|Today, Magento is releasing a new security patch (SUPEE-6788), Enterprise Edition 220.127.116.11 and Community Edition 18.104.22.168 to address over 10 issues identified through our comprehensive security program, including remote code execution and information leak vulnerabilities. This patch is unrelated to the recent Guruincsite malware issue. There are no confirmed reports of attacks related to these issues to-date, but it is important that you deploy the patch in order to protect your store. More information about the patch is provided in the Magento Security Center and in the Magento Enterprise Edition and Magento Community Edition release notes.
This patch breaks backward compatibility in ways that can affect your extensions or customizations (see notes for details). For example, certain updates to admin routing can make improperly coded extensions and customizations inaccessible from the admin panel. We expect that many extensions and customizations will be affected by this change, so we are releasing the patch with it included, but turned off. This lets you immediately benefit from the rest of the patch, while also giving you time to update your code before turning on the admin routing change.
Magento recommend that you first test the code in a non-production environment with the admin routing change turned on. If it works, deploy the fully-enabled patch to production. If you discover issues with accessing extensions or customizations from the admin panel, deploy the patch with the admin routing change disabled. Then work with your developer and extension providers to update impacted customizations and extensions. Magento urge you to turn on the admin routing change as soon as possible to protect your site from automated attacks, like the malware issue we recently experienced.
DOWNLOADING THE SECURITY PATCH
Patches are available for Magento Enterprise Edition 1.7 and later releases and Magento Community Edition 1.4 and later releases. Before implementing this new security patch (SUPEE-6788), you must first implement all previous security patches. This will ensure that the patch works properly.
To download the patch, choose from the following options:
- Partners: Go to the Partner Portal, select Technical Resources and then select Download from the Enterprise Edition panel. Next, navigate to Magento Enterprise Edition > Patches & Support and look for the folder titled “Security Patches – October 2015.”
- Enterprise Edition Merchants: Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Support Patches. Look for the folder titled “Security Patches – October 2015.” Merchants can also upgrade to Enterprise Edition 22.214.171.124 and receive the security update as part of the core code.
- Community Edition Merchants: Patches for earlier versions of Community Edition can be found on the Community Edition download page (look for SUPEE-6788). Merchants can also upgrade to Community Edition 126.96.36.199 and receive the security update as part of the core code.
Information about installing patches for Magento Enterprise Edition and Magento Community Edition is available online.