Magento 2.2.5 and 2.1.14 Security and Fix Updates


Magento 2.2.5

The latest Magento version, 2.2.5, was released on June 27 and includes many bug fixes, some of them security related, as well as over 150 community contributions. Magento hosters should update as soon as possible, because this release fixes several XSS, SQL injection and cross-site request forgery vulnerabilities. The update improves both the usability and the security of Magento.

The fixes:

  • Magento no longer permits you to re-run an already running cron job.
  • You can now successfully delete an option from a bundle product.
  • Magento now correctly applies coupon codes that exclude bundle products.
  • The Category\Collection::joinUrlRewrite method now returns the URL of the store whose storeId is set on the collection.
  • Sorting products by price now applies catalog rules as expected and with required custom options as well.
  • Tier pricing for a single product unit now works as expected.
  • Magento now successfully saves products when using a locale that formats dates in this way: DD/MM/YYYY.
  • Magento no longer lists as in stock any products whose CSV values indicate that they should be represented as out-of-stock after a CSV import of new products.
  • When working in the media gallery, you can now successfully delete any files and folders that are symlinked in pub/media.
  • Magento now displays the correct status for a backordered configurable product on the order view page and wishlist.
  • The Hide from Product Page option now works for the child product of a configurable product.
  • The Update on Save re-index operation now works as expected when re-indexing configurable products after changing options.
  • The Related Products rule for up-sell products with customer segments set to Specified now works as expected.
  • The data check on imported customer information now completes as expected.
  • If you remove a product’s custom options from the CSV file created during product import, Magento no longer displays the custom options on the storefront.
  • Magento now filters recent orders by store on the customer account page as expected.
  • In multistore environments, Magento now retrieves the correct PayPal Payflow Pro credentials.
  • Swagger now displays the text area that contains the payload structure of all POST and PUT operations.
  • Magento no longer throws a 404 error when a customer navigates from the Catalog page of the default store to a custom Catalog page on a different store.
  • The correct tax amount is now included as expected in the Order Total that is listed under the Order Summary section of the Orders page.
  • The including tax and excluding tax fields on the Checkout page now contain correctly calculated prices.
  • Magento now displays the Tax amount field in the Order Summary section of the Checkout page for orders that contain virtual products.
  • Merchants can now create a Vertex invoice refund as expected after an order has been canceled.
  • Magento now prompts you to select order status if a customer does not select an option from the Order Status drop down list.
  • Magento now disables Vertex API Status as expected when you set the Enable Vertex Tax Calculation option to no.
  • Customers no longer receive a notice about negative tax amount after a merchant creates a refund on Vertex Cloud.

The enhancements:

  • The search indexer is now scoped and multithreaded.
  • Magento now caches popular search results for faster response time on popular searches.
  • The performance and logic of Magento\Sales\Helper\Guest has been improved.
  • Magento improved the performance of editing or saving products in large categories.
  • The performance has been improved by removing the count() method from some loops in backend files.
  • Merchants can now run the catalog search full text indexer and category product indexer in parallel mode by store view.
  • The required minimal PHP version is now 7.0.13.
  • The product repository now uses store_id when saving attributes for an existing product.
  • Out-of-stock options for configurable products no longer show up in search and layered navigation results.
  • Merchants can now choose whether to request and include tax information from UPS in the rate charged to the customer during checkout.
  • You can now use JavaScript mixins to extend swatch functionality in all supported browsers.
  • You can now use REST to update the available_payment_methods company extension attribute.

The security fixes (update SUPEE-10752):

  • APPSEC-2027: CSRF is possible against Web sites, Stores, and Store Views
  • APPSEC-1882: The cron.php file can leak database credentials
  • APPSEC-2006: Stored cross-site scripting (XSS) through the Enterprise Logging extension
  • APPSEC-2005: Persistent Cross-Site Scripting (XSS) injection in Configuration table
  • APPSEC-1880: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)
  • APPSEC-2004: Cross-Site Scripting (XSS) through Remote File Inclusion
  • APPSEC-1988: Path traversal vulnerability in templates
  • APPSEC-1987: Reflective cross-site scripting (XSS) through filter manipulation
  • APPSEC-2034: XSS in Admin Create Order Configure Product Via Compatible File Extensions
  • APPSEC-1876: Cross-site scripting (XSS) in Admin Bundle Product Bundle Items Tab through Product SKU
  • APPSEC-1874: Cross-Site Scripting (XSS) in the Admin Gift Registry Type Edit via Attribute Group
  • APPSEC-1872: Cross-Site Scripting (XSS) in the Admin Manage Catalog Events list through category name
  • APPSEC-1928: Stored XSS in Downloadable Product Links title – frontend
  • APPSEC-1871: Cross-Site Scripting (XSS) in the Admin Manage Customer Rewards points history using the Reason field
  • APPSEC-1870: Cross-Site Scripting (XSS) in Admin Manage Invitations list through Invitee email address
  • APPSEC-1972/APPSEC-2103: Admin password change does not force the logout of the Admin user
  • APPSEC-1934: Systemic Cross-Site Request Forgery (CSRF) on the Checkout page
  • APPSEC-1917: Password theft through uploaded video and Auth Prompt password theft vulnerability
  • APPSEC-1993: IP spoofing

Magento 2.1.14

Magento 2.1.14 contains almost the same fixes as the newer version 2.2.5, and therefore also a large number of security fixes. You should install the update as soon as possible to secure your shop. The detailed list of all the security issues that were solved is given above. With this update, Magento 2.1 also gets an improved experience, because many issues with the backend have been resolved.
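A small branch-aware version check for the two fix releases named in this post (2.2.5 and 2.1.14), as an added example that is not part of the original article or of Magento itself. It assumes the Magento metapackage is recorded in composer.lock under one of the two package names listed in the code; verify those against your own install.

```python
"""Check whether an installed Magento 2 version predates the SUPEE-10752 fix releases."""
import json
import re

# Earliest release on each branch that carries the fixes described in the post.
FIXED_RELEASES = {(2, 1): (2, 1, 14), (2, 2): (2, 2, 5)}

# Composer package names for the Magento 2 metapackage; assumed here, check your composer.lock.
MAGENTO_PACKAGES = ("magento/product-community-edition", "magento/product-enterprise-edition")


def parse_version(version: str) -> tuple:
    """Turn '2.2.5' or '2.1.14-p1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def needs_update(version: str) -> bool:
    """True if the version is older than the fix release of its branch.

    Branches newer than 2.2 are treated as fixed; 2.0 and older are out of
    support and flagged as needing attention.
    """
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return (major, minor) < (2, 1)
    return (major, minor, patch) < fixed


def installed_version(composer_lock_json: str):
    """Return the Magento metapackage version found in composer.lock content, or None."""
    data = json.loads(composer_lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") in MAGENTO_PACKAGES:
            return pkg["version"]
    return None


# Constructed composer.lock fragment for demonstration, not taken from a real install.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "monolog/monolog", "version": "1.17.1"},
    {"name": "magento/product-community-edition", "version": "2.2.4"},
]})

if __name__ == "__main__":
    v = installed_version(SAMPLE_LOCK)
    print(f"installed {v}: {'UPDATE NEEDED' if needs_update(v) else 'fixed release or newer'}")
```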

The fixes and enhancements:

  • The magento cron:run command now runs scheduled jobs as expected.
  • The misspelling in the name of the namespace in Magento\Cron\Observer\ProcessCronQueueObserver.php has been fixed.
  • The magento setup:di:compile command now supports quoting for base paths.
  • Store getConfig() now respects valid false return values.
  • All console commands now return status.
  • Magento added the web/unsecure/base_url config to both website and store scopes.
  • Magento now checks if storeId is not null rather than checking if it is empty.
  • Magento no longer displays HTML tags in product meta descriptions.
  • The layout of catalog_rule_promo_catalog_edit.xml has been changed to adjust sidebar settings.
  • The Catalog Price rule’s contains condition now works as expected when the contains condition allows multiple options.
  • Enhancements to LESS code include moving several LESS variables to .lib-dropdown() variables and adding font-weight variable to navigation.less.
  • Magento improved the display of the Payment Methods section of the checkout page on mobile devices.
  • You can now successfully override settings in module-directory/etc/zip_codes.xml.
  • You can now successfully save an address with a blank address field.
  • Magento removed <title>Billing Agreements</title> from the customer_account.xml file in the PayPal module.
  • Magento added JSON and XML support to the post method in the \Magento\Framework\HTTP\Client\Socket class.
  • Navigation menus without the display: inline-block setting now work as expected on deployments running on Internet Explorer 11.x.
  • You can now successfully prevent the removal of a block or container by setting the remove attribute to false.
  • String type was added to \Magento\Framework\HTTP\Client\Curl to support sending JSON or XML requests.
  • Magento improved the ability to store passwords using different hashing algorithms.
  • You can now cancel the removal of a block or container from a layout by setting the remove attribute value to false.
  • You can now add an XML comment node as a parameter when adding a new widget declaration to widget.xml.
  • The setAttributeFilter method now specifies the relevant table when calling the addFieldToFilter method.
  • The catalog gallery allowfullscreen setting in the theme’s view.xml file now works as expected.
  • Magento removed the ability of the Magento Framework to explicitly set file and directory permissions from the default cache backend.
  • Magento now installs the AdminGws module after it installs Magento_Authorization.
  • The robots.txt response header content type is now plain text.
  • Load query no longer uses requireJS to print.
  • You can now translate the text associated with rating stars in product reviews and some additional issues with translations have been fixed too.

Remember to create a backup before updating your site.

(Image by peshkova)