SUPEE-8788, Enterprise Edition 1.14.3 and Community
Edition 1.9.3 address Zend framework and payment
vulnerabilities, ensure sessions are invalidated after a
user logs out, and make several other security
enhancements that are detailed below.
Information on the additional functional enhancements in the
new 1.14.3 and 1.9.3 releases is available in the Enterprise
Edition and Community Edition release notes.
Patches and upgrades are available for the following
Magento versions:
- Enterprise Edition 1.9.0.0-1.14.2.4: SUPEE-8788, or upgrade to Enterprise Edition 1.14.3
- Community Edition 1.5.0.1-1.9.2.4: SUPEE-8788, or upgrade to Community Edition 1.9.3
To download a patch or release, choose from the following
options:
Partners:
- Enterprise Edition 1.14.3: PARTNER PORTAL > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3
- SUPEE-8788: PARTNER PORTAL > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – October 2016
Enterprise Edition Merchants:
- Enterprise Edition 1.14.3: MY ACCOUNT > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3
- SUPEE-8788: MY ACCOUNT > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – October 2016
Community Edition Merchants:
Magento CE 1.9.3.0 Release Notes
See the following sections for information about this release:
Highlights
Magento Community Edition 1.9.3 delivers more than 120 quality
improvements, as well as support for PHP 5.6 in addition to PHP
5.4 and 5.5.
Security Enhancements
We addressed the following security issues in this release:
General security enhancements
For more information about these security enhancements,
see our Security Center article.
Patches for major security issues in earlier versions of the
Magento software are available on the Magento download page
(look for SUPEE-8788).
- Resolved a potential cross-site scripting (XSS) vulnerability when adding a category.
- Resolved a potential XSS vulnerability that affected the Magento server's request URI.
- Resolved a potential XSS vulnerability in invitations.
- You can no longer cause out-of-memory errors on the Magento server by flooding it with images that have incorrect dimensions.
- The Magento Admin Panel login page now renders in HTTPS if you configured the Magento server for HTTPS.
- We added the X-Content-Type-Options: nosniff header to our .htaccess files.
- Magento no longer uses Adobe Flash for uploads.
- Fixed several potential issues indicated by static code scans.
- Resolved a potential man-in-the-middle vulnerability.
- Resolved a potential PHP security vulnerability.
- An administrative user is no longer able to create a potential security vulnerability that used the block cache.
- Resolved a potential cross-site request forgery (CSRF) vulnerability involving the wishlist.
- Resolved a potential remote code execution exploit.
- It is no longer possible to log in to a store as an existing customer using only an e-mail address.
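The following is an added example, not Magento's own code, illustrating the last item above together with the session-invalidation fix named at the top of this advisory: a customer session is issued only when a password verifies, and logging out removes the session record on the server so a captured session id stops resolving. The CustomerAuth class, its in-memory tables and the sample account are all constructed for the example.

```php
<?php
// Added example, not Magento's own code: a minimal server-side session
// registry showing two properties this release enforces for customer
// accounts. The customer table and credentials are constructed sample data.

class CustomerAuth
{
    private $customers = array();  // e-mail => password hash
    private $sessions  = array();  // session id => e-mail of the logged-in customer
    private $dummyHash;            // verified against for unknown addresses

    public function __construct()
    {
        $this->dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    public function register($email, $password)
    {
        $this->customers[strtolower(trim($email))] = password_hash($password, PASSWORD_DEFAULT);
    }

    // A session is issued only when the password verifies. The pre-fix weakness
    // amounted to an entry point that issued a session from the e-mail address
    // alone; there is deliberately no such method here.
    public function login($email, $password)
    {
        $email = strtolower(trim($email));
        $known = isset($this->customers[$email]);
        // Run password_verify even for unknown addresses so response time does
        // not reveal which e-mail addresses have accounts.
        $hash = $known ? $this->customers[$email] : $this->dummyHash;
        if (!password_verify($password, $hash) || !$known) {
            return null;
        }
        $sid = bin2hex(random_bytes(16));   // 128-bit session id (random_bytes needs PHP 7+)
        $this->sessions[$sid] = $email;
        return $sid;
    }

    // Resolve a session id presented by the client to a customer, or null.
    public function customerFor($sid)
    {
        return isset($this->sessions[$sid]) ? $this->sessions[$sid] : null;
    }

    // Logout deletes the server-side record. Clearing the cookie on the client
    // alone would leave the id usable by anyone who captured it.
    public function logout($sid)
    {
        unset($this->sessions[$sid]);
    }
}

$auth = new CustomerAuth();
$auth->register('alice@example.com', 'correct horse battery staple');

$wrong = $auth->login('alice@example.com', 'wrong password');        // no session: bad password
$sid   = $auth->login('alice@example.com', 'correct horse battery staple');
$before = $auth->customerFor($sid);                                   // resolves to alice
$auth->logout($sid);
$after  = $auth->customerFor($sid);                                   // old id no longer resolves
var_dump($wrong, $before, $after);
```

The point of the walk-through is the last two lookups: the same session id resolves before logout and not after, which is the server-side invalidation this patch set ensures. In a real store the session table lives in the database or cache rather than in a PHP array, and the session id is carried in an HttpOnly, Secure cookie.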
Password enhancements
- A user can reset a password only after receiving an e-mail. In addition, we introduced the following configuration settings:
  - Limit the number of forgotten password requests from one IP address to five per hour.
  - Limit the number of forgotten password requests from one e-mail address to five per 24 hours.
  - Limit forgotten password requests to no more than once every 10 minutes per e-mail address.
- The forgot password link expires after the first use or after two hours (by default).
- When a user changes their e-mail address, they are required to provide their password and to acknowledge the change from the previous address.
- We now ignore leading and trailing spaces in a user's password.
- The new customer e-mail now includes the customer's password.
- Resetting a password using a password recovery e-mail succeeds.
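The following is an added example, not Magento's own code, that implements the forgot-password limits and link expiry listed above with their default values: five requests per hour per IP, five per 24 hours per e-mail address, at least 10 minutes between requests for one address, and a reset link that is valid once and for two hours. The PasswordResetLimiter class, its in-memory storage, the fixed clock value and the 203.0.113.7 address are all constructed for the example.

```php
<?php
// Added example, not Magento's own code: a forgot-password request limiter and
// single-use reset-token store implementing the limits listed above with their
// default values. Storage is in-memory arrays; a deployment would keep the same
// records in the database or cache so the limits hold across web nodes. The
// clock is passed in so the logic can be exercised deterministically.

class PasswordResetLimiter
{
    private $maxPerIpPerHour;
    private $maxPerEmailPerDay;
    private $minIntervalPerEmail;   // seconds between two requests for one address
    private $tokenTtl;              // seconds a reset link stays valid
    private $ipRequests    = array();   // ip     => list of request timestamps
    private $emailRequests = array();   // e-mail => list of request timestamps
    private $tokens        = array();   // token  => array(email, expires, used)

    public function __construct($maxPerIpPerHour = 5, $maxPerEmailPerDay = 5,
                                $minIntervalPerEmail = 600, $tokenTtl = 7200)
    {
        $this->maxPerIpPerHour     = $maxPerIpPerHour;
        $this->maxPerEmailPerDay   = $maxPerEmailPerDay;
        $this->minIntervalPerEmail = $minIntervalPerEmail;
        $this->tokenTtl            = $tokenTtl;
    }

    // Handle a forgot-password submission. Returns the token to embed in the
    // e-mailed link, or null when a limit blocks the request. The caller must
    // show the same "if the address exists, a link was sent" message in both
    // cases and for unknown addresses, so the form does not enumerate accounts.
    public function request($email, $ip, $now)
    {
        $email = strtolower(trim($email));
        $this->prune($this->ipRequests, $ip, $now - 3600);
        $this->prune($this->emailRequests, $email, $now - 86400);

        if (count($this->ipRequests[$ip]) >= $this->maxPerIpPerHour) {
            return null;                                   // five per hour from one IP
        }
        $forEmail = $this->emailRequests[$email];
        if (count($forEmail) >= $this->maxPerEmailPerDay) {
            return null;                                   // five per 24 h for one address
        }
        if ($forEmail && ($now - end($forEmail)) < $this->minIntervalPerEmail) {
            return null;                                   // under 10 min since the last one
        }

        $this->ipRequests[$ip][]       = $now;
        $this->emailRequests[$email][] = $now;

        $token = bin2hex(random_bytes(16));                // PHP 7+; 128 bits of entropy
        $this->tokens[$token] = array(
            'email'   => $email,
            'expires' => $now + $this->tokenTtl,
            'used'    => false,
        );
        return $token;
    }

    // Redeem a token from a reset link. Valid once and only before expiry;
    // returns the e-mail address the reset applies to, or null.
    public function consume($token, $now)
    {
        if (!isset($this->tokens[$token])) {
            return null;
        }
        $entry = $this->tokens[$token];
        if ($entry['used'] || $now > $entry['expires']) {
            return null;
        }
        $this->tokens[$token]['used'] = true;
        return $entry['email'];
    }

    // Drop timestamps older than $cutoff for one key, creating the key if needed.
    private function prune(array &$store, $key, $cutoff)
    {
        $kept = array();
        if (isset($store[$key])) {
            foreach ($store[$key] as $ts) {
                if ($ts > $cutoff) {
                    $kept[] = $ts;
                }
            }
        }
        $store[$key] = $kept;
    }
}

// Walk-through with a fixed clock and a documentation-range IP (constructed input).
$limiter = new PasswordResetLimiter();
$t0 = 1700000000;
$first  = $limiter->request('alice@example.com', '203.0.113.7', $t0);        // issued
$second = $limiter->request('alice@example.com', '203.0.113.7', $t0 + 60);   // blocked: 10-minute spacing
$who    = $limiter->consume($first, $t0 + 120);                              // resets alice's password
$replay = $limiter->consume($first, $t0 + 130);                              // blocked: link already used
var_dump($first !== null, $second === null, $who, $replay === null);
```

Two details matter when moving this into a real store: keep only a hash of the token at rest, so that a database read does not yield working reset links, and count the request against the limits before checking whether the address exists, so that blocked and unknown addresses take the same path and produce the same response.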
Backward-Incompatible Changes
The following backward-incompatible changes were made in this
release:
- Mage_Adminhtml_Block_Cms_Wysiwyg_Images_Content_Uploader: the parent class was removed.
- Mage_Uploader_Model_Config_Abstract: overrides the magic method __call, and its behavior can be inconsistent. For example:

    ->setData('underscore_key', 1)->getUnderscoreKey() // null
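The following is an added example, not Magento's own code, that reproduces the null result above. DataObject stands in for the Varien_Object convention in which getFooBar() and setFooBar() reach the data key foo_bar through __call; CamelCaseConfig models the uploader config's override as one that keys on camelCase names instead. That modelling is an assumption about Magento's implementation, but it is enough to show why a value stored under an underscore key is invisible to the magic getter, and why the two key styles then coexist in the same object.

```php
<?php
// Added example, not Magento's own code. DataObject mimics the Varien_Object
// accessor convention; CamelCaseConfig is an assumed, simplified model of an
// override that keeps its keys in camelCase.

class DataObject
{
    protected $_data = array();

    public function setData($key, $value)
    {
        $this->_data[$key] = $value;
        return $this;
    }

    public function getData($key)
    {
        return isset($this->_data[$key]) ? $this->_data[$key] : null;
    }

    // 'UnderscoreKey' -> 'underscore_key'
    protected function _underscore($name)
    {
        return strtolower(preg_replace('/(.)([A-Z])/', '$1_$2', $name));
    }

    public function __call($method, $args)
    {
        $key = $this->_underscore(substr($method, 3));
        switch (substr($method, 0, 3)) {
            case 'get':
                return $this->getData($key);
            case 'set':
                return $this->setData($key, isset($args[0]) ? $args[0] : null);
            case 'has':
                return isset($this->_data[$key]);
        }
        throw new BadMethodCallException('Invalid method ' . get_class($this) . '::' . $method);
    }
}

// Override that keeps keys in camelCase, so getUnderscoreKey() reads 'underscoreKey'.
class CamelCaseConfig extends DataObject
{
    public function __call($method, $args)
    {
        $key = lcfirst(substr($method, 3));           // 'UnderscoreKey' -> 'underscoreKey'
        switch (substr($method, 0, 3)) {
            case 'get':
                return $this->getData($key);
            case 'set':
                return $this->setData($key, isset($args[0]) ? $args[0] : null);
        }
        throw new BadMethodCallException('Invalid method ' . get_class($this) . '::' . $method);
    }
}

$base = new DataObject();
$cfg  = new CamelCaseConfig();

// Base class: the magic getter and the explicit underscore key agree.
var_dump($base->setData('underscore_key', 1)->getUnderscoreKey());

// Override: the same call sequence misses, because the getter looks up 'underscoreKey'.
var_dump($cfg->setData('underscore_key', 1)->getUnderscoreKey());

// The magic setter writes a second, camelCase key; both keys now coexist in $_data.
$cfg->setUnderscoreKey(2);
var_dump($cfg->getData('underscoreKey'), $cfg->getData('underscore_key'));
```

Code that extends the uploader config classes is safest reading and writing through getData() and setData() with one explicit key convention, rather than mixing magic accessors with explicit keys, since the override decides which key a magic call touches.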
Fixes
The following sections discuss other fixes in this release:
Tax Calculation Fixes
- The subtotal including tax on an invoice is calculated
correctly.
Shopping cart and checkout fixes
- One product displays one time in a cart even if the product was added once as a guest and another time as a logged-in user.
- Bundled products now display properly in the mini cart as well as the shopping cart.
- Moving a configurable product to a shopping cart in the Admin Panel functions normally.
- Shipping discount coupons are now based correctly on a customer's shipping address.
- First Class Mail letter now displays as a shipping option in the shopping cart.
- You can now pay for a product using both store credit and reward points.
- An exception no longer displays when a customer uses a gift card in an invalid transaction (such as an incorrect payment card number).
- We added validation so a special price must be less than the actual price.
- Exceptions no longer display when a customer checks out.
- Fixed a programming issue that prevented serializing and unserializing values in the shopping cart.
- Magento recovers from payment processor unavailability properly; the customer is charged and the item is shipped.
- You can no longer order an empty product; that is, a product with no options.
Catalog fixes
- A configurable product with a decimal quantity less than 1 now displays the proper quantity in the catalog.
- Configurable products are now sorted by attribute, not by product ID.
- Errors no longer display when you use Mage_Catalog_Block_Product_List on a product detail page.
- Removed the undefined variable where from app/code/core/Mage/CatalogSearch/Model/Resource/Fulltext.php.
Price rule fixes
- A catalog price rule that targets a bundled product by percentage calculates the price properly.
- A shopping cart price rule that includes tax now calculates properly.
- With the flat product catalog enabled, a catalog price rule with multi-select attributes works properly.
- Errors no longer display when two users add a product at the same time. Magento thanks Babenko eCommerce for contributing this fix.
- You can now add configurable products to the shopping cart after configuring a shopping cart rule.
Configurable swatches fixes
- Fixed a memory leak in the configurable swatches module.
- Configurable swatches for out-of-stock products now display consistently in layered navigation, the category view page, and the product view page.
- Configurable swatches work properly even if there is no image (before the fix, a JavaScript error was thrown).
- Resolved performance issues.
- Swatch images for configurable products display properly.
Import/export fixes
- We bundled the following fixes in a patch:
  - Exporting a large number of products no longer results in an out-of-memory error.
  - You can import into multiple stores if some stores are set to be replaced.
  - Re-importing customers that have a multi-select attribute preserves the attribute.
  - File uploads are processed properly.
- Fixed broken help links in the Magento Admin Panel.
- Importing products no longer consumes an excessive amount of memory.
- Coupon reports exported as .csv now display the correct totals.
Indexer fixes
- With flat category tables enabled, reindexing no longer removes the category class tag.
- Resolved errors with the Product Flat Index not completely indexing a large number of changes.
- All indexes now reindex when set to update when scheduled.
- Improved performance of the category indexers. Magento thanks Vaimo for contributing this fix.
- Categories saved with a / character as the suffix display properly.
Other fixes
- Applied United States Postal Service API changes for January 17, 2016.
- Default variable values now save normally.
- The WYSIWYG editor handles XHTML attributes such as cellpadding and cellspacing properly.
- The configuration setting Allow HTML Tags on Frontend is honored.
- Orders created using the Magento Admin now display on the Orders and Returns page on the storefront.
- The option to merge Cascading Stylesheets (CSS) and JavaScript now works properly with a responsive web design (RWD) theme.
- On a mobile device, when the Magento storefront uses an RWD theme, the Filter bar displays one time only.
- The Magento Connect Manager downloader's .htaccess file is no longer overwritten when the downloader component is updated.
- The configuration cache is no longer corrupted under heavy load.
- Order update e-mails are sent only once.
- A SOAP API call to /api/soap/?wsdl returns normally.
- A value that contains special characters is handled without errors by the SOAP API.
- Fixed the untranslatable base/default/template/sales/guest/form.phtml template.
- Magento now stores two-digit birth years properly (for example, 80 is stored as 1980).
- HTTP 200 (OK) status codes are returned for pages after a session expires.
- You can view a disabled product without errors if compilation is enabled.
- A Value Added Tax (VAT) ID now validates properly. If the customer specifies an invalid ID, the customer is notified that they will be charged VAT.
- Listing shipments no longer displays an exception.
- You can filter associated products for a grouped product without errors.
- When you manage product attributes, selecting an action from Actions works properly.
- You can now add a configurable product by SKU to an order using the Admin Panel.
- You can now save a product's weight attribute.
- You can now save changes to a CMS page hierarchy when hierarchy metadata is disabled.
- You can now save a banner after upgrading.
- Using a Portable Network Graphics (.png) image on a CMS page no longer causes a HEADERS_ALREADY_SENT message to be logged.
- Fixed an exception related to an unknown database table.
- Fixed an issue with JavaScript merging.
- You can now print 10 or more shipping labels without issues.
- A PHP notice no longer occurs when you log the Magento Admin Panel IP address in the event log.
- A SQL error no longer displays when you create a new floating-point product attribute programmatically.
- Added a missing image to the codebase.
- The expression Mage::getModel('core/variable')->addValuesToResult() now returns a collection with the columns plain_value and html_value.
- Payment no longer results in the exception ERR (3): Notice: Undefined offset: 1 in app/code/core/Mage/Sales/Model/Order.php on line 1258.
- The correct telephone number displays in transactional e-mails. We changed the variable phone to store_phone. Magento thanks Classy Llama Studios for contributing this fix.
- The Google sitemap now lists store URLs properly.
- Implemented search query caching, which speeds up search results.
- After a customer submits an order, the following error no longer displays: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'ECO0000148' for key 'UNQ_SALES_FLAT_ORDER_INCREMENT_ID'.
- With flat category enabled, you no longer see errors due to an undefined method call.
- Case-sensitive variations of URL rewrites work as expected.
- Resolved a JavaScript syntax error in bundle.js.
- The cron-related error "Warning: shell_exec() has been disabled for security reasons..." has been resolved. Magento thanks Stefan Hagspiel for reporting this issue.
- cron no longer runs multiple times unnecessarily.
- Cached static blocks now display properly.