Magento 2 Security Updates, January 2020
Version 2.3.4 of Magento 2 security updates include more than 30 security enhancements:
Cross-site scripting (XSS) and remote code execution (RCE) vulnerabilities
- There are no records of these types of attacks to date. Magneto identified some vulnerability that can exploit and can get access to the administrative control to access customer information.
- Magento reminds users to take all necessary means to protect Admin access. (i.e. IP whitelisting, Two-Factor authentication, VPN, unique URL, and strong passwords)
Removal of custom layout updates and the deprecation of layout updates to remove the opportunity for Remote Code Execution (RCE)
- The Custom Layout Update field on the CMS Page Edit, Category Edit, and Product Edit pages has been converted to a selector with strict naming conventions.
Redesigned content template features so that only whitelisted variables can be added to templates
- This avoids the situation where administrator-defined templates such as email, newsletters, and CMS content can include variables and directives that can directly call PHP functions on objects.
Version 2.3.4 includes the following updates to the platform:
- Magento 2 now supports the latest version of RabbitMQ (v3.8).
Caching and session storage
- Magento 2 now supports the latest version of Redis (v.5.0.6).
- Magento has improved the support to use declarative schema with both MySQL and MariaDB (10.2).
- Magento 2.3.4 has not been tested with PHP 7.1. PHP 7.1 reached EOL (End of Life) on December 1, 2019. Magento recommends updating your deployment to a supported version of PHP.
Boosts in Performance:
Version 2.3.4 includes the following performance improvements:
- The customer section invalidation mechanism has been refactored to cut redundant non-cached requests to the server.
- The ability to disable by default the statistics collection for reports. The settings are located here: System Configuration > General > Reports > General Options. For performance reasons, Magneto has recommends turning this off when not required.
There are 250 improvements to core quality for the framework, catalog, sales, PayPal, Elasticsearch, import, CMS, and B2B.
Merchant tool addition:
Adobe Magento has integrated Adobe Stock through a new bundled extension. This will allow merchants to add high quality media assets to their website content inside the Magento Admin.
Version 2.3.4 includes the following improvements to Page Builder:
Improved product sorting
- Merchants can now sort by product position in category or list of product SKUs, and sort by defined parameters such as name or stock status.
Improved product carousel
- Merchants can choose how to showcase products in their content by selecting from predefined options in Page Builder Products content type.
- The content that merchants create in Page Builder is optimized for rendering on the storefront using the Venia Theme (PWA Studio).
Inventory Management improvements:
Version 2.3.4 includes the following improvements to the inventory management:
- Resolved a known issue involving the shopping cart which causes a higher load on database servers.
- Updated the Inventory Reservations CLI command to reduce memory usage when finding and compensating for missing reservations on large catalogs.
- Resolved many quality issues, including those related to credit memos, grouped products, source and stock mass actions.
Review the inventory management notes for more details.
Version 2.3.4 includes improved Graph coverage for search, cart functionality, and layered navigation:
Guest carts can now be merged with customer carts
- Ability to transfer the contents of a guest cart into the cart of a logged-in customer.
A customer can start an order on one device and complete it on another
- Ability to link and retrieve cart on different devices.
Layered navigation can use custom filters
- With a new input object rule layered navigation on the website filter only on the attributes that you need.
You can search categories by ID, name, and/or URL key
- The categoryList query replaces the deprecated category` query.
The ProductInterface supports fixed product taxes
- Such as WEEE.
The cart object has been enhanced to include information about promotions and applied discounts at the line and cart levels
Review the GraphQL release notes for more details.
Version 2.3.4 includes the following improvements to B2B functionality:
Ability to export requisition lists into CSV format
- Batch modifications for importing into the shopping cart or importing back into the requisition list by B2B users.
Granular ACLs for B2B modules
- Merchants can now restrict access to B2B features from the Admin, controlling which employees can work with B2B items and settings.
Vendor-developed extension improvements:
Version 2.3.4 includes extensions development by 3rd-Party vendors along with quality and UX improvements.
Magento 2 version 2.3.4 provides many improvements to merchants through quality-of-life and new functionality.
Adobe Magento has provided major improvements with this release. From quality-of-life fixes to new functionality, this version will take your Magento website to the next level.
It’s encouraged to read Magento’s official release notes for Magneto 2.3.4. for the details of the specific fixes included in the new version.
If you have any specific questions about this release, it’s impact on your website, or the steps to upgrade, please reach out to us, we would be more than happy to help you.