Updated 3/31/2016

We are releasing Magento Enterprise Edition and Community Edition 2.0.4 to address a packaging issue with yesterday’s release. If you have already installed the original release, you must replace it with the new version to ensure that your site receives all security enhancements. You can download Magento Enterprise Edition and Community Edition 2.0.4 from the distribution channels listed below. We apologize for the inconvenience this may cause and we are reviewing our processes to prevent this from happening in the future.

====

Today, we are making a new upgrade available that improves the security and functionality of Magento 2.0 sites. The new release, Magento 2.0.3, is available for both Magento Enterprise Edition and Community Edition, and contains several security improvements, including:

• Prevents anonymous access to web APIs by default so that private information about the store, such as pricing, stock details, and upcoming promotions, are not disclosed without authentication. Merchants can still configure their APIs to support anonymous access if it is required by certain extensions. More information is available
• Sets limits on the number of Admin and Customer Token Access API password attempts allowed to help prevent brute force attempts to guess passwords.
• Fully resolves a previous issue with cross-site scripting so that attackers cannot enter an email address with malicious JavaScript code during customer registration on the storefront.
• Fixes multiple parameters in the Authorize.net payment module that were vulnerable to reflected cross-site scripting attacks. 

In addition, Magento 2.0.3 includes performance improvements and functional enhancements to the Orders API, Google Tag Manager, permissions, and other areas. Full details on the functional enhancements are included in the release notes for Enterprise Edition and Community Edition; more information on the security updates can be found on the Magento Security Center.

Merchants are strongly advised to deploy this new release. Magento 2.0.3 can be downloaded from the following locations:

• Partners

• Enterprise Edition:

• Community Edition:

If you have not previously upgraded to Magento Enterprise Edition or Community Edition 2.0.2, you should review the upgrade information posted on our Security Center as there are some additional steps you may need to take.

POTENTIAL VULNERABILITY

We’d also like to highlight an article just posted on our Security Center that shares best practices for protecting stores from brute-force password guessing attacks. We’ve been made aware of a recent rise in these attacks, so it is critical for merchants to take these important steps to reduce their risk. We strongly recommend that you review the best practices outlined in this article with your Solution and Hosting Partners immediately and implement the ones that are best suited to your unique situation.

Thank you for your prompt attention to these issues.