Magento is releasing new versions of our Magento Open Source (formerly Community Edition) and Magento Commerce (formerly Enterprise Edition) products to improve product security:
These releases contain almost 40 security changes and enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities.
We’ve also updated the USPS API in Magento 2.x to support service changes that USPS enacted on September 1, 2017. After you install or upgrade to this release, the discontinued “First-Class Mail Parcel” service will change to “First-Class Package Service – Retail.” Patches are also available for Magento 1.x versions. More information about this change is available in our Technical Bulletin.
We strongly recommend that all merchants upgrade to these versions as soon as is reasonably possible.
Download and install Magento Commerce updates by logging in to My Account and navigating to the version you want to download. Magento Open Source software is available from the Open Source download page. (See How to get the Magento software for a discussion of Magento 2.x installation procedures, and How to Apply and Revert Magento Patches for Magento 1.x instructions.)
More information about the security changes is available on the Magento Security Center:
Full details are available in the Magento release notes:
Magento Open Source 2.1.9 Release Notes
Magento Open Source 2.0.16 Release Notes
Magento Open Source Release Notes (1.9 and later)
Magento Commerce 2.1.9 Release Notes
Magento Commerce 2.0.16 Release Notes
Magento Commerce Release Notes (1.14 and later)
Thank you for taking prompt action to deploy these updates and secure your site.