Magento 2.1.14
28 June 2018
Magento version 2.1.14 is now available (security release).
Upgrading to Magento 2.1.14
Magento 2.1.14 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Magento updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Magento install to test the 2.1.14 upgrade prior to applying it live. Get started managing your Magento installations with Installatron.
What's New in Magento 2.1.14
This release includes multiple enhancements to product security plus bug fixes and enhancements.
Highlights
Magento 2.1.14 contains 38 security fixes and enhancements. The enhancements help close stored XSS, SQL injection, and cross-site request forgery (CSRF) vulnerabilities. See Magento Security Center for more information.
Bug Fixes
- The magento cron:run command now runs scheduled jobs as expected. Previously, cron generated only one job, no matter how many jobs were scheduled.
- The misspelling in the name of the namespace in Magento\Cron\Observer\ProcessCronQueueObserver.php has been fixed. Previously, this misspelling resulted in a fatal error when this class was instantiated and run.
- The magento setup:di:compile command now supports quoting for base paths. Previously, this command tried to exclude paths from the compilation process via regex in the excludedPathsList property. However, that property does not use quoting but instead contains the full path to Magento, which resulted in the failure to exclude some paths (for example, /var/www/magento (1)/).
- Store getConfig() now respects valid false return values. Previously, the system represented the no setting as a string value of 0 (and 0 equals false), and as a result, this method fetched the default configuration values when a configuration value was set to no.
- All console commands now return status.
- We’ve added the web/unsecure/base_url config to both website and store scopes.
- Magento now checks if storeId is not null rather than checking if it is empty. Previously, because the empty check returned true for a storeId of 0, Magento could not create a CMS page for all store views.
- Magento no longer displays HTML tags in product meta descriptions.
- The layout of catalog_rule_promo_catalog_edit.xml has been changed to adjust sidebar settings. Specifically, the layout attribute value has been changed from admin-2columns-left to admin-1column.
- The Catalog Price rule’s contains condition now works as expected when the contains condition allows multiple options.
- Enhancements to LESS code include moving several LESS variables to .lib-dropdown() variables and adding font-weight variable to navigation.less.
- We’ve improved the display of the Payment Methods section of the checkout page on mobile devices. Previously, the layout of page elements was not correctly spaced.
- You can now successfully override settings in module-directory/etc/zip_codes.xml. Previously, when you tried to override these settings, Magento displayed only the last pattern from the module’s zip_codes.xml.
- Magento now displays accurate configurable product prices in multi-store environments. Previously, Magento displayed the same configurable product prices for all stores after the first store emulation.
- You can now successfully save an address with a blank address field. Previously, when you saved an address that contained no text in an optional address field, Magento threw this error: 'Exception' with message 'Notice: Array to string conversion on line 2903 in lib/internal/Magento/Framework/DB/Adapter/Pdo/Mysql.php'.
- We’ve removed <title>Billing Agreements</title> from the customer_account.xml file in the PayPal module.
- The color of the button on the email template when a user hovers over it has been changed from @button-primary__color to @button-primary__hover__color.
- We’ve added JSON and XML support to the post method in the \Magento\Framework\HTTP\Client\Socket class.
- Navigation menus without the display: inline-block setting now work as expected on deployments running on Internet Explorer 11.x. Previously, after a page refresh, navigation menus on pages running Luma or Blank themes would not work.
- You can now successfully prevent the removal of a block or container by setting the remove attribute to false. Previously, setting this attribute to false did not cancel the removal of a block or container.
- String type was added to \Magento\Framework\HTTP\Client\Curl to support sending JSON or XML requests.
- We’ve improved the ability to store passwords using different hashing algorithms. These improvements include changes to \Magento\Framework\Encryption\Encryptor::getHash, which previously ignored the specified hashing algorithm version that was supplied.
- You can now cancel the removal of a block or container from a layout by setting the remove attribute value to false.
- You can now add an XML comment node as a parameter when adding a new widget declaration to widget.xml. Previously, if you added a comment as a parameter to a widget declaration, Magento displayed a 500 error.
- The setAttributeFilter method now specifies the relevant table when calling the addFieldToFilter method. This method is called as part of the process of adding a field to the filter for the collection Eav/Model/ResourceModel/Entity/Attribute/Option/Collection.php. Previously, Magento displayed an error (ambiguous column name) when you joined tables containing column attribute_id.
- We’ve added a CodeTriage badge to the magento/magento2 GitHub repository. See CodeTriage for more information.
- The catalog gallery allowfullscreen setting in the theme’s view.xml file now works as expected. Previously, when you set the gallery’s allowfullscreen variable to false, Magento displayed a white page (instead of the product page) when a customer tapped on a product image while using a mobile device.
- We’ve removed the ability of the Magento Framework to explicitly set file and directory permissions from the default cache backend. Removing this functionality allows permissions to be inherited properly from the file system, and respects SETGID bit and Magento umask settings.
- Magento now installs the AdminGws module after it installs Magento_Authorization.
- We added a RewriteBase directive template to the .htaccess file in the pub/static folder. Previously, if you set this directive in the .htaccess file in your Magento root directory, the Apache web server would miss files.
- The robots.txt response header content type is now plain text.
- Load query no longer uses requireJS to print.
- You can now use a parameter to change the store code in Swagger, which makes it possible to test API calls in Swagger for different storeviews.
- You can now use JavaScript mixins to extend swatch functionality in all supported browsers.
- You can now translate the text associated with rating stars in product reviews.
- We’ve fixed issues with the JavaScript translation regex file that previously led to untranslatable strings or parts of strings.
- We’ve added a mage/translate component to the customer AJAX login action component, which enables the translation of the message that Magento displays if an AJAX call fails (Could not authenticate. Please try again later). Previously, Magento printed that message in English only, regardless of the storefront’s language setting.
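
The cache-backend change listed above (permissions inherited from the file system instead of being set explicitly) can be verified on a host with an audit like the one below. This is an added example, not Magento or Installatron code; the entry names, the 0o027 umask and the sample tree are constructed assumptions.

```python
import os
import stat
import tempfile

def audit_cache_tree(root, umask):
    """Return (relative path, octal mode, reason) for entries that break inheritance.

    An entry carrying permission bits that `umask` masks out was chmod'ed
    explicitly after creation. A directory without setgid under a setgid
    parent has lost group inheritance the same way.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent_setgid = bool(os.stat(dirpath).st_mode & stat.S_ISGID)
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful on Linux
            rel = os.path.relpath(path, root)
            perms = stat.S_IMODE(st.st_mode)
            if perms & umask & 0o777:
                findings.append((rel, oct(perms & 0o777), "bits forbidden by umask"))
            if stat.S_ISDIR(st.st_mode) and parent_setgid and not perms & stat.S_ISGID:
                findings.append((rel, oct(perms), "setgid not inherited"))
    return findings

def build_sample_tree(umask=0o027):
    """Constructed sample: one entry created the inherited way, one chmod'ed explicitly."""
    root = tempfile.mkdtemp(prefix="cache-audit-")
    old = os.umask(umask)
    try:
        # Inherited: the kernel applies the umask to the requested 0666.
        fd = os.open(os.path.join(root, "entry_inherited"), os.O_CREAT | os.O_WRONLY, 0o666)
        os.close(fd)
        # Explicit: chmod after creation ignores the umask entirely.
        forced = os.path.join(root, "entry_forced")
        fd = os.open(forced, os.O_CREAT | os.O_WRONLY, 0o666)
        os.close(fd)
        os.chmod(forced, 0o666)
    finally:
        os.umask(old)
    return root

if __name__ == "__main__":
    for finding in audit_cache_tree(build_sample_tree(), 0o027):
        print(finding)
```

Pass the umask the web server and CLI user actually run with; entries reported after the upgrade were written by code that still sets modes explicitly or predate the fix.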