Magento 2.4.1, 2.3.6 and Security Patch

The latest Magento update 2.4.1 was released on October 15. This update includes enhancements to performance and security with over 150 fixes.

Magento 2.4.1 contains minor backward-incompatible changes.

Highlights

Security enhancements

This release includes over 15 security fixes and platform security improvements. All security fixes have been backported to Magento 2.4.0-p1 and Magento 2.3.6.

The security enhancements close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities.

No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin.

Additional security enhancements

  • CAPTCHA protection has been added to the following product areas (disabled by default for these additional pages):
    • Place Order storefront page and REST and GraphQL endpoints
    • Payment-related REST and GraphQL endpoints
  • Support for the SameSite attribute for cookies. To support the Google Chrome enforcement of the new cookie classification system, Magento classes that handle cookies have been updated to support the SameSite cookie attribute.
  • Enhanced Magento Scan Tool. Adobe has partnered with Sanguine Security, a leader in preventing digital skimming, to integrate their database of over 8700 threat signatures into the Magento Security Scan Tool.

Infrastructure improvements

This release contains enhancements to core quality, which improve the quality of the Framework and these functional areas: Customer Account, Catalog, CMS, OMS, Import/Export, Promotions and Targeting, Cart and Checkout, and Staging and Preview.

Performance improvements

  • Reduction in the size of network transfers between Redis and Magento.
  • Enhanced message queue consumer performance. Three new configuration settings support a decrease in consumer queue CPU consumption.
  • Improved execution time for bin/magento commands.

Adobe Stock Integration

This release includes Adobe Stock Integration v2.1.0.

The New Media Gallery is now enabled by default in the Admin. Merchants can now perform these actions on images in the Media Gallery:

  • Delete images in bulk
  • Optimize media storage by identifying duplicate images and images that are not used on the storefront
  • Filter images by the storefront area they are used in, including product and category content and CMS blocks
  • Work with image metadata
    • View metadata from the images uploaded into Media Gallery
    • Edit image metadata (title, description, and keywords)
    • Search for images by their metadata

GraphQL

  • Product reviews. Customers and guests can write product reviews. Customers can retrieve their product review histories.
  • Gift options. All customers and guests can add a gift message to their order. Customers can also add gift wrapping, gift receipts, and printed cards to the order.
  • Order history. All customers can view details about their order histories, including invoices, shipping, and refunds.
  • Add to cart. The addProductsToCart mutation allows you to add any type of product to the active cart.
  • Stored payment methods. Logged-in customers can now store payment details in My Account.
  • Support for wish lists in Magento Open Source. GraphQL wish list support has been added to Magento Open Source.
  • Improved management of customer accounts. We have added the createCustomerV2 and updateCustomerV2 mutations to manage customer accounts.
  • Support for Payflow Pro Vault. Added GraphQL Vault support for the Payflow Pro Vault payment method.
  • Updated the GraphQL storeConfig query to include new customer configuration settings.
  • Added the requestPasswordResetEmail mutation, which triggers the password reset email for the provided email address.
  • Klarna GraphQL. Added or updated topics on Klarna GraphQL.

PWA Studio

PWA Studio v8.0.0 introduces new features and enhancements:

  • Updates to the Venia style guide that apply to design tokens, typography, colors, core components, and page layouts.
  • Improvements to the Venia mini-cart experience
  • Initial support for multiple locales and localized content on the Venia storefront
  • Numerous improvements to the My Account experience of the Venia storefront

Magento Functional Testing Framework (MFTF)

MFTF 3.1.0 is now available.

Vendor Developed Extensions

See the following articles for updates on features and changes for this release:

  • Amazon Pay
  • Braintree
  • Klarna
  • Vertex Cloud
  • Yotpo Product Reviews

Fixed issues

Magento developers fixed hundreds of issues in the Magento 2.4.1 core code.

The complete list of all changes can be found on devdocs.magento.com.

Remember to create a backup before installing updates.

Magento 2.3.6

Magento 2.3.6 was released on October 15 with the Magento update 2.4.1.

Magento 2.3.6 offers significant platform upgrades, substantial security changes, and performance improvements as well as over 160 functional fixes.

Support for PHP 7.4.x is planned for the next update, Magento 2.3.7, which is scheduled for Q2 2021.

Highlights

Substantial security enhancements

This version contains the same security enhancements as Magento 2.4.1.

Fixes

Magento developers fixed hundreds of issues in the Magento 2.3.6 core code. The complete list of all changes can be found on devdocs.magento.com.

Security Patch APSB20-22

  • released on October 15
  • File Upload Allow List Bypass (PRODSECBUG-2799)
    • Arbitrary code execution (critical)
  • SQL Injection (PRODSECBUG-2779)
    • Arbitrary read or write access to database (critical)
  • Improper Authorization (PRODSECBUG-2789, PRODSECBUG-2796, PRODSECBUG-2797, PRODSECBUG-2791)
    • Unauthorized modification of customer list (important)
    • Unauthorized modification of Magento CMS pages (important)
    • Unauthorized access to restricted resources (important)
  • Insufficient Invalidation of User Session (PRODSECBUG-2785)
    • Unauthorized access to restricted resources (important)
  • Sensitive Information Disclosure (PRODSECBUG-2798)
    • Disclosure of document root path (moderate)
  • Cross-site Scripting (Stored XSS) (PRODSECBUG-2804)
    • Arbitrary JavaScript execution in the browser (important)
  • Further details are published in the APSB20-22 bulletin.

Remember to create a backup before installing updates. Picture courtesy of Noah Buscher.