On October 8th, 2019, Magento released the latest iterative versions of their software. With these new releases, you have a very important choice to make. Upgrade your storefront to incorporate the latest bug and security fixes and improvements, or apply a patch to your existing version to ensure you are gaining the security enhancements needed.
Magento 1.9.4.3 and 1.14.4.3
If you’re still on Magento 1.x, you’ll be able to download Magento Open Source (Community Edition) version 1.9.4.3. Alternatively, for those with a paid license, you’ll be able to access Magento Commerce (Enterprise Edition) 1.14.4.3.
Both are considered minor releases on the path toward Magento 1 End of Life. You can listen to Episode 1 of The JetRails Podcast to learn more about that upcoming sunset of the very much aged (but beloved by many) original version of Magento.
If you upgrade, you’ll get important security fixes in addition to core updates, such as the removal of WebserviceX from the Magento 1.x code base and the addition of CurrencyConverterAPI and FixerIO as alternative currency services.
Magento SUPEE-11219
Upgrading brings core enhancements as well, but if you prefer to stay on your current version you can instead patch your site with SUPEE-11219 to address the known security holes. Left unaddressed, these vulnerabilities can allow for:
– Remote Code Execution
– Cross-Site Scripting
– Information Leakage
– Insufficient Logging and Monitoring
Please note that the Magento team initially released this patch only for Magento 1.9.3.x and 1.9.4.x, and is still working on SUPEE-11219 builds for older versions of Magento. If there isn’t a patch for your version yet, keep checking back until it’s available. This is a crucial security patch.
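A quick way to confirm that SUPEE-11219 is actually recorded on a Magento 1 store is to read the list the patch scripts maintain. The script below is an added example, not code from this post or from Magento. It assumes that each patch script appends one line per run to app/etc/applied.patches.list, that the line contains the patch id surrounded by "|" separators, and that a reverted patch is recorded with the word REVERTED on its line; the sample list it builds is constructed, and SUPEE-00000 and SUPEE-99999 are placeholder ids, not real patches.

```shell
#!/bin/sh
# Added example (not from the post or from Magento): report whether a
# Magento 1 patch such as SUPEE-11219 is recorded as applied.
# Assumptions: app/etc/applied.patches.list gets one line per patch run,
# the patch id sits between "|" separators, and a revert is logged as a
# later line carrying the word REVERTED.

# Usage: patch_state <applied.patches.list> <patch-id>
# Prints "applied", "reverted" or "missing"; returns 0 only when applied.
patch_state() {
    list="$1"
    patch_id="$2"
    [ -r "$list" ] || { echo "missing"; return 1; }
    # Last matching line wins: a revert is appended after the original run.
    last=$(grep -F "| $patch_id |" "$list" | tail -n 1)
    if [ -z "$last" ]; then
        echo "missing"
        return 1
    fi
    case "$last" in
        *REVERTED*) echo "reverted"; return 1 ;;
        *)          echo "applied";  return 0 ;;
    esac
}

# Constructed sample list for a dry run. SUPEE-00000 is a placeholder id
# used to show the reverted case; the line layout is simplified.
make_sample_list() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
2019-10-09 09:15:42 UTC | SUPEE-11219 | CE_1.9.4.2 | v1 | applied by dev
2019-10-09 09:40:10 UTC | SUPEE-00000 | CE_1.9.4.2 | v1 | applied by dev
2019-10-09 10:02:03 UTC | SUPEE-00000 | CE_1.9.4.2 | v1 | REVERTED
EOF
    echo "$tmp"
}

# Dry run against the sample; on a real store point patch_state at
# <magento root>/app/etc/applied.patches.list instead.
sample=$(make_sample_list)
patch_state "$sample" SUPEE-11219   # applied
patch_state "$sample" SUPEE-00000   # reverted
patch_state "$sample" SUPEE-99999   # missing (placeholder id)
rm -f "$sample"
```

Because the function's exit status mirrors the verdict, it slots into a deployment check or a cron job that alerts when a store drifts back to an unpatched state after a restore or a code sync.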
Magento 2.2.10
Magento 2.2 is approaching its end of life in December of 2019. With that in mind, this is expected to be the last release for 2.2.x, so if you’re looking for the latest bells and whistles, plan to upgrade to 2.3.x. That said, 2.2.10 includes some important updates, among them support for PHP 7.2.
Even though there are only a couple more months of support ahead for Magento 2.2, this is a pretty extensive upgrade. It includes 75 security enhancements, 147 fixes and improvements to Magento’s core, and includes fixes to 56 issues submitted by the community through GitHub.
This release includes updates for multiple payment gateways to make them PSD2 compliant. PSD2 compliance matters both for stores selling in the EU and for your storefront’s overall checkout security.
In regard to payment modules, you should also be aware that the Cybersource and eWay modules have been deprecated. Moving forward, merchants will be able to download Magento Extensions (as available) for such gateways, but Magento won’t be including them in Magento’s core. This may also be a precursor to Magento Payments moving to general release.
Overall, this release includes major improvements to security, such as stronger protections against future cross-site scripting exploits.
Magento 2.3.3
Like 2.2.10, this release addresses many issues related to PSD2 compliance and cross-site scripting, along with other security and compliance improvements. It also addresses specific issues faced by users of Magento 2.3.x, such as a critical issue with Elasticsearch 6.x. One major security issue that this update addresses is a critical security vulnerability in Page Builder, a feature of Magento Commerce.
Magento 2.3.3 now supports PHP 7.3.x and Varnish 6.2.0, and PWA Studio 4.0.0 has been released. There were also improvements made to Magento Shipping, although it’s worth noting that Temando, an important part of Magento Shipping, has announced a pending shutdown. It’s foreseeable that Magento Shipping users will consider other solutions, like ShipperHQ, to meet their needs in the future.
One item that we’re less sure about is an option to automatically share user data with Adobe. Specifically, Adobe will prompt you to automatically share admin user actions and events. While it makes sense for Adobe to learn how Magento admins interact with their admin panels, as with all data sharing, we recommend pausing to consider whether this is data that you want transmitted and stored.
Magento 2.3.2-p2 Security Patch
For those that can’t or simply won’t always keep up with Magento 2.x upgrades, Magento is now making security-only patches available. These are smaller updates that don’t include other bug fixes and overall iterative improvements. This would be helpful in various scenarios. For instance, if your team is attempting to move into a coding freeze for the holiday shopping season, now might not be the time to apply a bigger update with 100+ additional fixes and improvements, but you don’t want to leave 75 security vulnerabilities sitting in your website in the meantime.
The initial patch was originally made available in a pre-release version, 2.3.2-p1, but Magento is strongly urging merchants to upgrade to 2.3.2-p2 as soon as possible. The 2.3.2-p2 patch release includes the critical security fixes that shipped with both Magento 2.3.3 and Magento 2.2.10.
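Deciding whether a given Magento 2 store already carries these fixes means comparing its version against 2.3.2-p2 (on the 2.3 line) or 2.2.10 (on the 2.2 line), and the "-pN" suffix trips up plain lexical or numeric sorting: "2.3.2-p1" must rank below "2.3.2-p2" but above "2.3.2", and "2.3.3" above both. The script below is an added example, not code from this post or from Magento, and it generalises the post's statement into a comparator for any version string of that shape. It assumes the store's composer.json pins the edition metapackage to an exact version (for example "magento/product-community-edition": "2.3.2-p2"); the composer.json fragment it builds is constructed.

```shell
#!/bin/sh
# Added example, not code from the post or from Magento. Decides whether a
# Magento 2 version string already carries the October 2019 security fixes
# (shipped in 2.3.2-p2, 2.3.3 and 2.2.10), handling the "-pN" suffix that
# plain sorting gets wrong.
# Assumption: composer.json pins "magento/product-<edition>-edition" to an
# exact version string such as "2.3.2-p2".

# Split "2.3.2-p2" into "2 3 2 2"; a version without -pN gets patch level 0.
ver_parts() {
    v="$1"
    base="${v%%-p*}"
    if [ "$base" = "$v" ]; then p=0; else p="${v##*-p}"; fi
    set -- $(printf '%s' "$base" | tr '.' ' ')
    echo "${1:-0} ${2:-0} ${3:-0} $p"
}

# at_least A B: true when A is the same release as B or a newer one.
at_least() {
    set -- $(ver_parts "$1") $(ver_parts "$2")
    for i in 1 2 3 4; do
        eval "a=\$$i; b=\$$((i + 4))"
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0
}

# Prints a verdict for VERSION; returns 0 only when the fixes are present.
# Lines other than 2.2.x and 2.3.x are outside what the post covers.
security_fixes_present() {
    v="$1"
    case "$v" in
        2.3.*) at_least "$v" 2.3.2-p2 && { echo "covered: $v"; return 0; } ;;
        2.2.*) at_least "$v" 2.2.10   && { echo "covered: $v"; return 0; } ;;
        *)     echo "unknown: $v is outside the 2.2/2.3 lines"; return 2 ;;
    esac
    echo "NOT covered: $v predates 2.3.2-p2 / 2.2.10"
    return 1
}

# Pull the pinned metapackage version out of a composer.json file.
installed_version() {
    sed -n 's/.*"magento\/product-[a-z]*-edition": *"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Constructed composer.json fragment standing in for a real store's file.
make_sample_composer() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
{
    "require": {
        "magento/product-community-edition": "2.3.2-p1"
    }
}
EOF
    echo "$tmp"
}

# Dry run: the sample pins 2.3.2-p1, the pre-release patch the post warns about.
sample=$(make_sample_composer)
security_fixes_present "$(installed_version "$sample")"   # NOT covered
rm -f "$sample"
```

Point installed_version at the real composer.json in the Magento root to check a live store; the non-zero exit status on "NOT covered" makes the check usable as a gate in a deployment pipeline.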
… but don’t stop there. Even if you’ve upgraded or patched, it’s important to follow security best practices. For instance, you can use a CDN and WAF to better protect your site, and you should consider whether you’ve conducted a Magento security audit recently.