Improve the Magento security with Magento 2.2.1, 2.2.2 and 1.9.3.7 security fixes and enhancements

A year ago we started writing monthly reports. Each post covers the releases and updates that matter for the security and functionality of your Magento / Magento 2 stores, all in aid of building reliable and well-protected websites.

Today's post is about the recent enhancements to Magento, in particular the Magento 2.2.1, 2.2.2 and Magento Open Source 1.9.3.7 releases. We hope you will take them into consideration, and that you will read the note at the end of the post.

Read on for the key highlights.

The upgrades for Magento Open Source 1.9.3.7 first

We covered the Magento SUPEE-10415 patch in an earlier newsletter.

Among the major security enhancements available for Magento Open Source 1.5.0.0 through 1.9.3.7, you will find fixes for:

  • Cross-site request forgery (CSRF)
  • Denial-of-Service (DoS)
  • Authenticated Admin user remote code execution (RCE) vulnerabilities.
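Before trusting that a 1.x store is covered, it is worth verifying that the patch was actually recorded on the server. The following shell snippet is an added example, not code from the original post or from Magento: it reads a Magento 1 installation's app/etc/applied.patches.list (assumed here to be the pipe-delimited log that Magento's patch installer appends to, with the patch identifier in the second field) and reports whether SUPEE-10415 is listed. The sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a given SUPEE patch
# is recorded in a Magento 1 installation's app/etc/applied.patches.list.
# Assumption: the file is the pipe-delimited log Magento 1's patch installer
# appends to, with the patch identifier (e.g. SUPEE-10415_CE_1.9.3.6_v1) in field 2.

# supee_applied FILE PATCH_ID -> exit 0 if PATCH_ID is recorded in FILE, 1 otherwise
supee_applied() {
    file="$1"; patch="$2"
    [ -r "$file" ] || return 1
    awk -F'|' -v p="$patch" '
        # trim field 2 and split off the bare identifier before the first "_"
        { gsub(/^[ \t]+|[ \t]+$/, "", $2); split($2, parts, "_") }
        parts[1] == p { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# Constructed sample log for the demonstration; not a real installation's file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2017-09-19 10:01:22 UTC | SUPEE-10266_CE_1.9.3.4_v1 | CE_1.9.3.4 | v1 | Magento Patch SUPEE-10266
2017-11-28 09:15:03 UTC | SUPEE-10415_CE_1.9.3.6_v1 | CE_1.9.3.6 | v1 | Magento Patch SUPEE-10415
EOF

if supee_applied "$sample" SUPEE-10415; then
    echo "SUPEE-10415: applied"
else
    echo "SUPEE-10415: MISSING - apply the patch or upgrade to 1.9.3.7"
fi
rm -f "$sample"
```

Point the function at the real app/etc/applied.patches.list of your store to run the same check in place; for a Magento 2 store the equivalent check is the installed package version (for example `composer show magento/product-community-edition`), since the fixes there ship with the 2.2.1 and 2.2.2 releases rather than as a separate patch.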

Fixes

Two notable fixes in this release: Magento no longer displays the “Invalid Secret Key. Please refresh the page.” message when a user loads the Admin, and the one-page checkout now displays the message “No payment information required.” when a customer checks out an order for which no amount is due.

Also worth noting: passwords for new users are now limited to 256 characters. If a password exceeds that limit, Magento shows the message: “Please enter a password with at most 256 characters.”

You can find out more about the release here.

Security improvements in Magento 2.2.1

Among key changes you can see:

  • Ability to implement translations from themes. Reduced JavaScript-related translation issues.
  • Improvements in the PayPal Express Checkout payment method area, notably in virtual products.
  • Multiple enhancements to product security.
  • Bug fixes and multiple pull requests.

The Magento 2.2.1 release also ships multiple security improvements that help close Cross-Site Scripting (XSS), Local File Inclusion (LFI), authenticated Admin user remote code execution (RCE) and arbitrary file delete vulnerabilities.

The Magento team strongly recommends that users who have not previously downloaded a Magento 2 release go straight to Magento Commerce or Open Source 2.2.1. Following that recommendation keeps your website off the older releases affected by these vulnerabilities.

Integrated Signifyd Fraud Protection

In keeping with the theme of protection, Magento states that Signifyd Fraud Protection is now available in Magento Open Source. See the integration details.

22 fixed issues

Among the submitted bug fixes, you can see important changes in the areas of installation and upgrade.

The Catalog improvements are:

  • The grouped product page shows the lowest price for a simple product.
  • Magento displays the products that are filtered to a particular store view even when the corresponding store view has been deleted.
  • Changes to price calculation operations.

Among enhancements in the Configurable products you can see:

  • Magento no longer displays the inappropriate (out-of-stock) price when a configurable product has two price options.
  • Configurable products no longer show up on the category page when all children are disabled by a mass action, and the display out-of-stock products setting is off.
  • If a configurable product is part of a shipment that is being created by REST, only the parent’s quantity counts towards the total quantity of shipped items. Previously, Magento counted both child and parent products when calculating quantity.

The Magento 2.2.1 release also contains 8 changes made to Magento framework.

The new release brings plenty of other good news, such as:

  • You can now remove the system customer address and customer attributes from specific forms, which prevents them from being displayed on the frontend.
  • Websites that conduct transactions in multiple currencies can send currency to Google Analytics.
  • The Checkout authentication provides a correct pop-up message to the user.
  • Now you can generate unsecure URLs even when the current URL is secure.
  • The PayPal Express Checkout can be used to place an order in a split-database environment.
  • Magento completes processing an order if the customer needs to re-enter credit card information during the order process.
  • The search for attribute values on the store-view level is available now.
  • Sitemap no longer crashes if the scope of the name attribute is set to global.

Of course, not all enhancements are described here; you can find much more on the Magento 2 developer documentation pages.

Important in the latest Magento Open Source 2.2.2 release

The latest Magento 2 release contains 5 new features, more than 10 functional enhancements, and over 100 community-submitted bug fixes. All of them contribute to the security and stability of your Magento 2 website.

In fact, the new changes will help you to:

  • streamline the customer experience
  • improve the payment process
  • minimize efforts to perform regression testing
  • avoid duplicating shipments when creating shipments with bundled products via API.

New features

  1. Advanced Reporting powered by Magento Business Intelligence. You can now access easy-to-use order, product, and customer reports right from the Magento Admin, which helps you make data-driven decisions faster.
  2. The new Magento Shipping (powered by Temando) feature provides integrated advanced multi-carrier shipping and fulfillment.
  3. Streamlined Instant Purchase checkout (contributed by Creatuity). This new option uses previously stored payment credentials and shipping information to bypass steps in the checkout process.
  4. Integrated dotmailer marketing automation software. Magento is one of the first e-commerce solutions to include dotmailer marketing automation in its core product.
  5. The Magento Functional Testing Framework simplifies functional testing.

See Magento Open Source user guide for more information.

Fixes and enhancements

  • Significant enhancements to payment methods, in particular support for the Indian Rupee (INR) in PayPal Express Checkout and a fix for a problem with Braintree refunds.
  • Improvements to multi-store view sites: no more errors when switching store views multiple times.
  • New functionality for the command-line interface.
  • The ability to use the Enter key (in addition to a mouse click) to search tables in the Admin.
  • No longer creating duplicate shipments when merchants create shipments with bundled products via API.

Now on to our part in these releases.

Magento keeps releasing security improvements, but that's not the whole picture. Keeping your website secure also means following the latest updates from SwissUpLabs.

To make sure that you benefit from the built-in Magento / Magento 2 security features, please upgrade the extensions and templates to the latest version as soon as possible.

We can say with confidence that all recent releases of our modules work correctly with the changes in Magento Open Source 2.2.1, 2.2.2 and Magento Open Source 1.9.3.7.

We continue to do our best for the security of your sites, so stay tuned.
