I just discovered something that has me fuming; please correct me if I'm wrong. Back in March of '18 we installed the first version of SUPEE 10570 (v2 wasn't released yet and I didn't even know it existed until recently). About a year later in March of '19 we upgraded to version 1.9.4.1. The description of the 1.9.4.1 install says, "Includes patch SUPEE-11086 as well as all previous security patches and PHP 7.2 compatibility patch". But, thing is, no, it does not. SUPEE 10570 v2 contained an important fix to session validation bugs introduced in 10570 v1, and those have not been addressed as far as I'm aware. In the last year we've started to notice session issues, random logouts, dumped carts, etc., and couldn't figure it out. I started digging into it today and realized that an entire block of code that was supposed to be removed after 10570 v2 was still there in the 1.9.4.1 upgrade.
Please tell me I'm missing something, because if I'm not, Magento is building installs without all the previous patches as they claim to be. That's bad news! What else is missing???
Vimal,
I appreciate you taking the time to respond, but this is not accurate information, as I pointed out in my OP. Version 1.9.4 and higher are not included in the list of supported versions for patch 10570, which makes sense since 1.9.4 is supposed to have that patch rolled in. But patch 10570 version 2 came out a month after 10570 version 1 and that patch is NOT included in 1.9.4. This means that, if I install the latest version of Magento, I don't get all the patches and my store is still vulnerable to login failures and session issues. This is a serious issue IMO.
Brian
Hi @bcp_vps,
This particular issue was spotted later and should be included in 1.9.4.2. For 1.9.4.1, if you go to the downloads page and open the dropdown for SUPEE-10570, there is an item called invalid_session_fix.patch that should address this issue.
Cheers,
Sherrie