Magento Open Source Release Notes (1.9 and later)
These Release Notes contain the following information:
Important Upgrade Information
Important: Use Magento Open Source 188.8.131.52 or later for all new Magento Open Source installations and upgrades to get the latest fixes, features, and security updates.
Magento Open Source 184.108.40.206 Release Notes
This version (or patch SUPEE-10570, which applies to older versions of Magento) provides resolution of multiple critical security issues. These critical security issues include authenticated Admin user remote code execution, unauthorized data leaks, and cross-site request forgery (CSRF) vulnerabilities. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.
Fixed issues and enhancements
- Changed Magento Admin to support recent USPS shipping changes. On February 23, 2018, USPS removed APIs that support the creation of shipping labels without postage. In response, we’ve removed this functionality from the Magento Admin. Consequently, you cannot create and print shipping labels that do not have postage applied.
- Updated copyright to 2018.
These two known issues are associated with the use of HTML tags within a product’s SKU attribute:
- If you try to import products that contain HTML tags in the SKU attribute, Magento displays this error at the data validation stage (that is, when you click Check data):
Invalid value in SKU column. HTML tags are not allowed.
- If you try to create or edit a product in the Admin panel and the product’s SKU attribute value contains HTML tags, Magento throws this error when you try to save the product:
HTML tags are not allowed in SKU attribute.
Magento Open Source 220.127.116.11 Release Notes
This patch (SUPEE-10415) provides resolution of multiple critical security issues. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.
- Magento no longer displays the “Invalid Secret Key. Please refresh the page.” message when a user loads the Admin.
- The one-page checkout page now displays the following message when a customer checks out an order for which no amount is due: No payment information required. Magento versions prior to 18.104.22.168 included this message, but it was missing from v22.214.171.124.
- We’ve fixed a typo in the patch header information. (
autocomplete="new-pawwsord” is now
Issue: Magento displays a "404: Page Not Found" error from the
errors/ directory after upgrading to SUPEE-10415. This issue occurs only in Magento installations that run certain third-party extensions.
Description: Magento is not properly logging PHP warnings that occur early during page initialization. Instead, of logging the error and continuing operation, Magento generates a 404 page. (Previously, Magento logged these warnings in the system.log file, and execution would continue as usual.)
Workaround: Confirm that there are no PHP warnings generated by any of the extensions or customizations.
- We no longer support custom file extensions for
Mage::log(). Supported file extensions include
.csv. For more information, navigate to Developers > Log Settings from the Admin. Magento displays this comment: Logging from Mage::log(). File is located in /var/log. Allowed file extensions: log, txt, html, csv.
- Passwords for new users are now limited to 256 characters. If a new user enters a password that exceeds 256 characters, Magento displays this message: Please enter a password with at most 256 characters.
Magento Open Source 126.96.36.199 Release Notes
This patch (SUPEE-10266) provides resolution of multiple critical security issues and several functional fixes. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.
We’ve also fixed an issue where uploaded images were twice their original size after you applied SUPEE-9767 v2.
Magento Open Source 188.8.131.52 Release Notes
We have skipped release 184.108.40.206.
Magento Open Source 220.127.116.11 Release Notes
This patch addresses both security and functional issues discovered when using the
SUPEE-9767 patch. We recommend upgrading your Magento store to this latest version.
Here are your upgrade options:
See Magento Security Center for a comprehensive discussion of these security issues.
- Upgrade to Magento Open Source 18.104.22.168. You don’t need to revert any patches or install SUPEE-9767 version 2 as version 2 is already included in the Open Source 22.214.171.124 release.
- If you’ve already installed SUPEE-9767 version 1, you can either:
- Upgrade to Magento Open Source 126.96.36.199, or
- revert SUPEE-9767 version 1, then install SUPEE-9767 version 2.
- If you haven’t installed SUPEE-9767 version 1, you can either:
- Upgrade to Magento Open Source 188.8.131.52, or
- install SUPEE-9767 version 2.
This release also provides support for the following functional issues:
- We’ve restored missing
- We’ve changed how Magento validates form keys during the generic five-step checkout process. Previously, customer registration failed during standard checkout processing if form key authentication was enabled.
- Magento now displays the
Allow_symlinks message in the Admin message area as expected.
- Magento now preserves the background transparency of uploaded images as expected. Previously, transparency was lost after the image was uploaded, resulting in an unusable image.
- You can now use Checkout with Multiple Addresses when checkout form validation is enabled.
This patch is available from Magento Tech Resources.
- The Allow symlinks option is now disabled during installation or upgrade processes. Previously, when you changed the Allow symlinks setting to true in the database before upgrading and then installing the patch, this option remained enabled, but you could no longer access it from the Admin panel.
Magento Open Source 184.108.40.206 Release Notes
This patch provides resolution of multiple critical security issues. These critical issues include remote code execution for authenticated Admin users, access control bypass, and cross-site request forgery issues. See Magento Security Center for a comprehensive discussion of these issues.
This release also provides support for the following issue:
Support for PayPal's update to its Instant Payment Notification (IPN) server URL. PayPal provides more information about this feature in IPN Verification Postback to HTTPS Microsite. This update is essential for retaining uninterrupted service after June 30.
SUPEE-8167, an older patch that also contains this fix, was added on May 8, 2017, and is available from Magento Tech Resources.
This patch/release has known issues. Please see SUPEE-9767 for updates.
Note: Before applying this patch or updating to this release, disable the Symlinks setting in System > Configuration > Advanced > Developer > Enable Symlinks. If the Symlinks setting is enabled, it will override your configuration file settings. If that override occurs, you will need to directly modify the database to change those settings.
Magento Open Source 220.127.116.11 Release Notes
This patch addresses the following issues:
- Removal of vulnerability with the Zend framework
Zend_Mail library. For more information, see Magento Security Center.
- Updated the copyright year to 2017.
Magento Open Source 18.104.22.168 Release Notes
This patch addresses the following issues:
- We restored the old tax calculation algorithm for shipping charges. The patch to apply new calculation will be available on request.
- Resolved an issue with setting the session lifetime to 0.
- The monthly cron job that cleans up the table that contains IP addresses and passwords runs properly.
- All configurable product images are imported.
- You no longer get an exception due to an undefined
addCrumbs() method call.
- Resolved the error
Notice: Undefined index: session_expire_timestamp when accessing the storefront.
- Values for drop-down label values are saved correctly.
- The "Price as configured" for bundle products displays correctly in the shopping cart.
- Auto-generated passwords are sent to new customers as expected.
- The method
Mage_Api_Model_Server_Handler_Abstract::processingMethodResult() accepts scalar and array values.
- The default MySQL Full-Text search works as expected; it no longer returns all products.
- Prevented a potential Cross-Site Request Forgery (CSRF) vulnerability by changing the form key when a customer signs out of the storefront.
- Catalog price rules return the correct price.
- Indexers now update all products instead of skipping the last product updated.
Note: You currently cannot upgrade to this version using Magento Connect Manager. We expect to resolve this issue soon.
Magento Open Source 22.214.171.124 Release Notes
See the following sections for information about this release:
- Security Enhancements
- Check for
.swf Files After Upgrade
- Backward-Incompatible Changes
Magento Open Source 1.9.3 delivers more than 120 quality improvements, as well as support for PHP 5.6 in addition to PHP 5.4 and 5.5.
We addressed the following security issues in this release:
General security enhancements
For more information about these security enhancements, see our Security Center article.
Patches for major security issues in earlier versions of the Magento software are available on the Magento download page (look for
See How to Apply the SUPEE-8788 Patch.
- Resolved a potential SQL injection (Zend Framework issue)
- Resolved a cache poisoning issue
- We now provide better protection against path exploits.
- Resolved a potential cross-site scripting (XSS) vulnerability when adding a category.
- Resolved a potential XSS vulnerability that affected the Magento server's request URI.
- Resolved a potential XSS vulnerability in invitations.
- You can no longer cause out-of-memory errors on the Magento server by flooding it with images that have incorrect dimensions.
- The Magento Admin Panel login page now renders in HTTPS if you configured the Magento server for HTTPS.
- We added the
nosniff header to our
- Magento no longer uses Adobe Flash for uploads.
- Fixed several potential issues indicated by static code scans.
- Resolved a potential man-in-the-middle vulnerability.
- Resolved a potential PHP security vulnerability.
- An administrative user is no longer able to create a potential security vulnerability that used the block cache.
- Resolved a potential cross-site request forgery (CSRF) vulnerability involving the wishlist.
- Resolved a potential remote code excecution exploit.
- It is no longer possible to log in to a store as an existing customer using only an e-mail address.
- A user can reset a password only after receiving an e-mail. In addition, we introduced the following configuration settings:
- Limit the number of forgotten password requests from one IP address to five times per hour.
- Limit the number of forgotten password requests from one e-mail address to five times per 24 hours.
- Limit the number of forgotten password requests to no more than once ever 10 minutes per e-mail address.
- The forgot password link expires after the first use or two hours (by default).
- When a user changes their e-mail address, they are required to provide their password and to acknowledge the change from the previous address.
- We now ignore leading and trailing spaces in a user's password.
- The new customer e-mail now includes the customer's password.
- Resetting a password using a password recovery e-mail succeeds.
.swf Files After Upgrade
If you upgraded to Magento Open Source 1.9.3 after applying the SUPEE-8788 patch, make sure the following files have been deleted:
If the files are present, delete them to avoid a potential security exploit. As of Magento Open Source 126.96.36.199, we no longer distribute
.swf files with the Magento software.
The following backward-incompatible changes were made in this release:
Mage_Adminhtml_Block_Cms_Wysiwyg_Images_Content_Uploader: Parent class was removed.
Mage_Uploader_Model_Config_Abstract: Overrides the magic method
__call and its behavior can be inconsistent. For example:
The following sections discuss other fixes in this release:
Tax Calculation Fixes
- The subtotal including tax on an invoice is calculated correctly.
Shopping cart and checkout fixes
- One product displays one time in a cart even if the product was added once as a guest and another time as a logged-in user.
- Bundled products now display properly in the mini cart as well as the shopping cart.
- Moving a configurable product to a shopping cart in the Admin Panel functions normally.
- Shipping discount coupons are now based correctly on a customer's shipping address.
- First Class Mail letter now displays as a shipping option in the shopping cart.
- You can now pay for a product using both store credit and reward points.
- An exception no longer displays when a customer uses a gift card in an invalid transaction (such as an incorrect payment card number).
- We added validation so a special price must be less than the actual price.
- Exceptions no longer display when a customer checks out.
- Fixed a programming issue that prevented serializing and unserializing values in the shopping cart.
- Magento recovers from payment processor unavailability properly; the customer is charged and the item is shipped.
- You can no longer order an empty product; that is, a product with no options.
- A configurable product with decimal quantity less 1 now displays the proper quantity in the catalog.
- Configurable products are now sorted by attribute, not by product ID.
- Errors no longer display when you use
Mage_Catalog_Block_Product_List on a product detail page.
- Removed the undefined variable
Price rule fixes
- A catalog price rule that targets a bundled product by percentage calculates the price properly.
- A shopping cart price rule that includes tax now calculates properly.
- With the flat product catalog enabled, a catalog price rule with multi-select attributes works properly.
- Errors no longer display when two users add a product at the same time. Magento thanks Babenko eCommerce for contributing this fix.
- You can now add configurable products to the shopping cart after configuring a shopping cart rule.
Configurable swatches fixes
- Fixed a memory leak in the configurable swatches module.
- Configurable swatches for out-of-stock products now display consistently in layered navigation, the category view page, and the product view page.
- Resolved performance issues.
- Swatch images for configurable products display properly.
- We bundled the following fixes in a patch:
- Exporting a large number of products no longer results in an out-of-memory error.
- You can import into multiple stores if some stores are set to be replaced.
- Re-importing customers that have a multi-select attribute preserves the attribute.
- File uploads are processed properly.
- Fixed broken help links in the Magento Admin Panel.
- Importing products no longer consumes an excessive amount of memory.
- Coupon reports exported as
.csv now display the correct totals.
- With flat category tables enabled, reindexing no longer removes the category class tag.
- Resolved errors with the Product Flat Index not completely indexing a large number of changes.
- All indexes now reindex when set to update when scheduled.
- Improved performance of the category indexers. Magento thanks Vaimo for contributing this fix.
- Categories saved with a
/ character as the suffix display properly.
- Applied United States Postal Service API changes for January 17, 2016.
- Default variable values now save normally.
- The WYSIWYG editor handles XHTML tags like
- The configuration setting Allow HTML Tags on Frontend is honored.
- Orders created using the Magento Admin now display on the Orders and Returns page on the storefront.
- On a mobile device when the Magento storefront uses an RWD theme, the Filter bar displays one time only.
- The Magento Connect Manager downloader's
.htaccess file is no longer overwritten when the downloader component is updated.
- The configuration cache is no longer corrupted under heavy load.
- Order update e-mails are sent only once.
- A SOAP API call to
/api/soap/?wsdl returns normally.
- A value that contains special characters is handled without errors by the SOAP API.
- Fixed the untranslatable
- Magento now stores two-digit birth years properly (for example,
80 is stored as
- HTTP 200 (OK) status codes are returned for pages after a session expires.
- You can view a disabled product without errors if compilation is enabled.
- A Value Added Tax (VAT) ID now validates properly. If the customer specifies an invalid ID, the customer is notified they will be charged VAT tax.
- Listing shipments no longer displays an exception.
- You can filter associated products for a group product without errors.
- When you manage product attributes, selecting an action from Actions works properly.
- You can now add a configurable product by SKU to an order using the Admin Panel.
- You can now save a product's weight attribute.
- Using a Portable Network Graphics (
.png) image on a CMS page no longer results in a
HEADERS_ALREADY_SENT message to be logged.
- Fixed an exception related to an unknown database table.
- You can now print 10 or more shipping labels without issues.
- A PHP notice no longer occurs when you log the Magento Admin Panel IP address in the event log.
- A SQL error no longer displays when you create a new floating point product attribute programmatically.
- Added a missing image to the codebase.
- The expression
Mage::getModel('core/variable')->addValuesToResult() returning a collection with column
html_value now returns a collection with columns
- Payment no longer results in the exception
ERR (3): Notice: Undefined offset: 1 in app/code/core/Mage/Sales/Model/Order.php on line 1258.
- The correct telephone number displays in transactional e-mails. We changed the variable
store_phone. Magento thanks Classy Llama Studios for contributing this fix.
- The Google sitemap now lists store URLs properly.
- Implemented search query caching, which speeds up search results.
- After a customer submits an order, the following error should not display:
SQLSTATE: Integrity constraint violation: 1062 Duplicate entry 'ECO0000148' for key 'UNQ_SALES_FLAT_ORDER_INCREMENT_ID'.
- With flat category enabled, you no longer see errors due to an undefined method call.
- Case-sensitive variations of URL rewrites work as expected.
- The cron-related error
Warning: shell_exec() has been disabled for security reasons... has been resolved. Magento thanks Stefan Hagspiel for reporting this issue.
- cron no longer runs multiple times unnecessarily.
- Cached static blocks now display properly.
Magento Open Source 188.8.131.52 Release Notes
Magento Open Source 184.108.40.206 resolved the following issues:
- Customers can no longer apply a coupon from an inactive shopping cart price rule to a purchase.
- Customers using a smartphone or other small viewport can expand subcategories in the web store that uses the new responsive theme.
We'd like to draw your attention to several new patches that were recently posted to the Partner Portal and Support Center. These patches deliver important improvements, such as enabling several concurrent administrators to work with the product catalog, and to make it easier to install community-created translation packages.
Details about the patches follow. To install patches, see How to Get Patches For Magento Commerce.
Note: Some of the patches discussed in this section have
EE_220.127.116.11 in the name. These patches were all tested against Open Source 1.9.x as well.
General Magento Connect Patches
Patch name: SUPEE-3941
- When you install a community-created translation package, the translation provided by the package overwrites any existing translations for the same items. This enables you to more easily install packages with translations.
- To improve security, Magento Connect now uses HTTPS by default to download extensions, rather than FTP.
- Extension developers can now create an extensions with a dash character in the name. Merchants can install those extensions without issues.
- Magento administrators who attempt to install an extension with insufficient file system privileges are now informed. Typically, the Magento Admin Panel runs as the web server user. If this user has insufficient privileges to the your Magento install dir
/app/code/community directory structure, the Magento administrator sees an error message in the Magento Connect Manager.
To set file system permissions appropriately, see After You Install Magento: Recommended File System Ownership and Privileges.
Magento Install Page Displays After SOAP v2 Index Page Refresh
Patch name: SUPEE-3762. Refreshing the SOAP v2 index page (
http://your-magento-host-name/index.php/api/v2_soap/index/) results in all administrators and customers viewing the Magento installation page.
How to Get Patches For Magento Open Source
This section discusses how to get patches referenced in these Release Notes.
To get patches for Magento Open Source:
- Log in to www.magentocommerce.com/download.
- In the left pane, click Downloads.
li>Scroll down to the Magento Open Source Patches section.
- Follow the prompts on your screen to download a patch for your version of Magento Open Source.
- Apply the patch as discussed in How to Apply and Revert Magento Patches.
Magento Open Source 18.104.22.168 Release Notes
See the following sections for information about changes in this release:
This section lists the key new features in Magento Open Source 1.9. For more information about these new features, see the Magento User Guide.
- The default theme in Magento Open Source 1.9 uses Responsive Web Design principles to provide a better experience for users of mobile devices in particular. Benefits include:
- You can get a tablet and smart phone friendly responsive site in about half the time as before, speeding time to market and freeing up resources for other projects.
- Your responsive site makes you better able to participate in the fast growing mobile commerce space, gives you the ability to more easily adapt to new opportunities, and is less expensive to maintain. A responsive site also offers potential search engine optimization (SEO) benefits because it uses Google's preferred approach to mobile-optimizing sites.
- Cross-border trade: (Also referred to as pricing consistency.) We support European Union (EU) merchants operating across regions and geographies who want to show their customers a single price. Pricing is clean and uncluttered regardless of tax structures and rates that vary from country to country.
To enable cross-border trade in the Admin Panel, click System > Configuration > SALES > Tax > Calculation Settings, option Enable Cross Border Trade.
- Supports PHP 5.4. For more information, see the PHP changelog.
- The Zend Framework has been upgraded to version 1.12.3
- Checkout improvements:
- You can capture up to 18% more sales by providing customers access to financing using the Bill Me Later service at no additional cost to you.
- You can offer your customers a smoother, more streamlined PayPal Express Checkout experience, which tries alternative payment options when a customer's credit card is rejected
- Improve the PayPal Express checkout experience by eliminating the following steps in the checkout process:
- The order review page can be enabled or disabled
- Eliminate the necessity of clicking Update Order before Place Order
(Conversion means helping customers stay interested and complete their purchases.)
- Addressed a potential cross-site scripting (XSS) vulnerability while creating configurable product variants.
- Addressed a potential security issue that could result in displaying information about a different order to a customer.
- Users can no longer change the currency if the payment method PayPal Website Payments Standard is used.
- Removed an
.swf file from the Magento distribution because of security issues.
- Improved file system security.
- Enhanced the security of action URLs, such as billing agreements.
- Addressed a potential session fixation vulnerability during checkout.
- Improved the security of the Magento randomness function.
Tax Calculation Fixes
- Fixed price and dynamic price bundled products where the price is configured to include tax display prices correctly regardless of tax settings. (For example, customer's default tax rate is different from the origin tax rate.)
- Resolved a one-cent rounding issue when Fixed Product Tax (FPT) is enabled and the option Apply Discount to FPT is set to Yes. (These options are available in the Admin Panel by going to System > Configuration > SALES > Tax > Fixed Product Taxes.)
- Resolved issues with calculating the credit memo amount when FPT is discounted and the customer purchases more than one item.
Fixes in this release can be divided into the following categories:
Web Store and Shopping Cart Fixes
- A customer can update quantities of items in their mini shopping cart from their My Account page.
- The Minimum Advertised Price pop-up works properly in the web store. When the customer clicks Click for price, the price displays as expected.
- The "customer since" date is correct.
- Switching stores when viewing a product with store-scoped URL keys works as expected.
- Setting System > Configuration > CATALOG > Inventory, option Display Out of Stock Products to Yes no longer causes all products to appear as out of stock.
- Entering accented characters in the zip code field during checkout results in a validation error instead of an exception message.
- Gift card codes are sent only after an item is purchased.
- A customer who attempts to log in as another customer with incorrect credentials is denied.
- Resolved issues with applying a 100% discount to an order.
- Customers are no longer redirected to the home page when they have permission to view a category.
- Discount amount displays correctly for products with custom options.
- Issues with placing PayPal Payments Advanced or PayPal Payflow Link orders using Internet Explorer 9 have been resolved.
Promotional Price Rule Fixes
The following fixes relate to administering and using shopping cart price rules and catalog price rules:
- Shopping cart price rules apply properly to grouped products.
- Two catalog price rules applied to the same product work properly.
- The setting Stop Further Rules Processing is honored.
- A user with read-only privileges in the Admin Panel cannot save changes to a price rule.
- Applying a shopping cart price rule does not display an exception.
- Coupon codes apply only to products eligible for the price rule.
Administrative Ordering, Invoicing, Credit Memo Fixes
- An administrative user with access to only one website from which a product was deleted no longer sees a stack trace when attempting to create an RMA for that product. In other words, after a customer placed an order for a product on Website1, an administrator with privileges to all websites removes the product. Later, when an administrator with access to only Website1 attempts to create an RMA for the deleted product, that administrator no longer sees an error message; instead, they see an expected
Access Denied message.
- Resolved an issue with incorrectly calculating the amount of an invoice when some items were discounted by a shopping cart price rule.
- Credit memo amount is calculated correctly when processing a partial invoice with a discount.
- Making comments in a credit memo no longer returns items to stock. (Prerequisite: an administrator set System > Configuration > CATALOG > Inventory > Product Stock Options, option Automatically Return Credit Memo Item to Stock set to Yes.)
- A product with a custom attribute set imports successfully.
Payment Method Fixes
- If guest checkout is disabled, a customer must log in to check out with PayPal Express.
- Eliminated errors in the logs when an administrator clicks System > Configuration > SALES > Payment Methods.
- You can now use New Zealand dollars as the base currency with the eWAY Direct payment bridge.
- Store credit is applied correctly when using Website Payments Pro Hosted Solution.
- If the merchant country is Germany (DE), disabled guest checkout for the express checkout method and PayPal Website Payments Standard.
- Categories on the web store now display with spaces between category names for cached and non-cached pages.
- A customer can now initiate a return from the web store.
- An administrative user can subscribe to low stock RSS feeds without errors.
- Category URLs work as expected, regardless of the setting of Create Custom Redirect for old URL for the category's URL key.
allow_url_fopen = Off in
php.ini has no effect on the CMS WYSIWYG editor.
- No fatal error displays when a role-restricted user previews a newsletter in the Admin Panel.
- Google Sitemap files now include the
.html suffix for category and product URLs.
- Customers can use advanced search on your web store if Magento EE is configured to use the default MySQL Fulltext search engine and the server uses MySQL 5.6.
- A role-restricted user can preview a newsletter in the Admin Panel to which the user has privileges.
- After synchronizing media files with the database,
media/customer/.htaccess is present with the correct data. (Prerequisite: an administrator set System > Configuration > ADVANCED > System > Storage Configuration for Media set to Database).
- cron now restarts indexers if they previously failed to run.
- You can save changes to a category that has more than 1,000 products.
- Deactivating one of several banners no longer causes exceptions in
- Resolved issues with the WSDL cache.
- Improved the efficiency of product searches.
- Resolved issues with the DHL International shipping method.
- Resolved 404 (Not Found) errors in layered navigation.
- Resolved a SQL error when attempting to assign a bundled product to another website.
- Rules-based product relations perform as expected after being saved.
- Resolved an issue with sending duplicate
Content-Type headers when using
mod_fastcgi with the Apache web server.
Open Source Software Licensing Agreements
Some versions of Magento Open Source use open source software licensing. Following are license agreements for that software.
Touch punch: This code is dual licensed under the MIT or GPL Version 2 licenses and is therefore free to use, modify and/or distribute, but if you include Touch Punch in other software packages or plugins, please include an attribution to the original software and a link to this Touch Punch website.