Magento 2.3.2 and 2.2.9 Security and Fix Update

Magento released various updates on June 26. The update 2.3.2 contains over 200 functional fixes and 75 security enhancements.

Magento 2.3.2 Highlights

Security

  • 75 security enhancements fixing vulnerabilities that allowed cross-site scripting, arbitrary code execution, and sensitive data disclosure.
  • PaypalRecaptcha module adds Google reCAPTCHA to the Payflow Pro checkout form to prevent spam attacks. No additional configuration is needed to deploy this feature.

Performance

  • Significant improvement to storefront page response time under high load.
  • Improved concurrent access to block cache storage by up to 20%.
  • The product page gallery now loads faster, as quickly as other page content.
  • Improved page rendering through deferred loading and parsing of storefront JavaScript.

Infrastructure

  • The Braintree payment method is now supported for checkout with multiple addresses.
  • Magento now uses the free Image-Charts service to render static charts in Admin dashboards.
  • The CGI URL gateway endpoint in the UPS module has been updated from HTTP to HTTPS because UPS disabled the HTTP gateway in mid-2019.

Various

  • Magento now performs mass editing of products, discount coupon generation and data export as asynchronous background processes and sends system messages to alert Admin users when these tasks complete.
  • Amazon Pay is now compliant with the PSD2 directive for the UK and Germany.

Fixes

This update contains over 200 fixes for issues in installation, backend, bundle, cache, checkout and cart, catalog, code refactoring, customers, dashboard, EAV, email, frameworks, import, infrastructure, orders, newsletter, performance, reports, search, shipping and many other general areas.

You can find a complete list of all the changes on devdocs.magento.com.

Security Fixes (SUPEE-11155)

  • Arbitrary code execution through design layout update (PRODSECBUG-2296)
  • Arbitrary code execution through product imports and design layout update (PRODSECBUG-2298)
  • Arbitrary code execution via file upload (PRODSECBUG-2349)
  • Security bypass via form data injection (PRODSECBUG-2202)
  • Arbitrary code execution via malicious XML layouts (PRODSECBUG-2375)
  • Remote code execution through crafted email templates (PRODSECBUG-2306)
  • MySQL Error through crafted Elasticsearch query (PRODSECBUG-2350)
  • Arbitrary code execution via crafted sitemap creation (PRODSECBUG-2351)
  • Arbitrary code execution through malicious Elasticsearch module configuration (PRODSECBUG-2266)

Further security fixes address vulnerabilities with a CVSSv3 severity below 9; these are still serious. You can find a complete list of the 75 fixed vulnerabilities on Magento Tech Resources.

Magento 2.2.9

Magento released version 2.2.9 along with 2.3.2, 2.1.18 and 1.9.4.2 on June 26. The update contains 75 security enhancements and over 100 fixes.

Security

  • 75 security enhancements to fix vulnerabilities, which allowed cross-site scripting, arbitrary code execution, and sensitive data disclosure. The security fixes are the same as for Magento 2.3.2 above.
  • PaypalRecaptcha module adds Google reCAPTCHA to the Payflow Pro checkout form to prevent spam attacks. No additional configuration is needed to deploy this feature.

Infrastructure improvements

  • The Braintree payment method is now supported for checkout with multiple addresses.
  • The CGI URL gateway endpoint in the UPS module has been updated from HTTP to HTTPS because UPS disabled the HTTP gateway in mid-2019.
  • The Google Chart API has been replaced by Image-Charts.

Fixes

Magento 2.2.9 has over 100 fixes. You can find a complete list of all the fixes on Magento DevDocs.

Remember to create a backup before installing updates!
