Security Enhancement Update Notice for Magento Open Source 2.2.1, 2.1.10 and 2.0.17
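The newly released Magento 2.2.1, 2.1.10 and 2.0.17 contain multiple security enhancements that help close cross-site scripting (XSS), local file inclusion (LFI), authenticated admin user remote code execution (RCE), and arbitrary file deletion vulnerabilities.
Users who have not previously downloaded a Magento 2 release can go directly to the download for Magento Commerce or Open Source 2.2.1.
For more information on how to protect your site, see the security best practices.
To download a release, choose from the following options:
Partners: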
Magento Commerce 2.2.1 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.1 |
Magento Commerce 2.1.10 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.10 |
Magento Commerce 2.0.17 (New .zip file installations) | Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.0.17 |
Magento Commerce 2.2.1, 2.1.10 and 2.0.17 (New composer installations) | https://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html |
Magento Commerce 2.2.1, 2.1.10 and 2.0.17 (Composer upgrades) | https://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html |
Magento Community Edition:
Magento Commerce 2.2.1 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.1 |
Magento Commerce 2.1.10 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.10 |
Magento Commerce 2.0.17 (New .zip file installations) | My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.0.17 |
Magento Commerce 2.2.1, 2.1.10 and 2.0.17 (New composer installations) | https://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html |
Magento Commerce 2.2.1, 2.1.10 and 2.0.17 (Composer upgrades) | https://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html |
Magento Open Source:
Magento Open Source 2.2.1, 2.1.10 and 2.0.17 (New .zip file installations) | Magento Open Source Download Page > Download Tab |
Magento Open Source 2.2.1, 2.1.10 and 2.0.17 (New composer installations) | https://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html |
Magento Open Source 2.2.1, 2.1.10 and 2.0.17 (Composer upgrades) | https://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html |
Magento Open Source 2.2.1, 2.1.10 and 2.0.17 (Developers contributing to the Open Source code base) | https://devdocs.magento.com/guides/v2.0/install-gde/install/cli/dev_options.html |
This update addresses the following issues:
- APPSEC-1325: Stored XSS in Billing Agreements
- APPSEC-1825: PHP Object Injection in E-mail templates leading to Remote Code Execution
- APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
- APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution
- APPSEC-1881: PHP Object Injection in Downloadable Products leading to Remote Code Execution
- APPSEC-1893: PHP Object Injection in product metadata leading to Remote Code Execution
- APPSEC-1900: Remote Code Execution by leveraging 1st stage unsanitized form input
- APPSEC-1910: Local File Inclusion (LFI) in Import History
- APPSEC-1930: PHP Object Injection in Widgets leading to Remote Code Execution
- APPSEC-1931: PHP Object Injection in Zend Framework leading to Arbitrary File Deletion
For more information, see the official Magento advisory:
https://magento.com/security/patches/magento-221-2110-and-2017-security-update