Magento 2.3.5 was released on April 29 and includes over 180 functional fixes and over 25 security enhancements. Magento enhanced the userexperience and the security in this update. For more information on the installation of this update visit devdocs.magento.com.
Security Patch (APSB20-22)
Magento 1.9.4.5 contains this security patch too.
This security patch fixes vulnerabilities that have been identified in the last version. You should therefore install this update soon to be protected against hackers exploiting those vulnerabilities.
No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions.
To protect the admin panel you should use 2-FA, VPN, or IP whitelisting.
Security fixes
- veröffentlicht am 28.04.2020
- enthalten in Magento Open Source (zuvor Magento CE) v1.9.4.5 und 2.3.5
- Stored cross-site scripting (PRODSECBUG-2671, PRODSECBUG-2700, PRODSECBUG-2715)
- Sensitive information disclosure (important)
- Command injection (PRODSECBUG-2707, PRODSECBUG-2695, PRODSECBUG-2708, PRODSECBUG-2710)
- Arbitrary code execution (critical)
- Security mitigation bypass (PRODSECBUG-2696, PRODSECBUG-2697)
- Arbitrary code execution (critical)
- Defense-in-depth security mitigation (PRODSECBUG-2541, MPERF-10898)
- Arbitrary code execution or unauthorized access to admin panel (moderate)
- Observable Timing Discrepancy (PRODSECBUG-2677)
- Signature verification bypass (important)
- Authorization bypass (PRODSECBUG-2518)
- Potentially unauthorized product discounts (moderate)
- weitere Details
Security enhancements
Implementation of Content Security Policies (CSP)
Content Security Policies (CSP) provide additional layers of defense by helping to detect and mitigate Cross-Site Scripting (XSS) and related data injection attacks.
Removal of session_id from URLs
Exposure of session-id values in URLs creates a potential security vulnerability in the form of session fixation.
Magento removed code from the classes and methods that add or read session_id from URLs.
Functional Changes
Platform upgrades
- Support for Elasticsearch 7.x
- Deprecation of core integration of third-party payment methods. With this release, the integrations of the Authorize.Net, eWay, CyberSource, and Worldpay payment methods are deprecated and will no longer be supported.
- Deprecation of the core integration of the Signifyd fraud protection code.
- Upgrade of Symfony Components to the latest lifetime support version (4.4).
- Migration of dependencies on Zend Framework to the Laminas project to reflect the transitioning of Zend Framework to the Linux Foundation’s Laminas Project.
Performance boosts
- Improvements to customer data section invalidation logic
- Multiple optimizations to Redis performance
- The enhancements minimize the number of queries to Redis that are performed on each Magento request.
Infrastructure improvements
- The PayPal Pro payment method now works as expected in the Chrome 80 browser.
- A PHPStan code analysis check has been integrated into Magento static builds. This tool performs sophisticated static code analysis and identifies additional issues that are currently not detected by PHP CodeSniffer and PHP Mess Detector.
Inventory Management
- New extension point for SourceDataProvider and StockDataProvider
- Ability to view allocated inventory sources from the Orders list
Other updates
GraphQL
- GraphQL can now use products and categoryList queries to retrieve information about products and categories.
PWA Studio
- Launch of the PWA extensibility framework which allows developers to create an extensibility API for their storefront.
- Caching and data fetching improvements. This release contains improved caching logic and other data fetching optimizations in the Peregrine and Venia UI component libraries.
- Shopping cart components that can be used for a full-page shopping cart experience
dotdigital
- Integration of Engagement cloud and Magento B2B.
- Improved importer performance and coupon code re-send.
Google Shopping
- The Google Shopping ads Channel bundled extension has reached end-of-life with this release
Vertex
Has the following new features:
- Address Validation
- Admin Configuration.
- Virtual Products
- Restorable configuration settings
- Port in WSDL
Fixes
This update contains over 180 fixes out of the following categories:
- Installation
- Adobe stock integration
- Bundle products
- Cache
- Cart and checkout
- Catalog etc.
- Cleanup and simple code refactoring
- CMS content
- Configurable products
- Cron
- Shipping
- Search
- Customer
- Sales
- Inventory
- Payment methods
- EAV
- Frameworks
- Import/export
- Infrastructure
- Performance
- UI
- General fixes
You can find all detailed information about the fixes on devdocs.magento.com.
Remember to create a backup before installing updates.
