Magento released version 1.9.4.2 on June 26. The update contains 75 security enhancements and has the patchname SUPEE-11155. There are also 2 small fixes and some changes you can find on Magento DevDocs.
Security Fixes (SUPEE-11155)
- Arbitrary code execution through design layout update (PRODSECBUG-2296)
- Arbitrary code execution through product imports and design layout update (PRODSECBUG-2298)
- Arbitrary code execution via file upload (PRODSECBUG-2349)
- Security bypass via form data injection (PRODSECBUG-2202)
- Arbitrary code execution via malicious XML layouts (PRODSECBUG-2375)
- Remote code execution through crafted email templates (PRODSECBUG-2306)
- MySQL Error through crafted Elasticsearch query (PRODSECBUG-2350)
- Arbitrary code execution via crafted sitemap creation (PRODSECBUG-2351)
- Arbitrary code execution through malicious elastic search module configuration (PRODSECBUG-2266)
There are more security fixes with a CVSSv3 Severity under 9, but they are still very dangerous. You can find a complete list of the 75 fixed vulnerabilities on Magento Tech Resources.
Fixes
- The Magento logging feature now works as expected after the SUPEE-11086 patch is installed.
- Magento 1.14.4.0 and the PHP7.2 support patch now include the same files as expected.
Remember to create a backup before installing updates!
