Magento 1.9.4.2 Security Update

Magento released version 1.9.4.2 on June 26. The update contains 75 security enhancements, bundled under the patch name SUPEE-11155. There are also two small fixes and some further changes, which you can find on Magento DevDocs.

Security Fixes (SUPEE-11155)

  • Arbitrary code execution through design layout update (PRODSECBUG-2296)
  • Arbitrary code execution through product imports and design layout update (PRODSECBUG-2298)
  • Arbitrary code execution via file upload (PRODSECBUG-2349)
  • Security bypass via form data injection (PRODSECBUG-2202)
  • Arbitrary code execution via malicious XML layouts (PRODSECBUG-2375)
  • Remote code execution through crafted email templates (PRODSECBUG-2306)
  • MySQL Error through crafted Elasticsearch query (PRODSECBUG-2350)
  • Arbitrary code execution via crafted sitemap creation (PRODSECBUG-2351)
  • Arbitrary code execution through malicious Elasticsearch module configuration (PRODSECBUG-2266)

There are further security fixes with a CVSSv3 severity below 9, but they are still very dangerous. You can find the complete list of the 75 fixed vulnerabilities on Magento Tech Resources.

Fixes

  • The Magento logging feature now works as expected after the SUPEE-11086 patch is installed.
  • Magento 1.14.4.0 and the PHP 7.2 support patch now include the same files as expected.

Remember to create a backup before installing updates!
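A quick way to confirm that a store is covered by this update, as an added example (not Magento's own tooling): it reads the version constants that Magento 1 keeps in `app/Mage.php` and looks for SUPEE-11155 in `app/etc/applied.patches.list`, the file the SUPEE patch script appends to. Both file layouts are assumed from Magento 1 here, not quoted from the announcement; the sample contents below are constructed.

```python
import re

# Version shipped by the 1.9.4.2 release and the patch name from the announcement.
PATCHED_VERSION = (1, 9, 4, 2)
PATCH_NAME = "SUPEE-11155"

# Matches the keys of Mage::getVersionInfo() in app/Mage.php (assumed Magento 1 layout).
_VERSION_KEY = re.compile(r"'(major|minor|revision|patch)'\s*=>\s*'(\d*)'")


def parse_mage_version(mage_php: str) -> tuple:
    """Return (major, minor, revision, patch) parsed from the text of app/Mage.php."""
    found = dict(_VERSION_KEY.findall(mage_php))
    return tuple(int(found.get(k) or 0) for k in ("major", "minor", "revision", "patch"))


def has_patch(applied_list: str, name: str = PATCH_NAME) -> bool:
    """True if app/etc/applied.patches.list records the named patch.
    The patch script appends one pipe-separated line per applied patch (assumed);
    only the patch-name column is relied on here."""
    for line in applied_list.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if name in fields:
            return True
    return False


def needs_update(mage_php: str, applied_list: str) -> bool:
    """A store is covered if it runs 1.9.4.2 or later, or has SUPEE-11155 applied."""
    return parse_mage_version(mage_php) < PATCHED_VERSION and not has_patch(applied_list)


# Constructed samples standing in for the two files of a 1.9.4.1 install.
SAMPLE_MAGE_PHP = """
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '4',
            'patch'     => '1',
            'stability' => '',
            'number'    => '',
        );
    }
"""
SAMPLE_APPLIED = "2019-03-26 10:00:00 UTC | SUPEE-11086 | CE_1.9.4.1 | v1 | constructed\n"

if __name__ == "__main__":
    print("update required:", needs_update(SAMPLE_MAGE_PHP, SAMPLE_APPLIED))
```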