Magento Community Edition 2.1.2 Now Available

Magento Community Edition 2.1.2

We are pleased to present Magento Community Edition 2.1.2. This release includes security enhancements and several functional fixes.

Backward-incompatible changes are documented in Magento 2.1 backward incompatible changes.

Highlights

Magento 2.1.2 contains multiple bug fixes and enhancements, including

  • Support for PHP 7.0.4 and 5.6.5. (This release supports PHP 5.6.5 and above instead of 5.6.x.)
  • Compatible with MySQL 5.7.
  • Two new web APIs (or service contracts) for the Sales module that incorporate functionality into the Sales API that is currently available in the Admin interface. After you install this patch, you’ll be able to use the Sales API ShipOrder and InvoiceOrder methods to capture payment and ship product. See Module Reference Guide for information on using the ShipOrder and InvoiceOrder interfaces.

Why are we adding new APIs in a patch release?

These new interfaces will not break any existing customizations or extensions. See Alan Kent’s blog about Magento for more information about these features and Magento’s use of semantic versioning.

Security enhancements

This release includes enhancements to improve the security of your Magento software. While there are no confirmed attacks related to these issues to date, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. We recommend that you upgrade your existing Magento software to the latest version as soon as possible.

The following list provides an overview of the security issues fixed in this release. We describe each issue in greater detail in the Magento Security Center.

General security

  • Fixed issue with using the Magento Enterprise Edition invitations feature to insert malicious JavaScript and subsequently execute it in the Admin context.
  • You can no longer change or fake a product price from the Magento storefront and then complete an order with that faked price.
  • Fixed issue with arbitrary PHP code execution during checkout.
  • Fixed issue with retrieving potentially sensitive information through the use of backend media.
  • Fixed issue with running cron jobs less frequently than specified by the application cron setting.
  • Sessions now expire as expected after logout.
  • Removed potential for exploitation of guest order view feature to harvest order information.
  • Kount and 3D Secure now work as expected for Braintree Vault.
  • You can no longer delete a currently logged-in user.
  • A user with lesser privileges can no longer force an Admin user to add his private or public key using a JSON call.

Denial-of-service (DoS) attacks and brute force attacks

  • The Guest order view protection code is no longer vulnerable to brute force attacks.
  • You can no longer manipulate the full page cache to store incorrect pages under regular page URL entries.

Cross-Site Request Forgery (CSRF)

  • Fixed issue with potential storage of malicious XSS code in the body of an email template. (A malicious user could use this script to steal user information and cookies, or to bypass cross-site request forgery protection.)
  • Fixed a reflected cross-site scripting issue in the loading section of a request.

SQL injection

  • Fixed issue with potential SQL injection through the Zend framework via ordering or grouping parameters.

Functional fixes and enhancements

We address the following functional issues in this release.

Sales API enhancements

  • We’ve added the ability to change the status of a shipment through the web API. The new ShipOrder interface supports tasks you can already do through the Admin dashboard, including the ability to:
    • create a shipment document (full or partial)
    • add details about shipped items into an order
    • change status and state of an order according to performed actions
    • notify customer about new shipment document
  • We’ve added the ability to change the status of an invoice through the web API. The new InvoiceOrder interface supports tasks you can already do through the Admin dashboard, including the ability to:
    • create an invoice document (full or partial)
    • capture money placed with order payment
    • notify a customer about document creation
    • change order status and state

For more information on these API enhancements, see Magento Sales API.
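As an added illustration of the two new service contracts (this is example code, not from the release notes or the Magento project), the helper below builds the authenticated REST calls for ShipOrder and InvoiceOrder without sending them. It assumes the routes `POST /rest/V1/order/{orderId}/ship` and `POST /rest/V1/order/{orderId}/invoice` and the body fields `items`, `notify`, `capture` and `tracks`, none of which the page itself names; the shop URL, token and ids are constructed sample values.

```python
"""Build ShipOrder / InvoiceOrder requests for the Magento 2.1.2 Sales API.

Assumptions (not stated in the release notes): route paths
/rest/V1/order/{orderId}/ship and /rest/V1/order/{orderId}/invoice, and
the body field names items / notify / capture / tracks.
"""
import json
import urllib.request


def ship_order_payload(items, notify=True, tracks=None):
    """items maps order_item_id -> qty; listing only some of the order's
    items produces a partial shipment document."""
    if not items or any(q <= 0 for q in items.values()):
        raise ValueError("each shipped item needs a positive qty")
    body = {
        "items": [{"order_item_id": i, "qty": q} for i, q in items.items()],
        "notify": notify,  # e-mail the customer about the new shipment
    }
    if tracks:  # optional carrier tracking entries attached to the shipment
        body["tracks"] = [
            {"track_number": t["number"], "title": t["title"],
             "carrier_code": t["carrier"]} for t in tracks
        ]
    return body


def invoice_order_payload(items, capture=True, notify=True):
    """capture=True also captures the payment placed with the order."""
    if not items or any(q <= 0 for q in items.values()):
        raise ValueError("each invoiced item needs a positive qty")
    return {
        "items": [{"order_item_id": i, "qty": q} for i, q in items.items()],
        "capture": capture,
        "notify": notify,
    }


def build_request(base_url, token, order_id, action, body):
    """Return the POST request (unsent). token is an admin or integration
    bearer token; order_id is coerced to int so it cannot alter the path."""
    if action not in ("ship", "invoice"):
        raise ValueError("action must be 'ship' or 'invoice'")
    url = f"{base_url.rstrip('/')}/rest/V1/order/{int(order_id)}/{action}"
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def send(req):
    """Submit the request; the API answers with the new document's id."""
    with urllib.request.urlopen(req) as resp:  # network call, not run here
        return json.load(resp)
```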

  • We’ve fixed an issue with using the REST API to link simple products to configurable ones. (GITHUB-5243)
  • You can now use the REST API to create a configurable product with a linked child product. (GITHUB-5243)

Cart and checkout

  • Magento now updates order status as expected after a shipment or invoice has been created through the API.
  • Magento now updates the mini cart as expected when you reorder an item. Previously, Magento added the reordered items to the shopping cart, but the mini cart did not update its item count. (GITHUB-6121)

Tracking and shipping

  • Magento no longer throws an exception if you enter an invalid FedEx shipment tracking number.
  • Changing the city field of an order now affects the shipping rate as expected. Previously, the shipping rate did not update when you changed the city field.

Upgrade

  • You can now save simple products created in 2.0.x environments after upgrading to environments running Magento 2.1.x. Previously, you could not successfully save the opened product after upgrading.

General fixes

  • Magento 2.1.2 now supports PHP 7.0.4.
  • The Product page scope selector now displays all related websites associated with a restricted user.
  • We’ve resolved an issue with the get-active-payment-methods call (getActiveMethods). (GITHUB-5413)
  • Magento now correctly renders HTML tags on the Sales Order page price field.
  • Visual swatches are now displayed in search results.
  • Magento now factors in the Weight attribute as expected when you use advanced search on grouped products.