Magento Open Source 2.0.6 Release Notes
We are pleased to present Magento Open Source (formerly Community Edition) 2.0.6. This release includes security enhancements as well as several functional fixes and enhancements.
2.0.6 contains important security updates. Please update to this version or use the latest available Magento version when starting a new project.
Backward-incompatible changes are documented in Magento 2.0 Backward Incompatible Changes.
- Varnish no longer returns a 400 bad request error message when clearing its cache. Previously, this issue occurred with Magento instances running on GoDaddy.
- Starting with Magento 2.0.6, Magento provides a more flexible way for you to set file ownership and permissions. Instead of setting permissions explicitly, you only need to make sure files and directories are writable for installation. We provide different suggestions for doing this, depending on whether you access your Magento server with one user account (typical of shared hosting) or two user accounts (typical of private hosting or having your own server). After installation, to further restrict access to files and directories, you can optionally create a file named magento_umask in your Magento root directory. By default, the umask is 002, which means that directories have 775 permissions and files have 664 permissions. For more details, see Magento file system ownership and permissions.
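The following POSIX shell script is an added example, not part of the Magento documentation or code base: it reads the umask from the magento_umask file described above (defaulting to 002), derives the directory and file modes that umask implies, and lists entries under a Magento root that carry permission bits the umask is meant to clear. The file name and the default value come from the release notes; the root path passed as an argument is assumed.

```shell
#!/bin/sh
# Added example (not Magento's own code): derive permissions from the
# magento_umask value and audit a Magento root directory against them.

# Read the umask from ROOT/magento_umask; fall back to Magento's default 002.
read_magento_umask() {
    if [ -f "$1/magento_umask" ]; then
        tr -d '[:space:]' < "$1/magento_umask"
    else
        echo 002
    fi
}

# Directory mode implied by a umask: 777 with the masked bits cleared (002 -> 775).
dir_mode_for_umask() {
    printf '%o' $(( 0777 & ~0$1 ))
}

# File mode implied by a umask: 666 with the masked bits cleared (002 -> 664).
file_mode_for_umask() {
    printf '%o' $(( 0666 & ~0$1 ))
}

# Print every entry under ROOT that has a permission bit set which the umask
# clears. An empty result means the tree is no wider than the umask allows.
find_overly_permissive() {
    root=$1
    mask=$(read_magento_umask "$root")
    for bit in 0400 0200 0100 0040 0020 0010 0004 0002 0001; do
        # Each bit is tested on its own because "find -perm -MODE" only
        # matches when every bit in MODE is set.
        if [ $(( 0$mask & $bit )) -ne 0 ]; then
            find "$root" -perm "-$bit"
        fi
    done | sort -u
}
```

Run `find_overly_permissive /path/to/magento` after tightening permissions; any path it prints is still writable (or otherwise open) beyond what the configured umask permits.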
- You can now use the Redis adapter to provide session storage in Magento 2.0.6. For more information, see Redis for session storage.
This release includes enhancements to improve the security of your Magento installation. While there are no confirmed attacks related to these issues to date, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. We recommend that you upgrade your existing Magento installation to the latest version as soon as possible.
The following list provides an overview of the security issues fixed in this release. We describe each issue in greater detail in the Magento Security Center.
- Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs.
- Magento no longer allows authenticated customers to change other customers’ account information using either SOAP or REST calls. Magento now confirms that the ID of the customer whose account is being edited matches the authentication token in use.
- Anonymous users can no longer retrieve the private data of registered customers. To prevent malicious attacks of this type, the quote_id_mask table of the Quote API no longer includes a cart id mask value.
- Several parameters in the Authorize.net payment module were vulnerable to reflected Cross-Site Scripting (XSS) attacks, because the existing protection against such malicious parameters was not enough to stop all types of attacks. This release closes that gap.
- Magento no longer allows users with minimum privileges (for example, access to the dashboard only) to force re-installation of Magento, which could allow them to potentially execute malicious code.
- The Magento installation code is no longer accessible once the installation process has completed.
- When an integration is created, Magento now bases the OAuth consumer key expiration from when the token exchange begins instead of when the consumer key is created. (GITHUB-3449)
- Only a registered customer can assign a guest cart to their own account. Previously, an anonymous user could modify the state (that is, set an active quote) of a registered customer.
- Magento no longer discloses information about its internal path during installation.
- Magento no longer discloses the administrator URL to an unauthenticated user during setup.
- Application error messages no longer include the path to the file where the error occurred.
Our technology stack is built on PHP and MySQL. Magento 2.0.1 and later support PHP 5.5, 5.6, 7.0.2, and MySQL 5.6. For more information, see System Requirements.
New users can now complete a full installation of Magento Open Source 2.0.6 from an archive file on the Download page.
Download a new installation
Go to the Magento Open Source Download page.
Under Full Release, select a format for the download archive file. Then, click Download.
Follow the Magento installation instructions.
Install a new installation with Composer
Go to the Magento Open Source Download page.
Under Download with Composer, click Download.
Follow the instructions to download Composer, and get the Magento Open Source metapackage.
Upgrade existing installations
If you installed Magento Open Source 2.0.0 from an archive, you must perform some additional tasks before you can upgrade your installation. Current users of Magento 2.0.0/2.0.1/2.0.2/2.0.3/2.0.4/2.0.5 must first update the installer from the command line. Then, update the installation from the Web Setup Wizard or command line. For detailed instructions, see the technical bulletin.
Upgrade an existing installation from the Setup Wizard
Log in to Admin with Administrator privileges.
On the Admin sidebar, click System. Under Tools, choose Web Setup Wizard.
Click System Upgrade. Follow the onscreen instructions to complete the upgrade.
For more information, see Upgrade the Magento installation and components.
Upgrade an existing installation from the GitHub repository
Developers who contribute to the Open Source code base can upgrade manually from the Magento Open Source GitHub repository.
Go to the Contributing Developers page.
Follow the instructions to pull the updates from the repository and update Composer.
The Data Migration Tool helps transfer existing Magento 1.x store data to Magento 2.x. This command-line interface includes verification, progress tracking, logging, and testing functions. For installation instructions, see Install the Data Migration Tool. Consider exploring or contributing to the Magento Data Migration repository.
The Code Migration Toolkit helps transfer existing Magento 1.x store extensions and customizations to Magento 2.0.x. The command-line interface includes scripts for converting Magento 1.x modules and layouts.