Magento recently released CE 1.9.2.3 for Magento 1.x and CE 2.0.1 for Magento 2 to address recently found security holes. Magento also released two security patches, SUPEE-7405 and SUPEE-7616. Let's look in detail at what they are for:
Magento 1.9.2.3 Community Edition
Alongside the security patches SUPEE-7405 and SUPEE-7616, Magento has released Magento 1.9.2.3, which includes an update to the USPS API and a bundle of patches to improve the security of your Magento installation.
It is highly recommended to upgrade your Magento store to 1.9.2.3 or later for all new installations and upgrades to ensure that you have the latest fixes, features, and security updates.
Check out our Magento Upgrade Service page for more information.
If you are not able to upgrade your Magento store, make sure you install these security patches on it. You can follow the methods below or contact us for our Security Patch Installation Service.
Leverage latest fixes, features, and security updates through upgrading #magento and stay safe https://t.co/XtKeIuUA71
— MageComp (@theMageComp) February 17, 2016
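To check whether a Magento 1 store actually carries these fixes before relying on it, here is an added shell script (not MageComp's or Magento's own code). It reads the version from app/Mage.php and looks for SUPEE-7405 and SUPEE-7616 in app/etc/applied.patches.list, the log Magento's patch scripts append to; the 1.9.2.2 store it builds for the offline demo is a constructed sample.

```shell
#!/bin/sh
# Added example (not MageComp's or Magento's code): verify a Magento 1 install
# either runs 1.9.2.3+ or has both SUPEE-7405 and SUPEE-7616 recorded in
# app/etc/applied.patches.list, the file Magento's patch scripts append to.

# Print the dotted version from Mage::getVersionInfo() in app/Mage.php (e.g. 1.9.2.2).
mage_version() {
    for key in major minor revision patch; do
        sed -n "s/.*'$key' *=> *'\([0-9]*\)'.*/\1/p" "$1/app/Mage.php" | head -n 1
    done | tr '\n' '.' | sed 's/\.$//'
}

# Succeed when dotted version $1 >= $2, comparing numerically field by field
# (so 1.9.2.10 sorts above 1.9.2.3, which plain string comparison gets wrong).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)" = "$2" ]
}

# Succeed when patch id $2 is recorded in the applied-patch log under root $1.
patch_applied() {
    grep -q "$2" "$1/app/etc/applied.patches.list" 2>/dev/null
}

# Report whether the install at $1 carries the fixes; exit status 0 means protected.
magento1_protected() {
    v=$(mage_version "$1")
    if version_ge "$v" 1.9.2.3; then
        echo "OK: Magento $v already includes the SUPEE-7405/SUPEE-7616 fixes"
        return 0
    fi
    missing=""
    for p in SUPEE-7405 SUPEE-7616; do
        patch_applied "$1" "$p" || missing="$missing $p"
    done
    if [ -z "$missing" ]; then
        echo "OK: Magento $v with both security patches applied"
        return 0
    fi
    echo "WARN: Magento $v is missing:$missing (upgrade to 1.9.2.3 or apply the patches)"
    return 1
}

# Constructed fixture for an offline demo: a 1.9.2.2 store with only SUPEE-7405 applied.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/app/etc"
printf "'major' => '1',\n'minor' => '9',\n'revision' => '2',\n'patch' => '2',\n" > "$demo_root/app/Mage.php"
echo "2016-01-20 12:00:00 UTC | SUPEE-7405 | CE_1.9.2.2 | v1 | constructed-sample" > "$demo_root/app/etc/applied.patches.list"
magento1_protected "${1:-$demo_root}"   # pass your Magento root as the first argument
```

Run it with the store's document root as the first argument; without one it checks the constructed fixture and reports SUPEE-7616 missing.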
Magento 2.0.1 Community Edition
Yes, alongside these two security patches Magento also had to release a newer version for Magento 2, Magento 2.0.1. This release contains several important functional updates, including official support for PHP 7.0.2.
PHP 7.0.2 Compatibility
Magento 2.0.1 adds support for PHP 7.0.2, which provides dramatic performance improvements, drastically reduces memory consumption, and supports new PHP language features.
Security Updates and USPS Changes
If you are using Magento 2.0, it is highly recommended to upgrade to 2.0.1, as the latest release addresses numerous enhancements to improve the security of a Magento 2.0 installation.
Security fixes in this release include the following:
- SQL injection.
- Persistent XSS vulnerability for order comments made from Admin.
- Ability to save XSS code into the database.
- Reflected XSS in cookie HTTP header.
- CSRF vulnerability on cart checkout.
- Ability for users to bypass filter by editing inline translations.
- Ability to access core system information using CMS blocks and cache entries.
- Ability to save XSS code through custom options.
- Ability to bypass Magento storefront CAPTCHA.
- Persistent XSS using customer name.
- Ability for unauthenticated users to delete any product review from the storefront.
- Attackers able to access order information in the store.
- Lack of password quality enforcement when changing admin passwords.
The USPS changes are the same as those described above for 1.9.2.3.
For more information about the other changes in this release, you can read the Magento Release Notes.
Update:
Release of Magento 2.0.2
Magento has followed up with a few bug fixes in a new release, 2.0.2. This version resolves the issues encountered when upgrading from 2.0.0 to 2.0.1 using a compressed archive file. If you installed Magento through a Git clone or composer create-project, your current installation is not affected, as the release includes no code changes for those installs. But if you installed the upgrade from an archive, you may run into issues when applying future updates.
Bugs fixed in this release
- Exception or fatal error encountered when upgrading Magento from 2.0.0 to 2.0.1.
- No more errors while upgrading from Magento 2.0.0 to Magento 2.0.1 using composer update.
- Successful use of Packagist to upgrade from Magento 2.0.0 to Magento 2.0.1.
- No more updater application error for the server on PHP 7 during Magento upgrade process.
Do leave a comment or two if you can share more information about these latest security updates!