On March 26, Magento released updates for Magento 2.1, 2.2 and 2.3. Those updates contain also security related fixes and enhancements. Magento had multiple vulnerabilities that allowed hackers to gain access to customer information or take over administrator sessions. The update should be installed as soon as possible to close the cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities.
Security fixes (SUPEE-11086)
- SQL Injection through an unauthenticated user (PRODSECBUG-2198)
- Remote code execution via server side request forgery (PRODSECBUG-2285)
- Arbitrary code execution (PRODSECBUG-2232, 2252, 2253, 2261, 2273)
- Remote code execution through PHP code (PRODSECBUG-2203)
- Remote code execution through arbitrary XML data (PRODSECBUG-2210)
- Stored cross-site scriptingin the escaper framework (PRODSECBUG-2245)
- Reflected cross-site scripting (PRODSECBUG-2182)
The complete List of fixes is available on magento.com.
The highlights of Mangento 2.3.1
Merchant tool enhancements
Improved order creation workflow in the Admin
- The Admin order creation workflow has been refactored to eliminate delays when editing billing and shipping addresses.
Ability to upload PDP images without compression and downsizing
- Merchants can now upload PDP images larger than 1920 x 1200 without first compressing and downsizing the images.
Inventory Management 1.1.0 (Community-developed feature!)
- The Multi-Source Inventory (MSI) community project has added multiple new features to this release of Inventory Management.
- Support for Elasticsearch and Inventory Management.
- All site searches now return correct products and quantities when Elasticsearch is used as the search engine. Searches return results from stock assigned to the website. Advanced features are supported, including filtering search results.
- Distance Priority Source Selection algorithm (SSA) option.
- Merchants can enable this algorithm to reduce fulfillment costs by shipping orders from the closest inventory locations. This SSA option uses address geocoding through the Google Maps API to calculate the shortest distance for deliveries.
- Enhancements to mass inventory transfers
- Bulk transfer of inventory has been optimized to improve processing speed and to reduce locking during transfers.
- In-store pickup fulfillment option
- Merchants can use Inventory Management to enable in-store pickup for selected sources, which can reduce shipping costs and increase customer satisfaction. Store pickup orders have a higher reservation priority than shipped orders, which prevents insufficient inventory available in sources to fulfill shipped orders.
Improved developer experience
Automation of upgrade process dependency assessment
- A new composer plugin
magento/composer-root-update-pluginautomatically updates all dependencies incomposer.jsonduring a Magento 2.x upgrade.
Progressive Web Apps (PWA) Studio
PWA Studio is a set of developer tools that allow you to develop, deploy, and maintain a PWA storefront on top of Magento 2.x.
GraphQL
- Community contributions for this release include major additions to cart actions (create cart, populate cart, set shipping address) and customers (create customer account)
Security enhancements
More informations about security related fixes/enhancements on top of this article.
Perfomance boosts
- Customer address handling has been rewritten with UI components that increase platform performance, which in turn streamlines the management of customers with 3000 and more addresses.
- The Admin order creation page now handles customer accounts with 3000 addresses without performance issues.
- Magento now displays the list of additional customer addresses contained in the storefront customer address book as a grid, which has improved performance for customers with many additional addresses associated with their accounts.
- The shipping and billing data that a user enters during checkout nows persists if the user interrupts checkout to continue shopping.
Infrastructure improvements
- This release includes a new Authorize.Net extension to replace the Authorize.Net Direct Post module, which implemented an MD5-based hash that Authorize.Net will no longer support as of June 28, 2019.
- Accept.js library is now used for Authorize.NET payments.
- Magento now supports Elasticsearch 6.0.
- Update PayPal Express Checkout to
checkout.js v4. This introduces a modernized checkout flow, faster checkout performance, and new payment options in a single integration that does not have to be updated as new payment methods become available. It also unlocks new payment options including Venmo and PayPal Credit. - Magento now supports Redis 5.0.
- Magento support for PHP has changed slightly as a result of expanding our Elasticsearch support in this release. Magento 2.3.1 is compatible with PHP 7.2.x and certified on PHP 7.2.11.
- You can now isolate and extract MySQL Views from regular database tables with no negative effects on database backup and restoration.
- Magento now uses version 6.0 of the DHL XML Services schema for the DHL shipping method.
- Checkout information now persists after a cart update. Information previously entered by a customer during check out (such as shipping address) now persists after the customer updates their shopping cart.
- Upgrade of Magento Functional Test Framework (MFTF) to 2.3.13.
You can find the complete list of changes on devdocs.magento.com.
The Highlights of Magento 2.2.8
Merchant tool enhancements
Improved order creation workflow in the Admin.
- The Admin order creation workflow has been refactored to eliminate delays when editing billing and shipping addresses. Processing of these fields now happens only after they are populated. 96174
Ability to upload PDP images without compression and downsizing.
- Merchants can now upload PDP images larger than 1920 x 1200 without first compressing and downsizing the images.
Substantial security enhancements
More informations about security related fixes/enhancements on top of this article.
Infrastructure improvements
- Magento now supports Elasticsearch 6.0. (Elasticsearch 5.x reached end-of-life on March 11, 2019.
- Magento’s implementation of the Authorize.Net Direct Post payment method currently uses MD5 based hash for all M1 and M2 installations. As of June 28, 2019, Authorize.Net will stop supporting MD5 based hash usage.
You can find the complete list of changes on devdocs.magento.com.
The highlights of Magento 2.1.17
Magento 2.1.17 only contains the security fixes (mentioned above) and the changes to the Authorize.Net extension.
Magento’s implementation of the Authorize.Net Direct Post payment method currently uses MD5-based hash for all M1 and M2 installations. As of June 28, 2019, Authorize.Net will stop supporting MD5-based hash usage.
See the official post on devdocs.magento.com.
Remember to create a backup before updating your site.
