Download drupal-8.1.7.tar.gz (tar.gz, 12.02 MB)
MD5: 19e95079e50dd3c19222b91ef1b57036
SHA-1: aa2c2e57e4b200e38f5e1c12dd1d19e5fdf24d09
SHA-256: 1d4c9d58c22651aca312d9fd1446f28f16018326a03e3f40dfcce264212a8e2e
Download drupal-8.1.7.zip (zip, 19.62 MB)
MD5: a158b536720915b60a0c6ef4e7109466
SHA-1: 42736afd52761aca10be94d210fe5045c491eb08
SHA-256: f3d7b9bd543e5521a1b1c43eeed744d4c15ebcbe1b5a84bb1012f90f63bc9b9a

Release info

Created by: xjm
Created on: 18 Jul 2016 at 15:22 UTC
Last updated: 21 Sep 2016 at 17:36 UTC
Core compatibility: 8.x
Release type: Security update

Release notes

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcements:

No other fixes are included.

Third-party dependency updates in this release

This release includes an update for Guzzle, a third-party dependency of Drupal 8, as well as security hardenings for the vulnerability described in SA-CORE-2016-003. If you manage your site's dependencies with Composer, you should update to Guzzle 6.2.1 immediately and review the web server configuration information below. If you installed Drupal 8 from a Drupal.org zip or tar package, the Guzzle update is provided automatically when you update Drupal.

Web server configuration

This release includes changes to .htaccess and web.config. To ensure that your site is secure, use Drupal 8.1.7's default version of these files, or add the following to your custom versions:

.htaccess

<IfModule mod_headers.c>
  # Disable Proxy header, since it's an attack vector.
  RequestHeader unset Proxy
</IfModule>

web.config

<system.webServer>
  <rewrite>
    <rules>
      <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
        <match url="*.*" />
        <serverVariables>
          <set name="HTTP_PROXY" value="" />
        </serverVariables>
        <action type="None" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>

The release also includes a change to instructions in default.settings.php. If you are using a proxy for outbound requests from your web server, the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables are no longer supported. You will need to change your settings.php to configure these using the following settings:

  • $settings['http_client_config']['proxy']['http']
  • $settings['http_client_config']['proxy']['https']
  • $settings['http_client_config']['proxy']['no']

If you do not use an outbound proxy, you do not need to make any changes to your settings.php. Most sites do not use an outbound proxy.

See https://httpoxy.org/ for full details on the vulnerability and the required changes on all affected environments.
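
One way to confirm that a customized .htaccess or web.config carries the two directives shown above, as an added example that is not part of the Drupal release or its documentation. The function name, output wording and exit codes (0 hardened, 1 missing, 2 nothing to check) are this example's own.

```shell
#!/bin/sh
# Added example (not Drupal code): audit a docroot for the 8.1.7 httpoxy
# hardening described in these release notes.
# Usage: sh check_httpoxy.sh /path/to/drupal/docroot

check_httpoxy_hardening() {
  docroot=$1
  rc=0
  found=0

  # .htaccess: require an active directive. Lines starting with '#' do not
  # match, so a commented-out "RequestHeader unset Proxy" counts as missing.
  if [ -f "$docroot/.htaccess" ]; then
    found=1
    if grep -Eiq '^[[:space:]]*RequestHeader[[:space:]]+unset[[:space:]]+Proxy([[:space:]]|$)' "$docroot/.htaccess"; then
      echo "OK   .htaccess unsets the Proxy request header"
    else
      echo "FAIL .htaccess has no active 'RequestHeader unset Proxy'"
      rc=1
    fi
  fi

  # web.config: require the <set> element that blanks HTTP_PROXY. This is a
  # textual match on the attribute order used in the release notes; it does
  # not parse XML, so a rule inside an XML comment would still match.
  if [ -f "$docroot/web.config" ]; then
    found=1
    if grep -Eiq '<set[[:space:]]+name="HTTP_PROXY"[[:space:]]+value=""' "$docroot/web.config"; then
      echo "OK   web.config blanks the HTTP_PROXY server variable"
    else
      echo "FAIL web.config has no rule setting HTTP_PROXY to an empty value"
      rc=1
    fi
  fi

  if [ "$found" -eq 0 ]; then
    echo "SKIP no .htaccess or web.config under $docroot"
    return 2
  fi
  return "$rc"
}

# Run the audit only when a docroot is passed on the command line.
if [ "$#" -gt 0 ]; then
  check_httpoxy_hardening "$1"
fi
```

A pass here only shows the directive is present in the file; mod_headers (Apache) or the URL Rewrite module (IIS) must also be enabled for it to take effect.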

Known issues

See the list of the known issues for the 8.1.x branch. There are no known regressions in this release.