Magento EE 1.14.2.1 Now Available

Magento Commerce Enterprise Edition (EE) Version 1.14.2.1 is now available for download and upgrade.

Magento EE 1.14.2.1 provides merchants with performance optimizations, the USPS API patch from June (SUPEE-6237), and four Magento Security Patches (SUPEE-5994, SUPEE-6285, SUPEE-6482), including the new one issued earlier this week, SUPEE-6482.

There are no confirmed reports of attacks related to these issues to date, but it is important that you either upgrade to Magento EE 1.14.2.1 or deploy the patch immediately in order to protect your store.

Magento Enterprise Edition 1.14.2.1 includes:

  • Improvements: Addressed performance issue related to Google Tag Manager.
  • Improvements: Addressed performance issues related to logging module.
  • Fixes: Fixed an issue that caused content from a block saved in the HTML output cache to be loaded into a CMS static block.
  • SUPEE-6482 – Autoloaded File Inclusion in Magento SOAP API: Incorrect validation of a SOAP API request makes it possible to autoload code. The exploit requires the attacker to first log in with API credentials. Depending on the PHP version and/or configuration settings, code can then be loaded from a remote location.
  • SUPEE-6482 – SSRF Vulnerability in WSDL File: Incorrect encoding of API password can lead to probing internal network resources or remote file inclusion.
  • SUPEE-6482 – Cross-site Scripting Using Unvalidated Headers: Unvalidated host header leaks into response and page. Because the page can be cached, this leak poses a risk for all store customers because any HTML or JavaScript code can be injected. Such an exploit works only with specific server configurations, and allows an attacker to intercept a session or modify a page with fake credit card forms, etc.
  • SUPEE-6482 – XSS in Gift Registry Search: Cross-site scripting vulnerability that affects registered users. The attack works through an unescaped search parameter and carries a risk of cookie theft and impersonation of the user.
  • SUPEE-6237 – USPS API Patch: On May 31, 2015, USPS made changes to their API that impact international shipping rate requests to and from Canada. As a result, some Canadian shipping rates are returned incorrectly, and customers are unable to see all available shipping options. The USPS API patch was released on June 18, to ensure that Canadian international shipping rates are returned correctly, and that customers can see all available shipping options during checkout. The patch is included as part of the Magento Enterprise 1.14.2.1 release.
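
For the unvalidated Host header item above, the following is an added example (not Magento code and not the content of SUPEE-6482) of a general mitigation: check the header against an allowlist before it is used in any output that may be cached. The host names, constants and function names are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example. ALLOWED_HOSTS and CANONICAL_HOST are assumed store domains.
const ALLOWED_HOSTS  = ['shop.example.com', 'www.shop.example.com'];
const CANONICAL_HOST = 'shop.example.com';

/**
 * Return a host name that is safe to place in generated URLs.
 * Any value that is missing, malformed or not allowlisted falls back
 * to the canonical host, so it can never reach a cached page.
 */
function trusted_host(?string $rawHost): string
{
    if ($rawHost === null) {
        return CANONICAL_HOST;
    }
    $host = strtolower(trim($rawHost));

    // Strip an optional ":port" suffix before comparing.
    if (preg_match('/^(.*):(\d{1,5})$/', $host, $m)) {
        $host = $m[1];
    }

    // Hostname grammar only: labels of letters, digits and hyphens.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match('/^(?=.{1,253}$)' . $label . '(?:\.' . $label . ')*$/', $host)) {
        return CANONICAL_HOST;
    }

    return in_array($host, ALLOWED_HOSTS, true) ? $host : CANONICAL_HOST;
}

/** Build the base URL; escape on output as a second layer of defense. */
function base_url(?string $rawHost): string
{
    return 'https://' . htmlspecialchars(trusted_host($rawHost), ENT_QUOTES, 'UTF-8') . '/';
}

// Constructed sample Host header values; a real caller would pass
// $_SERVER['HTTP_HOST'] ?? null instead.
$samples = [
    'shop.example.com',                   // allowlisted
    'WWW.Shop.Example.com:443',           // allowlisted after normalization
    'other.example',                      // valid syntax, not allowlisted
    'shop.example.com"><b>injected</b>',  // markup in the header
];
foreach ($samples as $h) {
    printf("%-38s => %s\n", $h, base_url($h));
}
```

The same restriction can be enforced earlier by configuring the web server to answer only for the store's own host names.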

Magento Mobile SDK for Android

The Magento Mobile Software Development Kit (SDK) for Android is also available. The Magento Mobile SDK for Android includes a library of Android resources that makes it faster and easier to create full-featured Magento mobile applications. The SDK is available only to Enterprise Edition customers, and includes a sample application that can be customized by merchants to accelerate development. With this release, Enterprise Edition merchants can more easily create both iOS and Android applications. The Mobile Software Development Kit is available for download from the Partner Portal and from the dashboard of your Magento account.

For more technical information about Magento EE 1.14.2.1, please visit the release notes.

Please Note: We do NOT recommend upgrading a production installation of Magento directly. Please back up the database and all files before upgrading. Please make sure to check the compatibility of your plugins and themes before you upgrade.