Magento News Roundup #23

As you might have noticed, we have slowed down a bit. So here is yet again a double edition of the Magento News Roundup. Content in this issue spans approximately weeks 15 to 20.

Magento

  • Magento (1.9.1.0 CE and 1.14.1.0 EE) has been affected by a remote code execution vulnerability.
    • In mid-January, Check Point briefed Magento about the vulnerability (advisories #1, #2 and #3 were published on the 1st of February).
    • On February 9, the SUPEE-5344 patch was released to fix the vulnerability. A tweet was sent out to let the world know.
    • Due to poor communication from Magento, more than 50% of Magento installations were still unpatched in mid-April.
    • On April 20, Check Point went for public disclosure of the exploit. There is a video demonstrating it.
    • Nothing raises awareness of a major exploit better than giving it a name (Magento Shoplift™), a fancy logo, and an unofficial vulnerability check.
    • Byte (a specialized Magento hosting provider) deserves full credit for that. They even monitor fancy statistics.
    • Shortly thereafter, abuse of the vulnerability was already spotted in the wild.
    • Only then did Magento finally put out an official PR message and vulnerability checker, advising everybody to “implement the [SUPEE-5344] patch as soon as possible”.
    • A lot of criticism has since surfaced that it is ridiculous that “clean” Magento installations from the download page still do not have the latest patches applied.
    • In response, Magento 1.9.1.1 was released, which is “Magento 1.9.1.0 with SUPEE-5344” (and other changes).
  • In case you want to quickly see which patches are included in your Magento installation, Philwinkle_AppliedPatches does exactly that.
  • Sonassi gave some tips which should help with identifying and blocking malicious traffic to your Magento installation on nginx webservers.
  • SMTPPro is now compatible with Magento 1.9.1.
  • Wojtek published a useful checklist of scenarios to test a newly developed Magento store against.
  • SomethingDigital released a proof of concept module which saves recently viewed products to local storage.
  • Integer-net argues that modules should not be installed via the Magento Connect Manager.

Magento 2

Community

With a massive delay, but better late than never. Mostly due to time constraints, content is not appearing on Magenticians as often as intended. If anyone had any expectations about the interval at which content appears on this website, sincere apologies for the disappointment.

If you can read German, don’t forget to check out Matthias Zeis’ Magento Neuigkeiten, on which we base our Magento News Roundups. Let us know on Twitter, in the comments below, or by email in case we made a mistake or forgot something we should have included. Thanks for reading.

Header image background by Stefano Corso (Pensiero)
