This past week, Magento released a patch as well as new versions of both Magento 1 and Magento 2.
The patch is SUPEE-10975, which was released alongside Magento Commerce (Magento Enterprise) version 220.127.116.11 and Open Source (Magento Community) version 18.104.22.168. It tightens security around almost 20 vulnerabilities, including protection against:
– Brute Force logins to the Magento admin panel
– Access to the Magento admin panel from IP addresses that aren’t whitelisted
– API connections being used as an attack vector
– Low-level Admin users being able to inject code and take malicious actions
– Access to backups, which were previously not able to be encrypted out-of-the-box
– Using an outdated version of jQuery, which is likely to fail PCI compliance scans
– Send to a Friend feature being abused by botnet attackers
– Spamming of shopper wishlists
– Users submitting harmful files through video upload features
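Before you rely on any of the protections above, confirm that the patch is actually recorded on each environment you deploy to. The script below is an added example and is not from the original post; it assumes the Magento 1 convention that the patch installer appends an entry for each applied patch to app/etc/applied.patches.list, and the sample file it builds is constructed (the line layout is simplified; the check only relies on the SUPEE-NNNNN token on each line).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Magento 1 records applied
# patches in app/etc/applied.patches.list; the sample file below is constructed.

# Print the distinct SUPEE patch identifiers found in a patch list file.
list_applied_patches() {
    # $1 = path to applied.patches.list
    [ -r "$1" ] || return 1
    grep -o 'SUPEE-[0-9]*' "$1" | sort -u
}

# Return 0 if every patch id given after the file path appears in the file.
# Prints "OK <id>" or "MISSING <id>" per patch so the output can go in a report.
check_required_patches() {
    file=$1; shift
    missing=0
    applied=$(list_applied_patches "$file") || { echo "cannot read $file"; return 2; }
    for id in "$@"; do
        if printf '%s\n' "$applied" | grep -qx "$id"; then
            echo "OK      $id"
        else
            echo "MISSING $id"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: two earlier patches recorded, SUPEE-10975 not yet applied.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2018-01-10 09:12:01 UTC | SUPEE-10266 | CE_1.9.3.6 | v1 | applied
2018-06-27 14:03:55 UTC | SUPEE-10752 | CE_1.9.3.9 | v1 | applied
EOF

if check_required_patches "$sample" SUPEE-10752 SUPEE-10975; then
    echo "all required patches are recorded"
else
    echo "at least one required patch is missing"
fi
rm -f "$sample"
```

Run it from the Magento root with the real file path (for example `check_required_patches app/etc/applied.patches.list SUPEE-10975`) on staging and again on production after deployment; a non-zero exit status is what a deployment pipeline would key on.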
This patch also removes the Saved Credit Card feature, which should not be used regardless of this patch. All credit card transactions taking place through your Magento website should go through a secure, PCI compliant gateway. Whether you use Adyen, AmazonPay, Authorize.net, Bolt, Braintree, CCBill, CyberSource, Klarna, Moneris, PayPal, Square, WorldPay, or another service, you should not be storing credit card data within your Magento website. Should you need to keep cards on file, this should be done with a vaulting solution from one of these providers.
Magento Open Source 22.214.171.124 and Magento Commerce 126.96.36.199 include additional updates, above and beyond the security enhancements provided by SUPEE-10975. Examples include:
– Support for PHP version 7.2
– A fix for how the Continue button functions when using the PayPal payment method in the checkout
– An updated Magento logo, which is used throughout the Magento admin panel
– A fix for Google Tag Manager to properly log sales data in Google Analytics
– Support for Super Attributes in product export CSVs
– A fix for an error that was being displayed to users trying to access their shopping cart after a timeout period had elapsed.
– Clicking on a product swatch on a Category page now updates the product price being displayed as one would expect
– A fix to the indexing locking mechanism that had been throwing an exception error after indexing completed
– Magento will no longer throw a fatal error if an admin attempts to name a product attribute with an already reserved word
– Sales tax will now be properly charged when a shopper enters the 4 digit suffix to their zip code (example: 90210-1234). The tax rules had been triggering a failure when a user entered a 4 digit suffix.*
*This is something that you should discuss with the person(s) that oversee sales tax within your organization.
As you can tell, there are some very important fixes being provided. While the SUPEE-10975 patch is very important from a security perspective, the Magento Open Source 188.8.131.52 and Magento Commerce 184.108.40.206 updates include improvements that will be very important to most merchants.
In other news, the Magento 2.3 general release has finally arrived. This is a significant update for Magento 2, so we highly recommend going back to read these recent articles that touched on Magento 2.3 being on the way and Magento 2.3 being in Beta Release. You can also peruse the Release Notes from Magento, which are extensive.
If you have any questions, please let us know. Also, make sure to test any patches or software updates thoroughly before updating your production websites. It’s common for extensions and/or custom coding within your website to need additional modifications in order to be compatible.