header

Magento 1.x Software Support Notice

For Magento Commerce 1, Magento is providing software support through June 2020. Depending on your Magento Commerce 1 version, software support may include both quality fixes and security patches. Please review our Magento Software Lifecycle Policy to see how your version of Magento Commerce 1 is supported.

For Magento Open Source 1.5 to 1.9, Magento is providing software security patches through June 2020 to ensure those sites remain secure and compliant. Visit our information page for more details about our software maintenance policy and other considerations for your business.

Magento Open Source Release Notes (1.9 and later)

Contents

These Release Notes contain the following information:

Important Upgrade Information

importantImportant: Use Magento Open Source 1.9.3.0 or later for all new Magento Open Source installations and upgrades to get the latest fixes, features, and security updates.

Magento Open Source 1.9.4.5 Release Notes

This version (or patch SUPEE-11314, which applies to older versions of Magento) provides resolution of multiple critical security issues. These security enhancements help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues.

We recommend upgrading your Magento store to this latest version. See Magento | APSB20-22 for a comprehensive discussion of these issues.

Magento Open Source 1.9.4.4 Release Notes

This version (or patch SUPEE-11295, which applies to older versions of Magento) provides resolution of multiple critical security issues and functional fixes. These security enhancements help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues.

We recommend upgrading your Magento store to this latest version. See Magento | APSB20-02 for a comprehensive discussion of these issues.

Fixed issues and enhancements

Magento Open Source 1.9.4.3 Release Notes

This version (or patch SUPEE-11219, which applies to older versions of Magento) provides resolution of multiple critical security issues and functional fixes. These security enhancements help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues.

We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Fixed issues and enhancements

Known issue

This release includes a fix for a security vulnerability that potentially allowed changes to protected store settings. As a result, extensions or customizations that depend on saving configuration fields that are not defined in system.xml files may no longer work correctly.

Magento Open Source 1.9.4.2 Release Notes

This version (or patch SUPEE-11155, which applies to older versions of Magento) provides resolution of multiple critical security issues and functional fixes. These security enhancements help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues.

Note: We are aware of the incompatibilities between patch SUPEE-11155 and the PHP 7.2 support patch and are currently working on a new version of SUPEE-11155 that resolves these incompatibilities. See Security Patch SUPEE-11555 - Possible issues? for a community-driven discussion on issues and solutions related to this SUPEE. Check these release notes and the Magento Security Center for updates on the availability on the new patch.

We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Fixed issues and enhancements

Known issues

The extensive security enhancements we’ve included to this release have resulted in the following changes to Magento behavior:

Magento Open Source 1.9.4.1 Release Notes

This version (or patch SUPEE-11086, which applies to older versions of Magento) provides resolution of multiple critical security issues and functional fixes. These security enhancements help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues.

We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Note: Magento’s implementation of the Authorize.Net Direct Post payment method currently uses MD5-based hash for all M1 and M2 installations. As of June 28, 2019, Authorize.Net will stop supporting MD5-based hash usage.

This will result in Magento merchants not being able to use Authorize.Net Direct Post to process payments. To avoid disruption and to continue processing payments, merchants must apply a patch provided by Magento and add a Signature Key (SHA-512) in the Magento Admin configuration settings. Magento released this patch in late February to address this issue on pre-2.3.1 installations of Magento. See Update Authorize.Net Direct Post from MD5 to SHA-512.

Information about the deprecation of Authorize.Net Direct Post can be found in Authorize.net Direct Post (Deprecated).

Fixed issues and enhancements

Known issue

Magento Open Source 1.9.4.0 Release Notes

This version (or patch SUPEE-10975, which applies to older versions of Magento) provides resolution of multiple critical security issues and functional fixes. These critical security issues include remote code execution (RCE), cross-site scripting (XSS), and cross-site request forgery (CSRF) issues. This release also provides support for PHP 7.2.

We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Note that after updating to this release, third-party modules that depend upon Magento core backup functionality will no longer work. Alternatively, you can use one of these two methods to enable database backups:

Fixed issues and enhancements

Magento Open Source 1.9.3.10 Release Notes

This version (or patch SUPEE-10888, which applies to older versions of Magento) provides resolution of multiple critical security issues. These critical security issues include remote cross-site scripting and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Note: With this release, Magento is announcing the following support policy: For Magento Open Source 1.5 to 1.9, Magento will provide software security patches through June 2020 to ensure those sites remain secure and compliant. Visit our information page for more details about our software maintenance policy and other considerations for your business.

Known issue

You cannot re-send the password for new customers who created their account during checkout.

Magento Open Source 1.9.3.9 Release Notes

This version (or patch SUPEE-10752, which applies to older versions of Magento) provides resolution of multiple critical security issues. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Fixed issues and enhancements

Known issue

If your custom code or extension is using Zend/Filter/PregReplace.php with the modifier e, it will now return an error due to possible RCE issues. See Magento Security Center for more information.

Magento Open Source 1.9.3.8 Release Notes

This version (or patch SUPEE-10570, which applies to older versions of Magento) provides resolution of multiple critical security issues. These critical security issues include authenticated Admin user remote code execution, unauthorized data leaks, and cross-site request forgery (CSRF) vulnerabilities. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Fixed issues and enhancements

Known issues

These two known issues are associated with the use of HTML tags within a product’s SKU attribute:

Magento Open Source 1.9.3.7 Release Notes

This patch (SUPEE-10415) provides resolution of multiple critical security issues. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Fixed issues

Known issue

Issue: Magento displays a "404: Page Not Found" error from the errors/ directory after upgrading to SUPEE-10415. This issue occurs only in Magento installations that run certain third-party extensions.

Description: Magento is not properly logging PHP warnings that occur early during page initialization. Instead, of logging the error and continuing operation, Magento generates a 404 page. (Previously, Magento logged these warnings in the system.log file, and execution would continue as usual.)

Workaround: Confirm that there are no PHP warnings generated by any of the extensions or customizations.

Notes

Magento Open Source 1.9.3.6 Release Notes

This patch (SUPEE-10266) provides resolution of multiple critical security issues and several functional fixes. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

  • We’ve also fixed an issue where uploaded images were twice their original size after you applied SUPEE-9767 v2.
  • Magento Open Source 1.9.3.5 Release Notes

    We have skipped release 1.9.3.5.

    Magento Open Source 1.9.3.4 Release Notes

    This patch addresses both security and functional issues discovered when using the SUPEE-9767 patch. We recommend upgrading your Magento store to this latest version.

    Here are your upgrade options:

    See Magento Security Center for a comprehensive discussion of these security issues.

    This release also provides support for the following functional issues:

    General fixes

    Installation

    This patch is available from Magento Tech Resources.

    Magento Open Source 1.9.3.3 Release Notes

    This patch provides resolution of multiple critical security issues. These critical issues include remote code execution for authenticated Admin users, access control bypass, and cross-site request forgery issues. See Magento Security Center for a comprehensive discussion of these issues.

    This release also provides support for the following issue:

    Support for PayPal's update to its Instant Payment Notification (IPN) server URL. PayPal provides more information about this feature in IPN Verification Postback to HTTPS Microsite. This update is essential for retaining uninterrupted service after June 30.

    SUPEE-8167, an older patch that also contains this fix, was added on May 8, 2017, and is available from Magento Tech Resources.

    Known Issues

    This patch/release has known issues. Please see SUPEE-9767 for updates.

    Note: Before applying this patch or updating to this release, disable the Symlinks setting in System > Configuration > Advanced > Developer > Enable Symlinks. If the Symlinks setting is enabled, it will override your configuration file settings. If that override occurs, you will need to directly modify the database to change those settings.

    Magento Open Source 1.9.3.2 Release Notes

    This patch addresses the following issues:

    Magento Open Source 1.9.3.1 Release Notes

    This patch addresses the following issues:

    noteNote: You currently cannot upgrade to this version using Magento Connect Manager. We expect to resolve this issue soon.

    Magento Open Source 1.9.3.0 Release Notes

    See the following sections for information about this release:

    Check for .swf Files After Upgrade

    If you upgraded to Magento Open Source 1.9.3 after applying the SUPEE-8788 patch, make sure the following files have been deleted:

    skin/adminhtml/default/default/media/flex.swf
    skin/adminhtml/default/default/media/uploader.swf
    skin/adminhtml/default/default/media/uploaderSingle.swf

    If the files are present, delete them to avoid a potential security exploit. As of Magento Open Source 1.9.0.0, we no longer distribute .swf files with the Magento software.

    Backward-Incompatible Changes

    The following backward-incompatible changes were made in this release:

    Mage_Adminhtml_Block_Cms_Wysiwyg_Images_Content_Uploader: Parent class was removed.

    Mage_Uploader_Model_Config_Abstract: Overrides the magic method __call and its behavior can be inconsistent. For example:

    ->setData('underscore_key', 1)
    ->getUnderscoreKey() //null

    Fixes

    The following sections discuss other fixes in this release:

    Tax Calculation Fixes

    Shopping cart and checkout fixes

    Catalog fixes

    Price rule fixes

    Configurable swatches fixes

    Import/export fixes

    Indexer fixes

    Other fixes

    Magento Open Source 1.9.0.1 Release Notes

    Magento Open Source 1.9.0.1 resolved the following issues:

    Recent Patches

    We'd like to draw your attention to several new patches that were recently posted to the Partner Portal and Support Center. These patches deliver important improvements, such as enabling several concurrent administrators to work with the product catalog, and to make it easier to install community-created translation packages.

    Details about the patches follow. To install patches, see How to Get Patches For Magento Commerce.

    noteNote: Some of the patches discussed in this section have EE_1.14.0.1 in the name. These patches were all tested against Open Source 1.9.x as well.

    General Magento Connect Patches

    Patch name: SUPEE-3941

    Magento Install Page Displays After SOAP v2 Index Page Refresh

    Patch name: SUPEE-3762. Refreshing the SOAP v2 index page (http://your-magento-host-name/index.php/api/v2_soap/index/) results in all administrators and customers viewing the Magento installation page.

    How to Get Patches For Magento Open Source

    This section discusses how to get patches referenced in these Release Notes.

    To get patches for Magento Open Source:

    1. Log in to www.magentocommerce.com/download.
    2. In the left pane, click Downloads.
    3. Scroll down to the Magento Open Source Patches section.
    4. Follow the prompts on your screen to download a patch for your version of Magento Open Source.
    5. Apply the patch as discussed in How to Apply and Revert Magento Patches.

    Magento Open Source 1.9.0.0 Release Notes

    See the following sections for information about changes in this release:

    Highlights

    This section lists the key new features in Magento Open Source 1.9. For more information about these new features, see the Magento User Guide.