
Magento 2.2.5 and 2.1.14 Security Update

By Steffi, 5 months ago


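Magento Commerce and Open Source 2.2.5 and 2.1.14 contain multiple security enhancements that help close authenticated admin user remote code execution (RCE), cross-site request forgery (CSRF), and other vulnerabilities. Users who have not previously downloaded a Magento 2 release should go directly to Magento Commerce or Open Source 2.2.5. For additional information on how to secure your site, see Security Best Practices.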

Choose the release that fits your installation from the options below to apply this security update:

Magento partners:

 

Magento Commerce 2.2.5 (New .zip file installations) Partner Portal > Downloads  > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.5
Magento Commerce 2.1.14 (New .zip file installations) Partner Portal > Downloads  > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.14
Magento Commerce 2.2.5 and 2.1.14 (New composer installations) https://devdocs.magento.com/guides/v2.2/install-gde/prereq/integrator_install.html
Magento Commerce 2.2.5 and 2.1.14 (Composer upgrades) https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

 

Magento Commerce:

 

Magento Commerce 2.2.5 (New .zip file installations) My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.5
Magento Commerce 2.1.14 (New .zip file installations) My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.14
Magento Commerce 2.2.5 and 2.1.14 (New composer installations) https://devdocs.magento.com/guides/v2.2/install-gde/prereq/integrator_install.html
Magento Commerce 2.2.5 and 2.1.14 (Composer upgrades) https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

 

Magento Open Source:

 

Magento Open Source 2.2.5 and 2.1.14 (New .zip file installations) Magento Open Source Download Page > Download Tab
Magento Open Source 2.2.5 and 2.1.14 (New composer installations) https://devdocs.magento.com/guides/v2.2/install-gde/prereq/integrator_install.html
Magento Open Source 2.2.5 and 2.1.14 (Composer upgrades) https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html
Magento Open Source 2.2.5 and 2.1.14 (Developers contributing to the Open Source code base) https://devdocs.magento.com/guides/v2.2/install-gde/install/cli/dev_options.html

 

This update includes the following fixes:

 

APPSEC-2014: Authenticated Remote Code Execution (RCE) through the Magento admin panel (swatches module)
APPSEC-2054: Remote Code Execution (RCE) via product import
APPSEC-2042: PHP Object Injection and RCE in the Magento 2 EE admin panel (Commerce Target Rule module)
APPSEC-2055: PHP Object Injection and RCE in the Magento 2 Commerce admin panel (Schedule Import/Export Configuration)
APPSEC-2048: SQL Injection through API
APPSEC-2025: Arbitrary File Delete via Product Image
APPSEC-2044: Cross-Site Scripting (XSS) through B2B quote
APPSEC-2026: Authenticated Remote Code Execution (RCE) through the Magento admin panel (currency configuration)
APPSEC-2070: Directory Traversal in Product Import
APPSEC-2062: Remote Code Execution (RCE) through dev tools
APPSEC-2027: PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce)
APPSEC-2010: Cross-Site Request Forgery + Frontend Stored XSS (Design Configuration)
APPSEC-2006: Stored cross-site scripting (XSS) through the Enterprise Logging extension
APPSEC-2030: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)
APPSEC-1716: X-Frame-Options missing from templates
APPSEC-1993: IP Spoofing

For more information, see the official Magento notes.


The above content was written and produced by Astralweb 歐斯瑞.

