Try a hosted Drupal demo

Install

To start a new Drupal project with version 10.0.8:

To update your site and all dependencies to the latest version of Drupal:

To update your site to this specific release:
Pinning to a specific release may make it more challenging to update your site in future, see composer documentation for managing pinned versions

Using Composer to manage Drupal site dependencies

Downloads

Download tar.gz 16.63 MB
MD5: c51b557136b053e68220f095eee1dc1f
SHA-1: c1de93c87083c2e1c616af4706c66ac83dad9520
SHA-256: 8a813d5ff58cc49af773fdad8c58a1f6e56772912f1415c6e90c013753d0ad2f
Download zip 27.49 MB
MD5: 2198fe78c0bb35e9e425ee08da9d1266
SHA-1: d730fe2f7d443aeb1b73ac863cc06c09ebed4322
SHA-256: e71484cfa7f031d07e8083f4a3421869037832cad49e2dd8ced9233d14ea9e3f

Security issues fixed

Release notes

This is a security release of the Drupal 10 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcement:


No other fixes are included.

Which release do I choose? Security coverage information

  • Drupal 10.0.x will receive security coverage until December 2023 when Drupal 10.2.0 is released.
  • Sites on 9.5.x should update immediately to Drupal 9.5.8 instead of this release, but plan to update to Drupal 10 by November 2023.
  • Sites on 9.4.x or earlier should update immediately to Drupal 9.4.14 instead of this release, but update to 9.5 or higher soon.
  • Versions of Drupal 9 prior to 9.4.x are end-of-life and do not receive security coverage.
  • Drupal 8 is end-of-life and does not receive security coverage.

Important update information

Changes to site-owner-managed files

  • Following this release, Drupal will block access to private files at certain specially crafted paths. Previous versions of Drupal allowed access to these paths, and in most cases blocking access is the correct behavior.

    There may be some sites that rely on allowing access to these paths, or the changes in this release may cause other problems with file access. These sites can add the following line to settings.php:

    $settings['file_sa_core_2023_005_schemes'] = ['private'];

    This will preserve the old behavior for files saved in the private files directory, using the private stream wrapper from Drupal core. Sites that need to preserve the old behavior for files using other stream wrappers, from contributed or custom modules, should list those stream wrappers instead of 'private'.

    The comments in default.settings.php have additional information.

    Using this setting will bypass the access checks added in this release, which may allow public access to files that are meant to be private. This setting is a temporary backward-compatibility layer for misconfigured sites. It will be removed in a future release since it is insecure.

What’s next?

  1. Learn how to install Drupal
  2. Learn how to update Drupal
  3. Extend Drupal to do more
  4. Get training
  5. Check out what others built
Created by: xjm
Created on: 19 Apr 2023 at 16:20 UTC
Last updated: 19 Apr 2023 at 17:42 UTC
Git tag 10.0.8
Security update
Insecure
Insecure
Unsupported

Other releases