Magento has recently launched Magento Community Edition 1.9.2.1, Magento Enterprise Edition 1.14.2.1, and a new Mobile SDK for Android. These releases improve security and performance, and empower you with a new tool to drive mobile sales.
Along with these, a new security patch has also been released for Community Edition and Enterprise Edition (SUPEE-6482). The patch addresses 2 issues with Community Edition and 4 issues with Enterprise Edition.
Magento Community Edition 1.9.1.1
This new release includes several significant security enhancements. We recommend using Magento Community Edition 1.9.1.1 or later for all new installations and upgrades to ensure that you have the latest fixes, features, and security updates. If you use an earlier version, you must install the SUPEE-5344 patch to protect your store.
Magento Enterprise Edition 1.14.2.1
Magento Enterprise Edition 1.14.2.1 updates include performance optimizations, the USPS API patch from June (SUPEE-6237), and 4 security patches, including the new one issued the previous week (SUPEE-5344, SUPEE-5994, SUPEE-6285, SUPEE-6482).
Magento Mobile SDK For Android
The Magento Mobile SDK includes a library of Android resources to make it faster and easier to create a full-featured Magento mobile application. The SDK, which is only available to Enterprise Edition customers, also includes a sample application that can be customized by merchants to accelerate development. With this release, Enterprise Edition merchants and partners can now more easily create both iOS and Android applications.
New Security Patch Bundle: SUPEE-6482
This patch includes protection against the following security-related issues:
- Autoloaded File Inclusion in Magento SOAP API
Incorrect validation of a SOAP API request makes it possible to autoload code. The exploit requires the attacker to first log in with API credentials. Depending on the PHP version and/or configuration settings, code can then be loaded from a remote location.
- SSRF Vulnerability in WSDL File
Incorrect encoding of the API password can lead to probing of internal network resources or remote file inclusion.
- Cross-site Scripting Using Unvalidated Headers
An unvalidated Host header leaks into the response and the page. Because the page can be cached, this leak poses a risk to all store customers, since any HTML or JavaScript code can be injected. Such an exploit works only with specific server configurations, and allows an attacker to intercept a session or modify a page with fake credit card forms, etc.
- XSS in Gift Registry Search
This cross-site scripting vulnerability affects registered users. The attack is carried out through an unescaped search parameter, with a risk of cookie theft and impersonation of the user.
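The two cross-site scripting items above share a root cause: untrusted request data (the Host header in one case, a search parameter in the other) reaches the HTML output unchecked. The following PHP snippet is an added illustration, not Magento code and not part of the patch: it shows a defensive pattern for each. The function names, the `$allowedHosts` list (standing in for the store's configured base URL hostnames) and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added defensive example (not Magento's own code). Demonstrates the two
// conditions described above with hardened handling for each.

/**
 * Return a host that is safe to embed in URLs and cacheable pages.
 * The raw Host header is never used directly; it is compared against the
 * hypothetical $allowedHosts list (the store's configured hostnames). A
 * forged header therefore cannot reach the response. Returns null when
 * the header is not on the list, so the caller falls back to configuration.
 */
function trustedHost(array $server, array $allowedHosts): ?string
{
    $host = $server['HTTP_HOST'] ?? '';
    // Drop an optional port (store.example.com:443) and normalise case
    // before comparing against the allowlist.
    $host = strtolower(preg_replace('/:\d+$/', '', $host));
    return in_array($host, $allowedHosts, true) ? $host : null;
}

/**
 * Render a search-results heading with the term escaped on output, so a
 * parameter containing markup is displayed as text rather than executed
 * in the visitor's browser.
 */
function renderSearchHeading(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>Search results for \"{$safe}\"</h1>";
}

// Constructed sample inputs for demonstration.
$allowed = ['store.example.com'];

// A Host header not on the allowlist yields null; a legitimate one (with a
// port and mixed case) is normalised and accepted.
var_dump(trustedHost(['HTTP_HOST' => 'not-our-store.invalid'], $allowed));
var_dump(trustedHost(['HTTP_HOST' => 'STORE.example.com:443'], $allowed));

// A search term carrying markup is rendered inert.
$term = '"><script>alert(1)</script>';
echo renderSearchHeading($term), PHP_EOL;
```

The important design point is that validation happens against configuration the operator controls (the allowlist), and escaping happens at the point of output. Validating the Host header matters more than usual for a cached page, because a single poisoned response would otherwise be served to every subsequent visitor rather than only to the requester who sent the bad header.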
This patch bundle protects your Magento installation against several potential threats. The first two patches apply to both Magento Community and Magento Enterprise installations. The remaining two patches are for Magento Enterprise installations only. This patch is a proactive, preventative measure, as there are no known attacks at this time.
All these new releases are fully tested, complete and ready for merchants to deploy. We strongly encourage you to implement the patch or upgrade to the new versions as soon as possible.