A new version of Magento has been released. Since a potential Cross-Site Scripting (XSS) vulnerability was fixed, we're considering this a security fix and we recommend all Magento website owners have this upgrade done.
Since there's a problem using the Magento Connect Manager, we'll just do the upgrade via SSH/SFTP instead.
Magento CE 126.96.36.199 Release Notes (devdocs.magento.com)
This patch addresses the following issues:
We restored the old tax calculation algorithm for shipping charges. The patch to apply new calculation will be available on request.
Resolved an issue with setting the session lifetime to 0.
The monthly cron job that cleans up the table that contains IP addresses and passwords runs properly.
All configurable product images are imported.
You no longer get an exception due to an undefined addCrumbs() method call.
Resolved the error Notice: Undefined index: session_expire_timestamp when accessing the storefront.
Values for drop-down label values are saved correctly.
The "Price as configured" for bundle products displays correctly in the shopping cart.
Auto-generated passwords are sent to new customers as expected.
The method Mage_Api_Model_Server_Handler_Abstract::processingMethodResult() accepts scalar and array values.
The default MySQL Full-Text search works as expected; it no longer returns all products.
Prevented a potential Cross-Site Request Forgery (CSRF) vulnerability by changing the form key when a customer signs out of the storefront.
Prevented a potential Cross-Site Scripting (XSS) vulnerability when adding a category.
Catalog price rules return the correct price.
Indexers now update all products instead of skipping the last product updated.
Note: You currently cannot upgrade to this version using Magento Connect Manager. We expect to resolve this issue soon.
Our Website Maintenance Department will be in contact with our clients regarding this upgrade. If you need this upgrade done on your website, please contact us.