Staying updated is the need of the hour for every business out there. Especially for e-commerce business owners, it applies up to the core. Recently Magento Commerce 2.1.14 and Magento Open source 2.1.14 have been announced with enhanced multiple security features and fixes.
These improvements are helpful to close the authenticated admin user remote code execution (RCE), Cross-site scripting (XSS) and other liabilities that needed to be addressed.
The main highlights of the Magento 2.1.14 is the presence of 38 security fixes and enhancements. These enhancements are helpful to shut down stored XSS, cross-site request forgery (CSRF) vulnerabilities and SQL injection.
The Fixes and Enhancements of Magento 2.1.14
- Now it’s possible for ‘magento cron:run command to execute the scheduled jobs as per the requirement.
- Issue of the misspelling which was earlier there in the name of the namespace Magento\Cron\Observer\ProcessCronQueueObserver.php has been solved.
- The console commands now have return status.
- The command of ‘Store getConfig()’ now considers valid false return values.
- Command of ‘magento setup:di:compile’ now backs up quoting for the base paths.
- Magento 2.1.14 security made an addition of ‘web/unsecure/base_url’ to both store scopes and the website.
- There is no display of HTML tags in the product Meta descriptions.
- This version of Magento also cross checks whether the ‘storeID’ is not null apart from checking if it’s empty or not.
- The overall layout of ‘catalog_rule_promo_catalog_edit.xml’ has been altered to tune with sidebar settings.
- Now the ‘contains’ condition of the catalog price rule is compatible and functional as expected as the ‘contains’ condition permits multiple options.
- Magento 2.1.14 have bought a significant improvement in Payment methods section’s display seen on the checkout page on the mobile and other handheld devices.
- Improvements to the LESS code now includes shifting of many LESS variables to ‘.lib-dropdown()’ variables and inserts the ‘font-weight’ variable to the ‘navigation.less’.
- A blank address field can be successfully saved along with an address.
- Successful override settings can be made in ‘module-directory/etc/zip_codes.xml’.
- This newer version of Magento eliminated <title>Billing Agreements</title> from the customer_account.xml file which was present in the PayPal module.
- There has been an additional addition of JSON and XML support to the post method present in the ‘\Magento\Framework\HTTP\Client\Socket’ class.
- You can now effectively bar the removal of a block or container by making setting of the ‘remove’ command to ‘false’.
- The navigation menus devoid of the ‘display: inline-block’ setting can now function as needed on the deployments present on Internet Explorer 11.x.
- Magento 2.1.14 enhanced the function of storing passwords by using varied hashing algorithms.
- ‘String’ type was included in ‘\Magento\Framework\HTTP\Client\Curl’ for sustaining JSON or XML requests.
- Command of a block removal can be cancelled or container lying in a layout by doing setting ‘remove’ attributes value to ‘false’.
- The catalog gallery can now add ‘allowfullscreen’ setting and in the theme’s ‘view.xml’ file functions as expected.
- Relevant table is now specified by the ‘setAttributeFilter’ method at the time of addressing the ‘addFieldToFilter’ method.
- As a consideration, XML comment node can be added during addition of a new widget declaration to ‘widget.xml’.
- For printing the load query does not uses requires.
- Content type of the ‘robots.txt’ is now plain text.
- ‘Magento_Authorization’ is installed after AdminGws module.
- Magento 2.1.14 smartly removed the function of the Magento Framework to openly set file and directory permissions from the backend of default cache.
- Translation of the text in product reviews is now possible and also few other additional issues concerning translations have also been addressed.
CThe colorof the email template button has been changed from @button-primary__color to @button-primary__hover__color when a user hovers over that button.
- Wrong spelling which was present in Magento\Cron\Observer\ProcessCronQueueObserver.php has been fixed. Earlier this misspelling leaded to fatal error when it was run on the system.
- Now the magento cron:run command runs the scheduled tasks as required and set-up. Earlier only a single job was generated by this command irrespective of the number of jobs that were scheduled.
- All relieve commands now have return status.
- Web/unsecure/base_url config has been added to both store scopes and website.
- Base path is now supported by the magento setup:di:compile command. Previously the same command did not include the compilation process through regex in the excluded PathList property. Though the property does not apply quoting but has the full path to Magento that leaded to a failure of certain paths.
Before installing the Magento Commerce 2.1.14 and Magento open source 2.1.14 do not forget to take the back-up of the system. This would ensure complete safety while you update your system with this newer version of Magento with enhanced fixes and security features.