Yesterday Magento announced release of Magento Community Edition 1.9.2.2 and Magento Enterprise Edition 1.14.2.2
There are no new features added this time; the theme of this release is Security.
The list of improvements that makes it harder for criminals to hack Magento based online stores includes such areas as:
- Cross-site Scripting through Unvalidated Headers
- Magento Configuration Exposure in Error Messages
- Access to Protected Data via Email templates
- XXE/XEE Attack on via API calls
- Potential SQL Injection in Magento Core Model Base Classes
- Potential Remote Code Execution via Cron (Shellshock)
- Remote Code Execution through File Custom Option
- Cross-site Scripting with Error Messages
- Potential Remote Code Execution Using Error Reports and Downloadable Products
- Admin Path Disclosure
- Better Protection of Password Reset Process
- Hardening Dev Folder access
Full information is available at in the official release notes for Magento Community
If you are prefer to stay on your current version of Magento, there is a patch available that solves the issues listed above. It is called SUPEE-6788 and available for download from Magento website.
Important note, that part of the security improvements (namely Admin Path Disclosure) doesn’t have back compatibility, hence it may break some (actually quite many) of your extensions. There is a community support list of the extension that need to be modified before applying part of SUPEE-6788 patch that changes admin path, you can have a look and very likely see there some of the extension used on your website.
So upgrade to new versions of Magento or patch with SUPEE-6788 with care or ask for professional help.
