Does CE 1.9.3.1 contain security fixes that 1.9.3.0 does not?

We updated all of our stores to 1.9.3.0 the day it came out. This caused lots of headaches when APIs broke, but we got everything stabilized.

 

We're thinking about waiting to update to 1.9.3.1, assuming that it only fixes some issues that we've already remedied in other ways, but I wanted to make sure that there aren't any critical security updates in there that will leave us vulnerable.

 

Does 1.9.3.1 only fix these things that 1.9.3.0 broke, or does it also contain new security updates that 1.9.3.0 did not?

 

Side note: The release notes mention that 1.9.3.1 "Prevented a potential Cross-Site Request Forgery (CSRF) vulnerability by changing the form key when a customer signs out of the storefront." but they don't specifically mention "Security Enhancements" (like 1.9.3.0 did).

 

Thanks!

Re: Does CE 1.9.3.1 contain security fixes that 1.9.3.0 does not?

Hi @Eric Seastrand,

 

I guess that you are talking about something that was discussed yesterday in the Slack channel. Piotr Kaminski (from Magento) said:

 

so the XSS thing is an additional case we've seen after 8788/1.9.3.0

given that it requires admin access and is not obvious to trigger, it doesn't really require a separate patch in our opinion. There are worse things you can do if you have admin access.

That change was made only for the EE version, in the module CatalogEvent.

 

Is this useful?