Magento 2.4.6-p3, 2.4.5-p5 and 2.4.4-p6 Security Releases

On October 10, 2023, Adobe published various security releases for Adobe Commerce and Magento Open Source.

Note

Adobe Commerce and Magento Open Source releases may contain backward-incompatible changes (BICs). To review backward-incompatible changes, see BIC reference. Major backward-incompatible issues are described in BIC highlights. Not all releases introduce major BICs.

Security highlights

All 3 releases introduce a new full page cache configuration setting that helps to mitigate the risks associated with the {BASE-URL}/page_cache/block/esi HTTP endpoint. This endpoint supports unrestricted, dynamically loaded content fragments from Commerce layout handles and block structures. The new Handles Param configuration setting sets the value of this endpoint’s handles parameter, which determines the maximum allowed number of handles per API. The default value of this property is 100. Merchants can change this value from the Admin (Stores > Settings: Configuration > System > Full Page Cache > Handles Param).

Security fixes

This patch includes ten security fixes for all 3 versions mentioned here. See Adobe Security Bulletin for the latest discussion of these fixed issues.

Magento 2.4.6-p3

Adobe Commerce 2.4.6-p3 includes resolution of the performance degradation that was addressed by patch ACSD-51892. Merchants are not affected by the issue addressed by this patch, which is described in the ACSD-51892: Performance issue where config files load multiple times Knowledge Base article.

Picture by Alex Harvey.