Oct 8, 2019
SUPEE-11219, Magento Commerce 220.127.116.11 and Open Source 18.104.22.168 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.
I realize this patch is very new. But how long should we expect a SUPEE to be out, and not installed, before it triggers an alert on the scan? Can the scan be trusted? I have seen this before with lack of installed SUPEEs not triggering any sort of alert.
Sorry, wasn't clear. I am talking about the Magento tool (https://magento.com/security). Seems like oftentimes obvious missing patches don't trigger a failed scan or alert. Here is what mine said this morning...
Magento Security Scan:
No New Issues Detected
We have finished a Magento Security Scan of your site:
and we have not noticed any new threats or security issues. Congratulations!
Note: While we strive to perform as comprehensive a scan as possible, we cannot identify all issues. Please note that issues that existed prior to the initial scan, and atypical attacks, might escape our scan. Always update your Magento installation and server, as well as follow Magento Security Best Practices.
The Magento Security Team
You are receiving this email because you signed up for the Magento Security Scan service. Unsubscribe.
If you've received it in error, please contact us at email@example.com
I wonder if there is anyone from Magento that can tell us how long it takes, so we know when it can be trusted. I ran into this with Magereport. It's best effort and sometimes they just don't always test for critical updates. I stopped using it because I couldn't trust it. Same with Magento Security Scan?
We are working on it.
The new checks are planned to publicly appear next Thursday.
Still not showing up in the scan. Our site still says "No New Issues Detected". Looks like the Magento Security Scan cannot be trusted.
Sorry didn't see your response from last Thursday. Looks like scanner should catch up this week. Thanks.
Looks like the work isn't finished yet? Still missing any notification that 11219 is not present.