Home / Support Blog / Magento Update Released - 10-11-2016

Magento Update Released - 10-11-2016

Magento CE (Community Edition) 1.9.3.0 (SUPEE-8788)

Magento has published a software update that covers security issues.

Magento CE 1.9.3.0 Release Notes (devdocs.magento.com)

Magento Community Edition 1.9.3 delivers more than 120 quality improvements, as well as support for PHP 5.6 in addition to PHP 5.4 and 5.5.

General security enhancements

  • Resolved a potential SQL injection (Zend Framework issue)
  • Resolved a cache poisoning issue
  • We now provide better protection against path exploits.
  • Resolved a potential cross-site scripting (XSS) vulnerability when adding a category.
  • Resolved a potential XSS vulnerability that affected the Magento server's request URI.
  • Resolved a potential XSS vulnerability in invitations.
  • You can no longer cause out-of-memory errors on the Magento server by flooding it with images that have incorrect dimensions.
  • The Magento Admin Panel login page now renders in HTTPS if you configured the Magento server for HTTPS.
  • We added the nosniff header to our .htaccess files.
  • Magento no longer uses Adobe Flash for uploads.
  • Fixed several potential issues indicated by static code scans.
  • Resolved a potential man-in-the-middle vulnerability.
  • Resolved a potential PHP security vulnerability.
  • An administrative user is no longer able to create a potential security vulnerability that used the block cache.
  • Resolved a potential cross-site request forgery (CSRF) vulnerability involving the wishlist.
  • Resolved a potential remote code excecution exploit.
  • It is no longer possible to log in to a store as an existing customer using only an e-mail address.

Password enhancements

A user can reset a password only after receiving an e-mail. In addition, we introduced the following configuration settings:

  • Limit the number of forgotten password requests from one IP address to five times per hour.
  • Limit the number of forgotten password requests from one e-mail address to five times per 24 hours.
  • Limit the number of forgotten password requests to no more than once ever 10 minutes per e-mail address.
  • The forgot password link expires after the first use or two hours (by default).
  • When a user changes their e-mail address, they are required to provide their password and to acknowledge the change from the previous address.
  • We now ignore leading and trailing spaces in a user's password.
  • The new customer e-mail now includes the customer's password.
  • Resetting a password using a password recovery e-mail succeeds.

And:

SUPEE-8788 (magento.com)

SUPEE-8788, Enterprise Edition 1.14.3 and Community Edition 1.9.3 address Zend framework and payment vulnerabilities, ensure sessions are invalidated after a user logs out, and make several other security enhancements that are detailed below.

Information on additional functional enhancements available the new 1.14.3 and 1.9.3 releases is available in the Enterprise Edition and Community Edition release notes.

The previous release was on February 28, 2016.

Our Website Maintenance Department will be in contact with our clients regarding this upgrade.

-Webstix Support

SEO / PPC
Get found, increase conversion!
Website Marketing
Get your website noticed and get results.
Design Portfolio
Result driven design makes your website work 24/7 for your business.

What Our Clients Say

“Your company and its professionalism are proof positive that distance truly does not matter when completing a large project such as this.”
-Julie Hilliger
Malcolm-Eaton Enterprises
Our Clients Love Us - CLICK

Need Website Maintenance?

 

Put Our Team

To Work For You

Click Here

Website Financing Options Available
UpCity

FOLLOW US ON
Webstix in Madison, WI
2820 Walton Commons Ln.
Suite 108
Madison, WI 53718
608-277-7849 608-661-8529
magnifier linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram