cancel
Showing results for 
Search instead for 
Did you mean: 

Does CE 1.9.3.1 contain security fixes that 1.9.3.0 does not?

Does CE 1.9.3.1 contain security fixes that 1.9.3.0 does not?

We updated all of our stores to 1.9.3.0 the day it came out. This caused lots of headaches when APIs broke, but we got everything stabilized.

 

We're thinking about waiting to update to 1.9.3.1, assuming that it only fixes some issues that we've already remedied in other ways, but I wanted to make sure that there aren't any critical security updates in there that will leave us vulnerable.

 

Does 1.9.3.1 only fix these things that 1.9.3.0 broke, or does it also contain new security updates that 1.9.3.0 did not?

 

Side note: The release notes mention that 1.9.3.1 "Prevented a potential Cross-Site Request Forgery (CSRF) vulnerability by changing the form key when a customer signs out of the storefront." but they don't specifically mention "Security Enhancements" (like 1.9.3.0 did).

 

Thanks!

1 REPLY

Re: Does CE 1.9.3.1 contain security fixes that 1.9.3.0 does not?

Hi @Eric Seastrand,

 

I guess that you are talking about something taht was discussed yesterday at the Slack channel. Piotr Kaminski (from Magento) said:

 

so the XSS thing is an additional case we've seen after 8788/1.9.3.0

given that it requires admin access and is not obvious to trigger, it doesn't really require a separate patch in our opinion. There are worse things you can do if you have admin access.

That change was made only for EE versión, into the module CatalogEvent.

 

Is this useful?

--
If you've found one of my answers useful, please give "Kudos" or "Accept as Solution"