: [META] Release Drupal 9 on June 3 2020.
The 9.0.x branch also includes all the latest commits that will be backported to 8.9.x and earlier branches. 9.0.x will be nearly identical to 8.9.x except for the following:

Deprecated code will be removed.
Dependencies will be updated to new major versions as appropriate.

For all other changes, refer to the 8.9.x branch.
Information on updating to Drupal 9
Drupal 8 sites on 8.7 or earlier must update to either 8.8 or 8.9 before updating to Drupal 9 with update.php. All Drupal 8 update functions from before Drupal 8.8.0-rc1 were removed from Drupal 9. Note: The migration paths from Drupal 6 and Drupal 7 to Drupal 8 and 9 will remain supported throughout Drupal 9's release cycle.
For more information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.
Removal of Drupal 8's deprecated APIs
85% of all mentions of @deprecated APIs have already been removed, including the deprecated EntityManager service and drupal_set_message(), among others.
Render array hardening against remote code execution
The security fixes required for SA-CORE-2018-002 and SA-CORE-2018-004, as well as other publicly disclosed security issues, all indicated that the render system needs to be stricter about what may be called by a callback. If you have code that adds a render callback (#access_callback, #lazy_builder, #pre_render or #post_render), it might need to be updated to work in Drupal 9. Read more in the change record for limitations on what can be called by a callback in render arrays.
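
The restriction described above, modelled as a stand-alone PHP script (an added example, not code from Drupal core or from the original release notes). The local TrustedCallbackInterface is a stand-in for Drupal's Drupal\Core\Security\TrustedCallbackInterface; ExampleCallbacks, is_trusted_callback() and the sample callbacks are hypothetical names constructed for illustration.

```php
<?php
// Simplified model of the render-callback restriction, not Drupal core code.
// Local stand-in for Drupal\Core\Security\TrustedCallbackInterface.
interface TrustedCallbackInterface {
  public static function trustedCallbacks();
}

// Hypothetical module class: only preRenderNotice() is declared callable.
class ExampleCallbacks implements TrustedCallbackInterface {
  public static function trustedCallbacks() {
    return ['preRenderNotice'];
  }
  public static function preRenderNotice(array $element) {
    $element['#attributes']['class'][] = 'example-notice';
    return $element;
  }
  public static function internalHelper(array $element) {
    return $element;
  }
}

// Modelled rule: closures pass; a class method passes only when its class
// implements the interface and lists the method; everything else fails.
function is_trusted_callback($callback): bool {
  if ($callback instanceof \Closure) {
    return TRUE;
  }
  if (is_string($callback) && strpos($callback, '::') !== FALSE) {
    $callback = explode('::', $callback, 2);
  }
  if (!is_array($callback) || count($callback) !== 2) {
    return FALSE; // For example, a plain function name string.
  }
  [$class, $method] = array_values($callback);
  return is_subclass_of($class, TrustedCallbackInterface::class)
    && in_array($method, $class::trustedCallbacks(), TRUE);
}

// Constructed sample callbacks, as they would appear under '#pre_render'.
$samples = [
  'function name' => 'example_module_pre_render',
  'listed method' => [ExampleCallbacks::class, 'preRenderNotice'],
  'unlisted method' => 'ExampleCallbacks::internalHelper',
  'closure' => function (array $element) { return $element; },
];
foreach ($samples as $label => $callback) {
  printf("%-16s %s\n", $label, is_trusted_callback($callback) ? 'accepted' : 'rejected');
}
```

In a real module the class would implement Drupal's own interface instead of the stand-in, and the render array would reference the method as [ExampleCallbacks::class, 'preRenderNotice'].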
Ongoing changes to core themes and theme APIs


Core themes are being updated to remove their dependency on the Classy and Stable base themes. In this alpha release, they instead create copies of libraries inherited from Classy. Work is underway to similarly remove dependencies on Classy templates and on Stable theme code. See the change record on the Classy dependency removal and the issue for decoupling themes from Stable for more information.


Work is underway to create a new Stable 9 theme, which will have updated markup and CSS that will be kept backwards-compatible throughout Drupal 9. Drupal 8 Stable will be deprecated and moved to a contributed project before Drupal 10. It is recommended that new themes be built based on the new Stable 9 theme, while existing themes can continue to extend Drupal 8 Stable.


Theme functions were deprecated in Drupal 8.1.x and scheduled for removal in Drupal 9. However, we improved our deprecation policy during the lifecycle of Drupal 8 and added warnings to developers; these warnings were never added to the theme function system. We are currently exploring applying those warnings to theme functions and building support into our deprecation checking tools. Themes or modules making use of theme functions should follow the instructions for converting theme functions to Twig templates.


Backend (PHP) dependency updates
This alpha release includes the following key PHP dependency updates compared to Drupal 8.9.x:


Drupal 9 now requires at least PHP 7.3 to be installed. PHP 7.4 is also supported.


Symfony has been updated from Symfony 3.4.32 to 4.4.3.


Twig has been updated from 1.38.2 to 2.12.0. The changes for PHP developers and template creators are listed at Preparing for use of Twig 2 in Drupal 9.


SimpleAnnotationReader has been dropped from the master branch of Doctrine Annotations. It consequently has been forked into Drupal core to maintain the same functionality. Contributed modules should not be relying on this library directly.


Guzzle's minimum version was updated from 6.3 to 6.5.2.


Following the project's move, ZendFramework/* packages have been updated to their Laminas equivalents. The packages have also been updated to their latest versions, including a major version update for Diactoros from 1.8 to 2.1.

PhantomJS-based testing has been removed.


Most Doctrine packages have received minor- and patch-level updates to their latest versions. doctrine/reflection 1.1.0 has been added as a dependency. and its dependencies (doctrine/cache, doctrine/collections, and doctrine/inflector) have been removed as they are no longer used by Drupal core.


The empty paragonie/random_compat PHP 5 polyfill has been removed and will no longer be packaged as a dependency of Drupal 9.


The package easyrdf/easyrdf is no longer a runtime dependency of Drupal and will not be included in tagged releases. Contributed or custom modules using EasyRDF need to add the dependency to their composer.json.


PHPUnit has been updated to PHPUnit 7, and the compatibility layer for PHPUnit 6 has been dropped since Drupal 9 requires PHP 7.3 or higher.


Numerous other dependencies have received minor- and patch-level updates to the latest versions.


Frontend (CSS and JavaScript) dependency updates
Drupal 9 will continue to depend on CKEditor 4 and jQuery 3.4.


Most jQuery UI components were deprecated in Drupal 8.8 and removed in Drupal 9.0. The libraries are now provided as contributed modules to make updating easier for any modules or themes that depend on them. See the change record on the removal of these jQuery UI libraries for more information.
The libraries that are still in use as of Drupal 8.8 were forked into Drupal 9 core to make it easier to fix any potential security issues with jQuery UI before Drupal 9's end-of-life. We plan to deprecate and remove all of these forked components prior to Drupal 10.0.0's release.


The following browser support polyfill libraries were deprecated in 8.8.0 and have been removed from Drupal 9.0 because they are no longer required by any of the browsers supported by Drupal core:

html5shiv
matchMedia
domready (Replaced by a single simple function that will now work in all supported browsers. See domready is deprecated for more information.)
classList

For sites that need to support older browsers, the contributed html5shiv module and matchmedia module provide identical replacements for the core libraries.


Other planned dependency updates
The following dependency updates are still outstanding and will be resolved before 9.0.0-beta1:

The minimum required PostgreSQL version is planned to be raised to 9.5.x or higher. The minimum MySQL version is planned to be raised to 5.7, while the MariaDB requirement is planned to be raised to 10.2.
normalize.css is being updated to the latest version.
The Node.js requirement is being raised from 8.11 to 10.18.0.
Popper.js is being updated to version 2.
jQuery.cookie is being replaced with JS-cookie.
Various further frontend dependencies in package.json will be updated.

What's next?
We may release further alpha versions as needed. There are three release scenarios for Drupal 9. If we complete all Drupal 9.0.0 beta requirements by the end of February, the first beta will be released in the first week of March and Drupal 9.0.0 will be released on June 3rd, 2020. If the beta requirements are not completed by the end of February, one of the later beta windows will be used.
All changes since 8.8.0
Browse the commit log for 9.0.x.
Official release from tag: 9.0.0-alpha1
Release type: Bug fixes, New features
Short description: This is an alpha release for the next major version of Drupal. Drupal 9 alpha releases are intended for site owners and module or theme authors to begin testing whether their sites and code are compatible with significant dependency changes in Drupal 9.0.
Packaged Git sha1: 1e7dfe0df82f2bac92e2159c7b500bd66967169a

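Software description

Drupal is an open-source content management framework (CMF) written in PHP. It consists of a content management system (CMS) and a PHP development framework.

CVE ID

TSRC analysis

None yet

Industry news

None yet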
