Magento News Roundup #23

As you might have noticed we are a bit on a slowdown. So here is yet again a double edition of the Magento News Roundup. Content in this issue spans approximately the weeks 15 to 20.

Magento

• Magento (1.9.1.0 CE and 1.14.1.0 EE) has been affected by a remote code execution vulnerability.
  • Mid-January CheckPoint briefed Magento about the vulnerability (advisory #1, #2 and #3 published on the 1st of February)
  • On February 9, the SUPEE-5344 patch was released to fix the vulnerability. A Tweet was sent out to let the world know.
  • Due to lacking communication of Magento, mid-April saw more than 50% of the Magento installations still unpatched.
  • On April 20, Checkpoint went for public disclosure of the exploit. There is a video demonstrating it.
  • Nothing helps better for raising awareness of a major exploit than giving it a name (Magento Shoplift™) a fancy logo, and an unofficial vulnerability check.
  • Of which Byte (a specialized Magento hosting provider) should be fully credited for. They even monitor fancy statistics.
  • Quickly thereafter, abuse of the vulnerability was already spotted in the wild.
  • It was then when Magento finally put out an official PR message and vulnerability checker, advising everybody to “implement the [SUPEE-5344] patch as soon as possible”.
  • A lot of critique has since surfaced that it is ridiculous that “clean” Magento installations from the download page still do not have the latest patches applied.
  • In response, Magento 1.9.1.1 was released which is “Magento 1.9.1.0 with SUPEE-5344″ (and other changes).
• In case you want to quickly see which patches are included in your Magento installation, Philwinkle_AppliedPatches does exactly that.
• Sonassi gave some tips which should help with identifying and blocking malicious traffic to your Magento installation on nginx webservers.
• SMTPPro is now compatible with Magento 1.9.1.
• Wojtek published an useful checklist for various scenarios to test a newly developed Magento against.
• SomethingDigital released a proof of concept module which saves recently viewed products to local storage.
• Integer-net argues that modules should not be installed via the Magento Connect Manager.

Magento 2

• Since the previous roundup, Magento 2 went all the way from 0.74.0-beta3 to 0.74.0-beta8. A lot has changed and if you want to have a full picture of what that is, please read the official changelog. If time can be found, a breakdown will be published of interesting changes.
• One of these interesting changes is the introduction of the Magento 2 CLI tool during 0.74.0-beta4. Olga wrote about the naming conventions and an older blog post from Magento gives more insight into what the CLI tool will be for.
• Magento now has an official repository showcasing samples of Magento 2 userland code.
• Max is still semi-regularly publishing overviews (#1 and #2) of the backwards incompatible changes.
• BelVG published an article regarding the development and management of themes in Magento 2.
• Alan wrote about using the “localhost” hostname and explained what the difference is between declarative and imperative layout files.
• Atwix detailed how to programatically add an attribute in Magento 2 and how to create custom controller actions.
• Brendan pointed out how Magento its choice for Less might be the same type of mistake when they bet on Prototype instead of jQuery. Interesting is how Magento is signalling that it is at least open for change.
• Magento 2 isn’t even out yet but the planning for 2.1 and 2.2 is already on the drawing table.

Community

• Imagine Commerce 2015 happened.
  • Sherrie Rohde, the newly appointed Community Manager, has compiled a massive overview of all the recaps.
  • The agenda has slides attached for pretty much every entry.
  • “Imagine All The Tweets” by Joshua Warren has an overview of all the Tweets (and pictures) sent out regarding the conference.
  • Magento itself lists 5 takeaways but the really well edited video at the top draws much more attention.
  • During the conference was announced that the new Magento Connect will see the light this year. Here’s a trailer.
• Simon Sprankel created a public Google Calendar listing all Magento related events.
• Cloudways inteviewed Thomas Goletz, the co-founder of the Meet Magento association.
• OroCommerce, from the ex-seniors of Magento and creators of OroCRM, got announced. It is heavily targeted at B2B and some are already believing it will “change everything”. It will be interesting to see whether Magento will allow Oro to capture the B2B market and whether Oro will touch the market Magento currently operates in.
• MageKarma is shutting down due to lack of activity.
• Apparently, a new (unofficial) “community driven hub” for Magento called MageCommerce is in the works.
• Ben Marks went into the lion pit and argued why Magento might not be a piece of junk after all.

With a massive delay but better late than never!? Mostly due to time constraints content is not appearing on Magenticians as often as intended. If anyone has had any expectations about the interval of content appearing on this website, sincere apologies for the disappointment. If you can read German, don’t forget to check out Matthias Zeis’ Magento Neuigkeiten which we are basing our Magento News Roundups on. Let us know on Twitter, in the comments below or send us an email in case we made a mistake or forgot something we should have included. Thanks for reading. Header image background by Stefano Corso (Pensiero)