Magento Open Source 2.3.4 Release Notes
Magento Open Source 2.3.4 offers significant platform upgrades, substantial security changes, and PSD2-compliant core payment methods.
This release includes over 220 functional fixes to the core product and over 30 security enhancements. It includes resolution of over 275 contributions by our community members. These community contributions range from minor clean-up of core code to significant enhancements to Inventory Management and GraphQL.
Download and run the DB_CLEANUP_SCRIPT.php script
This hotfix addresses an issue with CVE-2019-8118 that was included in Magento 2.3.3 and 2.2.10. While the original fix for that bug stopped the logging of failed login attempts, information collected prior to updating to these current versions may still exist, and previous, unpatched versions of Magento may still have this issue. This hotfix provides a script that clears the login attempts that were previously collected. We recommend that all merchants download and run this script. See Remove failed login attempts from the database for information on how to download and run this database clean-up script.
Apply the PayPal Express Checkout issue with region patch for Magento 2.3.4 to address a critical PayPal Express Checkout issue
This issue affects orders placed with PayPal Express Checkout where the order’s shipping address specifies a country region that has been manually entered into the text field rather than selected from the drop-down menu on the Shipping page. When the customer enters a region in the text field, Magento throws this error: Error 500: NOTICE: PHP message: PHP Fatal error: Uncaught Error: Call to a member function getId() on null in httpdocs/vendor/magento/module-paypal/Model/Api/Nvp.php:1527. When the customer selects the country region from the drop-down menu when placing an order, the order is completed successfully. See Applying patches for specific instructions on downloading and applying Magento patches. Both Git-based and Composer-based patches are available. A fix for this issue will be included in Magento 2.3.5, which is scheduled for release in April 2020.
Security-only patch available
Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release (for example, Magento 2.3.4) provides. Patch 2.3.3.1 (Composer package 2.3.3-p1) is a security-only patch that provides fixes for vulnerabilities that have been identified in our previous quarterly release, Magento 2.3.3. All hot fixes that were applied to the 2.3.3 release are included in this security-only patch. (A hot fix provides a fix to a released version of Magento that addresses a specific problem or bug.) For general information about security-only patches, see the Magento DevBlog post Introducing the New Security-only Patch Release. For instructions on downloading and applying security-only patches (including patch 2.3.3-p1), see Install Magento using Composer. Security-only patches include only security bug fixes, not the additional security enhancements that are included in the full patch.
With this quarterly release, we’ve changed how we describe these security issues. Individual issues are no longer described in the Magento Security Center. Instead, these issues are documented in an Adobe Security bulletin. Please see Security updates available for Magento APSB20-02.
Highlights
To view the content, you need to Sign In or Register.
Magento Open Source 2.3.4 offers significant platform upgrades, substantial security changes, and PSD2-compliant core payment methods.
This release includes over 220 functional fixes to the core product and over 30 security enhancements. It includes resolution of over 275 contributions by our community members. These community contributions range from minor clean-up of core code to significant enhancements to Inventory Management and GraphQL.
Download and run the DB_CLEANUP_SCRIPT.php script
This hotfix addresses an issue with CVE-2019-8118 that was included in Magento 2.3.3 and 2.2.10. While the original fix for that bug stopped the logging of failed login attempts, information collected prior to updating to these current versions may still exist, and previous, unpatched versions of Magento may still have this issue. This hotfix provides a script that clears the login attempts that were previously collected. We recommend that all merchants download and run this script. See Remove failed login attempts from the database for information on how to download and run this database clean-up script.
Apply the PayPal Express Checkout issue with region patch for Magento 2.3.4 to address a critical PayPal Express Checkout issue
This issue affects orders placed with PayPal Express Checkout where the order’s shipping address specifies a country region that has been manually entered into the text field rather than selected from the drop-down menu on the Shipping page. When the customer enters a region in the text field, Magento throws this error: Error 500: NOTICE: PHP message: PHP Fatal error: Uncaught Error: Call to a member function getId() on null in httpdocs/vendor/magento/module-paypal/Model/Api/Nvp.php:1527. When the customer selects the country region from the drop-down menu when placing an order, the order is completed successfully. See Applying patches for specific instructions on downloading and applying Magento patches. Both Git-based and Composer-based patches are available. A fix for this issue will be included in Magento 2.3.5, which is scheduled for release in April 2020.
Security-only patch available
Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release (for example, Magento 2.3.4) provides. Patch 2.3.3.1 (Composer package 2.3.3-p1) is a security-only patch that provides fixes for vulnerabilities that have been identified in our previous quarterly release, Magento 2.3.3. All hot fixes that were applied to the 2.3.3 release are included in this security-only patch. (A hot fix provides a fix to a released version of Magento that addresses a specific problem or bug.) For general information about security-only patches, see the Magento DevBlog post Introducing the New Security-only Patch Release. For instructions on downloading and applying security-only patches (including patch 2.3.3-p1), see Install Magento using Composer. Security-only patches include only security bug fixes, not the additional security enhancements that are included in the full patch.
With this quarterly release, we’ve changed how we describe these security issues. Individual issues are no longer described in the Magento Security Center. Instead, these issues are documented in an Adobe Security bulletin. Please see Security updates available for Magento APSB20-02.
Highlights
To view the content, you need to Sign In or Register.
Content of this hidden block can only be seen by members of: Executive