Magento Enterprise Edition (EE) Release Notes (1.14 and later)
These Release Notes contain the following information:
SUPEE-8788 Security Patch Advisory
The SUPEE-8788 security patch released in October 2016 has potential issues for certain Magento EE versions. See How to Apply the SUPEE-8788 Patch.
Important Upgrade Information
Important: Use EE 220.127.116.11 or later for all new EE installations and upgrades to get the latest fixes, features, and security updates.
Magento EE 18.104.22.168 Release Notes
See the following sections for information about this release:
- Security Enhancements
- Check for
.swf File After Upgrade
- Backward-Incompatible Changes
Magento Enterprise Edition 1.14.3 delivers more than 120 quality improvements, as well as support for PHP 5.6 in addition to PHP 5.4 and 5.5.
We addressed the following security issues in this release:
General security enhancements
For more information about these security enhancements, see our Security Center article.
Patches for major security issues in earlier versions of the Magento software are available in the Magento EE customer portal.
Details about security fixes:
- Resolved a potential SQL injection (Zend Framework issue)
- Resolved a cache poisoning issue
- We now provide better protection against path exploits.
- Resolved a potential cross-site scripting (XSS) vulnerability when adding a category.
- Resolved a potential XSS vulnerability that affected the Magento server's request URI.
- Resolved a potential XSS vulnerability in invitations.
- You can no longer cause out-of-memory errors on the Magento server by flooding it with images that have incorrect dimensions.
- The Magento Admin Panel login page now renders in HTTPS if you configured the Magento server for HTTPS.
- We added the
nosniff header to our
- Magento no longer uses Adobe Flash for uploads.
- Fixed several potential issues indicated by static code scans.
- Resolved a potential man-in-the-middle vulnerability.
- Resolved a potential PHP security vulnerability.
- An administrative user is no longer able to create a potential security vulnerability that used the block cache.
- Resolved a potential cross-site request forgery (CSRF) vulnerability involving the wishlist.
- Resolved a potential remote code excecution exploit.
- It is no longer possible to log in to a store as an existing customer using only an e-mail address.
- A user can reset a password only after receiving an e-mail. In addition, we introduced the following configuration settings:
- Limit the number of forgotten password requests from one IP address to five times per hour.
- Limit the number of forgotten password requests from one e-mail address to five times per 24 hours.
- Limit the number of forgotten password requests to no more than once ever 10 minutes per e-mail address.
- The forgot password link expires after the first use or two hours (by default).
- When a user changes their e-mail address, they are required to provide their password and to acknowledge the change from the previous address.
- We now ignore leading and trailing spaces in a user's password.
- The new customer e-mail now includes the customer's password.
- Resetting a password using a password recovery e-mail succeeds.
.swf Files After Upgrade
If you upgraded to Magento EE 1.14.3 after applying the SUPEE-8788 patch, make sure the following files have been deleted:
If the files are present, delete them to avoid a potential security exploit. As of Magento EE 22.214.171.124, we no longer distribute
.swf files with the Magento software.
The following backward-incompatible changes were made in this release:
Mage_Adminhtml_Block_Cms_Wysiwyg_Images_Content_Uploader: Parent class was removed.
Mage_Uploader_Model_Config_Abstract: Overrides the magic method
__call and its behavior can be inconsistent. For example:
The following sections discuss other fixes in this release:
Tax Calculation Fixes
- The subtotal including tax on an invoice is calculated correctly.
Shopping cart and checkout fixes
- One product displays one time in a cart even if the product was added once as a guest and another time as a logged-in user.
- Bundled products now display properly in the mini cart as well as the shopping cart.
- Moving a configurable product to a shopping cart in the Admin Panel functions normally.
- Shipping discount coupons are now based correctly on a customer's shipping address.
- First Class Mail letter now displays as a shipping option in the shopping cart.
- You can now pay for a product using both store credit and reward points.
- An exception no longer displays when a customer uses a gift card in an invalid transaction (such as an incorrect payment card number).
- We added validation so a special price must be less than the actual price.
- Exceptions no longer display when a customer checks out.
- Fixed a programming issue that prevented serializing and unserializing values in the shopping cart.
- Magento recovers from payment processor unavailability properly; the customer is charged and the item is shipped.
- You can no longer order an empty product; that is, a product with no options.
- A configurable product with decimal quantity less 1 now displays the proper quantity in the catalog.
- Configurable products are now sorted by attribute, not by product ID.
- Errors no longer display when you use
Mage_Catalog_Block_Product_List on a product detail page.
- Removed the undefined variable
Price rule fixes
- A catalog price rule that targets a bundled product by percentage calculates the price properly.
- A shopping cart price rule that includes tax now calculates properly.
- With the flat product catalog enabled, a catalog price rule with multi-select attributes works properly.
- Errors no longer display when two users add a product at the same time. Magento thanks Babenko eCommerce for contributing this fix.
- You can now add configurable products to the shopping cart after configuring a shopping cart rule.
Visual Merchandiser fixes
- We bundled the following fixes in a patch:
- The value of Attribute in the Smart Category section displays the entire category name.
- We reduced the frequency of rebuilding the Visual Merchandiser index to improve efficiency and performance.
- Duplicate products no longer display when you choose to hide not-visible products.
- Reapplied patches for various functions like indexing.
- Improved the display of the out of items message.
Configurable swatches fixes
- Fixed a memory leak in the configurable swatches module.
- Configurable swatches for out-of-stock products now display consistently in layered navigation, the category view page, and the product view page.
- Resolved performance issues.
- Swatch images for configurable products display properly.
- We bundled the following fixes in a patch:
- Exporting a large number of products no longer results in an out-of-memory error.
- You can import into multiple stores if some stores are set to be replaced.
- Re-importing customers that have a multi-select attribute preserves the attribute.
- File uploads are processed properly.
- Fixed broken help links in the Magento Admin Panel.
- Importing products no longer consumes an excessive amount of memory.
- Coupon reports exported as
.csv now display the correct totals.
- With flat category tables enabled, reindexing no longer removes the category class tag.
- Resolved errors with the Product Flat Index not completely indexing a large number of changes.
- All indexes now reindex when set to update when scheduled.
- Improved performance of the category indexers. Magento thanks Vaimo for contributing this fix.
- Categories saved with a
/ character as the suffix display properly.
- Applied United States Postal Service API changes for January 17, 2016.
- Default variable values now save normally.
- The WYSIWYG editor handles XHTML tags like
- The configuration setting Allow HTML Tags on Frontend is honored.
- Orders created using the Magento Admin now display on the Orders and Returns page on the storefront.
- On a mobile device when the Magento storefront uses an RWD theme, the Filter bar displays one time only.
- The Magento Connect Manager downloader's
.htaccess file is no longer overwritten when the downloader component is updated.
- The configuration cache is no longer corrupted under heavy load.
- Order update e-mails are sent only once.
- A SOAP API call to
/api/soap/?wsdl returns normally.
- A value that contains special characters is handled without errors by the SOAP API.
- Fixed the untranslatable
- Magento now stores two-digit birth years properly (for example,
80 is stored as
- HTTP 200 (OK) status codes are returned for pages after a session expires.
- You can view a disabled product without errors if compilation is enabled.
- A Value Added Tax (VAT) ID now validates properly. If the customer specifies an invalid ID, the customer is notified they will be charged VAT tax.
- Listing shipments no longer displays an exception.
- You can filter associated products for a group product without errors.
- When you manage product attributes, selecting an action from Actions works properly.
- You can now add a configurable product by SKU to an order using the Admin Panel.
- You can now save a product's weight attribute.
- You can now save changes to a CMS page hierarchy when hierarchy metadata is disabled.
- You can now save a banner after upgrading.
- Using a Portable Network Graphics (
.png) image on a CMS page no longer results in a
HEADERS_ALREADY_SENT message to be logged.
- Fixed an exception related to an unknown database table.
- You can now print 10 or more shipping labels without issues.
- A PHP notice no longer occurs when you log the Magento Admin Panel IP address in the event log.
- A SQL error no longer displays when you create a new floating point product attribute programmatically.
- Added a missing image to the codebase.
- The expression
Mage::getModel('core/variable')->addValuesToResult() returning a collection with column
html_value now returns a collection with columns
- Payment no longer results in the exception
ERR (3): Notice: Undefined offset: 1 in app/code/core/Mage/Sales/Model/Order.php on line 1258.
- The correct telephone number displays in transactional e-mails. We changed the variable
store_phone. Magento thanks Classy Llama Studios for contributing this fix.
- The Google sitemap now lists store URLs properly.
- Implemented search query caching, which speeds up search results.
- After a customer submits an order, the following error should not display:
SQLSTATE: Integrity constraint violation: 1062 Duplicate entry 'ECO0000148' for key 'UNQ_SALES_FLAT_ORDER_INCREMENT_ID'.
- With flat category enabled, you no longer see errors due to an undefined method call.
- Case-sensitive variations of URL rewrites work as expected.
- The cron-related error
Warning: shell_exec() has been disabled for security reasons... has been resolved. Magento thanks Stefan Hagspiel for reporting this issue.
- cron no longer runs multiple times unnecessarily.
- Cached static blocks now display properly.
Magento EE 126.96.36.199 Release Notes
Magento EE 188.8.131.52 Release Notes are in the User Guide.
Magento EE 184.108.40.206 Release Notes
Magento EE 220.127.116.11 Release Notes are in the User Guide.
Magento EE 18.104.22.168 Release Notes
EE 22.214.171.124 resolves the following issues:
- Customers can no longer apply a coupon from an inactive shopping cart price rule to a purchase.
- Customers using a smartphone or other small viewport can expand subcategories in the web store that uses the new responsive theme.
Note: The patches discussed in this section are built in to EE 1.14.1; you need to get them only if you're running an earlier EE version.
We'd like to draw your attention to several new patches that were recently posted to the Partner Portal and Support Center. These patches deliver important improvements, such as enabling several concurrent administrators to work with the product catalog, and to make it easier to install community-created translation packages.
Details about the patches follow. To install these patches, see How to Get Patches For Magento EE.
General Magento Connect Patches
Patch name: PATCH_SUPEE-3941_EE_126.96.36.199_v1-2014-08-12-12-10-06.sh
- When you install a community-created translation package, the translation provided by the package overwrites any existing translations for the same items. This enables you to more easily install packages with translations.
- To improve security, Magento Connect now uses HTTPS by default to download extensions, rather than FTP.
- Extension developers can now create an extensions with a dash character in the name. Merchants can install those extensions without issues.
- Magento administrators who attempt to install an extension with insufficient file system privileges are now informed. Typically, the Magento Admin Panel runs as the web server user. If this user has insufficient privileges to the your Magento install dir
/app/code/community directory structure, the Magento administrator sees an error message in the Magento Connect Manager.
To set file system permissions appropriately, see After You Install Magento: Recommended File System Ownership and Privileges.
Magento Install Page Displays After SOAP v2 Index Page Refresh
Patch name: PATCH_SUPEE-3762_EE_188.8.131.52_v1.sh. Refreshing the SOAP v2 index page (
http://your-magento-host-name/index.php/api/v2_soap/index/) results in all administrators and customers viewing the Magento installation page.
Multiple Simultaneous Magento Administrators
Patch name: PATCH_SUPEE-3819_EE_184.108.40.206_v1.sh. Multiple Magento administrators can simultaneously add new products; or edit descriptions, edit prices, or edit stock quantities of existing products without causing deadlocks, key violations, or critical data errors. Together with applying the patch, you must set all indexers to Update when scheduled as follows:
- Log in to the Magento Admin Panel as an administrator.
- Click System > Configuration.
- In the left navigation bar, from the ADVANCED group, click Index Management.
- Expand Indexing Options.
- From each list, click Update when scheduled.
- Click Save Config in the upper right corner of the page.
How to Get Patches For Magento EE
This section discusses how to get patches referenced in these Release Notes. Magento has other patches available from the EE support portal and the partner portal; you can use the following instructions to install any of those patches as well.
To get patches for Magento EE:
- Log in to www.magentocommerce.com.
- In the left pane, click Downloads.
- In the right pane, click Magento Enterprise Edition.
- Follow the prompts on your screen to download a patch for your version of EE.
- Apply the patch as discussed in How to Apply and Revert Magento Patches.
Magento EE 220.127.116.11 Release Notes
See the following sections for information about changes in this release:
This section lists the key new features in Magento EE 1.14. For more information about these new features, see the Magento User Guide.
- The default theme in Magento EE 1.14 uses Responsive Web Design principles to provide a better experience for users of mobile devices in particular. Benefits include:
- You can get a tablet and smart phone friendly responsive site in about half the time as before, speeding time to market and freeing up resources for other projects.
- Your responsive site makes you better able to participate in the fast growing mobile commerce space, gives you the ability to more easily adapt to new opportunities, and is less expensive to maintain. A responsive site also offers potential search engine optimization (SEO) benefits because it uses Google's preferred approach to mobile-optimizing sites.
- Magento EE 1.14 now supports Solr versions up to 3.6.2 natively (that is, without a patch). Catalog indexing happens efficiently and automatically in the background, with no manual intervention required, resulting in better administrative performance.
For more information about using Solr with Magento EE, see the Magento User Guide.
Note: If you're using the Solr search engine with EE versions 1.13.1 or earlier, you must perform an additional step during upgrade due to the fact that the Solr schema changes in EE 1.14. You must copy two files to your Solr server—
solrconfig.xml. For details, see the section on upgrading Solr in the Magento upgrade guide.
- Cross-border trade: (Also referred to as pricing consistency.) We support European Union (EU) merchants operating across regions and geographies who want to show their customers a single price. Pricing is clean and uncluttered regardless of tax structures and rates that vary from country to country.
To enable cross-border trade in the Admin Panel, click System > Configuration > SALES > Tax > Calculation Settings, option Enable Cross Border Trade.
- Supports PHP 5.4. For more information, see the PHP changelog.
- The Zend Framework has been upgraded to version 1.12.3
- Checkout improvements:
- You can capture up to 18% more sales by providing customers access to financing using the Bill Me Later service at no additional cost to you.
- You can offer your customers a smoother, more streamlined PayPal Express Checkout experience, which tries alternative payment options when a customer's credit card is rejected
- Improve the PayPal Express checkout experience by eliminating the following steps in the checkout process:
- The order review page can be enabled or disabled
- Eliminate the necessity of clicking Update Order before Place Order
(Conversion means helping customers stay interested and complete their purchases.)
- Addressed a potential cross-site scripting (XSS) vulnerability while creating configurable product variants.
- Addressed a potential security issue that could result in displaying information about a different order to a customer.
- Users can no longer change the currency if the payment method PayPal Website Payments Standard is used.
- Removed an
.swf file from the Magento distribution because of security issues.
- Improved file system security.
- Enhanced the security of action URLs, such as billing agreements.
- Addressed a potential session fixation vulnerability during checkout.
- Improved the security of the Magento randomness function.
Tax Calculation Fixes
- Fixed price and dynamic price bundled products where the price is configured to include tax display prices correctly regardless of tax settings. (For example, customer's default tax rate is different from the origin tax rate.)
- Resolved a one-cent rounding issue when Fixed Product Tax (FPT) is enabled and the option Apply Discount to FPT is set to Yes. (These options are available in the Admin Panel by going to System > Configuration > SALES > Tax > Fixed Product Taxes.)
- Resolved issues with calculating the credit memo amount when FPT is discounted and the customer purchases more than one item.
Fixes in this release can be divided into the following categories:
Web Store and Shopping Cart Fixes
- With full page caching enabled:
- Customers can no longer see each other's wish list or previously viewed products.
- Related products set to not rotate display on the web store. (In other words, an administrator set System > Configuration > CATALOG > Catalog > Rule-Based Product Relations, option Rotation Mode for Products in Related Product List set to Do not rotate.)
- The product ratings block refreshes on the storefront after a new rating has been approved.
- Tier pricing is calculated properly.
- Resolved a 404 (Not Found) error navigating from a product in one category to an upsell product in a different category.
- A customer can update quantities of items in their mini shopping cart from their My Account page.
- The Minimum Advertised Price pop-up works properly in the web store. When the customer clicks Click for price, the price displays as expected.
- The "customer since" date is correct.
- Switching stores when viewing a product with store-scoped URL keys works as expected.
- Setting System > Configuration > CATALOG > Inventory, option Display Out of Stock Products to Yes no longer causes all products to appear as out of stock.
- Entering accented characters in the zip code field during checkout results in a validation error instead of an exception message.
- Gift card codes are sent only after an item is purchased.
- A customer who attempts to log in as another customer with incorrect credentials is denied.
- Resolved issues with applying a 100% discount to an order.
- Customers are no longer redirected to the home page when they have permission to view a category.
- Discount amount displays correctly for products with custom options.
- Issues with placing PayPal Payments Advanced or PayPal Payflow Link orders using Internet Explorer 9 have been resolved.
Promotional Price Rule Fixes
The following fixes relate to administering and using shopping cart price rules and catalog price rules:
- Shopping cart price rules apply properly to grouped products.
- Two catalog price rules applied to the same product work properly.
- The setting Stop Further Rules Processing is honored.
- A user with read-only privileges in the Admin Panel cannot save changes to a price rule.
- Applying a shopping cart price rule does not display an exception.
- Coupon codes apply only to products eligible for the price rule.
Administrative Ordering, Invoicing, Credit Memo Fixes
- An administrative user with access to only one website from which a product was deleted no longer sees a stack trace when attempting to create an RMA for that product. In other words, after a customer placed an order for a product on Website1, an administrator with privileges to all websites removes the product. Later, when an administrator with access to only Website1 attempts to create an RMA for the deleted product, that administrator no longer sees an error message; instead, they see an expected
Access Denied message.
- Resolved an issue with incorrectly calculating the amount of an invoice when some items were discounted by a shopping cart price rule.
- Credit memo amount is calculated correctly when processing a partial invoice with a discount.
- Making comments in a credit memo no longer returns items to stock. (Prerequisite: an administrator set System > Configuration > CATALOG > Inventory > Product Stock Options, option Automatically Return Credit Memo Item to Stock set to Yes.)
- A product with a custom attribute set imports successfully.
- A fatal error caused by
Mage_ImportExport_Model_Scheduled_Operation was fixed.
Magento thanks Tim Bezhashvyly for contributing to this fix.
Payment Method Fixes
- If guest checkout is disabled, a customer must log in to check out with PayPal Express.
- Eliminated errors in the logs when an administrator clicks System > Configuration > SALES > Payment Methods.
- You can now use New Zealand dollars as the base currency with the eWAY Direct payment bridge.
- Store credit is applied correctly when using Website Payments Pro Hosted Solution.
- If the merchant country is Germany (DE), disabled guest checkout for the express checkout method and PayPal Website Payments Standard.
Solr Search Engine Fixes
- Eliminated a spurious error from the logs when Solr is enabled as the search engine.
- Solr sorts search results by score.
- A quick search by SKU works with the Solr search engine if the SKU contains hyphen characters.
- Solr search works properly if you set
allow_url_fopen = Off in
- Using layered navigation filtering no longer returns the wrong results. (For example, filtering by brand works properly.)
- Resolved an issue where search results don't display correctly after a Magento upgrade.
- Catalog navigation works properly.
- Products display as expected in categories if the products have a Date attribute with the option Used for Sorting in Product Listing set to Yes. There are no exceptions in Magento logs after reindexing.
- Corrected the sort order of products searched by SKU.
- Search results of products with names and/or SKUs that contains numbers, letters, and a hyphen character (-) are as expected.
- Resolved issues with search results for products in a locale other than en_US with numeric SKUs.
- Resolved issues with Solr not returning product search results.
- Search results no longer include products that are either Disabled or Out of Stock.
- Restored images on a customer's Reward Points page.
- Categories on the storefront now display with spaces between category names for cached and non-cached pages.
- A customer can now initiate a return from the storefront.
- An administrative user can subscribe to low stock RSS feeds without errors.
- Category URLs work as expected, regardless of the setting of Create Custom Redirect for old URL for the category's URL key.
allow_url_fopen = Off in
php.ini has no effect on the CMS WYSIWYG editor.
- No fatal error displays when a role-restricted user previews a newsletter in the Admin Panel.
- Google Sitemap files now include the
.html suffix for category and product URLs.
- Customers can use advanced search on your storefront if Magento EE is configured to use the default MySQL Fulltext search engine and the server uses MySQL 5.6.
- A role-restricted user can preview a newsletter in the Admin Panel to which the user has privileges.
- After synchronizing media files with the database,
media/customer/.htaccess is present with the correct data. (Prerequisite: an administrator set System > Configuration > ADVANCED > System > Storage Configuration for Media set to Database).
- cron now restarts indexers if they previously failed to run.
- You can save changes to a category that has more than 1,000 products.
- Deactivating one of several banners no longer causes exceptions in
- Resolved issues with the WSDL cache.
- Improved the efficiency of product searches.
- Resolved issues with the full page cache crawler.
- Resolved issues with the DHL International shipping method.
- Resolved 404 (Not Found) errors in layered navigation.
- Resolved a SQL error when attempting to assign a bundled product to another website.
- Rules-based product relations perform as expected after being saved.
- Resolved an issue with sending duplicate
Content-Type headers when using
mod_fastcgi with the Apache web server.
Open Source Software Licensing Agreements
Some versions of Magento EE use open source software licensing. Following are license agreements for that software.
Touch punch: This code is dual licensed under the MIT or GPL Version 2 licenses and is therefore free to use, modify and/or distribute, but if you include Touch Punch in other software packages or plugins, please include an attribution to the original software and a link to this Touch Punch website.