Mage One Patches für Magento 1: 5 new patches released

Newsfeed Support in your Admin Panel

With our patch MO-23 we introduce a new Mage One feature: Patch Notification via your Magento admin panel. As soon as we release new patches, your admin panel will give you a notification on login.

Custom Patch Notification Mail Address

If you would like to receive our newsletter with an email address other than your account email address on my.mage-one.com, you can change it now under “user settings” in our platform!

Patch MO-21

This patch Improves compatibility of 3rd party integrations by flagging cookies as SameSite=None.
 

Patch MO-22

This patch prevents access to the ./downloader directory which was used for the “CardBleed” attack.

We added a few lines to ./downloader/.htaccess. If you want access ./downloader you have to add # in front of the 2 lines at the beginning.
 

Patch MO-23

This patch adds patch notification to your admin panel. As soon as a patch is released you’ll be notified on you next login to your shop’s admin panel.
 

Patch MO-24

With MO-18 wie improved the formkey validation. Unfortunately this results in a lot of error log entries if you shop is subject of a brute force attack. We changed the way these errors are logged to prevent flooding of your error log files.
 

Patch MO-25

An administrator with permission to update product data was able to store an executable file on the server and load it via layout xml. We improved layout xml security with some additional sanitation checks for method executions.

Thanks to Edgar Boda-Majer for sharing his findings!

You can download these patches in your customer account at https://my.mage-one.com/patches. Everything you need to know about the issue and how to install it is explained there.

FAQ

• How often will you release patches?
• I am an agency or partner and I don’t see the download in my customer account?
• Will there always be one patch per fix, or can more than one problem be fixed in one patch?