Magento 2.2.5 and 2.1.14 Security Update
Magento Commerce and Magento Open Source 2.2.5 and 2.1.14 include multiple security enhancements that help close remote code execution (RCE) by authenticated admin users, cross-site request forgery (CSRF), and other vulnerabilities. Users who have not yet downloaded any Magento 2 release should go straight to Magento Commerce or Magento Open Source 2.2.5. For further information on how to protect your site, see the security best practices.
Choose the update version that fits you from the options below to apply this security update:
Magento partners:
Version | Where to get it |
Magento Commerce 2.2.5 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.5 |
Magento Commerce 2.1.14 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.14 |
Magento Commerce 2.2.5 and 2.1.14 (New composer installations) | https://devdocs.magento.com/guides/v2.2/install-gde/prereq/integrator_install.html |
Magento Commerce 2.2.5 and 2.1.14 (Composer upgrades) | https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html |
Magento Commerce:
Version | Where to get it |
Magento Commerce 2.2.5 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.5 |
Magento Commerce 2.1.14 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.14 |
Magento Commerce 2.2.5 and 2.1.14 (New composer installations) | https://devdocs.magento.com/guides/v2.2/install-gde/prereq/integrator_install.html |
Magento Commerce 2.2.5 and 2.1.14 (Composer upgrades) | https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html |
Magento Open Source:
Version | Where to get it |
Magento Open Source 2.2.5 and 2.1.14 (New .zip file installations) | Magento Open Source Download Page > Download Tab |
Magento Open Source 2.2.5 and 2.1.14 (New composer installations) | https://devdocs.magento.com/guides/v2.2/install-gde/prereq/integrator_install.html |
Magento Open Source 2.2.5 and 2.1.14 (Composer upgrades) | https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html |
Magento Open Source 2.2.5 and 2.1.14 (Developers contributing to the Open Source code base) | https://devdocs.magento.com/guides/v2.2/install-gde/install/cli/dev_options.html |
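Before picking a download above, it helps to know which branch each of your stores runs and whether it is already on a patched release. The script below is an added example written for this post, not code from Magento or from the advisory. It assumes two things: that the banner printed by `bin/magento --version` contains an `x.y.z` version number, and that `composer.lock` lists the store under the `magento/product-community-edition` (Open Source) or `magento/product-enterprise-edition` (Commerce) metapackage name. The sample banner and lock file are constructed for the example. The only fixed releases it knows are the two named in this post, so a store on a branch the post does not mention (for instance 2.0.x) is reported as out of scope rather than as patched.

```python
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each branch named by the advisory. Any older
# release on the same branch has not received these security fixes.
FIXED_VERSIONS = {
    (2, 2): (2, 2, 5),
    (2, 1): (2, 1, 14),
}

# Metapackage names under which a Magento 2 store appears in composer.lock.
MAGENTO_METAPACKAGES = (
    "magento/product-community-edition",   # Magento Open Source
    "magento/product-enterprise-edition",  # Magento Commerce
)

# Constructed sample of the one-line banner from `bin/magento --version`
# (version number made up for this example).
SAMPLE_CLI_BANNER = "Magento CLI version 2.2.4"

# Constructed sample of the relevant part of a composer.lock file
# (package versions made up for this example).
SAMPLE_COMPOSER_LOCK = """{
  "packages": [
    {"name": "magento/framework", "version": "101.0.4"},
    {"name": "magento/product-community-edition", "version": "2.1.13"}
  ]
}"""

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Pull the first x.y.z version out of free text such as a CLI banner.

    A suffix such as "-p1" is ignored; only the numeric triple is compared."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def version_from_composer_lock(lock_json: str) -> Optional[Version]:
    """Read the store's version from composer.lock contents.

    Only the Magento metapackage is consulted; individual module versions
    (e.g. magento/framework) use a different numbering and are skipped."""
    data = json.loads(lock_json)
    for package in data.get("packages", []):
        if package.get("name") in MAGENTO_METAPACKAGES:
            return parse_version(package.get("version", ""))
    return None


def assess(version: Optional[Version]) -> str:
    """Classify an installed version against the advisory's fixed releases.

    Returns "patched", "unpatched", or "out-of-scope" when the branch is one
    the advisory names no fixed release for (e.g. 2.0.x) or no version was found."""
    if version is None:
        return "out-of-scope"
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "out-of-scope"
    return "patched" if version >= fixed else "unpatched"


def report(label: str, version: Optional[Version]) -> str:
    """One human-readable line per store, suitable for an inventory sweep."""
    shown = ".".join(str(n) for n in version) if version else "unknown"
    return f"{label}: version {shown} -> {assess(version)}"


if __name__ == "__main__":
    print(report("store-a (CLI banner)", parse_version(SAMPLE_CLI_BANNER)))
    print(report("store-b (composer.lock)", version_from_composer_lock(SAMPLE_COMPOSER_LOCK)))
```

Run it as-is to see the two constructed samples classified; in practice you would feed it the real banner or lock file from each store and act on every line that says `unpatched`. The comparison is a plain tuple comparison, so a later release on the same branch (say 2.2.6) is correctly reported as patched.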
This update addresses the following issues:
APPSEC-2014: Authenticated Remote Code Execution (RCE) through the Magento admin panel (swatches module)
APPSEC-2054: Remote Code Execution (RCE) via product import
APPSEC-2042: PHP Object Injection and RCE in the Magento 2 EE admin panel (Commerce Target Rule module)
APPSEC-2055: PHP Object Injection and RCE in the Magento 2 Commerce admin panel (Schedule Import/Export Configuration)
APPSEC-2048: SQL Injection through API
APPSEC-2025: Arbitrary File Delete via Product Image
APPSEC-2044: Cross-Site Scripting (XSS) through B2B quote
APPSEC-2026: Authenticated Remote Code Execution (RCE) through the Magento admin panel (currency configuration)
APPSEC-2070: Directory Traversal in Product Import
APPSEC-2062: Remote Code Execution (RCE) through dev tools
APPSEC-2027: PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce)
APPSEC-2010: Cross-Site Request Forgery + Frontend Stored XSS (Design Configuration)
APPSEC-2006: Stored cross-site scripting (XSS) through the Enterprise Logging extension
APPSEC-2030: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)
APPSEC-1716: X-Frame-Options missing from templates
APPSEC-1993: IP Spoofing
For more information, see the official Magento release notes.
For more Magento 2 news, don't forget to subscribe to our newsletter and follow our Facebook page!