Magento 1.9.4.2 is Out
A new version of Magento has been released. Since a few security issues have been resolved, we’re considering this a security fix and also, this security enhancements help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues. We recommend all Magento website owners have this upgrade done.
Magento Open Source 1.9.4.2 Release Notes (Magento.com)
This version (or patch SUPEE-11155, which applies to older versions of Magento) provides resolution of multiple critical security issues and functional fixes. These security enhancements help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues.
Fixed issues and enhancements
- The Magento logging feature now works as expected after the SUPEE-11086 patch is installed. Previously, after application of this patch, Magento could only write only to a file that already existed on the server, and did not create new log files.
- Magento 1.14.4.0 and the PHP7.2 support patch now include the same files as expected. The previous version of the patch did not include the following three files, which were included in Magento 1.14.4.0. Magento 1.14.4.0:
lib/phpseclib/PHP/Compat/Function/array_fill.php, lib/phpseclib/PHP/Compat/Function/bcpowmod.php, and lib/phpseclib/PHP/Compat/Function/str_split.php.
Known issues
The extensive security enhancements we’ve included to this release have resulted in the following changes to Magento behavior:
- You can no longer upload files with the extension
.swf to the WYSIWYG editor.
- Quotes created by customers who are logged in as guest are no longer accessible after a Magento update. Third-party checkout extensions and closed security cases will either not not work securely or will not work at all.
- The Authorize.net Direct Post module has been enhanced to support the replacement of Authorize.net’s MD5-based hash with a (SHA-512) signature key. Authorize.net will no longer support implementations using the MD5-based hash as of June 28, 2019. You will need to update your signature key after upgrading to this version of Magento. For information about updating your signature key, see the Get a New Signature Key discussion in the Update Authorize.Net Direct Post from MD5 to SHA-512 help article. Note that although this help article describes how to install the earlier patch, merchants upgrading to this release of Magento are not applying the patch and should consult only the Get a New Signature Key discussion. If you’ve applied the patch to your Magento installation while running an earlier version of Magento, uninstall the Update Authorize.Net Direct Post from MD5 to SHA-512 patch before upgrading to this release.
- You can no longer preview JavaScript in a newsletter template in the Admin.
- Sitemap names cannot exceed 32 characters.
The previous release was on March 27, 2019.
Our Website Maintenance Department will be in contact with our clients regarding this upgrade. If you need this upgrade done on your website, please contact us.
Thank you,
–Webstix Support
