We are pleased to present Magento Enterprise Edition 2.1.2. This release includes security enhancements and several functional fixes.
Backward-incompatible changes are documented in Magento 2.1 backward incompatible changes.
Magento 2.1.2 contains multiple bug fixes and enhancements, including:
- Support for PHP 7.0.4 and 5.6.5. The minimum supported PHP 5.6 release is now 5.6.5 rather than any 5.6.x version.
- Compatible with MySQL 5.7.
- Two new web APIs (service contracts) for the Sales module that expose, through the Sales API, functionality previously available only in the Admin interface. After you install this release, you can use the Sales API ShipOrder and InvoiceOrder methods to capture payment and ship product. See the Module Reference Guide for information on using the ShipOrder and InvoiceOrder interfaces.
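The following is an added example of driving the two new service contracts over REST; it is not code from the Magento project or from these release notes. The route paths (`/rest/V1/order/{id}/invoice` and `/rest/V1/order/{id}/ship`) and the request field names (`items`, `capture`, `notify`, `appendComment`, `comment`, `tracks`) are assumed from the Magento 2.1 Sales module's web API definitions and are not stated on this page; the base URL, token and order/item ids are constructed placeholders.

```python
import json
import urllib.request

# Assumed routes (not stated on this page): the REST mapping of
# InvoiceOrderInterface and ShipOrderInterface in Magento 2.1.2.
# {order_id} is the order entity_id, not the customer-facing increment_id.
INVOICE_ROUTE = "/rest/V1/order/{order_id}/invoice"
SHIP_ROUTE = "/rest/V1/order/{order_id}/ship"


def build_invoice_payload(items, capture=True, notify=False, comment=None):
    """Request body for InvoiceOrder.

    items:   {order_item_id: qty} to invoice (partial invoices allowed).
    capture: True charges the payment at the gateway as part of invoicing;
             False records the invoice only (offline/later capture).
    """
    payload = {
        "capture": bool(capture),
        "items": [{"order_item_id": int(i), "qty": float(q)} for i, q in items.items()],
        "notify": bool(notify),
        "appendComment": comment is not None,
    }
    if comment is not None:
        payload["comment"] = {"comment": comment, "is_visible_on_front": 0}
    return payload


def build_shipment_payload(items, tracks=(), notify=False, comment=None):
    """Request body for ShipOrder.

    tracks: iterable of (carrier_code, title, track_number) tuples.
    """
    payload = {
        "items": [{"order_item_id": int(i), "qty": float(q)} for i, q in items.items()],
        "notify": bool(notify),
        "appendComment": comment is not None,
        "tracks": [
            {"carrier_code": c, "title": t, "track_number": n} for c, t, n in tracks
        ],
    }
    if comment is not None:
        payload["comment"] = {"comment": comment, "is_visible_on_front": 0}
    return payload


def post(base_url, token, route, payload):
    """POST a JSON body with a Magento admin or integration bearer token.

    Returns the decoded response body (the id of the created entity).
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + route,
        data=json.dumps(payload).encode("utf-8"),
        headers={
            "Authorization": "Bearer " + token,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def invoice_and_ship(base_url, token, order_id, items, tracks=()):
    """Capture payment for the given items, then ship them. Performs live calls."""
    invoice_id = post(base_url, token, INVOICE_ROUTE.format(order_id=order_id),
                      build_invoice_payload(items, capture=True))
    shipment_id = post(base_url, token, SHIP_ROUTE.format(order_id=order_id),
                       build_shipment_payload(items, tracks=tracks, notify=True))
    return invoice_id, shipment_id


if __name__ == "__main__":
    # Constructed sample order: two line items, one UPS tracking number.
    sample_items = {17: 1, 18: 2}
    sample_tracks = [("ups", "United Parcel Service", "1Z999AA10123456784")]
    print(json.dumps(build_invoice_payload(sample_items, capture=True), indent=2))
    print(json.dumps(build_shipment_payload(sample_items, tracks=sample_tracks), indent=2))
    # invoice_and_ship("https://shop.example/", "<integration token>", 42, sample_items, sample_tracks)
```

Because `capture=True` moves money and `ship` finalizes fulfilment, the bearer token used here should belong to an integration limited to the Sales resources it actually needs and be handled like an Admin credential, not embedded in storefront or client-side code.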
This release includes enhancements to improve the security of your Magento software. While there are no confirmed attacks related to these issues to date, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. We recommend that you upgrade your existing Magento software to the latest version as soon as possible.
The following list provides an overview of the security issues fixed in this release. We describe each issue in greater detail in the Magento Security Center.
- You can no longer change or fake a product price from the Magento storefront and then complete an order with that faked price.
- Fixed issue with arbitrary PHP code execution during checkout.
- Magento no longer permits you to use Products > Images and Videos > Insert YouTube video to potentially upload malicious code.
- Fixed issue with running cron jobs less frequently than specified by the application cron setting.
- Sessions now expire as expected after logout.
- Removed potential for exploitation of guest order view feature to harvest order information.
- Kount and 3D Secure now work as expected for Braintree Vault.
- You can no longer delete a currently logged-in user.
- A user with lesser privileges can no longer force an Admin user to add their private or public key using a JSON call.