Patch Releases

Date of Release: 10/27/2015

This patch bundle protects your Magento installation against several potential threats, and includes a new configuration setting that helps manage the backward compatibility of the patch for extensions and customizations. The first patch in the bundle was included in the Magento Community 1.9.2.1 release. However, versions of Magento Community prior to 1.9.2.1 need this critical patch.

Important! This patch breaks backward compatibility, and can impact extensions and customizations.

Admin Routing Compatibility Mode

To help manage the compatibility of extensions and customizations, the following setting has been added to the Admin > Security configuration:

• Field	Scope	Description
  Admin routing compatibility mode for extensions	Global	Allows you to verify that all extensions and customizations are compatible before the patch is enabled.

We recommend that you install the patch first in the test environment, and try disabling the compatibility mode. If you discover issues, set Admin Routing Compatibility back to “Enabled." If your extensions and customizations work correctly, you can deploy the fully-enabled patch to production. If you discover issues accessing extensions or customizations from the Admin, set Admin Routing Compatibility Mode to “Disabled” before deploying the patch to production. Then, update the impacted customizations and extensions as needed.

We urge you to enable Admin Routing Compatibility Mode as soon as possible to protect your installation from automated attacks. To learn more, see the technical details in the Security Center.

Date of Release: 08/04/2015

This patch bundle protects your Magento installation against several potential threats. The first two patches apply to both Magento Community and Magento Enterprise installations. The second two patches are for Magento Enterprise installations only. This patch is a proactive, preventative measure, as there are no known attacks at this time.

Date of Release: 07/07/2015

This bundle includes protection against the following security-related issues:

Date of Release: CE: EE: 06/18/2015

On May 31, 2015, USPS made changes to their API that impact international shipping rate requests to and from Canada. As a result, some Canadian shipping rates are returned incorrectly, and customers are unable to see all available shipping options. The USPS API patch ensures that Canadian international shipping rates are returned correctly, and that customers can see all available shipping options during checkout. To learn more, see: USPS API Update – What You Need to Know by WebShopApps, a Magento Partner.

Date of Release: 05/14/2015

SUPEE-5994 is a bundle of eight patches that resolves the following security-related issues. The patch can be downloaded from the Downloads section of your Magento account.

Date of Release: 02/19/2015

This patch addresses a specific remote code execution (RCE) vulnerability known as the “shoplift bug” that allows hackers to obtain Admin access to a store. To determine if your store has been patched, see the Shoplift Bug Test. If your store is not protected, you must immediately download and install the patch from the from the Downloads section of your Magento account.

• Patch Details
  Type:	Remote Code Execution
  CVSS Severity:	9.1 (Critical)
  Known Attacks:	Yes
  Description:	Authentication bypass uses special parameter that allows the execution of Admin action. The Admin action is vulnerable to SQL injection, which allows code to be inserted into the database and executed. As a result, the store can be fully compromised by creating counterfeit administrator accounts and/or installing malware on the server.
  Product(s) Affected:	Magento CE prior to 1.9.1.1 Magento EE prior to 1.14.2.0.
  Fixed In:	EE 1.14.2.0, CE 1.9.1.1
  Reporter:	Netanel Rubin