Magento has recently launched Magento Community Edition 126.96.36.199, Magento Enterprise Edition 188.8.131.52, and a new Mobile SDK for Android. These releases improve security and performance, and empower you with a new tool to drive mobile sales.
Along with these, a new security patch has also been released for Community Edition and Enterprise Edition (SUPEE-6482). The patch addresses 2 issues with Community Edition and 4 issues with Enterprise Edition.
MAGENTO COMMUNITY EDITION 184.108.40.206
This new edition release includes several significant security enhancements. We recommend using Magento Community Edition 220.127.116.11 or later for all new installations and upgrades to ensure that you have the latest fixes, features, and security updates. If you use an earlier version, you must install the SUPEE-5344 patch to protect your store.
MAGENTO ENTERPRISE EDITION 18.104.22.168
Magento Enterprise Edition 22.214.171.124 updates include performance optimizations, the USPS API patch from June (SUPEE-6237), and 4 security patches, including the new one issued the previous week (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482).
MAGENTO MOBILE SDK FOR ANDROID
The Magento Mobile SDK includes a library of Android resources to make it faster and easier to create a full-featured Magento mobile application. The SDK, which is only available to Enterprise Edition customers, also includes a sample application that can be customized by merchants to accelerate development. With this release, Enterprise Edition merchants and partners can now more easily create both iOS and Android applications.
NEW SECURITY PATCH BUNDLE – SUPEE-6482
This patch includes protection against the following security-related issues:
- Autoloaded File Inclusion in Magento SOAP API
Incorrect validation of a SOAP API request makes it possible to autoload code. The exploit requires the attacker to first log in with API credentials. Depending on the PHP version and/or configuration settings, code can then be loaded from a remote location.
- SSRF Vulnerability in WSDL File
Incorrect encoding of the API password can lead to probing of internal network resources or remote file inclusion.
- Cross-site Scripting Using Unvalidated Headers
- XSS in Gift Registry Search
A cross-site scripting vulnerability affects registered users. The attack is delivered through an unescaped search parameter, with a risk of cookie theft and impersonation of the user.
This patch bundle protects your Magento installation against several potential threats. The first two patches apply to both Magento Community and Magento Enterprise installations. The last two patches are for Magento Enterprise installations only. This patch is a proactive, preventative measure, as there are no known attacks at this time.
All these new releases are fully tested, complete and ready for merchants to deploy. We strongly encourage you to implement the patch or upgrade to the new versions as soon as possible.