Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcements:
No other fixes are included.
Third-party dependency updates in this release
This release includes an update for Guzzle, a third-party dependency of Drupal 8, as well as security hardenings for the vulnerability described in SA-CORE-2016-003. If you manage your site's dependencies with Composer, you should update to Guzzle 6.2.1 immediately and review the web server configuration information below. If you installed Drupal 8 from a Drupal.org zip or tar package, the Guzzle update is provided automatically when you update Drupal.
Web server configuration
This release includes changes to .htaccess and web.config. To ensure that your site is secure, use Drupal 8.1.7's default version of these files, or add the following to your custom versions:
<IfModule mod_headers.c>
  # Disable Proxy header, since it's an attack vector.
  RequestHeader unset Proxy
</IfModule>
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
        <match url="*.*" />
        <serverVariables>
          <set name="HTTP_PROXY" value="" />
        </serverVariables>
        <action type="None" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
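For sites that keep custom versions of these files, the following added example (not part of Drupal or of these release notes) checks whether a .htaccess or web.config still carries the hardening shown above in active form. The function names and the sample inputs are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Active (uncommented) "RequestHeader unset Proxy"; Apache directive and
# header names are case-insensitive. "Proxy-Authorization" must not match.
_UNSET_PROXY = re.compile(r'^\s*RequestHeader\s+unset\s+"?Proxy"?(\s|$)', re.I)

def htaccess_unsets_proxy(text):
    """True if an active 'RequestHeader unset Proxy' line is present."""
    return any(_UNSET_PROXY.match(line) for line in text.splitlines())

def webconfig_erases_http_proxy(text):
    """True if an enabled rewrite rule sets HTTP_PROXY to the empty string."""
    try:
        root = ET.fromstring(text)  # XML comments are dropped by the parser
    except ET.ParseError:
        return False
    for rule in root.iter("rule"):
        if rule.get("enabled", "true").lower() == "false":
            continue
        for var in rule.iter("set"):
            if var.get("name", "").upper() == "HTTP_PROXY" and var.get("value") == "":
                return True
    return False

# Constructed sample inputs: the first of each pair is the snippet from these
# release notes, the second a custom file where the hardening is inactive.
PAGE_HTACCESS = """<IfModule mod_headers.c>
  # Disable Proxy header, since it's an attack vector.
  RequestHeader unset Proxy
</IfModule>"""
COMMENTED_HTACCESS = "<IfModule mod_headers.c>\n  # RequestHeader unset Proxy\n</IfModule>"
PAGE_WEBCONFIG = """<system.webServer><rewrite><rules>
  <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
    <match url="*.*" />
    <serverVariables><set name="HTTP_PROXY" value="" /></serverVariables>
    <action type="None" />
  </rule>
</rules></rewrite></system.webServer>"""
DISABLED_WEBCONFIG = PAGE_WEBCONFIG.replace('<rule name', '<rule enabled="false" name')

if __name__ == "__main__":
    for label, ok in [("page .htaccess", htaccess_unsets_proxy(PAGE_HTACCESS)),
                      ("commented .htaccess", htaccess_unsets_proxy(COMMENTED_HTACCESS)),
                      ("page web.config", webconfig_erases_http_proxy(PAGE_WEBCONFIG)),
                      ("disabled web.config", webconfig_erases_http_proxy(DISABLED_WEBCONFIG))]:
        print(f"{label}: {'hardened' if ok else 'MISSING Proxy hardening'}")
```

A passing .htaccess check only shows that the directive is present: because it sits inside the IfModule mod_headers.c block, Apache skips it silently when mod_headers is not loaded, so confirm the module is enabled as well.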
The release also includes a change to instructions in default.settings.php. If you are using a proxy for outbound requests from your web server, the
NO_PROXY environmental variables are no longer supported. You will need to change your settings.php to configure these using the following settings:
If you do not use an outbound proxy, you do not need to make any changes to your settings.php. Most sites do not use an outbound proxy.
See https://httpoxy.org/ for full details on the vulnerability and the required changes on all affected environments.
See the list of the known issues for the 8.1.x branch. There are no known regressions in this release.