Install

To start a new Drupal project with version 8.1.7:

To update your site and all dependencies to the latest version of Drupal:

To update your site to this specific release:
Pinning to a specific release may make it more challenging to update your site in future, see composer documentation for managing pinned versions

Using Composer to manage Drupal site dependencies

Downloads

Download drupal-8.1.7.tar.gztar.gz 12.02 MB
MD5: 19e95079e50dd3c19222b91ef1b57036
SHA-1: aa2c2e57e4b200e38f5e1c12dd1d19e5fdf24d09
SHA-256: 1d4c9d58c22651aca312d9fd1446f28f16018326a03e3f40dfcce264212a8e2e
Download drupal-8.1.7.zipzip 19.62 MB
MD5: a158b536720915b60a0c6ef4e7109466
SHA-1: 42736afd52761aca10be94d210fe5045c491eb08
SHA-256: f3d7b9bd543e5521a1b1c43eeed744d4c15ebcbe1b5a84bb1012f90f63bc9b9a

Release notes

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcements:

No other fixes are included.

Third-party dependency updates in this release

This release includes an update for Guzzle, a third-party dependency of Drupal 8, as well as security hardenings for the vulnerability described in SA-CORE-2016-003. If you manage your site's dependencies with Composer, you should update to Guzzle 6.2.1 immediately and review the web server configuration information below. If you installed Drupal 8 from a Drupal.org zip or tar package, the Guzzle update is provided automatically when you update Drupal.

Web server configuration

This release includes changes to .htaccess and web.config. To ensure that your site is secure, use Drupal 8.1.7's default version of these files, or add the following to your custom versions:

.htaccess

<IfModule mod_headers.c>
  # Disable Proxy header, since it's an attack vector.
  RequestHeader unset Proxy
</IfModule>

web.config

<system.webServer>
  <rewrite>
    <rules>
      <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
        <match url="*.*" />
        <serverVariables>
          <set name="HTTP_PROXY" value="" />
        </serverVariables>
        <action type="None" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>

The release also includes a change to instructions in default.settings.php. If you are using a proxy from outbound requests from your web server, the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environmental variables are no longer supported. You will need to change your settings.php to configure these using the following settings:

  • $settings['http_client_config']['proxy']['http']
  • $settings['http_client_config']['proxy']['https']
  • $settings['http_client_config']['proxy']['no']

If you do not use an outbound proxy, you do not need to make any changes to your settings.php. Most sites do not use an outbound proxy.

See https://httpoxy.org/ for full details on the vulnerability and the required changes on all affected environments.

Known issues

See the list of the known issues for the 8.1.x branch. There are no known regressions in this release.

What’s next?

  1. Learn how to install Drupal
  2. Learn how to update Drupal
  3. Extend Drupal to do more
  4. Get training
  5. Check out what others built
Created by: xjm
Created on: 18 Jul 2016 at 15:22 UTC
Last updated: 12 Mar 2018 at 21:22 UTC
Security update
Insecure

Other releases