Hi all, current ETA for the 1.4 & 1.5 patches is late next week.
I realize upgrading from these versions to a recent version is a massive task, but I would like to emphasize again that these are very outdated (2010-2011) versions of Magento and it's definitely highly reccomended to upgrade to a new version.
how is 1.5 affected?
as far as I can see, its not that bad.
Customer Information Leak via RSS and Privilege Escalation
Request Forgery in Magento Connect Leads to Code Execution
Cross-site Scripting in Wishlist
Cross-site Scripting in Cart
Store Path Disclosure
Permissions on Log Files too Broad
Cross-site Scripting in Admin
Cross-site Scripting in Orders RSS
RSS module and Downloadables module add extra overhead if you don't need them, I've had them disabled by their respective XML files in app/etc/modules since back in 1.4.x.x going forward to 1.7.x.x
<Mage_Rss> <active>false</active> <codePool>core</codePool> <depends> <Mage_Catalog/> <Mage_CatalogInventory/> <Mage_Sales/> <Mage_SalesRule/> <Mage_Wishlist/> </depends> </Mage_Rss>
No module load, no exploit. The RSS feed is able to squitter out a lot of sensitive information on it's admin feeds with absolutely no authentication.
Some of the other items are actually quite bad, just nobody knows who's going to become a future statistic yet.
Thanks for the update Sherrie, we've got a few old clients still running 1.4 and 1.5, so getting the patch installed for them would be excellent. We've actually used this opportunity to reach out to these clients to talk about upgrading to 1.9.
Hey, thanks for the update post.
And a note to all, if you're running 18.104.22.168 and previous, time is ticking on getting your sites upgraded. The next major issue, you might find you're running Windows XP in a Windows 10 world. Not good for your customers...
I've noticed there isn't a patch for 22.214.171.124. Will a patch be released or does anyone running 126.96.36.199 need to use another patch?