On April 28, 2020, Magento released software patches and updates for all of its currently supported versions. This includes Magento 2.3.x and the soon to be end-of-life Magento 1.x version. Whether you patch or upgrade, it’s important to act, since these releases address security vulnerabilities. If you’re accepting credit cards, keep in mind that you need to patch your site within 30 days of the release of security patches to stay PCI compliant.
***On May 12, 2020, Magento released SUPEE-11314-v2, which addresses some security fixes that were not included in the initial version. If you already downloaded or installed the original patch, you should revert the changes and apply version 2 of the patch as soon as possible.***
What’s addressed in these patches and updates?
A range of moderate, important, and critical security issues are addressed in these software releases. That includes a variety of types of vulnerabilities, including:
– Command injection
– Stored cross-site scripting
– Security mitigation bypass
– Defense-in-depth security mitigation
– Authorization bypass
– Observable timing discrepancy
How worried should you be?
Most of these vulnerabilities are not exploitable without credentials or administrative privileges, but it is still extremely important to patch in a timely manner. Adobe reported that none of the “critical” vulnerabilities are exploitable without credentials or administrative privileges, which makes it much less likely that the most severe issues can be easily used by hackers.
Adobe marked all of these updates as “Priority 2,” which they define as updates for vulnerabilities that, as far as they know, have not currently been exploited in the wild. They do not anticipate an imminent threat to Magento websites, but they still recommend patching within 30 days.
Magento CE 1.x, EE 1.x, & SUPEE-11314-v2
If you’re still on Magento 1.x, it’s fair to anticipate at most one last security update after this, but that’s about it. We’d be happy to chat with you about how we can support you with patches from Mage-One or OpenMage through our Magento 1 EOL support program.
However, keep in mind that the Magento Open Source 1.x and Magento Commerce 1.x releases are security-only releases. Even Mage-One, which will pick up by providing paid patches once M1 reaches end-of-life, will only be providing patches related to security.
If you’re looking for new features, by-and-large, you won’t find them being released for the core of Magento 1. Additionally, Magento extension developers are individually making decisions around when to stop investing in their Magento 1 extensions – some have already stopped supporting their existing M1 extensions. Don’t expect a lot of new extensions or integrations for Magento 1.
If you’re on Magento 2.3.4, and you don’t want to upgrade to Magento 2.3.5, you don’t have to. You can upgrade to 2.3.4-p2 to get the latest security updates. This can be less resource-intensive since the full 2.3.5 upgrade includes many additions and improvements, increasing the chances that you may need to address compatibility issues with extensions and customizations in your particular site. With over 25 security enhancements, you’ll want to at least upgrade to 2.3.4-p2, even if you’re not ready to roll out the full 2.3.5 update.
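The decision above comes down to a version comparison that is easy to get wrong: 2.3.4-p2 sorts after 2.3.4-p1 but before 2.3.5, and a plain string compare does not know that. The following script, added here as an example and not code from Magento or from the original post, reads the Magento metapackage version out of a composer.lock and reports whether the site is below the 2.3.4-p2 floor named in this post. The composer.lock sample is constructed for illustration; the package names magento/product-community-edition and magento/product-enterprise-edition are the real metapackage names.

```python
import json
import re

# Oldest release that carries the April 2020 security fixes per this post
# (2.3.5 is newer and therefore also passes the check).
MIN_PATCHED = "2.3.4-p2"

# Constructed sample of the relevant part of a composer.lock; a real file
# lists many more packages and fields per package.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "102.0.4"},
        {"name": "magento/product-community-edition", "version": "2.3.4-p1"},
    ]
})

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

MAGENTO_METAPACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)


def parse_version(version):
    """Turn '2.3.4-p2' into a comparable tuple (2, 3, 4, 2).

    A release with no -pN suffix sorts as patch level 0, so
    2.3.4 < 2.3.4-p1 < 2.3.4-p2 < 2.3.5 holds under tuple comparison.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def installed_version(composer_lock_text):
    """Return the Magento 2 metapackage version recorded in composer.lock."""
    data = json.loads(composer_lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") in MAGENTO_METAPACKAGES:
            return pkg["version"]
    raise LookupError("no Magento metapackage found in composer.lock")


def needs_security_patch(version, minimum=MIN_PATCHED):
    """True when the installed version is older than the patched floor."""
    return parse_version(version) < parse_version(minimum)


def check_composer_lock(composer_lock_text):
    """Return (installed_version, needs_patch) for a composer.lock body."""
    version = installed_version(composer_lock_text)
    return version, needs_security_patch(version)


if __name__ == "__main__":
    # Run against the constructed sample; point it at a real
    # composer.lock by reading the file and passing its contents.
    version, needs = check_composer_lock(SAMPLE_COMPOSER_LOCK)
    state = "needs the 2.3.4-p2 or 2.3.5 update" if needs else "is patched"
    print(f"Magento {version} {state}")
```

The constructed sample reports 2.3.4-p1 as needing the update; a lock file pinned to 2.3.4-p2 or 2.3.5 passes. The check only looks at the declared metapackage version, so a site whose composer.lock was edited by hand without running the actual upgrade would still appear patched.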
On top of addressing security vulnerabilities, Magento 2.3.5 includes a range of platform upgrades, performance boosts, infrastructure improvements, and other changes. For example:
– Support for Elasticsearch 7.x
– Deprecation of all payment integrations except for PayPal
– Deprecation of the Signifyd core-bundled module
– Reduction in data transfer sizes and CPU utilization by Redis
This release also includes hundreds of bug fixes.
Additionally, Magento Commerce users will benefit from some updates that are exclusive to the enterprise version of Magento 2. This includes updates to the Magento Commerce Page Builder, such as the addition of Templates, which let you save work and apply it to new content you create in the future. This will come in handy for businesses that want to use Page Builder to launch a variety of similar-looking CMS pages.
Magento Commerce users will also get to use Product Recommendations powered by Adobe Sensei, an AI-driven way of delivering product recommendations to shoppers. Magento 1 & 2 Open Source users can still leverage systems like Searchspring to benefit from AI-powered product recommendations.
PWA Studio 6.0.0
Magento has launched version 6 of PWA Studio, which includes the ability to create an extensibility API, among various other enhancements and improvements. There’s also a PWA Studio Fundamentals tutorial now available.