Magento patches & updates – Latest news

Peter .


October 2016 – With the recent rise of malware attacks on Magento sites, the Magento Security Center has published an article that outlines specific steps you can take to clean your site, improve your security practices and remove Google warnings from search results. Although obviously a good place to start for any store that has been affected by malware, this is also a good opportunity for any Magento site owner to create a comprehensive security plan to prevent future attacks.

Protecting yourself and your customers is an ongoing practice and prevention is always going to be easier and normally cheaper than cure.


October 2016 – Magento just announced a new security patch concerning multiple high-risk vulnerabilities in all current Magento 1 versions: SUPEE-8788. We’ve just added a check for this patch to Please implement the patch asap and check MageReport to find out if your shop is safe.

One of the vulnerabilities fixed in SUPEE-8788 is a remote code execution (RCE) flaw, which allows attackers to run arbitrary code on the store and take complete control. This impact is similar to the infamous Shoplift bug, which has been exploited on a large scale from April 2015 until today.

Unfortunately, this patch may not be simple to implement, so it’s worth getting a developer to install it: if it’s not applied completely and correctly, it may still leave you vulnerable.

May 2016 – Magento Enterprise Edition and Community Edition 2.0.6 were released, containing multiple security and functional enhancements.

April 2016 – Magento have released the latest security patches for their popular commerce software.

February 2016 – Magento released a new patch for their popular commerce software. This is a non-critical patch that provides bug fixes for the previous patch, but it will still need applying to ensure future patch compatibility.

January 2016 – A new release of a Magento security update patch intended to improve both the security and functionality of Magento sites was released for all editions. Although so far there haven’t been any attacks reported, some vulnerabilities have been found that could potentially be exploited and used to obtain customer information or take over admin log-ins.

The Magento 2.0.1 update also contains important functional updates such as official support for PHP 7.0.2, which should reduce memory consumption as well as provide other dramatic improvements to performance.

November 2015 – Magento 2 released!

August 2015 – Magento issued a fourth round of security patches for all editions – SUPEE-6482. There are no confirmed reports of attacks related to these issues to date, but it is important that you update as soon as possible.

The patch addressed the following security issues:
- Cross-site Scripting Using Unvalidated Headers
- Autoloaded File Inclusion in Magento SOAP API
- XSS in Gift Registry Search
- SSRF Vulnerability in WSDL File

July 2015 – Magento issued a third security patch for all editions – SUPEE-6285. It contains multiple critical security fixes, and it is recommended that it be applied to all Magento Community and Enterprise stores urgently.

The patch addresses the following security issues. It prevents attackers from posing as an administrator to gain access to the last orders feed, which contains personally identifiable information that can then be used to obtain more sensitive information in follow-on attacks. To check whether you have been compromised, review your server logs for someone trying to reach the /rss/NEW location. The patch also closes a number of security gaps, including cross-site scripting (XSS), cross-site request forgery (CSRF), and error path disclosure vulnerabilities.
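One way to run the server-log review described above, as an added example that is not part of the original article or Magento's own tooling. It assumes Apache/nginx "combined" access logs; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined" access-log format (assumed; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Location named in the text above. Matching it case-insensitively and after
# percent-decoding is an assumption, so encoded or lower-case requests count too.
PROBE_RE = re.compile(r'/rss/new(?:/|$)', re.IGNORECASE)

def find_rss_probes(lines):
    """Return {client_ip: [(time, decoded_path, status), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = unquote(urlsplit(m["target"]).path)  # drop query string, decode %xx
        if PROBE_RE.search(path):
            hits[m["ip"]].append((m["time"], path, int(m["status"])))
    return dict(hits)

def served(hits):
    """Client IPs that got at least one 200 response; review these first."""
    return sorted(ip for ip, rows in hits.items()
                  if any(status == 200 for _, _, status in rows))

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2015:03:14:07 +0000] "GET /rss/NEW HTTP/1.1" 200 5120 "-" "curl/7.40"',
    '203.0.113.7 - - [12/Jul/2015:03:14:09 +0000] "GET /index.php/rss/%4eEW/ HTTP/1.1" 401 310 "-" "curl/7.40"',
    '198.51.100.23 - - [12/Jul/2015:03:15:00 +0000] "GET /rss/catalog/new/store_id/1/ HTTP/1.1" 200 901 "-" "Feedly"',
    '192.0.2.44 - - [12/Jul/2015:04:01:30 +0000] "GET /rss/new?page=2 HTTP/1.1" 404 210 "-" "-"',
    'this line is not in combined format and is skipped',
]

if __name__ == "__main__":
    hits = find_rss_probes(SAMPLE_LOG)
    for ip, rows in hits.items():
        for when, path, status in rows:
            print(f"{ip}  {when}  {status}  {path}")
    print("served (HTTP 200):", served(hits))
```

A 200 response only shows that the server answered the request, so treat those entries as the starting point for review rather than as proof of data exposure.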

May 2015 – Magento issued a second security patch for all editions – SUPEE-5994. It contains multiple critical security fixes, and it is recommended that it be applied to all Magento Community and Enterprise stores urgently.

Official Magento guides on how to apply the patches:
- Magento Community Edition
- Magento Enterprise Edition

The patches are not server-wide – they need to be applied to each Magento instance, i.e. if you have multiple Magento sites or dev areas, you need to apply the patch to each of these.

February 2015 – Magento Go closes.

November 2014 – Magento Community Edition 1.9.1 released for download.

July 2014 – Magento Go, Magento’s internally hosted and maintained shopping platform, will be closing in February 2015. The eBay-owned company have made the difficult decision to focus on their more versatile Enterprise and Community editions (both client hosted/maintained).

January 2014 – Magento now supports PHP 5.4.

March 2008 – First general-availability release of the software.

Nimbus Hosting