Release notes for Adobe Commerce 2.4.3 security patches
These security patch release notes capture updates that enhance the security of your Adobe Commerce deployment. The information includes, but is not limited to, the following:
- Security bug fixes
- Security highlights that provide more detail about enhancements and updates included in the security patch
- Known issues
- Instructions to apply additional patches if required
- Information about any hot fixes included in the release
Learn more about security patch releases:
- Adobe Commerce Security Patch Releases overview
- Instructions for downloading and applying security patch releases are available in the Upgrade Guide
Adobe Commerce 2.4.3-p3
The Adobe Commerce 2.4.3-p3 security release provides security fixes for vulnerabilities that have been identified in previous releases of 2.4.3. This release also includes security enhancements that improve compliance with the latest security best practices.
For the latest information about the security bug fixes, see the Adobe security bulletin for this release.
Apply AC-3022.patch to continue offering DHL as a shipping carrier
DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Knowledge Base article for information about downloading and installing the patch.
Security highlights
- ACL resources have been added to Inventory management.
- Inventory template security has been enhanced.
Adobe Commerce 2.4.3-p2
The Adobe Commerce 2.4.3-p2 security release provides security bug fixes for vulnerabilities that have been identified in previous releases. This release also includes security enhancements that improve compliance with the latest security best practices.
For the latest information about the security bug fixes, see the Adobe security bulletin for this release. The patch release also resolves the vulnerabilities addressed by the following patches:
- MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip
- MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.zip
- MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch
- MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch
Apply AC-3022.patch to continue offering DHL as a shipping carrier
DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Knowledge Base article for information about downloading and installing the patch.
Security highlights
- Email variable usage was deprecated in 2.3.4 as part of a security risk mitigation, in favor of a stricter variable syntax. This legacy behavior has been fully removed in this release as a continuation of that mitigation. As a result, email or newsletter templates that worked in previous versions may not work correctly after upgrading to Adobe Commerce 2.4.3-p2. Affected templates include admin overrides, themes, child themes, and templates from custom modules or third-party extensions. Your deployment may still be affected even after using the Upgrade Compatibility Tool to fix deprecated usages. Consult the developer documentation for information about potential effects and guidelines for migrating affected templates.
- OAuth access tokens and password reset tokens are now encrypted when stored in the database.
- Validation has been strengthened to prevent the upload of files with non-alphanumeric file extensions.
- Swagger is now disabled by default when Adobe Commerce is in production mode.
- Developers can now configure the size limit for arrays accepted by Adobe Commerce RESTful endpoints on a per-endpoint basis.
- Mechanisms have been added for limiting the size and number of resources that a user can request through a web API on a system-wide basis, and for overriding the defaults on individual modules. This enhancement resolves the issue addressed by MC-43048__set_rate_limits__2.4.3.patch.
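The following is an added illustration of the upload-extension highlight above; it is not Adobe Commerce's own validator. It contrasts a block-list check on "whatever follows the last dot" with a check that first requires the extension to be alphanumeric and then consults an allow-list, and runs both over a set of file names constructed for this example. The extension sets, the helper names, and the sample names are all assumptions made here.

```python
"""Upload file-extension validation (added example, not Adobe Commerce code).

Contrasts a naive block-list check with one that requires an alphanumeric
extension before consulting an allow-list. Extension sets and file names are
constructed for this example.
"""
import re

BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}       # assumed block-list
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}   # assumed allow-list
ALNUM_EXTENSION = re.compile(r"[A-Za-z0-9]+")


def naive_is_allowed(filename: str) -> bool:
    """Block-list check on the text after the last dot.

    Trailing dots, trailing spaces and NUL-truncation tricks all slip past
    it, because the text after the last dot is not the extension the
    filesystem or web server ends up acting on.
    """
    ext = filename.rsplit(".", 1)[-1]
    return ext.lower() not in BLOCKED_EXTENSIONS


def hardened_is_allowed(filename: str) -> bool:
    """Require an alphanumeric extension, then an allow-list match.

    Control characters and path separators anywhere in the name are also
    rejected; that goes beyond the highlight but closes the NUL-truncation
    and traversal cases the extension rule alone does not cover.
    """
    if not filename or any(ord(ch) < 0x20 or ch == "\x7f" for ch in filename):
        return False
    if "/" in filename or "\\" in filename:
        return False
    base, dot, ext = filename.rpartition(".")
    if not dot or not base:          # no extension, or a dotfile such as .htaccess
        return False
    if not ALNUM_EXTENSION.fullmatch(ext):
        return False                 # rejects "php.", "php ", "" and similar
    return ext.lower() in ALLOWED_EXTENSIONS


def audit(filenames) -> list:
    """Return the names the naive check accepts but the hardened check rejects."""
    return [f for f in filenames if naive_is_allowed(f) and not hardened_is_allowed(f)]


SAMPLE_UPLOADS = [           # constructed for this example
    "photo.jpg",
    "photo.JPG",
    "shell.php",
    "shell.php.",            # trailing dot, dropped by some filesystems
    "shell.php ",            # trailing space, same effect
    "shell.php\x00.jpg",     # NUL truncation
    "shell.jpg.php",
    ".htaccess",
    "../shell.jpg",
]

if __name__ == "__main__":
    for name in audit(SAMPLE_UPLOADS):
        print("naive check accepts, hardened check rejects:", repr(name))
```

A double extension such as shell.php.jpg passes the hardened check because its final extension is jpg; whether the web server executes it depends on the server's handler configuration, which no file-name validator can fix on its own.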
Adobe Commerce 2.4.3-p1
The Adobe Commerce 2.4.3-p1 security release provides security bug fixes for vulnerabilities that have been identified in the previous release (Adobe Commerce 2.4.3 and Magento Open Source 2.4.3). This release also includes security enhancements that improve compliance with the latest security best practices.
For the latest information about the security bug fixes, see the Adobe security bulletin for this release. The patch release also provides bug fixes for the Braintree and other vendor-developed extensions.
Apply AC-3022.patch to continue offering DHL as a shipping carrier
DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Knowledge Base article for information about downloading and installing the patch.
Hotfixes
This release includes the following hotfix, and all hotfixes that have been released for the preceding patch release.
- Patch AC-384__Fix_Incompatible_PHP_Method__2.3.7-p1_ce.patch addresses a PHP fatal error on upgrade. See the Knowledge Base article for information on both the patch and the issue.
Security highlights
- Session IDs have been removed from the database. This change may break customizations or installed extensions that use the raw session IDs stored in the database.
- Admin access to Media Gallery folders has been restricted. Default Media Gallery permissions now allow only the directory operations (view, upload, delete, and create) that are explicitly allowed by configuration. Admin users can no longer access media assets through the Media Gallery that were uploaded outside of the catalog/category or wysiwyg directories. Administrators who need to access such assets must move them to an explicitly allowed folder or adjust their configuration settings.
- GraphQL query complexity limits have been lowered. The maximum allowed GraphQL query complexity has been lowered to prevent Denial-of-Service (DoS) attacks.
- Vulnerabilities found in recent penetration tests have been fixed in this release.
- The unsupported source expression unsafe-inline has been removed from the Content Security Policy frame-ancestors directive. frame-ancestors accepts only host, scheme, 'self' and 'none' sources, so browsers ignored the expression; removing it keeps the policy valid rather than changing what is framed.
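To make the GraphQL complexity highlight above concrete, here is an added example of a complexity and depth limiter; it is not Adobe Commerce's own implementation, and the way a real GraphQL server scores a query differs in detail. Complexity is counted here as one per selected field and depth as the nesting level of selection sets, which is a simplification. The limit values, the helper names, and the two sample queries (an ordinary product lookup and a deliberately deep category walk) are assumptions constructed for this example.

```python
"""GraphQL query complexity and depth limiter (added example, not Adobe
Commerce code).

Complexity = one per selected field; depth = nesting of selection sets.
A simplification of what a GraphQL server's validation rules compute.
Limits and sample queries are constructed for this example.
"""


def measure(query: str) -> tuple:
    """Return (complexity, depth) for a GraphQL document string.

    Argument lists, string literals and comments are skipped; aliases,
    directive names, fragment spreads and type conditions are not counted
    as fields. Fields inside a fragment definition count where the fragment
    is defined, so a fragment spread several times is undercounted.
    """
    complexity = depth = max_depth = paren = 0
    prev = ""                 # last significant (non-space) character
    skip_type_name = False    # the word after 'on' is a type, not a field
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == '"':                                 # string literal
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
            continue
        if c == "#":                                 # comment to end of line
            while i < n and query[i] != "\n":
                i += 1
            continue
        if c == "(":
            paren += 1
        elif c == ")":
            paren -= 1
        elif c == "{" and paren == 0:                # selection set opens
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}" and paren == 0:
            depth -= 1
        elif (c.isalpha() or c == "_") and paren == 0 and depth > 0:
            j = i
            while j < n and (query[j].isalnum() or query[j] == "_"):
                j += 1
            word = query[i:j]
            k = j
            while k < n and query[k].isspace():
                k += 1
            following = query[k] if k < n else ""
            if skip_type_name:
                skip_type_name = False
            elif word == "on":
                skip_type_name = True
            elif prev in ("@", ".") or following == ":":
                pass                                  # directive, spread or alias
            else:
                complexity += 1
            prev = "w"
            i = j
            continue
        if not c.isspace():
            prev = c
        i += 1
    return complexity, max_depth


def within_limits(query: str, max_complexity: int, max_depth: int) -> bool:
    """Accept the query only if both measures stay at or below the limits."""
    complexity, depth = measure(query)
    return complexity <= max_complexity and depth <= max_depth


# Constructed queries: an ordinary product lookup and a deliberately deep
# category walk of the kind a complexity limit is meant to stop.
PRODUCT_QUERY = """
query Products {
  products(filter: { sku: { eq: "24-MB01" } }) {
    items {
      sku
      name
      price_range { minimum_price { final_price { value } } }
    }
  }
}
"""

DEEP_QUERY = """
{ category(id: 2) {
    children { children { children { children { children { name } } } } }
} }
"""

if __name__ == "__main__":
    for label, q in (("product lookup", PRODUCT_QUERY), ("deep walk", DEEP_QUERY)):
        print(label, measure(q), "allowed:", within_limits(q, 50, 5))
```

The point of a lowered complexity ceiling is that the deep walk, which returns little data but forces the resolver to fan out at every level, is rejected by depth or field count before any resolver runs, while the ordinary lookup passes.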