Magento Commerce 2.0.4 Release Notes
We are pleased to present Magento Commerce 2.0.4. This release includes all of the security enhancements and performance improvements of Magento 2.0.3, in improved packaging. You must download and install 2.0.4 to ensure that you receive all the security enhancements of 2.0.3.
Backward-incompatible changes are documented in Magento 2.0 Backward Incompatible Changes.
Upgrade and Installation
- Magento no longer creates store data inconsistently during installation.
- During upgrade, the
setup:config:setscript no longer deletes values in the
- Magento now successfully imports existing products as well as products that use custom URLs.
- The Orders API now exposes the shipping address. This corrects an issue with using this API to integrate with third-party systems.
- The SOAP API now returns attributes of type “text swatch” and “visual swatch” when you use the API to add attribute options. Previously, this feature did not work for these attribute types.
- Magento now allows you to use arguments of
urltype in nested arrays. Previously, you could pass route parameters only if the
urlargument was declared at the top level.
- Magento no longer displays HTML tags in messages.
- Product performance has been enhanced when loading catalog products with multiple color swatches.
- Magento now successfully saves and displays new customer attributes.
- The Google Tag Manager module now sends impressions to the Magento Data layer.
- Admin users can now view orders only from stores for which they have view permission.
- Magento performance has been improved by the removal of redundant get requests that previously occurred during shopping cart refresh.
This release includes several enhancements to improve the security of your Magento 2.0 installation. While there are no confirmed attacks related to these issues to date, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. We recommend that you upgrade your existing Magento 2.0 installation to the latest version as soon as possible.
The following list provides an overview of the security issues fixed in this release. We describe each issue in greater detail in the Magento Security Center.
- Issue with persistent cross-site scripting through a user account has been resolved.
- Magento now supports setting limits on password attempts. Previously, Admin and Customer Token API access did not limit the number of attempts to enter a password, inadvertently allowing brute force attempts to guess passwords.
- APIs that previously granted access to anonymous users are now configured to require a higher permission level. Default product behavior does not permit anonymous access to Catalog, Store and CMS APIs. However, if you would like to allow anonymous access, you can change this setting.
- Magento now prevents the arbitrary execution of PHP code through the language package CSV file.
- The encryption keys that are generated in System > Manage Encryption Key have been strengthened.
- Reflected cross-site scripting (XSS) can no longer occur through the Authorizenet module’s redirect data.
We recommend that you review Magento’s Security Best Practices, and confirm that all safeguards are in place to protect your system from compromise. Use this occasion to examine your system for indications of possible attack, such as strange administrator accounts, unfamiliar files on the server, etc. To receive direct notification from our security team regarding any emerging issues and solutions, sign up for the Security Alert Registry.
Our technology stack is built on PHP and MySQL. Magento 2.0.1 and later supports PHP 5.5, 5.6, 7.0.2, and MySQL 5.6. For more information, see System Requirements.
New users can now complete a full installation of Magento Enterprise Edition 2.0.4 from an archive file.
Download a new installation
- Go to the Magento website, and click My Account. Then, log in to your account.
In the panel on the left, choose Downloads. Choose Magento Enterprise Edition 2.x, and do the following:
a. Click Magento Enterprise Edition 2.x Release.
b. In the list, choose Version 2.0.4.
c. Click Download.
- Follow the instructions to upgrade and verify your installation. If you need help, go to the Support tab of your Magento account, and Open a Ticket.
Upgrade existing installations
If you installed Magento Commerce 2.0.0 from an archive, you must perform some additional tasks before you can upgrade your installation. Current users of Magento 2.0.0/2.0.1/2.0.2/2.0.3 must first update the installer from the command line. Then, update the installation from the Web Setup Wizard or command line. For detailed instructions, see the technical bulletin.
Upgrade an existing installation from the Setup Wizard
Log in to the Admin panel with Administrator privileges.
On the Admin sidebar, click System. Under Tools, choose Web Setup Wizard.
Click System Upgrade. Follow the onscreen instructions to complete the upgrade.
For more information, see Upgrade the Magento installation and components.
Magento partners can download the release and the release notes in PDF format from the Partner Portal.
- Log in to the Partner Portal.
- Under Magento Commerce, choose Magento Commerce 2.x.
- Find the Magento Commerce 2.x Release, and choose Version 2.0.4.