On November 28 the latest version of Magento 2.3 was released, but also an update for 2.2.x which fixes over 30 critical security risks and over 150 issues in the Magento core code. The found vulnerabilities were not exploited yet but it is highly recommended to update as soon as possible to stay protected.
This release includes improvements to general usability of the core code plus enhancements to wishlist and shipping features.
The fixed vulnerabilities (Patch SUPEE-10975)
- PHP Object Injection (POI) and Remote Code Execution (RCE) in the Admin (also Magento 2.1.15 Admin) (PRODSECBUG-2123 + PRODSECBUG-2122)
- Unauthorized File Upload via Customer Attributes (PRODSECBUG-2160)
- Remote Code Execution through Path Traversal / Admin / Upload of Quote File / Race Condition (PRODSECBUG-2151 + PRODSECBUG-2154 + PRODSECBUG-2057 + PRODSECBUG-2157)
- Stops Brute Force Requests via basic RSS authentication (PRODSECBUG-1589)
- M1 Credit Card Storage Capability (MAG-23)
- Authenticated RCE using customer import (PRODSECBUG-2149)
- API Based RCE Vulnerability (PRODSECBUG-2159)
- RCE Via Unauthorized Upload (PRODSECBUG-2156)
- Authenticated RCE using dataflow (PRODSECBUG-2155)
- Prevents XSS in Newsletter Template (PRODSECBUG-2053)
- More in the Magento Security Center
The fixes and enhancements in Magento 2.2.7
General:
- All relevant attributes are now populated in the Google Tag Manager when a customer adds a product to their shopping cart.
- The Magento UPS module has been updated to support new UPS API endpoints.
- Currency conversion rate services now work as expected in the Admin.
- Magento can no longer send more than 50 emails per cronjob, which will reduce duplicate emails.
- The email server no longer throws an exception when a customer places an order using a PayPal payment method.
- You can now use REST to add a configurable product to a shopping cart without creating a duplicate product entry.
- The price range displayed for bundle products now shows only valid prices.
Wishlist:
- Customers can now choose which wishlist to add a product to.
- Products disabled in the Admin no longer appear in storefront wishlists.
- Magento now displays a success message when a customer successfully updates a wishlist.
- Magento now displays the correct options when you click on View Details for a product with configurable options.
There are many fixes for the installation and setup process of Magento in this update, addidional are in: Bundle products, CAPTCHA, Cart and checkout, catalog, minor refactoring, Configurable products, Customer, EAV, Frameworks, General, Infrastructure, Payment methods, Reports, Shipping, Testing, Translation, UI and Sales.
A complete list of all changes can be found in the Magento DevDocs.
Magento 2.1.16
On November 28 the update 2.1.16 was released along with Magento 2.1.16 and 2.3. Magento 2.1.16 contains fixes for various bugs and enhancements (like support for PHP 7.1) and fixes for 30 security risks like in the other updates. The found vulnerabilities were not exploited untill now, but it is highly recommended to update as soon as possible to stay secure.
The highlights of the fixes and enhancements in this version are:
- 30 security enhancements and fixes (like 2.2.7 above)
- Magento 2.1.16 now provides support for PHP 7.1.
- The Magento UPS module has been updated to support new UPS API endpoints.
- Magento now maintains product image roles as expected after upgrade.
- Magento now supports the new top-level address domains.
- Parent theme image height settings (specified in view.xml) no longer override the height settings assigned to individual images.
- When editing an Admin user role, Magento now displays the Customer Groups section under the Customers section as expected.
- The sidebars for the wishlist on the catalog, my account, and checkout pages now render special characters correctly.
- The password reset strength meter that Magento displays when a customer resets a password now works correctly.
- Magento now displays the wishlist icon on the shopping cart in mobile view.
An overview of all the changes can be found in the Magento DevDocs.
Remember to create a backup before installing updates.
