Adobe Commerce 2.3.7-p1 is a security-only release that provides 17 security fixes that enhance your Magento 2.3.7 deployment. Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release provides. Patch 2.3.7-p1 is a security-only patch that provides fixes for vulnerabilities that have been identified in our previous quarterly release, Adobe Commerce 2.3.7 and Magento Open Source 2.3.7.
PHP 7.3 reaches end of support in December 2021, and Adobe Commerce 2.3.x reaches end of support in April 2022. We strongly recommend planning your upgrade now to Adobe Commerce 2.4.x or Magento Open Source 2.4.x and PHP 7.4.x to help maintain PCI compliance.
Apply MC-43048__set_rate_limits__2.3.7-p1.patch to address an issue with API rate limiting
This hotfix provides a solution for the issue where Web APIs cannot process requests that contain more than 20 items in an array. This issue affects deployments running Magento Open Source 2.4.3, Adobe Commerce 2.4.3, or Adobe Commerce 2.3.7-p1. Built-in rate limiting was added to these releases to prevent denial-of-service (DoS) attacks, and the default maximum was set to 20. This patch reverts the default limit to a higher value. If you suspect that your store is experiencing a DoS attack, Adobe recommends lowering the default input limits to restrict the number of resources that can be requested. See the Web API unable to process requests with more than 20 items in array Knowledge Base article.
Apply AC-384__Fix_Incompatible_PHP_Method__2.3.7-p1_ce.patch to address PHP fatal error on upgrade
The following fatal error can occur during upgrade to Adobe Commerce 2.3.7-p1:
PHP Fatal error: Uncaught Error: Call to undefined function Magento\Framework\Filesystem\Directory\str_contains() in [...]/magento/vendor/magento/framework/Filesystem/Directory/DenyListPathValidator.php:74
This error results from the use of the str_contains function, which is a PHP 8.x function. Adobe Commerce 2.3.7-p1 does not support PHP 8.x. This hotfix replaces this function with a supported PHP 7.x function. See the Adobe Commerce upgrade 2.4.3, 2.3.7-p1 PHP Fatal error Hotfix Knowledge Base article.
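The kind of PHP 7.x-compatible replacement the hotfix describes, shown here as an added example (not Adobe's hotfix code and not the DenyListPathValidator source): a guarded polyfill that reproduces PHP 8 str_contains semantics, including the empty-needle case, where strpos on PHP 7 emits a warning and returns false. The deny list, paths, and the pathContainsDeniedSegment helper are constructed for illustration only.

```php
<?php
// Added example (not Adobe's hotfix code): a PHP 7.x-safe stand-in for str_contains().
// PHP 8 semantics: true when $haystack contains $needle, and always true for an
// empty $needle. On PHP 7, strpos() with an empty needle warns and returns false,
// so that case is handled before strpos() is called. The guard keeps the native
// function when the code runs on PHP 8, where redeclaring it would be a fatal error.
if (!function_exists('str_contains')) {
    function str_contains(string $haystack, string $needle): bool
    {
        return $needle === '' || strpos($haystack, $needle) !== false;
    }
}

// Constructed helper in the spirit of a deny-list path validator: reject a path
// that contains any denied segment. The list below is illustrative, not Magento's.
function pathContainsDeniedSegment(string $path, array $denied): bool
{
    foreach ($denied as $segment) {
        if (str_contains($path, $segment)) {
            return true;
        }
    }
    return false;
}

$denied = ['..', '.git'];
var_dump(pathContainsDeniedSegment('var/log/../app/etc', $denied));
var_dump(pathContainsDeniedSegment('pub/media/catalog', $denied));
var_dump(str_contains('anything', ''));
```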
What’s in this release?
Seventeen security fixes and one security enhancement are included in this security patch. Fifteen of these fixes have been backported from Magento 2.4.3, and two fixes are specific to the 2.3.x product line. See Adobe Security Bulletin.
Rate limiting is now built into Magento APIs to prevent denial-of-service (DoS) attacks. Web APIs now impose restrictions on the size or number of resources (the default limit is set to 20 and can be configured to a different value based on business need) that can be requested by a client. See Rate limiting for information about configuring these restrictions.
Security-only patches typically include all hotfixes that have been released for the preceding complete release. However, no hotfixes have been released for Adobe Commerce 2.3.7 and Magento Open Source 2.3.7.
Issue: Previously placed order price is displayed when a shopper tries to place an order with a different product using the PayPal payment method. Magento displays an incorrect order price when a shopper tries to use PayPal to pay for an order after first purchasing a different product. Shoppers can successfully place the first order, but during checkout for the second order, Magento displays the first order’s total price instead of the second order’s correct total. See Adobe Commerce 2.3.7-p1 known issue: outdated order total for PayPal.
Installation and upgrade instructions
For instructions on downloading and applying security-only patches (including patch 2.4.2-p1), see Quick start install.
For general information about security-only patches, see the Magento DevBlog post Introducing the New Security-only Patch Release.