For non-Japanese speakers

All the articles and content on this website are written in Japanese.

If you would like to read them in a different language, please use the translation function on your browser.You may not be able to understand the finer points of the text, but you should be able to get the general idea.

Drupal 11.3.11 Update

Drupal Coreのアップデート通知が来ていたので確認します。先日10.3.10にアップデートしたのですが、期間を置かずに来たので、内容を確認してアップデートします。

Drupal 10.3.10

先日アップデートしたDrupal 11.3.10のアップデート内容は

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

PostgreSQLのAPIの脆弱性に関わる緊急アップデートになります。当サイトはMariaDBなので直接の影響はありませんが、Coreの上流アップデートでもあるSymfonyおよびTwig向けのセキュリティ更新も含まれます。

重大なセキュリティアップデートになりますので、通知が来たその日にアップデートを行なっています。

Drupal 11.3.11

Drupal 11.3.11のアップデート内容を確認してみます。

patch (bugfix) release : バグ修正のパッチになります。

早速アップデートを行います。

composer update --dry-run

//dry-runで確認します。
$ composer update --dry-run
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 20 updates, 0 removals
  - Upgrading drupal/core (11.3.10 => 11.3.11)
  - Upgrading drupal/core-composer-scaffold (11.3.10 => 11.3.11)
  - Upgrading drupal/core-project-message (11.3.10 => 11.3.11)
  - Upgrading drupal/core-recommended (11.3.10 => 11.3.11)
  - Upgrading guzzlehttp/guzzle (7.10.2 => 7.10.5)
  - Upgrading laravel/prompts (v0.3.17 => v0.3.18)
  - Upgrading psy/psysh (v0.12.22 => v0.12.23)
  - Upgrading symfony/console (v7.4.11 => v7.4.13)
  - Upgrading symfony/dependency-injection (v7.4.10 => v7.4.13)
  - Upgrading symfony/http-foundation (v7.4.8 => v7.4.13)
  - Upgrading symfony/http-kernel (v7.4.12 => v7.4.13)
  - Upgrading symfony/mime (v7.4.12 => v7.4.13)
  - Upgrading symfony/polyfill-intl-idn (v1.37.0 => v1.38.1)
  - Upgrading symfony/polyfill-php81 (v1.37.0 => v1.38.1)
  - Upgrading symfony/polyfill-php83 (v1.37.0 => v1.38.1)
  - Upgrading symfony/process (v7.4.11 => v7.4.13)
  - Upgrading symfony/routing (v7.4.12 => v7.4.13)
  - Upgrading symfony/string (v7.4.11 => v7.4.13)
  - Upgrading symfony/yaml (v7.4.12 => v7.4.13)
  - Upgrading twig/twig (v3.26.0 => v3.27.0)
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 20 updates, 0 removals
  - Upgrading drupal/core-composer-scaffold (11.3.10 => 11.3.11)
  - Upgrading drupal/core-project-message (11.3.10 => 11.3.11)
  - Upgrading symfony/string (v7.4.11 => v7.4.13)
  - Upgrading symfony/console (v7.4.11 => v7.4.13)
  - Upgrading twig/twig (v3.26.0 => v3.27.0)
  - Upgrading symfony/yaml (v7.4.12 => v7.4.13)
  - Upgrading symfony/polyfill-php83 (v1.37.0 => v1.38.1)
  - Upgrading symfony/routing (v7.4.12 => v7.4.13)
  - Upgrading symfony/http-foundation (v7.4.8 => v7.4.13)
  - Upgrading symfony/process (v7.4.11 => v7.4.13)
  - Upgrading symfony/polyfill-intl-idn (v1.37.0 => v1.38.1)
  - Upgrading symfony/mime (v7.4.12 => v7.4.13)
  - Upgrading symfony/http-kernel (v7.4.12 => v7.4.13)
  - Upgrading symfony/dependency-injection (v7.4.10 => v7.4.13)
  - Upgrading guzzlehttp/guzzle (7.10.2 => 7.10.5)
  - Upgrading drupal/core (11.3.10 => 11.3.11)
  - Upgrading drupal/core-recommended (11.3.10 => 11.3.11)
  - Upgrading psy/psysh (v0.12.22 => v0.12.23)
  - Upgrading laravel/prompts (v0.3.17 => v0.3.18)
  - Upgrading symfony/polyfill-php81 (v1.37.0 => v1.38.1)
44 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

//advisoriesのメッセージが表示されます。
Found 8 security vulnerability advisories affecting 4 packages.
Run "composer audit" for a full list of advisories.

//実際のUpdateのシュミレーションをしてみます。
$ composer update "drupal/core-*" --with-all-dependencies --dry-run
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 18 updates, 0 removals
  - Upgrading drupal/core (11.3.10 => 11.3.11)
  - Upgrading drupal/core-composer-scaffold (11.3.10 => 11.3.11)
  - Upgrading drupal/core-project-message (11.3.10 => 11.3.11)
  - Upgrading drupal/core-recommended (11.3.10 => 11.3.11)
  - Upgrading guzzlehttp/guzzle (7.10.2 => 7.10.5)
  - Upgrading symfony/console (v7.4.11 => v7.4.13)
  - Upgrading symfony/dependency-injection (v7.4.10 => v7.4.13)
  - Upgrading symfony/http-foundation (v7.4.8 => v7.4.13)
  - Upgrading symfony/http-kernel (v7.4.12 => v7.4.13)
  - Upgrading symfony/mime (v7.4.12 => v7.4.13)
  - Upgrading symfony/polyfill-intl-idn (v1.37.0 => v1.38.1)
  - Upgrading symfony/polyfill-php81 (v1.37.0 => v1.38.1)
  - Upgrading symfony/polyfill-php83 (v1.37.0 => v1.38.1)
  - Upgrading symfony/process (v7.4.11 => v7.4.13)
  - Upgrading symfony/routing (v7.4.12 => v7.4.13)
  - Upgrading symfony/string (v7.4.11 => v7.4.13)
  - Upgrading symfony/yaml (v7.4.12 => v7.4.13)
  - Upgrading twig/twig (v3.26.0 => v3.27.0)
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 18 updates, 0 removals
  - Upgrading drupal/core-composer-scaffold (11.3.10 => 11.3.11)
  - Upgrading drupal/core-project-message (11.3.10 => 11.3.11)
  - Upgrading symfony/string (v7.4.11 => v7.4.13)
  - Upgrading symfony/console (v7.4.11 => v7.4.13)
  - Upgrading twig/twig (v3.26.0 => v3.27.0)
  - Upgrading symfony/yaml (v7.4.12 => v7.4.13)
  - Upgrading symfony/polyfill-php83 (v1.37.0 => v1.38.1)
  - Upgrading symfony/routing (v7.4.12 => v7.4.13)
  - Upgrading symfony/http-foundation (v7.4.8 => v7.4.13)
  - Upgrading symfony/process (v7.4.11 => v7.4.13)
  - Upgrading symfony/polyfill-intl-idn (v1.37.0 => v1.38.1)
  - Upgrading symfony/mime (v7.4.12 => v7.4.13)
  - Upgrading symfony/http-kernel (v7.4.12 => v7.4.13)
  - Upgrading symfony/dependency-injection (v7.4.10 => v7.4.13)
  - Upgrading guzzlehttp/guzzle (7.10.2 => 7.10.5)
  - Upgrading drupal/core (11.3.10 => 11.3.11)
  - Upgrading drupal/core-recommended (11.3.10 => 11.3.11)
  - Upgrading symfony/polyfill-php81 (v1.37.0 => v1.38.1)
44 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

//advisoriesのメッセージが表示されます。
Found 8 security vulnerability advisories affecting 4 packages.
Run "composer audit" for a full list of advisories.

「composer update --dry-run」の内容を見ると見慣れないメッセージがあります。

Found 8 security vulnerability advisories affecting 4 packages.
Run "composer audit" for a full list of advisories.

”4つのパッケージに影響する8件のセキュリティ脆弱性に関するアドバイザリが見つかりました。アドバイザリの完全な一覧を確認するには、「composer audit」を実行してください。”

公式サイトを確認するとアドバイザリーはSymfonyに関わるもののようです。

composer audit

「composer audit」を実行します。

$ composer audit
Found 8 security vulnerability advisories affecting 4 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/http-foundation                                                          |
| Severity          |                                                                                  |
| CVE               | CVE-2026-48736                                                                   |
| Title             | CVE-2026-48736: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4,      |
|                   | NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient       |
| URL               | https://symfony.com/cve-2026-48736                                               |
| Affected versions | >=6.4.0,<6.4.41|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3.0|>=7.3.0,<7.4.0|>=7. |
|                   | 4.0,<7.4.13|>=8.0.0,<8.0.13                                                      |
| Reported at       | 2026-05-26T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/polyfill-intl-idn                                                        |
| Severity          | low                                                                              |
| CVE               | CVE-2026-46644                                                                   |
| Title             | CVE-2026-46644: symfony/polyfill-intl-idn accepts xn-- labels whose Punycode     |
|                   | payload decodes to ASCII-only: insecure equivalence                              |
| URL               | https://symfony.com/cve-2026-46644                                               |
| Affected versions | >=1.17.1,<1.38.1                                                                 |
| Reported at       | 2026-05-26T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/routing                                                                  |
| Severity          |                                                                                  |
| CVE               | CVE-2026-48784                                                                   |
| Title             | CVE-2026-48784: UrlGenerator Dot-Segment Encoding Skips Every Other Chained      |
|                   | `../` or `./` → Generated URL Collapses Off-Route Under RFC 3986 Normalization   |
| URL               | https://symfony.com/cve-2026-48784                                               |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
|                   | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.53|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
|                   | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.41|>=7.0.0,<7.1.0|>=7.1.0,<7.2.0|>=7.2.0,<7.3. |
|                   | 0|>=7.3.0,<7.4.0|>=7.4.0,<7.4.13|>=8.0.0,<8.0.13                                 |
| Reported at       | 2026-05-26T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | twig/twig                                                                        |
| Severity          |                                                                                  |
| CVE               | CVE-2026-48808                                                                   |
| Title             | Sandbox property allowlist bypass via the `column` filter under                  |
|                   | `SourcePolicyInterface`                                                          |
| URL               | https://symfony.com/blog/cve-2026-48808-sandbox-property-allowlist-bypass-via-th |
|                   | e-column-filter-under-sourcepolicyinterface                                      |
| Affected versions | >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0                                    |
| Reported at       | 2026-05-27T15:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | twig/twig                                                                        |
| Severity          |                                                                                  |
| CVE               | CVE-2026-48805                                                                   |
| Title             | Sandbox state regression in deprecated internal wrappers in                      |
|                   | `src/Resources/core.php`                                                         |
| URL               | https://symfony.com/blog/cve-2026-48805-sandbox-state-regression-in-deprecated-i |
|                   | nternal-wrappers-in-src-resources-core-php                                       |
| Affected versions | >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0                                    |
| Reported at       | 2026-05-27T15:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | twig/twig                                                                        |
| Severity          |                                                                                  |
| CVE               | CVE-2026-46636                                                                   |
| Title             | Sandbox filter, tag and function allow-list bypass when sandbox state changes    |
|                   | between renders                                                                  |
| URL               | https://symfony.com/blog/cve-2026-46636-sandbox-filter-tag-and-function-allow-li |
|                   | st-bypass-when-sandbox-state-changes-between-renders                             |
| Affected versions | >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0                                    |
| Reported at       | 2026-05-27T15:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | twig/twig                                                                        |
| Severity          |                                                                                  |
| CVE               | CVE-2026-48806                                                                   |
| Title             | Sandbox `__toString()` policy bypass via dynamic mapping keys                    |
| URL               | https://symfony.com/blog/cve-2026-48806-sandbox-tostring-policy-bypass-via-dynam |
|                   | ic-mapping-keys                                                                  |
| Affected versions | >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0                                    |
| Reported at       | 2026-05-27T15:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | twig/twig                                                                        |
| Severity          |                                                                                  |
| CVE               | CVE-2026-48807                                                                   |
| Title             | Sandbox `__toString()` policy bypass via `Traversable` in `join`/`replace` and   |
|                   | `in`/`not in` operators                                                          |
| URL               | https://symfony.com/blog/cve-2026-48807-sandbox-tostring-policy-bypass-via-trave |
|                   | rsable-in-join-replace-and-in-not-in-operators                                   |
| Affected versions | >=1.0.0,<2.0.0|>=2.0.0,<3.0.0|>=3.0.0,<3.27.0                                    |
| Reported at       | 2026-05-27T15:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

内容は

  1. symfony/http-foundation / CVE-2026-48736 
  2. symfony/polyfill-intl-idn / CVE-2026-46644
  3. symfony/routing / CVE-2026-48784
  4. twig/twig / CVE-2026-48808
  5. twig/twig / CVE-2026-48805
  6. twig/twig / CVE-2026-46636
  7. twig/twig / CVE-2026-48806
  8. twig/twig / CVE-2026-48807

symfonyの3パッケージと3つの問題、twigの1パッケージと5つの問題なので、8つの問題になっています。各パッケージのアドバイザリーを見ると、対応済みであるsymfonyの7.4.13以上にアップデート、symfony/polyfill-intl-idnは1.38.1以上にアップデート、twigは3.27.0にアップデートしてくださいとなっています。

Affected versions
symfony versions >=6.4, <6.4.41, >=7.0, <7.4.13, >=8.0, <8.0.13 of the Symfony HTTP Client and Symfony HTTP Foundation components are affected by this security issue.
The issue has been fixed in Symfony 5.4.53, 6.4.41, 7.4.13, 8.0.13.

Affected versions
Symfony versions >=1.17.1, <1.38.1 of the Symfony Polyfill and Symfony Polyfill Intl Idn components are affected by this security issue.
The issue has been fixed in Symfony 1.38.1.

Affected versions
Twig versions <=3.26.0 are affected by this security issue.
The issue has been fixed in Twig 3.27.0.

「dry-run」でアップデートされるアドバイザリーで問題が指摘されたパッケージをみます。


Upgrading twig/twig (v3.26.0 => v3.27.0)
...
Upgrading symfony/http-foundation (v7.4.8 => v7.4.13)
...
Upgrading symfony/polyfill-intl-idn (v1.37.0 => v1.38.1)
...
Upgrading symfony/routing (v7.4.12 => v7.4.13)
etc...

今回アドバイザリーで問題が指摘されたパッケージの修正版であるsymfony7.4.13以上、polyfill-intl-idnは1.38.1以上、twigは3.27.0にアップデートを実行しています。

コアのアップデートも問題ないので、Drupal 11.3.11にアップデートします。

Drupal 11.3.11 Update

$ composer update "drupal/core-*" --with-all-dependencies
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 0 installs, 18 updates, 0 removals
 - Upgrading drupal/core (11.3.10 => 11.3.11)
 - Upgrading drupal/core-composer-scaffold (11.3.10 => 11.3.11)
 - Upgrading drupal/core-project-message (11.3.10 => 11.3.11)
 - Upgrading drupal/core-recommended (11.3.10 => 11.3.11)
 - Upgrading guzzlehttp/guzzle (7.10.2 => 7.10.5)
 - Upgrading symfony/console (v7.4.11 => v7.4.13)
 - Upgrading symfony/dependency-injection (v7.4.10 => v7.4.13)
 - Upgrading symfony/http-foundation (v7.4.8 => v7.4.13)
 - Upgrading symfony/http-kernel (v7.4.12 => v7.4.13)
 - Upgrading symfony/mime (v7.4.12 => v7.4.13)
 - Upgrading symfony/polyfill-intl-idn (v1.37.0 => v1.38.1)
 - Upgrading symfony/polyfill-php81 (v1.37.0 => v1.38.1)
 - Upgrading symfony/polyfill-php83 (v1.37.0 => v1.38.1)
 - Upgrading symfony/process (v7.4.11 => v7.4.13)
 - Upgrading symfony/routing (v7.4.12 => v7.4.13)
 - Upgrading symfony/string (v7.4.11 => v7.4.13)
 - Upgrading symfony/yaml (v7.4.12 => v7.4.13)
 - Upgrading twig/twig (v3.26.0 => v3.27.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 0 installs, 18 updates, 0 removals
 - Downloading symfony/string (v7.4.13)
 - Downloading symfony/console (v7.4.13)
 - Downloading twig/twig (v3.27.0)
 - Downloading symfony/yaml (v7.4.13)
 - Downloading symfony/polyfill-php83 (v1.38.1)
 - Downloading symfony/routing (v7.4.13)
 - Downloading symfony/http-foundation (v7.4.13)
 - Downloading symfony/process (v7.4.13)
 - Downloading symfony/polyfill-intl-idn (v1.38.1)
 - Downloading symfony/mime (v7.4.13)
 - Downloading symfony/http-kernel (v7.4.13)
 - Downloading symfony/dependency-injection (v7.4.13)
 - Downloading guzzlehttp/guzzle (7.10.5)
 - Downloading drupal/core (11.3.11)
 - Downloading symfony/polyfill-php81 (v1.38.1)
Gathering patches for root package.
Gathering patches for dependencies. This might take a minute.
 - Upgrading drupal/core-composer-scaffold (11.3.10 => 11.3.11): Extracting archive
 - Upgrading drupal/core-project-message (11.3.10 => 11.3.11): Extracting archive
 - Upgrading symfony/string (v7.4.11 => v7.4.13): Extracting archive
 - Upgrading symfony/console (v7.4.11 => v7.4.13): Extracting archive
 - Upgrading twig/twig (v3.26.0 => v3.27.0): Extracting archive
 - Upgrading symfony/yaml (v7.4.12 => v7.4.13): Extracting archive
 - Upgrading symfony/polyfill-php83 (v1.37.0 => v1.38.1): Extracting archive
 - Upgrading symfony/routing (v7.4.12 => v7.4.13): Extracting archive
 - Upgrading symfony/http-foundation (v7.4.8 => v7.4.13): Extracting archive
 - Upgrading symfony/process (v7.4.11 => v7.4.13): Extracting archive
 - Upgrading symfony/polyfill-intl-idn (v1.37.0 => v1.38.1): Extracting archive
 - Upgrading symfony/mime (v7.4.12 => v7.4.13): Extracting archive
 - Upgrading symfony/http-kernel (v7.4.12 => v7.4.13): Extracting archive
 - Upgrading symfony/dependency-injection (v7.4.10 => v7.4.13): Extracting archive
 - Upgrading guzzlehttp/guzzle (7.10.2 => 7.10.5): Extracting archive
 - Upgrading drupal/core (11.3.10 => 11.3.11): Extracting archive
 - Upgrading drupal/core-recommended (11.3.10 => 11.3.11)
 - Upgrading symfony/polyfill-php81 (v1.37.0 => v1.38.1): Extracting archive
 - Applying patches for drupal/core
   https://www.drupal.org/files/issues/2023-07-16/3204271-20-missing-layout-exception.patch (Layout builder cannot recover on missing layout: https://www.drupal.org/node/3204271)
Generating autoload files
44 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

問題なくアップデートされます。

データベースのアップデートとキャッシュをクリアしてから、「composer audit」を実行し問題は消えたかの確認を行います。

$ drush updatedb
[success] No pending updates.
$ drush cache:rebuild
[success] Cache rebuild complete.
$ composer audit
No security vulnerability advisories found.

「No security vulnerability advisories found.」Drupal 11.3.11にアップデートしたことで、セキュリティの問題も解決されています。

Update完了

公式サイトを確認すると、

11.3.10ではsymfonyのセキュリティ修正版である

  • 該当するパッケージであるsymfony/http-foundation他を7.4.12
  • 該当するパッケージであるtwigを3.26.0

にアップデートを行い

11.3.11ではsymfonyのセキュリティ修正版である

  • 該当するパッケージであるsymfony/http-foundation、symfony/routingを7.4.13
  • 該当するパッケージであるsymfony/polyfill-intl-idnを1.38.1
  • 該当するパッケージであるtwigを3.27.0

にアップデートしています。

このパッケージの修正に関わるsymfonyのアドバイザリーのメッセージが表示されていたので、通常のアップデートと異なるメッセージが表示されました。

今回、見慣れないメッセージが表示されたので、久しぶりに、公式サイトのアップデート内容とその元になるsymfonyのアップデートを確認しました。

本来は、常に確認すべきですが、アップデート通知が来て、--dry-runで問題なければアップデート実行という形で問題なかったので、しばらくアップデートの詳細を公式サイトで確認していなかったのは反省すべきと考えています。今後はアップデート通知やセキュリティ通知が来たら公式サイトで内容をしっかり確認したいと考える出来事でした。

[ drupal11.3.10 | Drupal.org(Opens in a new tab/window) ]

[ Drupal core - Highly critical - SQL injection - SA-CORE-2026-004(Opens in a new tab/window) ]

[ drupal 11.3.11 | Drupal.org(Opens in a new tab/window) ]

[ Symfony Security Advisories blog post(Opens in a new tab/window) ]

 

前の記事

#D41 Fatal error WordPress

今回サーバー移転でDrupalを10.6.xから11.3.xにアップデートしました。共有サーバーのWordPressのサイトにFatal errorが出たので、エラーの解決を行いました。DrupalとWordPressの開発思想の違いが見えるエラーだったので記事にまとめました。

#D42
  • Drupalの記事
  • 環境構築