Magento March 2019 Update: Fixes for Critical SQL Injections and Other Highlights

Magento periodically releases security updates for both the M1 and M2 platforms. They don’t come out very often, but each one bundles important bug fixes and security patches that help you keep your customer data secure.

This spring’s updates for both M1 and M2 contain critical fixes that you should not overlook. Take the time to update your store to the latest version of your platform.

Install the New SUPEE-11086 for Magento 1

On March 26, 2019, the Magento dev team released another batch of important fixes to the platform. Among the security holes they close:

  • remote code execution (RCE) vulnerabilities,
  • cross-site scripting (XSS),
  • cross-site request forgeries (CSRF).

The new patch focuses in particular on a critical SQL injection affecting Magento Commerce 1.9.0.0-1.14.4.0 and Magento Open Source 1.5.0.0-1.9.4.0. Once installed, it moves your store to the patched versions of the platform: Magento Commerce 1.14.4.1 and Magento Open Source 1.9.4.1.

SUPEE-11086 fixes 25 security issues spanning a range of components, from Redis configuration settings to product attributes to store customizations. Until it is installed, your store remains exposed to multiple attack vectors.

SUPEE-11086 is already available for download. Install the patch to protect your data from hackers ASAP.

Update Magento 2 to the Latest Version

Magento 2 also received a sizeable update. The three supported branches of M2 are now at versions 2.3.1, 2.2.8, and 2.1.17.

The M2 fixes cover issues in newsletter and email templates, catalog vulnerabilities, logins that bypass proper authorization, archive-related flaws, and insecure API calls. Order a full Magento security audit to detect all potential issues your site has.

The Magento 2 update addresses a total of 37 security issues ranging in severity from Critical to Low (by CVSSv3 classification). The discovered flaws would let attackers gain unrestricted access to your store and do damage where it really hurts: stealing customer data and credit card payment details, disclosing shipping information, reading PHP server settings, and more.

The Magento dev team advises updating to the latest M2 version as soon as you can.
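A quick way to tell whether a store is inside the affected ranges quoted in the two sections above. This is an added example, not code from the Magento project or from the original post; the edition labels m1-commerce, m1-open-source and m2 are this script’s own convention, and the version boundaries are exactly the ones stated above (Commerce 1.9.0.0-1.14.4.0 fixed in 1.14.4.1, Open Source 1.5.0.0-1.9.4.0 fixed in 1.9.4.1, and the M2 branches fixed in 2.3.1, 2.2.8 and 2.1.17).

```shell
#!/usr/bin/env bash
# Added example (not from the Magento project or the original post):
# reports whether a store version sits inside the ranges that the
# March 2019 updates fix. Edition labels are this script's own convention.

# vercmp A B: prints -1, 0 or 1 for A < B, A = B, A > B on dotted numeric
# versions; a missing component counts as 0 (so 1.9 equals 1.9.0).
vercmp() {
  local a="$1" b="$2" ai bi
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# in_range V LOW HIGH: succeeds when LOW <= V <= HIGH.
in_range() {
  [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# magento_needs_update EDITION VERSION
#   EDITION: m1-commerce | m1-open-source | m2
# Prints "update" when the version is inside an affected range, "ok" when
# it is at or above the fixed release for its branch, and "unknown" for
# branches the March 2019 notices do not cover.
magento_needs_update() {
  local edition="$1" v="$2" fixed=""
  case "$edition" in
    m1-commerce)
      if in_range "$v" 1.9.0.0 1.14.4.0; then printf 'update\n'
      elif [ "$(vercmp "$v" 1.14.4.1)" -ge 0 ]; then printf 'ok\n'
      else printf 'unknown\n'; fi ;;
    m1-open-source)
      if in_range "$v" 1.5.0.0 1.9.4.0; then printf 'update\n'
      elif [ "$(vercmp "$v" 1.9.4.1)" -ge 0 ]; then printf 'ok\n'
      else printf 'unknown\n'; fi ;;
    m2)
      # Each supported M2 branch has its own fixed release.
      case "$v" in
        2.3.*) fixed=2.3.1 ;;
        2.2.*) fixed=2.2.8 ;;
        2.1.*) fixed=2.1.17 ;;
        *) printf 'unknown\n'; return ;;
      esac
      if [ "$(vercmp "$v" "$fixed")" -ge 0 ]; then printf 'ok\n'; else printf 'update\n'; fi ;;
    *) printf 'unknown\n' ;;
  esac
}

# Usage: bash this_file.sh m1-open-source 1.9.3.10   (prints: update)
if [ "$#" -eq 2 ]; then
  magento_needs_update "$1" "$2"
fi
```

On Magento 2 the installed version is printed by bin/magento --version; on Magento 1 it is returned by Mage::getVersion() in app/Mage.php. Only numeric version components are compared, so strip any patch suffix before passing the value in.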

How to Install SUPEE-11086 on Magento 1

Upload the patch to your Magento root directory and run the appropriate command over SSH:

For patch files with the file extension .sh:

sh PATCH_SUPEE-1868_CE_1.7.0.2_v1.sh

For patch files with the file extension .patch:

patch -p0 < PATCH_SUPEE-1868_CE_1.7.0.2_v1.patch

Then refresh the cache in the Admin under System > Cache Management so the changes take effect.

Authorize.Net Direct Post – Problem Solved

As we’ve already mentioned, March 2019 was a turbulent time for store owners who use Authorize.Net Direct Post as one of their payment methods. Direct Post had been in need of an upgrade for a very long time, and in March the dev team finally got around to migrating it from MD5 to SHA-512 hashing.

The developers wanted the migration to be a seamless transition for the users who still have Direct Post on their stores. And even though Direct Post is absolutely ancient, it still has a large audience on the Magento platform.

So the dev team released a fix that store owners had to implement to continue using Direct Post past March 2019. As you can imagine, the vast majority of Magento stores ignored the deadline.

Since the switch would break payments for every store that hadn’t applied the March hotfix, Authorize.Net kept pushing the final cutover from one deadline to the next so users could prepare for the change. But as we all know, users don’t like change, and they don’t like spending time fixing things that haven’t broken (yet). So most of the store owners who used Direct Post were completely unprepared for what was coming.

Finally, the Authorize.Net team decided to postpone the migration until the Magento patches arrived, which in retrospect was a great decision. No hotfix is needed: just update your M1 or M2 store to the latest version and you are good to go. But make sure you do so before June 28.

Magento 2.3.1: Better Speed, More Features

Magento 2.3 brought the community built-in multi-store inventory management, Magento PWA Studio, the first release of Magento Page Builder, declarative schema, and other smaller features. You can read our overview of the Magento 2.3 release here.

Over these four months the Magento dev team has been hard at work. Let’s take a look at what they have achieved since November 2018:

  • updated Magento Page Builder,
  • added the ability to upload PDP images in high resolution,
  • released Inventory Management 1.1.0,
  • introduced quality-of-life development features.

Magento Commerce Page Builder

Magento Commerce now uses Page Builder to edit content with simple drag-and-drop functionality. It’s a great tool for those without HTML/CSS knowledge.

The idea behind Page Builder is that anyone can create and personalize content. Page Builder enables merchants to create content on any page, even building something from scratch. Magento 2.3.1 evolves this idea further.

Updates in Multistore Inventory Management

The new features in this community-built functionality are a welcome change. At last Magento is becoming a viable platform for stores with complex logistics.

Main highlights:

  • Magento can now select warehouses based on distance and time: when determining how to ship an order, the system takes two new factors into account, either how long the goods will take to reach the customer or how far the warehouse is from the shipping address. A more granular priority system is a nice addition to Magento inventory management. Even though the module is still a far cry from the popular third-party solutions on Magento Marketplace, it’s good to see Magento grow its much-needed multi-warehouse capabilities with every release.
  • Managing sources from the Product Grid has become more convenient. Each product has at least 5 sources to choose from, provided the quantity matches your needs.
  • Elasticsearch used to be supported only in Single Source mode. From 2.3.1 you can use it in Multi-Source mode as well. Neat!
  • Managing multiple sources no longer has to be slow. Most users probably remember that the 2.3.0 release was rough around the edges in that regard: the multi-source system suffered from poor performance.
  • Checkout page quality-of-life improvements. Customers can now interrupt the checkout process and continue shopping; when they come back, the page remembers any fields they have already filled in.
  • The main speed improvement is better handling of customers with 3000+ addresses.

Other quality of life improvements:

  • You can now cancel shipments, as long as they haven’t been dispatched yet. Feel free to revisit and cancel any shipments you are not ready to fulfill right now.
  • You can now access the Magento Shipping Portal from within Magento. All you need is your user credentials.
  • You can now apply cart price rules to shipments. Useful when you need to offer special shipping prices regardless of normal shipping costs.
  • Tons of fixes for bundles. Seriously, lots of fixes. You should just read the notes.

Magento 2.3.0 to 2.3.1 Update Instructions

First of all, switch to maintenance mode:

bin/magento maintenance:enable

If you are running Magento 2 Open Source:

composer require magento/product-community-edition 2.3.1 --no-update
composer update

If you are running Magento 2 Commerce:

composer require magento/product-enterprise-edition 2.3.1 --no-update
composer update

Upgrade the database, recompile dependency injection, and deploy static content:

bin/magento setup:upgrade
bin/magento setup:di:compile
bin/magento setup:static-content:deploy

Turn off the maintenance mode:

bin/magento maintenance:disable

This is it. You’ve successfully performed a Magento 2 upgrade! Now go to the frontend and backend and check that everything works.
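The steps above run fine by hand, but if composer update or setup:upgrade fails halfway you do not want to reach the last command and take the store out of maintenance mode with a half-upgraded codebase. The script below is an added example, not code from the Magento project or from the original post: it runs the same commands in the same order, stops at the first failure, and lifts maintenance mode only after every step has succeeded. MAGENTO_BIN and COMPOSER_BIN are this script’s own environment overrides; they default to bin/magento and composer as used in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the Magento project or the original post):
# runs the 2.3.0 -> 2.3.1 steps in order and stops at the first failure,
# leaving maintenance mode ON so a half-upgraded store is never served.
# MAGENTO_BIN and COMPOSER_BIN are this script's own overrides
# (defaults: bin/magento and composer, as in the post).

: "${MAGENTO_BIN:=bin/magento}"
: "${COMPOSER_BIN:=composer}"
FAILED_STEP=""

# package_for EDITION: composer metapackage for "community" or "enterprise".
package_for() {
  case "$1" in
    community)  printf '%s\n' magento/product-community-edition ;;
    enterprise) printf '%s\n' magento/product-enterprise-edition ;;
    *) return 1 ;;
  esac
}

# step CMD...: runs one command, echoing it to stderr; on failure leaves
# the command line in FAILED_STEP and returns non-zero.
step() {
  FAILED_STEP="$*"
  printf '==> %s\n' "$*" >&2
  "$@" || return 1
  FAILED_STEP=""
}

# m2_upgrade EDITION VERSION: returns 0 only when every step succeeded.
m2_upgrade() {
  local edition="$1" version="$2" pkg
  if ! pkg="$(package_for "$edition")"; then
    FAILED_STEP="unknown edition: $edition"
    return 1
  fi
  step "$MAGENTO_BIN" maintenance:enable || return 1
  step "$COMPOSER_BIN" require "$pkg" "$version" --no-update || return 1
  step "$COMPOSER_BIN" update || return 1
  step "$MAGENTO_BIN" setup:upgrade || return 1
  step "$MAGENTO_BIN" setup:di:compile || return 1
  step "$MAGENTO_BIN" setup:static-content:deploy || return 1
  # Only reached when code, database and static assets are all in place.
  step "$MAGENTO_BIN" maintenance:disable || return 1
}

# Usage: bash this_file.sh community 2.3.1
if [ "$#" -eq 2 ]; then
  if m2_upgrade "$1" "$2"; then
    printf 'Upgrade to %s finished; check the storefront and admin.\n' "$2"
  else
    printf 'Upgrade stopped at: %s\nStore is still in maintenance mode.\n' "$FAILED_STEP" >&2
    exit 1
  fi
fi
```

Because maintenance mode is lifted only after the last step succeeds, a failed composer update or setup:upgrade leaves the store offline instead of serving a half-upgraded codebase. Fix the cause, rerun the remaining steps, and then disable maintenance mode.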

If you need help applying the updates so that they work well with your customizations, contact us now and we’ll make sure everything runs smoothly.

Looking Forward to New Magento Releases

Update 2.3.1 has given the community a lot of interesting features, but what can we look forward to in the next release?

According to the unofficial M2 roadmap and other announcements, Magento 2.4 will have:

  • Advanced reporting. Magento lacks more complex analytics tools, so the dev team decided to build a better reporting module into Magento 2. Bear in mind that for now this is an EE-only feature.
  • Further introduction of native PWAs for Magento. Magento 2.3 released Magento PWA Studio; Magento 2.4 will extend its functionality.
  • Completion of the GraphQL API. Some features were left out; the dev team will introduce the rest of this promising API in the 2.4 release.
  • Further Apollo API development.

We are looking forward to what Magento 2.4 will bring to the table. In the meantime, if you have any problems updating to Magento 2.3.1, 2.2.8 or 2.1.14, get in touch. We are ready to help.
