Magento 2.0.10
26 October 2016
Magento version 2.0.10 is now available (security release).
Upgrading to Magento 2.0.10
Magento 2.0.10 can be installed, or upgraded to, using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply Magento updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing Magento install and test the 2.0.10 upgrade before applying it to the live site. Get started managing your Magento installations with Installatron
What's New in Magento 2.0.10
Security
- You can no longer delete a currently logged-in user.
- Fixed issue that occurred during update with disclosure of the application's internal path.
- Fixed issue that occurred during setup with disclosure of the application's internal path.
- Sessions now expire as expected after logout.
- Fixed issue with using the Magento Enterprise Edition invitations feature to insert malicious JavaScript and subsequently execute it in the Admin context.
- You can no longer change or fake a product price from the Magento storefront and then complete an order with that fake price.
- A user with lesser privileges can no longer use a JSON call to force an Admin user to add his private or public key.
- Fixed remote code execution issue in checkout.
- Upgrade now places stores in maintenance mode as expected. (GITHUB-3191)
- Resolved issue with potential SQL injection through the use of the ordering or grouping parameters.
- Fixed issue with retrieving potentially sensitive information through the use of backend media.
- The Guest order view protection code is no longer vulnerable to brute force attacks.
- Fixed vulnerability to DoS attacks by full page cache poisoning.
- Removed vulnerability in cart checkout experience by enhancing server-side CSRF validation.
- Resolved a potential vulnerability in which customer addresses could be deleted. You can no longer deceive a user into deleting his store address book entries.
- Fixed issue with XSS reflection in the loading section of REST requests.
- Fixed issue with potential storage of malicious XSS code in the body of an email template. (A malicious user could use this script to steal user information and cookies, or to bypass cross-site request forgery protection.)
Sales API enhancements
- We've added the ability to change the status of a shipment through the web API. The new ShipOrder interface supports tasks you can already do through the Admin dashboard, including the ability to: create a shipment document (full or partial); add details about shipped items to an order; change the status and state of an order according to the performed actions; notify the customer about a new shipment document.
- We've added the ability to change the status of an invoice through the web API. The new InvoiceOrder interface supports tasks you can already do through the Admin dashboard, including the ability to: create an invoice document (full or partial); capture the money authorized with the order payment; notify a customer about document creation; change the order status and state.
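The two new interfaces are exposed over Magento's REST web API, so the usual way to drive them is an authenticated POST per order. The script below is an added example, not code from these release notes or from Magento: it builds the request bodies for a partial shipment with a tracking number and for an invoice that captures payment, then posts them with curl. The base URL, token, order and item ids, carrier code and tracking number are placeholders (the tracking number is a constructed sample), and the route paths and field names are assumed from the webapi.xml routes Magento maps to ShipOrderInterface and InvoiceOrderInterface; check them against your own installation before relying on them.

```shell
#!/bin/sh
# Added example for the Magento 2.0.10 ShipOrder / InvoiceOrder web API.
# Not code from the release notes or from Magento itself.
# ASSUMPTIONS (verify on your install): the REST routes
#   POST /rest/V1/order/{orderId}/ship     -> ShipOrderInterface::execute
#   POST /rest/V1/order/{orderId}/invoice  -> InvoiceOrderInterface::execute
# and the JSON field names used below. Base URL and token are placeholders.

MAGENTO_BASE_URL="${MAGENTO_BASE_URL:-https://shop.example.test}"          # assumption
MAGENTO_TOKEN="${MAGENTO_TOKEN:-REPLACE_WITH_INTEGRATION_OR_ADMIN_TOKEN}" # assumption

# JSON body for a (partial) shipment of one order item with a tracking entry.
# Arguments: order_item_id qty carrier_code track_number
ship_order_payload() {
  order_item_id="$1"; qty="$2"; carrier_code="$3"; track_number="$4"
  printf '{"items":[{"order_item_id":%s,"qty":%s}],"notify":true,"appendComment":true,"comment":{"comment":"Shipped via web API","is_visible_on_front":0},"tracks":[{"track_number":"%s","title":"%s","carrier_code":"%s"}]}' \
    "$order_item_id" "$qty" "$track_number" "$carrier_code" "$carrier_code"
}

# JSON body for a (partial) invoice; capture=true also captures the payment.
# Arguments: order_item_id qty capture(true|false)
invoice_order_payload() {
  order_item_id="$1"; qty="$2"; capture="$3"
  printf '{"capture":%s,"items":[{"order_item_id":%s,"qty":%s}],"notify":true,"appendComment":true,"comment":{"comment":"Invoiced via web API","is_visible_on_front":0}}' \
    "$capture" "$order_item_id" "$qty"
}

# POST a body to one of the new sales routes. On success Magento returns the
# id of the created shipment or invoice. --fail makes curl exit non-zero on
# 4xx/5xx so a rejected call (bad token, missing ACL, already shipped) stops
# a calling script instead of being silently ignored.
# Arguments: route (ship|invoice) order_id json_body
sales_api_post() {
  route="$1"; order_id="$2"; body="$3"
  curl --silent --show-error --fail \
    -X POST "${MAGENTO_BASE_URL}/rest/V1/order/${order_id}/${route}" \
    -H "Authorization: Bearer ${MAGENTO_TOKEN}" \
    -H "Content-Type: application/json" \
    --data "$body"
}

# Only talk to the network when invoked as: ./sales_api.sh --run ORDER_ID ORDER_ITEM_ID
# so the payload builders can be sourced and checked without a server.
if [ "${1:-}" = "--run" ]; then
  order_id="$2"; item_id="$3"
  sales_api_post ship "$order_id" "$(ship_order_payload "$item_id" 1 ups 1Z999AA10123456784)"
  echo
  sales_api_post invoice "$order_id" "$(invoice_order_payload "$item_id" 1 true)"
  echo
fi
```

Use a token issued to an integration (or an admin user) whose ACL includes only the Sales resources these two calls need; the token in the Authorization header is what authorizes creating shipments and capturing funds, so it should not be the same broad token used for catalog or configuration work.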
Performance
- We've improved the load speed of the configurable product form.
- We've improved the load speed of the review step for the wizard used to create a configurable product.
Tracking and shipping
- Changing the city field of an order now affects the shipping rate as expected. Previously, the shipping rate was not updated when you changed the city on your order form.
- Magento now returns UPS shipping rates for Puerto Rico.
- Magento no longer throws an exception if you enter an invalid FedEx shipment tracking number.
Cart and checkout
- Magento now updates the mini cart as expected when you reorder an item. Previously, Magento added the reordered items to the shopping cart, but the mini cart did not update its item count. (GITHUB-6121)
- You can now use an alternative Merchant Account ID when using Braintree as a payment method. (GITHUB-5910)
General fixes
- Magento now returns you to the Admin dashboard after you've successfully changed your Admin password. Previously, Magento prompted you to change your password even after you just successfully changed it. (GITHUB-4331)
- You can now update multiselect attribute values for multiple products from the server side. (GITHUB-5459)
- State/Province field is now displayed as required on the Add New Address page. (GITHUB-5279)
- Maestro credit card now passes validation.
- The cursor now appears as expected when you edit a product description.
- Visual swatches are now displayed in search results.
- Fixed issue where the GiftRegistry *.less file was not properly packaged in the Composer package.
- Removed the paging functionality for configurable product variations.
- The order comment timestamp now correctly reflects the time that the comment was submitted, not when the page was last refreshed. (GITHUB-5719), (GITHUB-5890)
Known issues
- Issue: The email logo for transactional emails cannot be uploaded successfully (GITHUB-6275). Workaround: Create a header template and reference the image location with an absolute URL.
- Issue: Cannot save a custom transactional email logo. Workaround: None.
- Issue: The scope selector on the Product page does not display all websites associated with a restricted user. Workaround: None.