Magento released new updates for Magento 1.9, 2.2 and 2.3. The most important changes are enhancing security and are making Magento PSD2 compliant.
The new Payment Services Directive (PSD) regulation requires changes in the processing of credit cards, for example 3D-Secure is now required by the PSD2 regulation.
Security Patch (SUPEE-11219)
This security patch contains 75 fixes for Magento 2.3.3, 2.2.10, 1.9.4.3 and 1.14.4.3.
This security patch contains fixes for following vulnerabilities:
- Remote code execution via file upload (PRODSECBUG-2462)
- Remote code execution via crafted support configuration modification (PRODSECBUG-2443)
- Remote code execution via product layout update (PRODSECBUG-2492)
- Insufficient logging and monitoring of configuration changes (PRODSECBUG-2445)
- Cross-Site Scripting via wysiwyg editor (PRODSECBUG-2344)
- Sensitive information available in HTTP requests (PRODSECBUG-2328)
Fixes and changes
Highlights
- Besides the security patch, there was a significant change in the platform-security which improves XSS protection against future exploits.
- Core payment methods integrations are now compliant with PSD2 regulations.
- Magento 2.3.3 now supports PHP 7.3.x and Varnish 6.2.0.
- Magento 2.2.10 now supports PHP 7.2.x does not support PHP 7.0.x.
- There are also performance improvements in this update.
- Vendor-developed extension has been enhanced.
- This update contains over 170 fixes for known issues.
All changes for Magento 2.3.3 can be found in the Magento Devdocs.
The changes in Magento 2.2.10 can be found here.
Magento 1.9.4.3
Magento 1.9.4.3 only brings two changes besides the security patch:
- WebserviceX has been removed from the Magento 1.x code base.
- This release adds two new currency services for currency rate import.
Remember to create a full backup of your site before installing updates!
