With these statistics and trends in mind, 2019 has been our year of security. Our engineers have been hard at work for the last 8 months making Magento Commerce 2 more secure by reducing our security issue backlog by over 93%. In Q2, we shipped 139 security fixes across all active Magento Commerce and Magento Open-source versions. In our upcoming Q3 release we'll ship a record number of 157 fixes! We’ve doubled our prior year’s investment in security and are changing our approach to security work by making broader strategic changes that improve M2's security posture across the board. We have a roadmap for more of these changes in 2020 as we continue our increased investment in security.
But wait, there's more! We listened to you at Magento Live, Imagine, and other events, and now we're making it easier to pick up security fixes. In Q3 we'll be shipping a security patch release for Magento Commerce and Open-source 2.3.2. The release will be called "2.3.2-p1". It will give you the option to get just the security fixes you need for Black Friday, but delay the less time-sensitive quality, performance, and other changes until later.
You might have noticed the unusual naming scheme for the security patch release, especially since it’s being released next to the 2.3.3 release. That's because the security patch will be based on the latest prior full patch release on our most recent release line to give you a possible upgrade path like this:
This flexible scheme gives you the familiar continuous path to functional and security fixes, or the option to take a lighter security patch release when you need to, which lets you remain secure for as long as six months before picking up a full release.
Edit 28 Sept 2020 - Please note that the security releases also include quality hot fixes, since Magento has determined they are critical to run Magento effectively.
Here are a few examples to help illustrate your options:
Example 1 – A full upgrade:
Example 2 – Security now, full service later:
Example 3 – Security now, then the functional change you really need:
Example 4 – Security update to security update:
Enough chit-chat! How can you get your hands on this security patch? We will release it in late September to our technology partners and Commerce customers as a Composer package.
We're committed to making our commerce products the most robust and secure choice out there, so give us your feedback. Let us know how we're doing and what you'd like to see more of.
*Note that you would be taking on an additional upgrade during this span.
**Note that we will do our best to support security patch release to security patch release configurations, but we will not fully validate this upgrade path as part of our patch release process.