Magento 2.0.17, 2.1.10, 2.2.1 Security Updates

Magento released its latest updates on November 7. They contain almost 40 security fixes as well as functional enhancements. The update is available as versions 2.0.17, 2.1.10 and 2.2.1. It includes 15 security-related fixes against cross-site scripting, cross-site request forgery, unauthorized data leakage, and remote code execution vulnerabilities exploitable by an authenticated admin user.

Because this update improves security, it should be installed as soon as possible. Here is an overview of the most important changes and security fixes.

The fixed security issues:

  • APPSEC-1325: Stored XSS in Billing Agreements
  • APPSEC-1825: PHP Object Injection in E-mail templates leading to Remote Code Execution
  • APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
  • APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution
  • APPSEC-1881: PHP Object Injection in Downloadable Products leading to Remote Code Execution
  • APPSEC-1893: PHP Object Injection in product metadata leading to Remote Code Execution
  • APPSEC-1900: Remote Code Execution by leveraging 1st stage unsanitized form input
  • APPSEC-1910: Local File Inclusion (LFI) in Import History
  • APPSEC-1930: PHP Object Injection in Widgets leading to Remote Code Execution
  • APPSEC-1931: PHP Object Injection in Zend Framework leading to Arbitrary File Deletion

More information on the security fixes can be found in the Magento Tech Resources.

Highlights in all versions:

  • Security fixes and enhancements.
  • Significant reduction in JavaScript-related translation issues.
  • Improvements to how the PayPal Express Checkout payment method processes virtual products.

Magento 2.0.17

  • Magento now permits a customer to share a shopping cart between the store views of the same website, but not between store views of different websites.
  • It is now possible to create a blank attribute option using the drop-down input option on products that do not require an attribute.
  • The category/product indexer now successfully completes a full reindexing of all indexes on large profiles with 500,000 or more products.
  • The storefront now displays images that Magento resizes during product save operations, rather than resizing the product on the storefront.
  • When you delete an image in the Admin, Magento no longer deletes it on the server.
  • You can now use the WYSIWYG editor to update product descriptions.
  • Magento now saves and filters configurable products by their specific options.
  • Magento now displays all images associated with a selected swatch before it displays other images associated with the configurable product.
  • The Add Products Manually option now lets you add existing products as well as generate new variations.
  • Widgets now accept UTF-8 special characters as input parameters.
  • When you edit a product list widget on a CMS page, Magento now shows previously set conditions.
  • Enabling Admin > Stores > Configuration > Advanced > Developer > Merge CSS files no longer degrades product performance.
  • Magento no longer generates incorrect URLs in the site map when the Use Secure URLs in Admin setting is set to Yes.
  • Directive values can now be escaped with quotation marks.
  • Magento now correctly calculates a bundle product’s price even when it contains only one product in a required product option.
  • Magento no longer uses the wrong address template for shipping, invoice and credit memo emails when a second website has a different template.
  • Inline translation is now available for button elements.
  • Log entries no longer show the current_password field, which should be hidden.
  • Backtrace information no longer appears on the frontend.
  • The performance of importing up to 100,000 products from the Admin has been improved.
  • Magento now uses the address template from the store-view level of the placed order.
  • You can now base a Related Product rule on a product attribute, such as color.
  • You can now use REST to successfully update customer information without unintentionally deleting default billing and shipping address information.
  • You can now use REST to add a video to a product description.

All changes for this version can be found in these release notes.

Magento 2.1.10

  • Magento now displays the checkout agreement validation for Terms and Condition acknowledgment after you’ve changed your payment method.
  • Magento now provides a Login button so that customers can resume the checkout process if they return to the checkout page after leaving it mid-order.
  • Credit card information now persists as expected after a customer enters a promotion code during checkout.
  • You cannot check out as a guest customer until you delete any lingering long-term cookies by clicking "Not me".
  • Simple product videos now display the embedded video player instead of the thumbnail image.
  • You can now save a configurable product for which you’ve set the Weight value to this item has no weight.
  • Magento now displays tier prices of simple or virtual products on the configurable products page.
  • You can now save a value for an attribute that is shared between related, upsell, or cross-sell products that have different attribute sets.
  • Magento fixed an issue with session behavior that resulted in different customer sessions being shared between different customers on two websites.
  • Vimeo videos now work when HTTPS is enabled.
  • Magento now displays the correct configurable product price based on the website to which it is assigned.
  • Magento now allows you to import multiple alternative images with multiple labels that include commas in the description.
  • Magento now completes order processing if the customer needs to re-enter credit card information during the order process.
  • You can now receive shipping quotes from either the Admin panel or the storefront.
  • Magento now handles tracking for FedEx shipments with valid tracking numbers as expected.
  • Search synonyms in a group now can declare several words as synonyms. For example, “Elon Musk,tesla” is a valid synonym group, and a search on the phrase “Elon Musk” will also show results for the “tesla” keyword.

All changes for this version can be found in these release notes.

Magento 2.2.1

  • Magento now displays products that are filtered to a particular store view even when the corresponding store view has been deleted.
  • Magento no longer displays the inappropriate product price when a configurable product has two price options.
  • Magento fixed JavaScript date validation on the store front.
  • You can now generate unsecure URLs even when the current URL is secure.
  • Creating a new product with a custom attribute set now works as expected.
  • Magento fixed multiple issues where indexes were invalidated as a result of typical import, scheduled import, and catalog permission tasks.
  • You can now use PayPal Express Checkout to place an order in a split-database environment.
  • If a credit card error occurs on an order, the user can now correct the error and successfully create a new order.
  • Magento now completes processing an order if the customer needs to re-enter credit card information during the order process.
  • Search terms from the same synonym group now return the same results.
  • Search query results are now more consistent.

All changes for this version can be found in these release notes.

Remember to back up before installing an update.

(Featured image by peshkova)