
Patch 10570 and CE v1.9.4


I just discovered something that has me fuming, please correct me if I'm wrong.  Back in March of '18 we installed the first version of SUPEE 10570 (v2 wasn't released yet and I didn't even know it existed until recently).  About a year later in March of '19 we upgraded to version 1.9.4.1.  The description of the 1.9.4.1 install says, "Includes patch SUPEE-11086 as well as all previous security patches and PHP 7.2 compatibility patch".  But, thing is, no, it does not.  SUPEE 10570 v2 contained an important fix to session validation bugs introduced in 10570 v1, and those have not been addressed as far as I'm aware.  In the last year we've started to notice session issues, random logouts, dumped carts, etc, and couldn't figure it out.  I started digging into it today and realized that an entire block of code that was supposed to be removed after 10570 v2 was still there in the 1.9.4.1 upgrade.

 

Please tell me I'm missing something, because if I'm not, Magento is building installs without all the previous patches as they claim to be.  That's bad news!  What else is missing???

3 REPLIES

Re: Patch 10570 and CE v1.9.4

Hi @bcp_vps,

Magento has always released new versions including all previous patches. Right now the latest Magento version is 1.9.4.2 (includes all security patches).

Magento release notes:
https://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html#ce19-1940

Make sure that no core file is overridden in a custom module or in the local folder. If any exist, then update those files as well with the latest files.

I hope it will help you.

Re: Patch 10570 and CE v1.9.4

Vimal,

 

I appreciate you taking the time to respond, but this is not accurate information, as I pointed out in my OP.  Version 1.9.4 and higher are not included in the list of supported versions for patch 10570, which makes sense since 1.9.4 is supposed to have that patch rolled in.  But patch 10570 version 2 came out a month after 10570 version 1 and that patch is NOT included in 1.9.4.  This means that, if I install the latest version of Magento, I don't get all the patches and my store is still vulnerable to login failures and session issues.  This is a serious issue IMO.

 

Brian

 

Re: Patch 10570 and CE v1.9.4

Hi @bcp_vps

 

This particular issue was spotted later and should be included in 1.9.4.2. For 1.9.4.1, if you go to the downloads page and open the dropdown for SUPEE-10570, there is an item called invalid_session_fix.patch that should address this issue.

 

Cheers,

Sherrie

--

Developer Relations, Adobe Experience Cloud
Still stuck? Check out our documentation: https://magento.com/resources/technical