SUPEE-11346
On June 22nd, 2020, Adobe released its last patch for Magento 1 – SUPEE-11346. This patch is associated with Adobe security bulletin ASPB20-41, and is important for any sites still on Magento 1 Open Source Edition or Magento 1 Commerce Edition.
The good news is that while this patch addresses a critical PHP object injection vulnerability (Magento Bug ID: PRODSECBUG-2758) as well as an important stored cross-site scripting vulnerability (Magento Bug ID: PRODSECBUG-2759), both issues require Magento admin privileges in order to be exploited. In other words, these issues don’t leave sites susceptible to attackers who don’t already have admin privileges on your Magento 1 website.
If you’re working with a team like JetRails to secure your Magento admin and to otherwise secure Magento from intrusion, you should be in pretty good shape on this one, but it’s still important to install this patch, including to maintain PCI and other compliances.
It’s equally important to have a source of patching moving forward now that we’ve reached the end of life of the Magento 1 software. At JetRails, we’re helping clients to vet options including Mage-One and OpenMage.
Patch 2.3.5-p2
If you’re on Magento 2.3.5 and not yet ready to upgrade to Magento 2.4, you’re going to want the 2.3.5-p2 Magento patch, which is scheduled for general release on July 28th, 2020. This patch includes over 30 security updates for Magento 2, including fixes for remote code execution and cross-site scripting vulnerabilities. While Adobe is reporting that these vulnerabilities have not been exploited in the wild, now that they’re publicly known it’s important to get patched in a timely manner.
Magento 2.4
The latest major version of Magento, 2.4, also releases on July 28th, 2020, and includes many enhancements and improvements: over 100 fixes to Magento 2’s core code; support for PHP 7.4, Elasticsearch 7.6, MySQL 8.0, and MariaDB 10.4; a move away from older technology like Zend Framework and MySQL catalog search; and the removal of outdated core-bundled payment gateways and integrations such as Authorize.net, eWay, CyberSource, WorldPay, and Signifyd.
Not all 3rd party integrations are being removed, of course. Just the opposite – there are updates to core extensions from dotdigital, Amazon Pay, Braintree Payments, Klarna, Vertex, and Yotpo.
There are more specific improvements too, such as a reduction in the size of network data transfers between Redis and Magento, a reduction in Redis’ consumption of server CPU resources, and support for partial-word searches using Elasticsearch.
Some of these updates can potentially lead to significant improvements. For instance, Adobe is suggesting a speed improvement of up to 30% when it comes to the Quick Order add-to-cart feature.
Some are simple but logical UI/UX updates, such as displaying the waiting/spinning icon while prices are updated on the cart page.
There are API updates too, including GraphQL support for pickupLocations, which should be a big help to organizations that are offering in-store and curbside pickup.
This new version of Magento also includes additional Two-Factor Authentication features. We’re big proponents of using 2FA security, and have a Magento 1 2FA extension available for those that are still on Magento 1.
Another improvement worth mentioning is the new media gallery. This upgraded admin interface for managing images and media adds several benefits. It’s reported to be 30x faster at searching, filtering, and sorting images. It can also help admins evaluate storefront image usage. For those that choose to license stock photos from Adobe, it also allows admins to find Adobe Stock preview images so that they can find images and license them without leaving the Magento Admin interface.
Some updates are specific to Magento Commerce users, such as the addition of Purchase Approval Workflows for B2B organizations. This particular functionality is a natural extension of the Company Accounts feature set, which allows a B2B account to include user accounts for buyers, managers, supervisors, and accounting personnel. This addition makes it possible for admins to create rules that, for example, automatically determine which orders need approval from the purchaser’s manager.
***Whether you upgrade to Magento 2.4.0 or install security patch 2.3.5-p2, it’s important to update your Magento 2.x store in a timely fashion for both security and compliance reasons.***
Composer Root Update Plugin
Magento’s new Composer Root Update Plugin is intended to cut down on the number of manual steps it takes to upgrade a Magento 2.x store, speeding up the process and reducing errors at the same time. The plugin automates many steps that were formerly manual. The Magento team is looking for feedback and welcomes you to Tweet them @Magento to let them know what you think.
Inventory Management
Formerly Multi-Source Inventory (MSI), Magento Inventory Management includes a variety of updates and improvements, including an in-store delivery method, support for bundled products, asynchronous stock re-indexing, bulk interfaces for salability checks, and increased test coverage to further automate testing. Unlike Magento Order Manager, which is a licensed solution, Magento Inventory Management is open source, and available to both Magento Open Source and Magento Commerce users.
PWA Studio 7.0.0
Magento’s PWA frontend platform continues to become more refined in this latest general release. In PWA Studio v7, developers will find a variety of technical improvements, as well as inclusions like an Order Confirmation page. Between features, updates, and bugfixes, there are about 100 pull requests included in this release, including many updates for the Venia UI, the storefront that is native to PWA Studio. There are also 10 documentation updates, including the publishing of a variety of tutorials.
Have questions or want help? Need an introduction to a Magento Agency or just need more security and performance? Our team is here to assist you! We’d love to hear from you.