header

Magento 1.x Software Support Notice

For Magento Commerce 1, Magento is providing software support through June 2020. Depending on your Magento Commerce 1 version, software support may include both quality fixes and security patches. Please review our Magento Software Lifecycle Policy to see how your version of Magento Commerce 1 is supported.

For Magento Open Source 1.5 to 1.9, Magento is providing software security patches through June 2020 to ensure those sites remain secure and compliant. Visit our information page for more details about our software maintenance policy and other considerations for your business.

Magento Commerce Release Notes (1.14 and later)

Contents

These Release Notes contain the following information:

Important Upgrade Information

importantImportant: Use Magento Commerce 1.14.3.0 or later for all new Magento Commerce installations and upgrades to get the latest fixes, features, and security updates.

Magento Commerce 1.14.4.5 Release Notes

This version (or patch SUPEE-11314, which applies to older versions of Magento) provides resolution of multiple critical security issues. These security enhancements help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues.

We recommend upgrading your Magento store to this latest version. See Magento | APSB20-22 for a comprehensive discussion of these issues.

Magento Commerce 1.14.4.4 Release Notes

This version (or patch SUPEE-11295, which applies to older versions of Magento) provides resolution of multiple critical security issues and functional fixes. These security enhancements help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues.

We recommend upgrading your Magento store to this latest version. See Magento | APSB20-02 for a comprehensive discussion of these issues.

Fixed issues and enhancements

Magento Commerce 1.14.4.3 Release Notes

This version (or patch SUPEE-11219, which applies to older versions of Magento) provides resolution of multiple critical security issues and functional fixes. These security enhancements help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues.

We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Fixed issues and enhancements

Known issue

This release includes a fix for a security vulnerability that potentially allowed changes to protected store settings. As a result, extensions or customizations that depend on saving configuration fields that are not defined in system.xml files may no longer work correctly.

Magento Commerce 1.14.4.2 Release Notes

This version (or patch SUPEE-11155, which applies to older versions of Magento) provides resolution of multiple critical security issues and functional fixes. These security enhancements help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues.

Note: We are aware of the incompatibilities between patch SUPEE-11155 and the PHP 7.2 support patch and are currently working on a new version of SUPEE-11155 that resolves these incompatibilities. See Security Patch SUPEE-11555 - Possible issues? for a community-driven discussion on issues and solutions related to this SUPEE. Check these release notes and the Magento Security Center for updates on the availability on the new patch.

We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Fixed issues and enhancements

Known issues

The extensive security enhancements we’ve included to this release have resulted in the following changes to Magento behavior:

Magento Commerce 1.14.4.1 Release Notes

This version (or patch SUPEE-11086, which applies to older versions of Magento) provides resolution of multiple critical security issues and functional fixes. These security enhancements help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues.

We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Note: Magento’s implementation of the Authorize.Net Direct Post payment method currently uses MD5-based hash for all M1 and M2 installations. As of June 28, 2019, Authorize.Net will stop supporting MD5-based hash usage.

This will result in Magento merchants not being able to use Authorize.Net Direct Post to process payments. To avoid disruption and to continue processing payments, merchants must apply a patch provided by Magento and add a Signature Key (SHA-512) in the Magento Admin configuration settings. Magento released this patch in late February to address this issue on pre-2.3.1 installations of Magento. See Update Authorize.Net Direct Post from MD5 to SHA-512 .

Information about the deprecation of Authorize.Net Direct Post can be found in Authorize.net Direct Post (Deprecated).

Fixed issues and enhancements

Known issue

Magento Commerce 1.14.4.0 Release Notes

This version (or patch SUPEE-10975, which applies to older versions of Magento) provides resolution of multiple critical security issues and functional fixes. These critical security issues include remote code execution (RCE), cross-site scripting (XSS), and cross-site request forgery (CSRF) issues. This release also provides support for PHP 7.2.

We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Note that after updating to this release, third-party modules that depend upon Magento core backup functionality will no longer work. Alternatively, you can use one of these two methods to enable database backups:

Fixed issues and enhancements

Magento Commerce 1.14.3.10 Release Notes

This version (or patch SUPEE-10888, which applies to older versions of Magento) provides resolution of multiple critical security issues. These critical security issues include remote cross-site scripting and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Note: With this release, Magento is announcing the following support policy: Magento will provide software support through June 2020 for Magento Commerce 1.x. Depending on your Magento Commerce 1 version, software support may include both quality fixes and security patches. Please review our Magento Software Lifecycle Policy Magento Software Lifecycle Policy to see how your version of Magento Commerce 1 is supported.

Known issue

You cannot re-send the password for new customers who created their account during checkout.

Magento Commerce 1.14.3.9 Release Notes

This version (or patch SUPEE-10752, which applies to older versions of Magento) provides resolution of multiple critical security issues. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Fixed issues and enhancements

Known issue

If your custom code or extension is using Zend/Filter/PregReplace.php with the modifier e, it will now return an error due to possible RCE issues. See APPSEC-2029 in Magento Security Center for more information.

Magento Commerce 1.14.3.8 Release Notes

This version (or patch SUPEE-10570, which applies to older versions of Magento) provides resolution of multiple critical security issues. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Fixed issues and enhancements

Known issues

These two known issues are associated with the use of HTML tags within a product’s SKU attribute:

Magento Commerce 1.14.3.7 Release Notes

This patch (SUPEE-10415) provides resolution of multiple critical security issues. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

Fixed issues

Known issue

Issue: Magento displays a "404: Page Not Found" error from the errors/ directory after upgrading to SUPEE-10415. This issue occurs only in Magento installations that run certain third-party extensions.

Description: Magento is not properly logging PHP warnings that occur early during page initialization. Instead, of logging the error and continuing operation, Magento generates a 404 page. (Previously, Magento logged these warnings in the system.log file, and execution would continue as usual.)

Workaround: Confirm that there are no PHP warnings generated by any of the extensions or customizations.

Notes

Magento Commerce 1.14.3.6 Release Notes

This patch (SUPEE-10266) provides resolution of multiple critical security issues and several functional fixes. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.

SUPEE-10266 includes a fix for MPERF-9685. This fix is not included in release 1.14.3.6. However, in some cases, SUPEE-10266 can cause issues in the checkout process. Specifically, if a customer enables the Add gift options checkbox during checkout, the checkout process will not progress beyond the payments step.

Note: We’ve released patch SUPEE-10348 to address issues with checkout that some users experienced after applying SUPEE-10266. SUPEE-10348 must be applied on top of SUPEE-10266. Note that if you are experiencing issues in checkout when using gift options, SUPEE-10348 should resolve these issues.

If you are currently affected by this issue, you can workaround this issue by restore these two files to the pre-patch versions:

 

app/design/frontend/enterprise/default/template/giftcardaccount/onepage/payment/scripts.phtml

app/design/frontend/rwd/enterprise/template/giftcardaccount/onepage/payment/scripts.phtml

We’ve also fixed an issue where uploaded images were twice their original size after you applied SUPEE-9767 v2.

Magento Commerce 1.14.3.5 Release Notes

We have skipped release 1.14.3.5.

Magento Commerce 1.14.3.4 Release Notes

This patch (SUPEE-9767 version 2) addresses both security and functional issues discovered when using the SUPEE-9767 patch. We recommend upgrading your Magento store to this latest version.

Here are your upgrade options:

See Magento Security Center for a comprehensive discussion of these security issues.

This release also provides support for the following functional issues:

General fixes

Installation

This patch is available from Magento Tech Resources.

Magento Commerce 1.14.3.3 Release Notes

This patch provides resolution of multiple critical security issues. These critical issues include remote code execution for authenticated Admin users, access control bypass, and cross-site request forgery issues. See Magento Security Center for a comprehensive discussion of these issues.

This release also provides support for the following issue:

Support for PayPal's update to its Instant Payment Notification (IPN) server URL. PayPal provides more information about this feature in IPN Verification Postback to HTTPS Microsite. This update is essential for retaining uninterrupted service after June 30.

SUPEE-8167, an older patch that also contains this fix, was added on May 8, 2017, and is available from Magento Tech Resources.

Known Issues

This patch/release has known issues. Please see SUPEE-9767 for updates.

Note: Before applying this patch or updating to this release, disable the Symlinks setting in System > Configuration > Advanced > Developer > Enable Symlinks. If the Symlinks setting is enabled, it will override your configuration file settings. If that override occurs, you will need to directly modify the database to change those settings.

Magento Commerce 1.14.3.2 Release Notes

This patch addresses the following issues:

Magento Commerce 1.14.3.1 Release Notes

This patch addresses the following issues:

noteNote: You currently cannot upgrade to this version using Magento Connect Manager. We expect to resolve this issue soon.

Magento Commerce 1.14.3.0 Release Notes

See the following sections for information about this release:

Check for .swf Files After Upgrade

If you upgraded to Magento Commerce 1.14.3 after applying the SUPEE-8788 patch, make sure the following files have been deleted:

skin/adminhtml/default/default/media/flex.swf
skin/adminhtml/default/default/media/uploader.swf
skin/adminhtml/default/default/media/uploaderSingle.swf

If the files are present, delete them to avoid a potential security exploit. As of Magento Commerce 1.14.0.0, we no longer distribute .swf files with the Magento software.

Backward-Incompatible Changes

The following backward-incompatible changes were made in this release:

Mage_Adminhtml_Block_Cms_Wysiwyg_Images_Content_Uploader: Parent class was removed.

Mage_Uploader_Model_Config_Abstract: Overrides the magic method __call and its behavior can be inconsistent. For example:

->setData('underscore_key', 1)
->getUnderscoreKey() //null

Fixes

The following sections discuss other fixes in this release:

Tax Calculation Fixes

Shopping cart and checkout fixes

Catalog fixes

Price rule fixes

Visual Merchandiser fixes

Configurable swatches fixes

Import/export fixes

Indexer fixes

Other fixes

Magento Commerce 1.14.2.0 Release Notes

Magento Commerce 1.14.2.0 Release Notes are in the User Guide.

Magento Commerce 1.14.1.0 Release Notes

Magento Commerce 1.14.1.0 Release Notes are in the User Guide.

Magento Commerce 1.14.0.1 Release Notes

Magento Commerce 1.14.0.1 resolves the following issues:

Recent Patches

noteNote: The patches discussed in this section are built in to Commerce 1.14.1; you need to get them only if you're running an earlier Commerce version.

We'd like to draw your attention to several new patches that were recently posted to the Partner Portal and Support Center. These patches deliver important improvements, such as enabling several concurrent administrators to work with the product catalog, and to make it easier to install community-created translation packages.

Details about the patches follow. To install these patches, see How to Get Patches For Magento Commerce.

General Magento Connect Patches

Patch name: PATCH_SUPEE-3941_EE_1.14.0.1_v1-2014-08-12-12-10-06.sh

Magento Install Page Displays After SOAP v2 Index Page Refresh

Patch name: PATCH_SUPEE-3762_EE_1.14.0.1_v1.sh. Refreshing the SOAP v2 index page (http://your-magento-host-name/index.php/api/v2_soap/index/) results in all administrators and customers viewing the Magento installation page.

Multiple Simultaneous Magento Administrators

Patch name: PATCH_SUPEE-3819_EE_1.14.0.1_v1.sh. Multiple Magento administrators can simultaneously add new products; or edit descriptions, edit prices, or edit stock quantities of existing products without causing deadlocks, key violations, or critical data errors. Together with applying the patch, you must set all indexers to Update when scheduled as follows:

  1. Log in to the Magento Admin Panel as an administrator.
  2. Click System > Configuration.
  3. In the left navigation bar, from the ADVANCED group, click Index Management.
  4. Expand Indexing Options.
  5. From each list, click Update when scheduled.
  6. Click Save Config in the upper right corner of the page.

How to Get Patches For Magento Commerce

This section discusses how to get patches referenced in these Release Notes. Magento has other patches available from the Commerce support portal and the partner portal; you can use the following instructions to install any of those patches as well.

To get patches for Magento Commerce:

  1. Log in to www.magentocommerce.com.
  2. In the left pane, click Downloads.
  3. In the right pane, click Magento Commerce.
  4. Follow the prompts on your screen to download a patch for your version of EE.
  5. Apply the patch as discussed in How to Apply and Revert Magento Patches.

Magento Commerce 1.14.0.0 Release Notes

See the following sections for information about changes in this release:

Highlights

This section lists the key new features in Magento Commerce 1.14. For more information about these new features, see the Magento User Guide.