Install
To start a new Drupal project with version 8.1.7:To update your site and all dependencies to the latest version of Drupal:
To update your site to this specific release:
Using Composer to manage Drupal site dependencies
Downloads
Release notes
Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcements:
No other fixes are included.
Third-party dependency updates in this release
This release includes an update for Guzzle, a third-party dependency of Drupal 8, as well as security hardenings for the vulnerability described in SA-CORE-2016-003. If you manage your site's dependencies with Composer, you should update to Guzzle 6.2.1 immediately and review the web server configuration information below. If you installed Drupal 8 from a Drupal.org zip or tar package, the Guzzle update is provided automatically when you update Drupal.
Web server configuration
This release includes changes to .htaccess and web.config. To ensure that your site is secure, use Drupal 8.1.7's default version of these files, or add the following to your custom versions:
.htaccess
<IfModule mod_headers.c>
# Disable Proxy header, since it's an attack vector.
RequestHeader unset Proxy
</IfModule>
web.config
<system.webServer>
<rewrite>
<rules>
<rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
<match url="*.*" />
<serverVariables>
<set name="HTTP_PROXY" value="" />
</serverVariables>
<action type="None" />
</rule>
</rules>
</rewrite>
</system.webServer>
The release also includes a change to instructions in default.settings.php. If you are using a proxy from outbound requests from your web server, the HTTP_PROXY
, HTTPS_PROXY
, and NO_PROXY
environmental variables are no longer supported. You will need to change your settings.php to configure these using the following settings:
$settings['http_client_config']['proxy']['http']
$settings['http_client_config']['proxy']['https']
$settings['http_client_config']['proxy']['no']
If you do not use an outbound proxy, you do not need to make any changes to your settings.php. Most sites do not use an outbound proxy.
See https://httpoxy.org/ for full details on the vulnerability and the required changes on all affected environments.
Known issues
See the list of the known issues for the 8.1.x branch. There are no known regressions in this release.