[Security-news] Updated security policy for Drupal core Composer dependencies - PSA-2022-06-20

From: security-news at drupal.org
Mon Jun 20 19:45:28 UTC 2022


View online: https://www.drupal.org/psa-2022-06-20

Date: 2022-June-20
Description: 
.... In Drupal 9.4 and higher, drupal/core-recommended allows patch-level
       vendor updates

The drupal/core-recommended metapackage now allows patch-level updates for
Composer dependencies. This means that site owners using
drupal/core-recommended can now install most Composer dependency security
updates themselves, without needing to wait for an upstream release of Drupal
core that updates the affected package.

For example, in the future, a Guzzle vendor update like the recent Guzzle
security release [1] can be installed by running:

    composer update guzzlehttp/guzzle

The change record on drupal/core-recommended and patch-level updates [2] has
more detailed information on how this change affects site dependency
management.
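
As an added illustration of the pinned-versus-patch-level distinction above
(this is not code from the PSA, the change record, or the Drupal project), the
following Python script reads a composer.lock, compares each locked version
against a first-fixed upstream version, and reports whether the metapackage
constraint lets `composer update <package>` reach the fix or pins the package
so that only a new core release or a constraint override can move it. Python
is used so the check runs without Composer installed; the lock excerpt, the
version numbers, and the tilde (`~X.Y.Z`) form of the 9.4 constraints are all
constructed assumptions for the example.

```python
"""Check whether a Drupal site's Composer constraints let it pull a fix.

Added example, not code from the PSA or from Drupal. Given a composer.lock
(installed versions), the constraints a metapackage imposes, and the first
fixed upstream version of a dependency, report whether `composer update
<package>` could reach the fix or whether the metapackage pins the package.
"""
import json
import re

# Constructed composer.lock excerpt; versions are illustrative only.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "guzzlehttp/guzzle", "version": "7.4.2"},
        {"name": "symfony/http-kernel", "version": "v4.4.41"},
    ]
})

# Exact pins, as the pre-9.4 drupal/core-recommended imposed them.
OLD_CONSTRAINTS = {"guzzlehttp/guzzle": "7.4.2", "symfony/http-kernel": "v4.4.41"}
# Assumed form of the 9.4 patch-level constraints: ~X.Y.Z is >=X.Y.Z,<X.(Y+1).0
NEW_CONSTRAINTS = {"guzzlehttp/guzzle": "~7.4.2", "symfony/http-kernel": "~4.4.41"}

# Illustrative first-fixed versions a site owner would take from the upstream
# advisory. Constructed numbers, not taken from the PSA.
FIRST_FIXED = {"guzzlehttp/guzzle": "7.4.5"}


def parse_version(version):
    """Turn '7.4.2' or 'v4.4.41' into a comparable (major, minor, patch) tuple."""
    numeric = re.match(r"v?(\d+(?:\.\d+)*)", version)
    if not numeric:
        raise ValueError(f"unsupported version string: {version!r}")
    parts = [int(p) for p in numeric.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def satisfies(version, constraint):
    """Composer-style check for '*', exact ('1.2.3') and tilde ('~1.2.3').

    ~X.Y.Z allows >=X.Y.Z,<X.(Y+1).0 and ~X.Y allows >=X.Y.0,<(X+1).0.0:
    the last stated component may float, the one before it is the ceiling.
    Caret and comparison constraints are deliberately not handled here.
    """
    if constraint == "*":
        return True
    ver = parse_version(version)
    if not constraint.startswith("~"):
        return ver == parse_version(constraint)
    stated = [int(p) for p in constraint[1:].lstrip("v").split(".")]
    if len(stated) < 2:
        raise ValueError(f"tilde constraint needs two components: {constraint!r}")
    lower = tuple(stated + [0] * (3 - len(stated)))
    ceiling = stated[:-1]
    ceiling[-1] += 1
    upper = tuple(ceiling + [0] * (3 - len(ceiling)))
    return lower <= ver < upper


def audit(lock_json, constraints, first_fixed):
    """Return {package: 'ok' | 'update-allowed' | 'pinned'} for a lock file.

    'update-allowed' means `composer update <package>` can reach the fixed
    version under the given constraint; 'pinned' means the metapackage
    constraint excludes it, so the site needs a new core release or a
    constraint override before it can update.
    """
    locked = {p["name"]: p["version"] for p in json.loads(lock_json)["packages"]}
    report = {}
    for name, version in locked.items():
        fixed = first_fixed.get(name)
        if fixed is None or parse_version(version) >= parse_version(fixed):
            report[name] = "ok"
        elif satisfies(fixed, constraints.get(name, "*")):
            report[name] = "update-allowed"
        else:
            report[name] = "pinned"
    return report


if __name__ == "__main__":
    for label, constraints in (("exact pins", OLD_CONSTRAINTS),
                               ("patch-level", NEW_CONSTRAINTS)):
        print(label, audit(SAMPLE_LOCK, constraints, FIRST_FIXED))
```

Run against the constructed data, the exact-pin constraints report the Guzzle
entry as "pinned" and the tilde constraints report it as "update-allowed",
which is the difference the section above describes. On a real site, feed it
the site's own composer.lock and the constraint values from the metapackage's
composer.json, and take the first-fixed version from the upstream advisory.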

.... Drupal security advisories and same-day releases for vendor updates will
       only be issued if Drupal core is known to be exploitable

It is the Drupal Security Team's policy to create new core releases and issue
security advisories for third-party vendor libraries only if an exploit is
possible in Drupal core. However, both the earlier version of the
drupal/core-recommended metapackage and Drupal.org file archive downloads
restrict sites to the exact Composer dependency versions used in Drupal core.
Therefore, in practice, we have issued numerous security advisories (or
same-day releases without security advisories) where only contributed or
custom code might be vulnerable.

For Drupal 9.4.0 and higher, the Security Team plans to no longer issue these
"just-in-case" security advisories for Composer dependency security updates.
Instead, the dependency updates will be handled as public security
hardenings, and will be included alongside other bugfixes in normal Drupal
core patch releases. These security hardenings may be released within a few
days as off-schedule bugfix releases if contributed projects are known to be
vulnerable, or on the next scheduled monthly bugfix window [3] for uncommon
or theoretical vulnerabilities. (Keep in mind that Drupal core often already
mitigates vulnerabilities present in its dependencies, so automated security
scanners sometimes raise false positives when an upstream CVE is announced.)

Site owners are responsible for monitoring security announcements for
third-party dependencies as well as for Drupal projects [4], and for
installing dependency security updates when necessary.

.... Sites built using .tar.gz or .zip file downloads should convert to
       drupal/core-recommended for same-day dependency updates

Drupal 9.4 sites built with tarball or zip file archives will no longer
receive the same level of security support for core dependencies. Going
forward, if core is not known to be exploitable, the core file downloads'
dependencies will be updated in normal bugfix releases within a few days (if
contributed projects are known to be vulnerable) to a few weeks (if the
vulnerability is uncommon or theoretical).

Sites built with tarball or zip files should convert to using
drupal/core-recommended [5] to apply security updates more promptly than the
above timeframe.

.... Drupal 9.3 will receive prompt, best-effort updates until its end of
       life

Drupal 9.3 receives security coverage until the release of Drupal 9.5.0 in
December 2022, and will not include the above improvement to
drupal/core-recommended. Therefore, we will still try to provide prompt
releases of Drupal 9.3 for vendor security updates when it is possible for us
to do so.

Since normal bugfixes are no longer backported to Drupal 9.3, there will
already be few to no other changes between its future releases, so dependency
updates may be released as normal bugfix releases (rather than security-only
releases). Security advisories for Drupal 9.3 vendor updates may still be
issued depending on the nature of the vulnerability.

.... Drupal 7 is not affected by this change and Drupal 7 core file downloads
       remain fully covered by the Drupal Security Team

Drupal 7 core includes only limited use of third-party dependencies (in
particular, the jQuery and jQuery UI JavaScript packages). Therefore, Drupal
7 is not affected by this policy change. Note that Drupal 7 sites that use
third-party libraries with Drupal 7 contributed modules must still monitor
and apply updates for those third-party libraries [6].

For press contacts, please email security-press at drupal.org [7].


[1] https://www.drupal.org/sa-core-2022-011
[2] https://www.drupal.org/node/3285240
[3] https://www.drupal.org/about/core/policies/core-release-cycles/schedule#monthly
[4] https://www.drupal.org/psa-2011-002
[5] https://www.drupal.org/docs/user_guide/en/install-composer.html#s-converting-a-previously-downloaded-site-to-use-composer
[6] https://www.drupal.org/psa-2011-002
[7] mailto:security-press at drupal.org