Have you been keeping up with the latest Magento software releases? No? Well, have no fear! We have a roundup for you briefly describing what’s now available and how it can impact your business.
First and foremost, remember that security patches should be applied ASAP. To keep your Magento store PCI compliant, patches need to be installed within 30 days of their general release.
Now, on to the details:
Magento Open Source 2.4.1
While this is only an incremental update, it’s an important one. According to Adobe, “All known issues identified in Magento 2.4.0 have been fixed in this release.” That’s a big relief for merchants that have been hesitant to upgrade to 2.4, this year’s major version release.
One major issue that was addressed related to the SameSite attribute for cookies; other improvements range from a reduction in the size of network transfers between Magento and Redis to improvements to the media gallery in the Magento admin.
In total, there are over 150 core code fixes and over 15 security improvements. Overall, Adobe reported that almost 300 issues reported in GitHub were addressed. As of the writing of this article, there are still roughly 1,700 issues listed in GitHub, but like all software, many of these issues are aspirational and need to be prioritized according to the impact that they’re having on Magento merchants.
How important are these security issues?
Adobe released Magento 2.4.1 on October 15th, 2020. At the time, there were no confirmed attacks related to these vulnerabilities. Adobe has suggested that these security issues range in severity from moderate to critical. All of the critical issues would require the hacker to have admin privileges; however, one of the “important” vulnerabilities (a designation between moderate and critical) does not require admin privileges. It’s a stored cross-site scripting (XSS) issue that allows arbitrary JavaScript execution in the browser. This vulnerability is known by Magento Bug ID PRODSECBUG-2804.
Magento has also added CAPTCHA protection to REST and GraphQL resources.
How does this impact individual Magento store owners?
It means it’s time to update your site. As far as the Magento community knows, these issues haven’t been exploited in the wild, but now that they’re known to the public, patching promptly is extremely important, as with all security issues.
What if you’re not ready to upgrade to Magento 2.4.1?
Magento is now releasing security-patch-only options. See below for more information.
Magento 2.4.0-p1
Magento 2.4.0-p1 is the solution for users on 2.4.0 that aren’t prepared for the full update to 2.4.1. It covers the security enhancements without all of the bug fixes and other general improvements. Since 2.4.0 was a major version with a commensurate number of bugs, it’s foreseeable that many merchants will choose to upgrade rather than patch. Nonetheless, the patch-only option is available.
Magento 2.4.1 Commerce
Among the highlights in the latest release of the paid/enterprise version of Magento, are improvements to Page Builder, which now supports full-screen mode.
For those using Magento Commerce’s B2B feature suite, you’ll find that B2B v1.3.0 includes a range of improvements to key systems. This includes updates to the Order Approval functionality, shipping methods, shopping cart features, and admin features.
Magento 2.3.6
The security issues that were addressed in Magento 2.4.1 and the Magento 2.4.0-p1 security patch are also included in Magento 2.3.6. Magento 2.3 is still a supported version and will receive bug fixes and other quality updates through July 2021, and security patches will be released through April 2022. That security patch date is actually an extension that Adobe implemented due to COVID-19.
With all of that in mind, there are over 160 functional fixes in this release, including some backward-incompatible changes, so expect some extra testing when upgrading, as there may always be when upgrading Magento versions.
Get ready for the future!
Speaking of backward-incompatibility, Adobe is scheduled to release Magento 2.3.7 on May 11, 2021. That release is expected to include support for PHP 7.4.x, and should give you time to test and upgrade, before PHP 7.3 reaches end of life in December 2021.
Magento 2.3.5-p3?
At the time of publishing, there did not appear to be a 2.3.5-p3 patch-only update for the Magento 2.3.x branch that covers these latest security issues. Whether you’re currently on Magento 2.3.5-p1 or Magento 2.3.5-p2, the only available option is to upgrade to Magento 2.3.6. This is not an oversight; it is in keeping with Adobe’s published release calendar:
As the Adobe team published on October 1st, 2020, its Magento patch releases are “not intended to replace strategic upgrade plans for merchants; rather, they offer flexibility for merchants planning their upgrade roadmap and a means to react quickly to security/quality issues without having to implement an entire upgrade.” It’s important to understand this when thinking about the availability of patches. Keep in mind that when it comes to Magento 2, full upgrades were required until October of 2019, when the first patch-only release, for Magento 2.3.2, became available. While Adobe is now committed to releasing patches, they appear to be focused on providing “1 security release per version.”
It’s understandable that some merchants will not be thrilled to need to upgrade during their preparations for the holiday shopping season. Doubly so for merchants that had previously grown accustomed to patches being a consistent option for Magento 1. It is, however, important that sites get these security fixes, so upgrading will be necessary.
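As an added example that is not part of the original post or of Adobe’s or JetRails’ tooling, here is a small POSIX shell helper covering the choice described above between the 2.4.0-p1 security-only release and the full 2.4.1 and 2.3.6 upgrades, followed by the usual Composer-based upgrade steps. It assumes a Composer-based Magento Open Source install using the magento/product-community-edition metapackage and the version format printed by bin/magento --version.

```shell
#!/bin/sh
# Added example, not JetRails' or Adobe's code. Assumes a Composer-based
# Magento Open Source install (magento/product-community-edition; Commerce
# uses magento/product-enterprise-edition instead) run from the store root.

# Read the installed version from the CLI ("Magento CLI 2.4.0" or
# "Magento CLI version 2.3.5-p1"); the version is always the last word.
installed_magento_version() {
    bin/magento --version | awk '{ print $NF }'
}

# Map an installed version to the target release described in the article.
# Prints "<version> <kind>" and returns 0; returns 2 for versions the
# article does not cover. "security-only" is the -pN release that carries
# the security fixes without the functional changes.
magento_target_release() {
    case "$1" in
        2.4.1|2.3.6)              echo "$1 current" ;;
        2.4.0)                    echo "2.4.0-p1 security-only" ;;
        2.4.0-p1)                 echo "2.4.1 full" ;;          # fixes already in; 2.4.1 adds the bug fixes
        2.3.5|2.3.5-p1|2.3.5-p2)  echo "2.3.6 full" ;;          # no 2.3.5-p3 patch-only release
        *)                        echo "$1 unknown"; return 2 ;;
    esac
}

# Pin the Composer metapackage to the chosen version and run the standard
# post-upgrade steps behind maintenance mode. Run this on a staging copy
# first: 2.3.6 and 2.4.1 both ship backward-incompatible changes.
apply_magento_release() {
    target="$1"
    composer require "magento/product-community-edition=$target" --no-update \
      && composer update \
      && bin/magento maintenance:enable \
      && bin/magento setup:upgrade \
      && bin/magento setup:di:compile \
      && bin/magento setup:static-content:deploy -f \
      && bin/magento cache:flush \
      && bin/magento maintenance:disable
}

# Usage from the store root (not executed when this file is sourced):
#   target=$(magento_target_release "$(installed_magento_version)") \
#     && apply_magento_release "${target%% *}"
```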
Then why did Magento 2.3.5 get a 2nd patch?
If you’re wondering why there were a 2.3.5-p1 and a 2.3.5-p2 when Adobe is only planning to release one patch per version, there is a good explanation. Before this version reached general release, an error was discovered. When upgrading from Magento 2.3.4 to 2.3.5, the Magento_Wishlist module would throw an error: “Unable to apply data patch Magento\Wishlist\Setup\Patch\Data\CleanUpData…Unable to unserialize value. Error: Syntax error”.
Adobe chose to create new packages, and changed the name of the release from 2.3.5 to 2.3.5-p1. This same wishlist error caused Adobe to change the name of 2.3.4-p1 to Magento 2.3.4-p2.
Magento Scan Tool
Adobe is taking a page out of the playbook of teams like JetRails and is partnering with Sansec, a leader in malware scanning. JetRails customers will still have their sites scanned with Sansec and a variety of other malware scanners. JetRails customers will also continue to benefit from a variety of proactive and reactive security measures, from web application firewalls (WAF) to intrusion detection systems (IDS). For those not using a more comprehensive Magento security stack like JetRails, this tool will certainly get you a step closer to a healthy security footing.
PWA Studio 8.0.0
The progressive web app studio for Magento storefronts continues to evolve. The Venia theme created for PWA Studio has received many updates, a new mini-cart/shopping bag feature has been added, and overall performance has been improved. There are also previews for what’s to come in the My Account area, with features for wishlists, Order Histories, and address books. While that may sound basic, the purpose of PWA Studio is to make it easy to launch faster, more customized, and personalized app-style experiences. For now, it’s still a minority of users – pioneers perhaps – that have gone this route. As this initiative continues, it’s imaginable that more site owners will choose to use PWA Studio and a variation of the Venia theme to manage their front-end user experience.
Need Help?
Need flexible Magento web hosting tailored to the unique needs of your eCommerce site? Want to improve your Magento site speed? Not sure if your patched or upgraded Magento site can handle your traffic load? In search of a Magento agency to help with patching or upgrading your site? We’re here to help you get the resources that you need, from fully-managed hosting, to hosting consultations, to introductions to leading teams of Magento developers!