Magento 2.0.3 and 2.0.4 Security Updates

On April 1st, Magento Community Edition 2.0.4 was released. It contains all of the security enhancements and performance improvements of Magento 2.0.3 in improved packaging. You must install 2.0.4 to be sure that you receive all of the fixes of 2.0.3.

Improvements and fixes:

  • The release fixes issues in the installation and upgrade of Magento.
  • It also improves the import of existing products and of products with custom URLs.
  • There are two API changes. The first is in the Orders API, which now exposes the shipping address. This corrects an issue when using this API to integrate with third-party systems.
  • The second is in the SOAP API, which now returns attributes of type “text swatch” and “visual swatch” when you use the API to add attribute options. Previously, this did not work for these attribute types.
  • Magento now allows you to use arguments of type url in nested arrays. Previously, you could pass route parameters only if the url argument was declared at the top level.
  • Magento no longer displays raw HTML tags in messages.
  • Performance has been improved when loading catalog products with multiple color swatches.
  • Magento now successfully saves and displays new customer attributes.
  • Performance has also been improved by removing redundant GET requests that previously occurred during shopping cart refresh.

The full overview of changes is available in the Magento 2.0.4 release notes.

Security enhancements

This release fixes several vulnerabilities that could be exploited to take over administrator sessions. Keeping Magento up to date is the most effective way to make sure that something like this cannot happen to your store.

  • A persistent cross-site scripting issue through a user account has been resolved.
  • Magento now supports setting limits on password attempts. Previously, the Admin and Customer Token APIs did not limit the number of attempts to enter a password, which inadvertently allowed brute-force guessing of passwords.
  • APIs that previously granted access to anonymous users are now configured to require a higher permission level. By default, anonymous access to the Catalog, Store and CMS APIs is no longer permitted. If an integration needs it, you can change this setting, but be aware that doing so re-exposes those endpoints to unauthenticated callers.
  • Magento now prevents the arbitrary execution of PHP code through the language package CSV file.
  • The encryption keys that are generated in System > Manage Encryption Key have been strengthened.
  • Reflected XSS can no longer occur through the Authorizenet module’s redirect data.
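To make the password-attempt fix concrete, here is an added example (written for this post, not Magento code) that models a token-issuing login endpoint twice: once without any attempt limit, reproducing the pre-2.0.3 behaviour, and once with a per-account lockout. The wordlist, account names, attempt limit and lock window are assumptions chosen for the demonstration and are not Magento’s defaults; the point is that the same dictionary run succeeds against the unlimited endpoint and is cut off by the limited one.

```python
"""Per-account lockout for a password login endpoint (added example, not Magento's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Iteration count lowered so the demo runs quickly; use a much higher value in production.
PBKDF2_ITERATIONS = 20_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts since the last success or lock
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class TokenService:
    """Issues a bearer token on a correct password; optionally locks the account after too many failures."""

    def __init__(self, max_attempts=6, lock_seconds=600, enforce_limit=True, clock=time.time):
        self.accounts = {}
        self.max_attempts = max_attempts      # assumed demo value
        self.lock_seconds = lock_seconds      # assumed demo value
        self.enforce_limit = enforce_limit    # False reproduces the unlimited pre-2.0.3 behaviour
        self.clock = clock                    # injectable so the lock window can be tested offline

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt))

    def login(self, username: str, password: str):
        """Return (token, reason); token is None unless reason == 'ok'."""
        acct = self.accounts.get(username)
        now = self.clock()
        if acct is None:
            # Do the same work for unknown users so timing does not reveal valid usernames.
            _hash_password(password, b"\x00" * 16)
            return None, "invalid"
        if self.enforce_limit and now < acct.locked_until:
            return None, "locked"
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return secrets.token_urlsafe(32), "ok"
        acct.failures += 1
        if self.enforce_limit and acct.failures >= self.max_attempts:
            acct.locked_until = now + self.lock_seconds
            acct.failures = 0
            return None, "locked"
        return None, "invalid"


def brute_force(service: TokenService, username: str, wordlist):
    """Attacker loop: try candidates in order; return (password_found, attempts_made)."""
    for attempt, candidate in enumerate(wordlist, 1):
        token, reason = service.login(username, candidate)
        if token:
            return candidate, attempt
        if reason == "locked":
            return None, attempt  # further guesses are rejected without being checked
    return None, len(wordlist)


def demo():
    """Run the same dictionary against an unlimited and a limited endpoint (constructed data)."""
    wordlist = ["password", "123456", "qwerty", "letmein", "admin123", "welcome", "hunter2", "s3cret!"]
    unlimited = TokenService(enforce_limit=False)
    unlimited.register("admin", "hunter2")  # constructed: the real password is 7th in the list
    limited = TokenService(max_attempts=6, lock_seconds=600)
    limited.register("admin", "hunter2")
    return brute_force(unlimited, "admin", wordlist), brute_force(limited, "admin", wordlist)


if __name__ == "__main__":
    print(demo())  # → (('hunter2', 7), (None, 6))
```

Against the unlimited service the seventh guess yields a token; against the limited one the sixth failure locks the account and the correct password is never reached. Note that the lockout is keyed on the account, not the source IP, so a distributed attacker gains nothing by rotating addresses, and that a locked account also rejects the correct password until the window expires, which is why the limit should be generous enough not to turn into a denial of service against legitimate users.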

For more detail on the security fixes, visit the Magento Security Center.

Depending on how you installed Magento 2, the upgrade steps will differ. The safest approach is to upgrade a copy of the store first, in a test environment on the same server or on a local development machine, and only then repeat the procedure in production. If your store has little traffic and you decide to upgrade in production directly, you still must take a full backup of all files and of the database before you start, so that you can roll back if the upgrade fails.
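Whichever upgrade route you take, the backup step is the same, so here is an added example of it (written for this post, not part of Magento’s own tooling). It archives the store tree while skipping regenerable state such as caches and sessions, and builds the mysqldump command for the database. The directory names skipped, the archive layout and the credential handling are assumptions for the demonstration; database credentials are passed in explicitly, and the password goes through the MYSQL_PWD environment variable rather than the command line so that it does not show up in the process list.

```python
"""Pre-upgrade backup of a Magento 2 store: files plus database (added example, not Magento's code)."""
import os
import subprocess
import tarfile
import tempfile
import time

# Regenerable state that only bloats the archive (assumed list; extend it for your store).
SKIP_DIRS = ("var/cache", "var/page_cache", "var/session", "var/tmp", "pub/static/frontend")


def backup_files(root: str, dest_dir: str, stamp: str = None) -> str:
    """Write <dest_dir>/magento-files-<stamp>.tar.gz from <root>, skipping SKIP_DIRS; return its path."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    os.makedirs(dest_dir, exist_ok=True)
    archive = os.path.join(dest_dir, f"magento-files-{stamp}.tar.gz")

    def keep(info: tarfile.TarInfo):
        # info.name is "magento/<relative path>"; returning None prunes the whole subtree.
        rel = info.name.split("/", 1)[1] if "/" in info.name else ""
        return None if any(rel == d or rel.startswith(d + "/") for d in SKIP_DIRS) else info

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname="magento", filter=keep)
    return archive


def mysqldump_argv(db: str, user: str, host: str, out_file: str) -> list:
    """Build the mysqldump command. --single-transaction gives a consistent InnoDB snapshot without locking."""
    return ["mysqldump", "--single-transaction", "--routines", "--triggers",
            "-h", host, "-u", user, f"--result-file={out_file}", db]


def backup_database(db, user, password, dest_dir, host="localhost", stamp=None, run=subprocess.run) -> str:
    """Dump the database to <dest_dir>/magento-db-<stamp>.sql; `run` is injectable for offline testing."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    os.makedirs(dest_dir, exist_ok=True)
    out_file = os.path.join(dest_dir, f"magento-db-{stamp}.sql")
    env = dict(os.environ, MYSQL_PWD=password)  # keeps the password off the command line
    run(mysqldump_argv(db, user, host, out_file), env=env, check=True)
    return out_file


def list_archive(archive: str) -> list:
    """Return the regular-file members of an archive, sorted, for verification after the backup."""
    with tarfile.open(archive) as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def make_sample_install(root: str) -> None:
    """Create a tiny constructed stand-in for a store tree (sample data, not a real install)."""
    files = {
        "app/etc/env.php": "<?php return ['db' => []];",
        "pub/index.php": "<?php // front controller",
        "composer.json": "{}",
        "var/cache/mage-tags/tag": "cache",
        "var/session/sess_abc": "session",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def demo():
    """Back up a constructed tree; return (archive members, mysqldump argv recorded by a stub runner)."""
    calls = []
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = os.path.join(tmp, "htdocs"), os.path.join(tmp, "backups")
        make_sample_install(root)
        members = list_archive(backup_files(root, dest, stamp="test"))
        # Stub runner records the command instead of executing mysqldump (no database needed offline).
        backup_database("magento", "magento", "s3cret", dest, stamp="test",
                        run=lambda argv, **kw: calls.append(argv))
    return members, calls[0]


if __name__ == "__main__":
    members, argv = demo()
    print("\n".join(members))
    print(" ".join(argv))
```

Before you start the upgrade, run `list_archive` on the tarball and check that `app/etc/env.php` is present: without it the restored tree cannot connect to the database. Restoring means extracting the archive over a clean directory and feeding the SQL file back with the mysql client; rehearse that once on the test copy so that the rollback path is known to work before it is needed.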