OpenMage Hacker Swiss Mountains

OpenMage 19.4.22/23 and 20.0.19/20 Releases

Developer Blog / Von /

OpenMage 19.4.22 and 20.0.19

On January 26, 2023 versions 19.4.22 and 20.0.19 were released including 6 security fixes:

  • CVE-2021-21395 – GHSA-r3c9-9j5q-pwv4 – Reset Password not protected against well-timed CSRF
  • CVE-2021-41144 – GHSA-5j2g-3ph4-rgvm – Fix for authenticated remote code execution through layout update
  • CVE-2021-41143 – GHSA-5vpv-xmcj-9q85 – Fix for arbitrary file deletion in customer media allows for remote code execution
  • CVE-2021-41231 – GHSA-h632-p764-pjqm – DataFlow upload remote code execution vulnerability
  • CVE-2021-39217 – GHSA-c9q3-r4rv-mjm7 – Fix for arbitrary command execution in custom layout update through blocks
  • CVE-2023-23617 – GHSA-3p73-mm7v-4f6m – DoS vulnerability in MaliciousCode filter

All of these updates should be totally backward compatible, except one, CVE-2021-21395 – GHSA-r3c9-9j5q-pwv4 – Reset Password not protected against well-timed CSRF in fact is a breaking change and you will need to take action after upgrading to this version of OpenMage.

Specifically, you will have to modify the customer/form/resetforgottenpassword.phtml file of your custom theme (in case you have customized it) and add this code

In case your custom theme does not have the customer/form/resetforgottenpassword.phtml or in case you are not using a custom theme then you will not have to do the aforementioned procedure.

OpenMage 19.4.23 and 20.0.20

On February 2, 2023 Fabrizio Balliano released security updates OpenMage 19.4.23 and 20.0.20:

  • single fix regarding CVE-2020-27511
  • ReDos (Regular Expression Denial of Service) vulnerability in prototypejs

About OpenMage LTS

OpenMage LTS Is the new life of Magento 1 Community Edition, free of any charges. Migrate easily from Magento Community Edition. The OpenMage community is continuing to support Magento 1 by releasing security patches, tending to bugs, and providing general improvements to the platform. You can upgrade your Magento 1 installation, or set up a new store from GitHub.

OpenMage Version 19.x

Will be an LTS Version with indefinite Lifetime, but at least 5 Years. It will ensure a maximum on backwards compatibility to Magento 1.

OpenMage Version 20.x

Will not be backward compatible with Magento. It is an independent project in which there will be bolder changes.

Credits

  • Release notes from OpenMage Github
  • Picture made with Midjourney

Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

Nutze die Suche, den digitalen Assistenten oder das Menü.

Text und «Enter» eingeben, um eine Suche zu starten.