Magento Commerce 2.1.14 Release Notes
- Fixed issues
- Community contributions
- System requirements
- Migration toolkits
Patch code and release notes were published on June 27, 2018.
We are pleased to present Magento Open Source 2.1.14. This release includes multiple enhancements to product security plus bug fixes and enhancements. Check out the many community-contributed fixes!
Although this release includes these enhancements, no confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions, so we recommend that you upgrade your Magento software to the latest version as soon as possible.
See Magento Security Center for a comprehensive discussion of these issues.
Magento 2.1.14 contains 38 security fixes and enhancements. The enhancements help close stored XSS, SQL injection, and cross-site request forgery (CSRF) vulnerabilities. See Magento Security Center for more information.
In addition to security enhancements, this release contains the following functional fixes.
magento cron:runcommand now runs scheduled jobs as expected. Previously, cron generated only one job, no matter how many jobs were scheduled. Fix submitted by Sergey P in pull request 14096. GitHub-4173
- The misspelling in the name of the namespace in
Magento\Cron\Observer\ProcessCronQueueObserver.phphas been fixed. Previously, this misspelling resulted in a fatal error when this class was instantiated and run. Fix submitted by Sergey P in pull request 13949. GitHub-4173
magento setup:di:compilecommand now supports quoting for base paths. Previously, this command tried to exclude paths from the compilation process via regex in the
excludedPathsListproperty. However, that property does not use quoting but instead contains the full path to Magento, which resulted in the failure to exclude some paths (for example,
/var/www/magento (1)/). Fix submitted by Ethan Yehuda in pull request 13806.
Store getConfig()now respects valid false return values. Previously, the system represented the no setting as a string value of 0 (and 0 equals false), and as a result, this method fetched the default configuration values when a configuration value was set to no. Fix submitted by Jeroen in pull request 13654.
- All console commands now return status. Fix submitted by Sergey P in pull request 14480.
- We’ve added the
web/unsecure/base_urlconfig to both website and store scopes. Fix submitted by Jeroen in pull request 13658.
- Magento now checks if
storeIdis not null rather than checking if it is empty. Previously, when
storeId 0 is_emptyreturned
true, Magento could not create a CMS page for all store views. Fix submitted by Tommy Quissens in pull request 14505.
- Magento no longer displays HTML tags in product meta descriptions. Fix submitted by Victor Seager in pull request 14436.
- The layout of
catalog_rule_promo_catalog_edit.xmlhas been changed to adjust sidebar settings. Specifically, he tlayout attribute value has been changed from
admin-1column. Fix submitted by Karla Saaremäe in pull request 14022.
- The Catalog Price rule’s
containscondition now works as expected when the
containscondition allows multiple options. Fix submitted by Pieter Hoste in pull request 13546. GitHub-7723
Cart and checkout
- Enhancements to LESS code include moving several LESS variables to
.lib-dropdown()variables and adding
navigation.less. Fix submitted by Karla Saaremäe in pull request 13987.
- We’ve improved the display of the Payment Methods section of the checkout page on mobile devices. Previously, the layout of page elements was not correctly spaced. Fix submitted by Marcin Kwiatkowski in pull request 13980. GitHub-13315
- You can now successfully override settings in
module-directory/etc/zip_codes.xml. Previously, when you tried to override these settings, Magento displayed only the last pattern from the module’s
zip_codes.xml. Fix submitted by Sergey P in pull request 14117. GitHub-6694
- Magento now displays accurate configurable product prices in multi-store environments. Previously, Magento displayed the same configurable product prices for all stores after the first store emulation. Fix submitted by Sergey P in pull request 14479.
- You can now successfully save an address with a blank address field. Previously, when you saved an address that contained no text in an optional address field, Magento threw this error,
'Exception' with message 'Notice: Array to string conversion on line 2903 in lib/internal/Magento/Framework/DB/Adapter/Pdo/Mysql.php will be raised. Fix submitted by Sergey P in pull request 14115.
- We’ve removed
<title>Billing Agreements</title>from the
customer_account.xmlfile in the PayPal module. Fix submitted by Mike Whitby in pull request 14323.
- The color of the button on the email template when a user hovers over it has been changed from
@button-primary__hover__color. Fix submitted by Karla Saaremäe in pull request 14497.
- We’ve added JSON and XML support to the post method in the
\Magento\Framework\HTTP\Client\Socketclass. Fix submitted by Sergey P in pull request 14348.
- Navigation menus without the
display: inline-blocksetting now work as expected on deployments running on Internet Explorer 11.x. Previously, after a page refresh, navigation menus on pages running Luma or Blank themes would not work. Fix submitted by Sergiy in pull request 14332.
- You can now successfully prevent the removal of a block or container by setting the
removeattribute to false. Previously, setting this attribute to false did not cancel the removal of a block or container. Fix submitted by Tommy Quissens in pull request 14198. GitHub-1931
Stringtype was added to
\Magento\Framework\HTTP\Client\Curlto support sending JSON or XML requests. Fix submitted by Sergey P in pull request 14151. GitHub-3489
- We’ve improved the ability to store passwords using different hashing algorithms. These improvements include changes to
\Magento\Framework\Encryption\Encryptor::getHash, which previously ignored the specified hashing algorithm version that was supplied. Fix submitted by Mads Nielsen in pull request 13886. GitHub-5463
- You can now cancel the removal of a block or container from a layout by setting the
removeattribute value to
- You can now add an XML comment node as a parameter when adding a new widget declaration to
widget.xml. Previously, if you added a comment as a parameter to a widget declaration, Magento displayed a 500 error. Fix submitted by Pieter Hoste in pull request 14219. GitHub-3882
setAttributeFiltermethod now specifies the relevant table when calling the
addFieldToFiltermethod. This method is called as part of the process of adding a field to the filter for the collection
Eav/Model/ResourceModel/Entity/Attribute/Option/Collection.php. Previously, Magento displayed an error (
ambiguous column name) when you joined tables containing column
Fix submitted by Pierre Le Maguer in pull request 14596. GitHub-14572
- We’ve added a CodeTriage badge to the
magento/magento2GitHub repository. See CodeTriage for more information. Fix submitted by Eugene Shakhsuvarov in pull request 1454.
- The catalog gallery
allowfullscreensetting In the theme’s
view.xmlfile now works as expected. Previously, when you set the gallery’s
allowfullscreenvariable to false, Magento displayed a white page (instead of the product page) when a customer tapped on a product image while using a mobile device. Fix submitted by Sergey P in pull request 14098. GitHub-5808
- We’ve removed the ability of the Magento Framework to explicitly set file and directory permissions from the default cache backend. Removing this functionality allows permissions to be inherited properly from the file system, and respects SETGID bit and Magento umask settings. Fix submitted by Doug in pull request 14417. GitHub-11930, GitHub-10700
- Magento now installs the AdminGws module after it installs
Magento_Authorization. Fix submitted by Anton Evers in pull request 58.
- We added a RewriteBase directive template to the
.htaccessfile in the
pub/staticfolder. Previously, if you set this directive in the
.htaccessfile in your Magento root directory, the Apache web server would miss files. Fix submitted by Cristiano Casciotti in pull request 13812.
robots.txtresponse header content type is now plain text. Fix submitted by Pieter Hoste in pull request 13550. GitHub-13214
- Load query no longer uses requireJS to print. Fix submitted by Pieter Hoste in pull request 13545.
- You can now use a parameter to change the store code in Swagger, which makes it possible to test API calls in Swagger for different storeviews. Fix submitted by Jeroen in pull request 13486. GitHub-13474
- You can now translate the text associated with rating stars in product reviews. Fix submitted by Karla Saaremäe in pull request 14524.
- We’ve added a
mage/translatecomponent to the customer AJAX login action component, which enables the translation of the message that Magento displays if an AJAX call fails (
Could not authenticate. Please try again later). Previously, Magento printed that message in English only, regardless of the storefront’s language setting. Fix submitted by Cristiano Casciotti in pull request 14168.
We are grateful to the wider Magento community and would like to acknowledge their contributions to this release.
Individual contributor contributions
The following table identifies contributions from our community members. This table lists the external pull requests, the GitHub issue number associated with it (if available), and the community member who contributed the pull request.
|Pull request||Related GitHub issue||Contributing community member|
|14596||14572||Pierre Le Maguer|
The following table highlights contributions made by Partners. This table lists the Partner who contributed the pull request, the external pull request, and the GitHub issue number associated with it (if available).
|Contributing Partner||Pull Request||Related GitHub issue|
|Convert||14479, 14348, 14480, 14151, 14117, 14098, 14096, 13806||4173, 5808, 6694, 3489|
|H&O||13654, 13658, 13486||13474|
Our technology stack is built on PHP and MySQL. For more information, see System Requirements.
See How to get the Magento software for comprehensive information about Magento 2.1.x installation and setup.
The Magento Data Migration Tool helps transfer existing Magento 1.x store data to Magento 2.x. This command-line interface includes verification, progress tracking, logging, and testing functions. For installation instructions, see Install Data Migration Tool. Consider exploring or contributing to the Magento Data Migration repository.
An updated version of this toolkit is typically available several days after the patch release.
The Code Migration Toolkit helps transfer existing Magento 1.x store extensions and customizations to Magento 2.0.x. The command-line interface includes scripts for converting Magento 1.x modules and layouts.
Dear community members, thank you for your suggestions, bug reports and code contributions.