Magento 1.9.4 was released on November 28 and contains the security patch SUPEE-10975 with 30 fixes for multiple critical security issues. Besides the fixed vulnerabilities, support for PHP 7.2 was added and some bugs were solved.
The major fixed security issues:
- Stops Brute Force Requests via basic RSS authentication (PRODSECBUG-1589)
- M1 Credit Card Storage Capability (MAG-23)
- Authenticated RCE using customer import (PRODSECBUG-2149)
- API Based RCE Vulnerability (PRODSECBUG-2159)
- RCE Via Unauthorized Upload (PRODSECBUG-2156)
- Authenticated RCE using dataflow (PRODSECBUG-2155)
- Prevents XSS in Newsletter Template (PRODSECBUG-2053)
- More in the Magento Security Center
Fixes and enhancements
- This release provides support for PHP 7.2.
- Magento removed the CC module. As a result, third-party modules that depend upon either the ccsave method or the xmlconnect method will not work as expected. Third-party themes that implement ccsave will not work as expected, either.
- The Magento logo has been updated throughout the code base.
- The Continue button now works as expected on the Payments step of checkout when paying with the PayPal payment method.
- Google Tag Manager now logs sales information in Google Analytics as expected.
- The product export CSV file now contains columns for super attributes.
- Magento no longer throws an error when a customer accesses their shopping cart after items in their cart have been removed due to a timeout. Previously, Magento displayed this error, `Notice: Undefined variable: freePackageValue in /var/www/dev/htdocs/app/code/core/Mage/Shipping/Model/Carrier/Tablerate.php on line 130`.
- Clicking on a configurable product’s swatch on the product list page now updates product price as expected.
- Customers can now successfully add a grouped product to their shopping cart when category permissions are enabled.
- Magento no longer displays incorrect prices on the storefront after a failure of the enterprise refresh index.
- Magento resolved issues in the indexing locking mechanism that previously resulted in Magento throwing an exception after indexing completed.
- Magento no longer throws a fatal error when a merchant uses an already reserved word to name a product attribute.
- Magento now adds the correct sales tax to orders being shipped to U.S. addresses that use zip codes with the optional four-digit suffix (for example, 73365-1234).
- Magento now displays all products on a production website that were edited by a role-restricted user on the associated staging website.
- Magento resolved an issue that caused Target Rules to throw an exception when a customer opened a product view page.
Remember to create a backup before updating.
