This repository has been archived by the owner on Mar 28, 2023. It is now read-only.

Update dependency drupal/core to v9 [SECURITY] #117

Open: wants to merge 1 commit into base: master

Conversation

@renovate renovate bot commented Mar 7, 2022

Mend Renovate

This PR contains the following updates:

Package: drupal/core; Type: require; Update: major; Change: 8.9.20 -> 9.3.19

GitHub Vulnerability Alerts

CVE-2022-25271

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.

CVE-2022-25270

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are not authorized to access. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.

CVE-2022-25275

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.

This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config['image.settings']['allow_insecure_derivatives'] or (Drupal 7) $conf['image_allow_insecure_derivatives'] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI.

Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.

CVE-2022-25277

Drupal core sanitizes filenames with dangerous extensions upon upload and strips leading and trailing dots from filenames to prevent uploading server configuration files.

However, the protections for these two vulnerabilities previously did not work correctly together. As a result, if the site were configured to allow the upload of files with an htaccess extension, these files' filenames would not be properly sanitized. This could allow bypassing the protections provided by Drupal core's default .htaccess files and possible remote code execution on Apache web servers.

This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.


Release Notes

drupal/core

v9.3.x: v9.3.19, v9.3.18, v9.3.17, v9.3.16, v9.3.15, v9.3.14, v9.3.13, v9.3.12, v9.3.11, v9.3.10, v9.3.9, v9.3.8, v9.3.7, v9.3.6, v9.3.5, v9.3.4, v9.3.3, v9.3.2, v9.3.1, v9.3.0

v9.2.x: v9.2.21, v9.2.20, v9.2.19, v9.2.18, v9.2.17, v9.2.16, v9.2.15, v9.2.14, v9.2.13, v9.2.12, v9.2.11, v9.2.10, v9.2.9, v9.2.8, v9.2.7, v9.2.6, v9.2.5, v9.2.4, v9.2.3, v9.2.2, v9.2.1, v9.2.0

v9.1.x: v9.1.15, v9.1.14, v9.1.13, v9.1.12, v9.1.11, v9.1.10, v9.1.9, v9.1.8, v9.1.7, v9.1.6, v9.1.5, v9.1.4, v9.1.3, v9.1.2, v9.1.1, v9.1.0

v9.0.x: v9.0.14, v9.0.13, v9.0.12, v9.0.11, v9.0.10, v9.0.9, v9.0.8, v9.0.7, v9.0.6, v9.0.5, v9.0.4, v9.0.3, v9.0.2, v9.0.1, v9.0.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot (Author) commented Mar 7, 2022

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock
Command failed: docker run --rm --name=renovate_sidecar --label=renovate_child -v "/mnt/renovate/gh/YaManicKill/viewfield":"/mnt/renovate/gh/YaManicKill/viewfield" -v "/tmp/renovate-cache":"/tmp/renovate-cache" -v "/tmp/containerbase":"/tmp/containerbase" -e COMPOSER_CACHE_DIR -e COMPOSER_AUTH -e BUILDPACK_CACHE_DIR -e CONTAINERBASE_CACHE_DIR -w "/mnt/renovate/gh/YaManicKill/viewfield" docker.io/containerbase/sidecar bash -l -c "install-tool php 8.2.3 && install-tool composer 2.5.4 && composer update drupal/core --with-dependencies --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins"
Loading composer repositories with package information
Info from https://repo.packagist.org: #StandWithUkraine
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - drupal-composer/drupal-scaffold is locked to version 2.6.1 and an update of this package was not requested.
    - drupal-composer/drupal-scaffold 2.6.1 requires composer-plugin-api ^1.0.0 -> found composer-plugin-api[2.3.0] but it does not match the constraint.
  Problem 2
    - Root composer.json requires drupal/core 9.3.19 -> satisfiable by drupal/core[9.3.19].
    - drupal/core 9.3.19 requires symfony/process ^4.4 -> found symfony/process[v4.4.0-BETA1, ..., 4.4.x-dev] but these were not loaded, likely because it conflicts with another require.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.

@renovate renovate bot force-pushed the renovate/packagist-drupal/core-vulnerability branch from 163b283 to 76cc8a6 on September 25, 2022 15:32