Magento 2.0.6 Security Update


Magento 2.0.6 was released on May 17, 2016. It contains several important security fixes, so you should update as soon as possible. Among other things, the update fixes security issues that allowed an attacker to take over administrator sessions.

 

Fixed issues:

  • Varnish no longer returns a 400 Bad Request error when its cache is cleared. Previously, this occurred on Magento instances hosted at GoDaddy.

 

Improvements:

  • You can now use the Redis adapter to provide session storage in Magento 2.0.6.
  • Magento now provides a more flexible way for you to set file ownership and permissions. For more information visit Magento file system ownership and permissions.

 

Security fixes:

  • Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs.
  • Magento no longer allows authenticated customers to change other customers’ account information using either SOAP or REST calls. Magento now confirms that the ID of the customer whose account is being edited matches the authentication token in use.
  • Anonymous users can no longer retrieve the private data of registered customers.
  • Several parameters in the Authorize.net payment module are no longer vulnerable to reflected Cross-Site Scripting (XSS) attacks.
  • Magento no longer allows users with minimum privileges (for example, access to the dashboard only) to force re-installation of Magento, which could allow them to potentially execute malicious code.
  • The Magento installation code is no longer accessible once the installation process has completed.
  • When an integration is created, Magento now bases the OAuth consumer key expiration from when the token exchange begins instead of when the consumer key is created.
  • A guest cart can now be assigned only to the authenticated customer who claims it. Previously, an anonymous user could modify the state of a registered customer (that is, set an active quote for that customer).
  • Magento no longer discloses information about its internal path during installation.
  • Magento no longer discloses the administrator URL to an unauthenticated user during setup.
  • Application error messages no longer include the path to the file where the error occurred.
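Two of the fixes above (customers editing other customers' accounts over SOAP/REST, and anonymous users assigning guest carts to registered customers) are the same class of bug: the server authenticated the caller but then trusted a customer ID taken from the request. The following PHP sketch is an added example written for this post, not Magento's own code. The in-memory `$customers`, `$tokens` and `$quotes` arrays, the token strings and the function names are constructed here to illustrate the check; the "vulnerable" variants model the behaviour the release notes describe as fixed, and the "hardened" variants show the correct binding of the resource to the authenticated principal.

```php
<?php
declare(strict_types=1);

// Constructed sample data (not real Magento tables): customer records keyed by ID.
$customers = [
    1 => ['email' => 'alice@example.test', 'firstname' => 'Alice'],
    2 => ['email' => 'bob@example.test',   'firstname' => 'Bob'],
];

// Constructed token store: bearer token => customer ID it was issued to.
$tokens = [
    'tok-alice' => 1,
    'tok-bob'   => 2,
];

// Constructed guest quotes (carts) keyed by cart ID; customer_id is null while anonymous.
$quotes = [
    'g-100' => ['customer_id' => null, 'items' => ['sku-1']],
];

final class AuthorizationException extends RuntimeException {}

/** Resolve the customer ID bound to a token, or throw if the token is unknown. */
function customerIdFromToken(array $tokens, string $token): int
{
    if (!isset($tokens[$token])) {
        throw new AuthorizationException('invalid or expired token');
    }
    return $tokens[$token];
}

/**
 * Vulnerable pattern: the handler authenticates the caller but then trusts the
 * customer ID supplied in the request (PUT /V1/customers/{id}). Any authenticated
 * customer can overwrite any other customer's record.
 */
function updateCustomerVulnerable(array &$customers, array $tokens, string $token, int $targetId, array $data): array
{
    customerIdFromToken($tokens, $token);   // authenticated, but never compared to $targetId
    $customers[$targetId] = array_merge($customers[$targetId], $data);
    return $customers[$targetId];
}

/**
 * Hardened pattern: the ID being edited must equal the ID the token was issued for.
 * Stripping id/customer_id from the body is this example's own extra precaution.
 */
function updateCustomerHardened(array &$customers, array $tokens, string $token, int $targetId, array $data): array
{
    $callerId = customerIdFromToken($tokens, $token);
    if ($callerId !== $targetId) {
        throw new AuthorizationException("customer $callerId may not edit customer $targetId");
    }
    unset($data['id'], $data['customer_id']);   // body must not re-point the record
    $customers[$targetId] = array_merge($customers[$targetId], $data);
    return $customers[$targetId];
}

/**
 * Guest cart assignment. The vulnerable form takes customer_id from the request and
 * needs no token, so an anonymous caller can attach a quote to any registered customer.
 */
function assignGuestCartVulnerable(array &$quotes, string $cartId, int $customerId): array
{
    $quotes[$cartId]['customer_id'] = $customerId;   // no authentication at all
    return $quotes[$cartId];
}

/** Hardened form: the owner is derived from the token only, and only an unowned cart can be claimed. */
function assignGuestCartHardened(array &$quotes, array $tokens, string $token, string $cartId): array
{
    $callerId = customerIdFromToken($tokens, $token);
    if (!isset($quotes[$cartId])) {
        throw new InvalidArgumentException("no such cart $cartId");
    }
    if ($quotes[$cartId]['customer_id'] !== null) {
        throw new AuthorizationException("cart $cartId already belongs to a customer");
    }
    $quotes[$cartId]['customer_id'] = $callerId;
    return $quotes[$cartId];
}

// Demonstration: Bob, authenticated as customer 2, tries to edit Alice's (ID 1) record.
updateCustomerVulnerable($customers, $tokens, 'tok-bob', 1, ['email' => 'attacker@example.test']);
echo "vulnerable: customer 1 email is now {$customers[1]['email']}\n";

$customers[1]['email'] = 'alice@example.test';   // reset for the second run
try {
    updateCustomerHardened($customers, $tokens, 'tok-bob', 1, ['email' => 'attacker@example.test']);
} catch (AuthorizationException $e) {
    echo "hardened: rejected ({$e->getMessage()})\n";
}

// Anonymous caller attaching a guest cart to Alice, versus Alice claiming it with her own token.
assignGuestCartVulnerable($quotes, 'g-100', 1);
echo "vulnerable: cart g-100 now belongs to customer {$quotes['g-100']['customer_id']}\n";
$quotes['g-100']['customer_id'] = null;          // reset
$cart = assignGuestCartHardened($quotes, $tokens, 'tok-alice', 'g-100');
echo "hardened: cart g-100 assigned to customer {$cart['customer_id']}\n";
```

Run it with `php` from the command line. The point the two hardened functions share is that the acting customer is never read from the URL or body; it is always taken from the token, and the request is refused if the two disagree. When you audit your own API extensions after upgrading, look for any handler that accepts a `customerId` or `customer_id` parameter alongside a token without making exactly this comparison.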

 

For more information about the security fixes, see the Magento Security Center. The release notes are available here.

 

Depending on how you installed Magento 2, the upgrade process varies. The safest approach is to upgrade first in a test environment, either on the same server or on a local development machine. If you feel lucky and your store does not have much traffic, you might want to upgrade directly in production, but even then you should take a full backup of all your files and your database before you start.

 

Featured image by Nejron Photo