There is already a post dedicated to Magento security patches in our blog. SUPEE-6482, SUPEE-6285, SUPEE-5994, SUPEE-5344, and others are described here: Magento critical security patches. And since it includes too much information, we’ve decided to create a new one which sheds light on the latest patch – SUPEE-8788. The new security improvement is vital since it fixes lots of vulnerabilities. Although most of them haven’t been utilized in attacks, it’s not the reason to ignore SUPEE-8788.
So, what does the SUPEE-8788 Magento security patch do? It is mainly aimed at fixing Zend framework and payment vulnerabilities. Its next important goal is to ensure sessions are invalidated after a user logs out. Besides, the patch removes compatibility issues with SUPEE-1533 and SUPEE-3941 (both may be experienced in case of EE 1.13 and CE 1.8 or their earlier releases). We should also mention that the SUPEE-8788 Magento security patch resolves some checkout issues with 3rd party payment methods. There are 17 APPSEC updates included! Pay attention to the version of SUPEE-8788. Currently, there are SUPEE-8788 v1 and SUPEE-8788 v2.
- Revert SUPEE-1533 (if it is installed).
- Deploy SUPEE-3941 (if it is not installed).
- Install SUPEE-8788 v2.
Note that the SUPEE-8788 security patch already includes SUPEE-1533, so you don’t have to reinstall it.
In case you’ve already insatlled SUPEE-8788 v1, you should revent it and then do the aforementioned actions.
Alternatively, you can use Automatic patch applying tool. Magento SUPEE-8788 Patcher automates the process required for applying the SUPEE-8788 security patch. Download the tool
Besides, you can update Magento to the latest version that already includes all patches.
The full list of SUPEE-8788 is posted on magento.stackexchange by
- Due to the Mage_Uploader module, the Flash support is now droped (there is no Mage_Adminhtml_Block_Media_Uploader, but there is Mage_Uploader_Block_Multiple instead of it).
- Thus, the Mage_Downloadable module exists in refactored state. Now, it is able to handle the new non flash uploader. Mage_Uploader_Block_Single is used instead of templates as the upload block.
- The following SWF files are deleted:
- There is also an improvement related to the address deletion controller. It is protected with form key. Furthermore, everything happens from Mage_Customer_Block_Address_Book directly via the getDeleteUrl.
- The same is about the wishlist item removal controller, but via the getRemoveUrl from Mage_Wishlist_Helper_Data
- Paypal Express payment method has been revamped as well: the new user is created before processing the new quote.
- The payment methods that use cURL/HTTP Client have been also changed (check StackExchange for further information).
- Product picture max dimensions can be now changed in the config.
For further information, follow this link:
All patches can be downloaded here:
Have any questions? Let us know in comments: our team or other readers will help you.