Hosting Magento

2.2.3
 (security release)
28 February - 450MBThis release includes 35 enhancements to product security, a change to the Magento Admin to support recent USPS shipping changes, and a copyright update.



Highlights

Enhancements that help close cross-site request forgery (CSRF), unauthorized data leaks, and authenticated Admin user remote code execution vulnerabilities.

Support for Elasticsearch 5.x. See Install and configure Elasticsearch for more information about using Elasticsearch with Magento.

Change to Magento Admin to support recent USPS shipping changes. On February 23, 2018, USPS removed APIs that support the creation of shipping labels without postage. In response, we’ve removed this functionality from the Magento Admin. Consequently, you cannot create and print shipping labels that do not have postage applied. If you require USPS postage printing capabilities, please visit Magento Shipping to learn more, and explore various shipping extensions on Magento Marketplace.

New layers of control for cache management tasks managed through the Magento Admin. This release introduces finer permissions for cache management tasks such as flushing cache storage, flushing the Magento cache, and refreshing cache types.

Updated copyright to 2018.

Read more: http://devdocs.magento.com/guides/v2.2/release-notes/ReleaseNotes2.2.3CE.html






2.2.2

11 February - 450MBHighlights

Significant new features that streamline the customer experience and provide merchants with greater insight into their online business.

Numerous fixes and enhancements to core features, including significant improvements to the payment process.

Over one hundred community-submitted bug fixes and multiple pull requests.



New Features

Advanced Reporting powered by Magento Business Intelligence. Access easy-to-use order, product, and customer reports right from the Magento Admin to gain new insights and enable data-driven decision making.

Magento Shipping (powered by Temando). This new feature provides integrated advanced multi-carrier shipping and fulfillment.

Streamlined Instant Purchase checkout (contributed by Creatuity). Our new streamlined Instant Purchase option uses previously stored payment credentials and shipping information to bypass steps in the checkout process.

Integrated dotmailer marketing automation software. Magento is one of the first ecommerce solutions to include the dotmailer marketing automation with their core product.

Magento Functional Testing Framework. The Magento Functional Testing Framework (MTFT) is our open-source, cross-platform testing solution. Its purpose is to facilitate functional testing and minimize efforts to perform regression testing.



Bug Fixes

Significant enhancements for payment methods. We’ve added support for the Indian Rupee (INR) to PayPal Express Checkout. We’ve also added a fix for an issue where some Braintree refunds did not work.

Improvements to multi-storeview sites. Switching store views multiple times no longer results in an error on the storefront.

New functionality for the command-line interface. We’ve added interactivity to the admin:user:create command and added the ability to handle CLI setup interactively (with prompts).

You can now use the Enter key (in addition to a mouse click) to search tables in the Admin.

Magento no longer creates duplicate shipments when merchants create shipments with bundled products via API.



This release also includes dozens of bug fixes plus a substantial number of contributions from the wider Magento community.
Read more: http://devdocs.magento.com/guides/v2.2/release-notes/ReleaseNotes2.2.2CE.html






2.2.1
 (security release)
7 November 2017 - 450MBThese releases contain almost 15 security changes that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. They also contain over 40 functional enhancements, including significant contributions from community members.



Highlights

Integrated Signifyd Fraud Protection is now available in Magento Open Source. See Signifyd fraud protection for more information.

Ability to implement translations from themes. We've also significantly reduced JavaScript-related translation issues.

Improvements to how the PayPal Express Checkout payment method processes virtual products.

Multiple enhancements to product security. See Magento Security Center for more information.

Twenty-two community-submitted bug fixes and multiple pull requests.



Security

Magento 2.2.1 includes multiple security enhancements. Although this release includes these enhancements, no confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions, so we recommend that you upgrade your Magento software to the latest version as soon as possible.






2.2.0
 (major version)
30 October 2017 - 450MBThis release includes hundreds of functional fixes plus a wealth of new features: a bundled extension, upgraded technology stack, performance gains from improvements in indexing, cart, and cache operation, and significant enhancements in platform security and developer experience.



Highlights

Bundled extensions. This release of Magento includes the first third-party extension that we are bundling with Magento Commerce – Magento Social. This extension establishes a connection between your store and your corporate Facebook account, and creates a page with products from your catalog. When shoppers click a product, they are redirected to the corresponding product page in your Magento store.

Significant enhancements in platform security and developer experience. Security improvements include the removal of unserialize calls and protection of this functionality to increase resilence against dangerous code execution attacks. We have also continued to review and improve our protection against Cross-Site Scripting (XSS) attacks.

Upgraded technology stack. We’ve dropped support for PHP 5.6, and Varnish 3. We now support PHP 7.1 Varnish 5, and MySQL 5.7. All third-party libraries have been upgraded to the latest stable version.

Pipeline deployment, a new deployment process, enables build and deployment stages to minimize production system downtime for site updates. Resource-intensive processes can run on the build server. Pipeline deployment supports easy management of configuration between environments, too. Read more about pipeline deployment here.

Performance gains from improvements in indexing, cart, and cache operations. Customers can browse and shop on a storefront while indexers are running with no visible impact to their experience. Additionally, long-running indexers operate in batches to better manage memory and run times. Cart improvements enable a buyer to create a cart with more than 300 line items, and merchants can process a cart with at least 300 line items. Varnish cache configuration now includes saint and grace mode to ensure Varnish is always presenting a cached page to a shop’s customers. Enhancements to cache invalidation logic and optimization of edge side include blocks for frequently changing data that significantly boost cache hit ratios.

Substantial contributions from our Community members. Our Community Engineering Team has been working with skilled and enthusiastic community members, and together they’ve added hundreds of pull requests to the Magento code base. For more information about our Community Engineering Team. see Magento Community Engineering.



display more versions




2.1.12
 (security release)
28 February - 450MBThis release contains 38 security fixes and enhancements.



Highlights

Enhancements that help close authenticated Admin user remote code execution, unauthorized data leaks, and cross-site request forgery (CSRF) vulnerabilities.

Change to Magento Admin to support upcoming USPS shipping changes. On February 23, 2018, USPS removed APIs that support the creation of shipping labels without postage. In response, we’ve removed this functionality from the Magento Admin. Consequently, you cannot create and print shipping labels that do not have postage applied. If you require USPS postage printing capabilities, please visit Magento Shipping to learn more, and explore various shipping extensions on Magento Marketplace.

Updated copyright to 2018.

Read more: http://devdocs.magento.com/guides/v2.1/release-notes/ReleaseNotes2.1.12CE.html






2.1.11
 (security release)
11 January - 450MBThis release includes multiple security enhancements. Although this release includes these enhancements, no confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions, so we recommend that you upgrade your Magento software to the latest version as soon as possible.



2.1.11



Highlights

Significant enhancements for payment methods. We’ve fixed an issue where some Braintree refunds did not work. Braintree online refunds now work when you are using two Braintree accounts on two separate websites.

Corrected sitemap generation. Magento no longer generates the sitemap in the wrong directory when vhost is connected to /pub. Previously, Magento generated the sitemap in the root folder instead of the pub folder. GitHub-2802

When a simple child product on a configurable product has a lower price (either regular, or special price) than the other options (variations), the configurable product without any selected options now indicates that the price could be “As low as” = . Previously, if a simple child product has a price that is lower than the other options, and no options on the configurable product have been selected yet, the configurable product will be shown with with the lowest available price.

You can now add a configurable product to your cart from the Category page. Previously, you had to review the product on the Product page before adding it to your cart.



New Features

Support for the Indian Rupee (INR) in PayPal Express Checkout

New commands and functionality for the command-line interface. We’ve added interactivity to the admin:user:create command, and added the ability to handle CLI setup interactively (with prompts).



This release also includes dozens of bug fixes plus a substantial number of contributions from the wider Magento community.



2.1.10



Highlights

Significant reduction in JavaScript-related translation issues.

Improvements to how the PayPal Express Checkout payment method processes virtual products.

Multiple enhancements to product security. See Magento Security Center for more information.

Forty-four community-submitted bug fixes and multiple pull requests. These pull requests feature improvements in cacheing for configurable products (pull request 9809) and enhancements to the URL rewrite mechanism (pull request 10164).

Support for management of multiple instances in the same crontab. These two new CLI commands (cron:install and cron:remove) were submitted by community member adrian-martinez-interactiv4.



This release also includes dozens of bug fixes and multiple security fixes.
Read more: http://devdocs.magento.com/guides/v2.1/release-notes/ReleaseNotes2.1.11CE.html






2.1.9

30 September 2017 - 450MBMagento 2.1.9 contains almost 40 security fixes and enhancements.



Highlights

Enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. See Magento 2.0.16 and 2.1.9 Security Patches for a comprehensive discussion of these issues.

Support for changes to the USPS API that USPS implemented on September 1, 2017

Fixed issue with logging information about exceptions caused by payment failures

Change to how Magento displays status updates during upgrade.






2.1.8

1 September 2017 - 438MBMagento 2.1.8 contains over 100 functional fixes and enhancements as well as pull requests from the community. Look for the following highlights in this release:



Highlights

Multiple enhancements to static content deployment and generation

Improvements to indexing of large catalogs, cache tuning, and **URL re-writes

Reduction in the amount of memory that mass actions require, and performance optimization

Faster deployments for multi-language sites






2.1.7
 (security release)
1 June 2017 - 438MBMagento 2.1.7 contains over 15 security enhancements as well as critical enhancements to the security of your Magento software.



Highlights

Support for MasterCard BIN number expansion. MasterCard recently added a new series of Bank Identification Numbers (BIN), and this release of Magento provides support for transactions made with cards using these new BINs. MasterCard describes the issue here.

Resolution of multiple high priority and critical security issues. These critical issues include remote code execution for authenticated Admin users, access control bypass, and cross-site request forgery issues. See Magento 2.0.14 and 2.1.7 Security Patches for a comprehensive discussion of these issues.

Reversion of the changes to image resizing that we introduced in 2.1.6. Certain image resizing changes introduced unanticipated problems. We have reverted these changes in this release, and will provide improvements to image resizing in a future product update.






2.1.6
 (major version)
27 April 2017 - 438MBHighlights

PayPal enhancements include PayPal in-context checkout and saved credit cards. In-context checkout helps to increase conversion rates 69 bps by allowing shoppers to pay with PayPal without leaving the merchant’s site. PayPal saved credit cards boost repeat purchases by allowing merchants to securely store credit card information with PayPal so customers do not need to re-enter it in checkout or when reordering items from the Admin interface.

Braintree Hosted Fields securely collect all sensitive payment information in checkout so merchants can qualify for the simplest set of PCI compliance requirements. Merchants retain complete control over their checkout style and layout because Braintree gathers credit card data using small, transparent iframes that replace individual payment fields. Braintree settlement reports are now also conveniently available within the Magento Admin.

Improved management interfaces make it faster and easier to search for information in the Admin, set up global search synonyms, and create new product, category, and CMS content.






2.0.18
 (security release)
28 February - 310MBThis release includes 35 enhancements to product security, a change to the Magento Admin to recent upcoming USPS shipping changes, and a copyright update.



Highlights

Enhancements that help close authenticated Admin user remote code execution, unauthorized data leaks, and cross-site request forgery (CSRF) vulnerabilities.

Change to Magento Admin to support upcoming USPS shipping changes. On February 23, 2018, USPS removed APIs that support the creation of shipping labels without postage. In response, we’ve removed this functionality from the Magento Admin. Consequently, you cannot create and print shipping labels that do not have postage applied. If you require USPS postage printing capabilities, please visit Magento Shipping to learn more, and explore various shipping extensions on Magento Marketplace.

Updated copyright for 2018.






2.0.17
 (security release)
7 November 2017 - 310MBMagento 2.0.17 contains almost 40 security fixes and enhancements.



Highlights

Ability to implement translations from themes. We've also significantly reduced JavaScript-related translation issues.

Improvements to how the PayPal Express Checkout payment method processes virtual products.

Multiple enhancements to product security. See Magento Security Center for more information.



Security

Magento 2.0.17 includes multiple security enhancements. Although this release includes these enhancements, no confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions, so we recommend that you upgrade your Magento software to the latest version as soon as possible.






2.0.16
 (security release)
15 September 2017 - 310MBMagento 2.0.16 contains almost 40 security fixes and enhancements.



Highlights

enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. See Magento 2.0.16 and 2.1.9 Security Patches for a comprehensive discussion of these issues.

support for changes to the USPS API that USPS implemented on September 1, 2017

change to how Magento displays status updates during upgrade.






2.0.15

18 July 2017 - 310MBMagento 2.0.15 includes only one enhancement: Support for changes in PayPal's Instant Payment Notification (IPN) service.





2.0.14
 (security release)
1 June 2017 - 310MBMagento 2.0.14 contains over 15 security enhancements as well as critical enhancements to the security of your Magento software.



Highlights

Support for MasterCard BIN number expansion. MasterCard recently added a new series of Bank Identification Numbers (BIN), and this release of Magento provides support for transactions made with cards using these new BINs. MasterCard describes the issue here.

Resolution of multiple high priority and critical security issues. These critical issues include remote code execution for authenticated Admin users, access control bypass, and cross-site request forgery issues. See Magento 2.0.14 and 2.1.7 Security Patches for a comprehensive discussion of these issues.






2.0.13

17 April 2017 - 310MBMagento 2.0.13 updates the copyright date in every file. It does not contain any functional changes or security improvements. Isolating these changes in a single release is intended to simplify future updates and developer workflow.





2.0.12
 (major version) (security release)
7 February 2017 - 310MBMagento 2.0.12 contains more than 20 functional fixes and enhancements and one security enhancement.



Highlights

Removal of vulnerability with the Zend framework Zend_Mail library. 

Updates to the catalog, payment, and sales modules.



Security

his release includes an important enhancement to the security of your Magento software. While there are no confirmed attacks related to the Zend framework Zend_Mail library vulnerability to date, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. We recommend that you upgrade your existing Magento software to the latest version as soon as possible.






2.0.10
 (security release)
26 October 2016 - 310MBSecurity

You can no longer delete a currently logged-in user.

Fixed issue that occurred during update with disclosure of the application's internal path.

Fixed issue that occurred during setup with disclosure of the application's internal path.

Sessions now expire as expected after logout.

Fixed issue with using the Magento Enterprise Edition invitations feature to insert malicious JavaScript and subsequently execute it in the Admin context.

You can no longer change or fake a product price from the Magento storefront and then complete an order with that fake price.

A user with lesser privileges can no longer use a JSON call to force an Admin user to add his private or public key.

Fixed remote code execution issue in checkout.

Upgrade now places stores in maintenance mode as expected. (GITHUB-3191)

Resolved issue with potential SQL injection through the use of the ordering or grouping parameters.

Fixed issue with retrieving potentially sensitive information through the use of backend media.

The Guest order view protection code is no longer vulnerable to brute force attacks.

Fixed vulnerability to DoS attacks by full page cache poisoning.

Removed vulnerability in cart checkout experience by enhancing server-side CSRF validation.

Resolved a potential vulnerability in which customer addresses could be deleted. You can no longer deceive a user into deleting his store address book entries.

Fixed issue with XSS reflection in the loading section of REST requests.

Fixed issue with potential storage of malicious XSS code in the body of an email template. (A malicious user could use this this script to steal user information and cookies, or to bypass cross-site request forgery protection.)



Sales API enhancements

We've added the ability to change the status of a shipment through the web API. The new ShipOrder interface support tasks you can already do through the Admin dashboard, including the ability to: create a shipment document (full or partial); add details about shipped items into an order; change status and state of an order according to; performed actions; notify customer about new shipment document.

We've added the ability to change the status of an invoice through the web API. The new InvoiceOrder interface supports tasks you can already do through the Admin dashboard, including the ability to: create an invoice document (full or partial); capture money placed with order payment; notify a customer about document creation; change order status and state.



Performance

We've improved the load speed of the configurable product form.

We've improved the load speed of the review step for the wizard used to create a configurable product.



Tracking and shipping

Changing the city field of an order now affects the shipping rate as expected. Previously, the shipping rate was not updated when you changed the city on your order form.

Magento now returns UPS shipping rates for Puerto Rico.

Magento no longer throws an exception if you enter an invalid FedEx shipment tracking number.



Cart and checkout

Magento now updates the mini cart as expected when you reorder an item. Previously, Magento added the reordered items to the shopping cart, but the mini cart did not update its item count. (GITHUB-6121)

You can now use an alternative Merchant Account ID when using Braintree as a payment method. (GITHUB-5910)



General fixes

Magento now returns you to the Admin dashboard after you've successfully changed your Admin password. Previously, Magento prompted you to change your password even after you just successfully changed it. (GITHUB-4331)

You can now update multiselect attribute values for multiple products from the server side. (GITHUB-5459)

State/Province field is now displayed as required on the Add New Address page. (GITHUB-5279)

Maestro credit card now passes validation.

The cursor now appears as expected when you edit a product description.

Visual swatches are now displayed when in search results.

GiftRegistry *.less file is not properly packaged in the composer package

Delete paging functionality for configurable product variations.

The order comment timestamp now correctly reflects the time that the comment was submitted, not when the page was last refreshed. (GITHUB-5719), (GITHUB-5890)



Known issues

Issue: Logo Email for transactional emails can not be uploaded successfully (GITHUB-6275). Workaround: Create a header template and reference the image location absolutely.

Issue: Cannot save a custom transactional email logo. Workaround: None.

Issue: The scope selector on the Product page does not display all websites associated with a restricted user. Workaround: None.






2.0.9

15 August 2016 - 310MBFixed issues

Shopping cart: Magento no longer displays an incorrect price in the shopping cart when using multiple shipping addresses.
The Minicart Maximum Display Recently Added Item setting now works as expected. Previously, Magento displayed all the items in the shopping cart, even when the number of items exceeded this limit. (GITHUB-4750)
Performance: We've improved storefront performance when you use many variations of a configurable product.
Cart Price Rules are now applied as expected to Payment method conditions. Previously, discounts set in Cart Price Rules were not applied during checkout.
You can now save a product for which you've entered no Swatch attribute value when this attribute is not required. Previously, during product creation, Magento would not save the product unless you added a value to the swatch attribute even with "Values Required" set to No.
Attributes of the salesInvoiceRepository methods are now correctly type cast. (The datatype is now a float – not nullable float.) Previously, due to the use of an incorrect data type cast, Magento would produce an error when calling the salesInvoiceRepositoryV1GetList methods. (GITHUB-3605)
We've renamed the Tier Price option on the Advanced Pricing tab to Customer Group Price option.
Tier pricing now works correctly with full page cache. (GITHUB-5364)


Known issue

The Sales API does not currently support all the update operations on objects that you can execute from the Admin panel. (Objects in this context include orders, invoices, shipments, credit memos, and return merchandise authorizations.)






2.0.7

21 June 2016 - 310MBFixed

The payment gateway now works as expected in a Magento installation running PHP 7.0.3. Previously, when you would place an order in an installation running PHP 7.0.3, the checkout page would become unresponsive, and the transaction would not appear in the payment gateway. (GITHUB-2984, GITHUB-2878, GITHUB-3305, GITHUB-4076).






2.0.5

28 April 2016 - 310MBSecurity

Issue with persistent cross-site scripting through a user account has been resolved.
Magento now supports setting limits on password attempts. Previously, Admin and Customer Token API access did not limit the number of attempts to enter a password, inadvertently allowing brute force attempts to guess passwords.
APIs that previously granted access to anonymous users are now configured to require a higher permission level. Default product behavior does not permit anonymous access to Catalog, Store and CMS APIs. However, if you would like to allow anonymous access, you can change this setting.
Magento now prevents the arbitrary execution of PHP code through the language package CSV file.
The encryption keys that are generated in System > Manage Encryption Key have been strengthened.
Reflected XSS can no longer occur through the Authorizenet module's redirect data.


Upgrade and Installation

Magento no longer creates store data inconsistently during installation.
During upgrade, the setup:config:set script no longer deletes values in the env.php file.


Import

Magento now successfully imports existing products as well as products that use custom URLs.
Product import now works successfully in a multi-store environment. Previously, Magento would display the following error message, "URL key for specified store already exists", when importing products into a multi-store configuration.


Export

Export performance has been enhanced. Pages no longer hang randomly, and CPU usage is no longer pegged. (GITHUB-3217)


APIs

The Orders API now exposes the shipping address. This corrects an issue with using this API to integrate with third-party systems.
The SOAP API now returns attributes of type "text swatch" and "visual swatch" when you use the API to add attribute options. Previously, this feature did not work for these attribute types.


PHP

Magento now allows you to use arguments of url type in nested arrays. Previously, you could pass route parameters only if the url argument was declared at the top level.


Database

Magento no longer duplicates queries to the database from the Catalog page. Instead, if Magento has already loaded specific data during request processing, it re-uses it instead of duplicating the query.
Magento no longer duplicates SQL queries on CMS and Category pages. Previously, significant duplications occurred.


Miscellaneous

Magento no longer displays HTML tags in messages.
Product performance has been enhanced when loading catalog products with multiple color swatches.
Magento now successfully saves and displays new customer attributes.
Magento performance has been improved by the removal of redundant get requests that previously occurred during shopping cart refresh.
Selecting the Use Aggregated Data option now correctly displays Dashboard data. (GITHUB-3459)
Magento now displays the expected color swatch when you select a color swatch for a configurable product. Previously, Magento did not change the color when you selected a swatch.
HTML template minification now properly handles commented code.
Deleting one of several custom options no longer deletes all options. Previously, deleting one option from the Product page also deleted all other custom options. (GITHUB-2989)
When Full Page Cache (FPC) is enabled, the CAPTCHA image differs for every user. Previously, the CAPTCHA image on the registration page remained the same for every customer after FPC was enabled.
Google no longer indexes the Admin URL. Previously, Google indexed the Admin side meta tag. The frontend meta tag was not affected.
Magento no longer sends a subscription success email whenever a customer enters his email address to subscribe to a newsletter. Users receive a "thank you for your subscription" message and a subscription success email only when registering for the first time.
Guests can now successfully click on the product page link for any item in an emailed shared wishlist.
Custom customer attributes are now saved at checkout.






2.0.2

3 February 2016 - 310MBThis release resolves issues that some users encountered while upgrading from Magento 2.0.0 to Magento 2.0.1.





2.0.1
 (major version) (security release)
26 January 2016 - 310MBWe are pleased to present Magento Community Edition 2.0.1, the next generation of the world’s leading digital commerce platform. This patch release contains several important functional updates, including official support for PHP 7.0.2. This release also includes numerous enhancements to improve the security of your Magento 2.0 installation. While there are no confirmed attacks related to these issues to date, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. 



PHP 7 Compatibility

Magento 2.0.1 adds support for PHP 7.0.2, which provides dramatic performance improvements, drastically reduces memory consumption, and supports new PHP language features.


USPS API Changes

On January 17, 2016, USPS made several changes to their services, rates, and package names. The updates are reflected in this release, and include the following changes: Standard Post renamed "Retail Ground", Flat Rate Box for Priority Mail Express Eliminated


Security Enhancements

SQL injection
Persistent XSS vulnerability for order comments made from Admin
Ability to save XSS code into database
Reflected XSS in cookie HTTP header
CSRF vulnerability on cart checkout
Ability for users to bypass filter by editing inline translations
Ability to access core system information using CMS blocks and cache entries
Ability to save XSS code through custom options
Ability to bypass Magento storefront CAPTCHA
Persistent XSS using customer name
Ability for unauthenticated users to delete any product review from the storefront
Attackers able to access order information in the store
Lack of password quality enforcement when changing admin passwords


General

Catalog price rule when specifying subproduct discounts.
Shopping cart for a registered user not returning a full list of selected products. The shopping cart of a registered user now operates as expected.
Failure to update minicart after completing an order using PayPal. Magento now clears the minicart as expected after you complete a purchase with PayPal.
Customer Edit form not appearing when you create a new Customer using a customer attribute. The Customer Edit form now appears as expected.
Sending messages using the wrong AMQP connection alias. Messages are now sent as expected.
Redundant calls to plugin methods.
Cart subtotal not including custom option prices in order calculations for configurable product. Shopping cart subtotal calculations now include custom option prices.
Catalog price rule not applied to the product created through the web API. Magento now applies the catalog price rule as expected.
Inconsistent application of discounts across all relevant configurable products. Magento now correctly displays discounts for all relevant options of a configurable product.
Incomplete display of category fields when working in store view scope. Magento now displays all scope information as expected.
Inability to create and save a new Content block. You can now add new blocks from the Admin.
Issue with checkbox component behavior. Checkbox component now displays expected behavior. Magento sends the checkbox input value (original) data only if the checkbox is checked upon form submission.
Selected country information not appearing at checkout.
Not all classes able to be intercepted in early stages of application life cycle.
JavaScript errors when loading product tables on a catalog page.
Failure during creation when Google experiments is enabled.
Unspecified resetting of product assignments after applying a filter from a category product listing.
Incorrect target for the "Learn More" link on the Payment Methods Configuration page.
Changes in the USPS API to match updated USPS method names.
Prices incorrect on product page for configurable product when catalog prices include tax.
Synonyms not working.
Orders not created when Include Tax in Order Total is set to "Yes."
Shipping address in the Orders API now exposes the shipping address value.
The Replace feature of the Import Product works in a multistore environment.
Magento now displays product tables correctly when an administrator navigates to Product > Inventory > Catalog after either of these two actions: 1) first time after product installation; 2) clearing cache and static file directories.
Creating a product with an empty file as a custom file option now works correctly.
Added autoload functionality instead of direct paths to load dependent files.
Product URL rewrites now works correctly when accessed from a Category page.


Import

Error during product import. Validation now works correctly.
Container components not disabled during import.


Testing

Legacy tests fail due to obsolete paths. References to classes in the legacy build removed.
Integration tests fail on Magento 2.0.


Performance

Redundant executions of MessageBox plugin.
Redundant executions of StoreCookie plugin.
Catalog pages in Magento installations running Varnish.
Swatch module on a category product listing page.
Large stores with a significant number of customers.


Installation and Upgrade

Issue with precompilation.
Product performance after an upgrade that modifies the database schema.
Accessing sample data after deploying Magento with composer create-project.
Travis Cl build failures due to authentication to repo.magento.com.


PHP

PHP syntax error prevents the collection of all phrases for translation.
Magento tries to save twice when a product is added to the catalog.
Code Migration tool randomly hangs and terminates with an error.






2.0.0
 (major version)
24 November 2015 - 310MBThe new Magento 2 platform empowers brands, retailers, and businesses across B2C and B2B industries to quickly and cost-effectively deliver engaging omnichannel shopping experiences. Magento 2 also offers enhanced performance and scalability,  new features to boost conversion rates, and business agility and productivity improvements. The new platform also builds on our open source heritage and offers unmatched flexibility and innovation opportunities to our global ecosystem of partners and developers.





1.9.3.8
 (security release)
12 March - 150MBMagento 1.9.3.8 provides resolution of multiple critical security issues. These critical security issues include authenticated Admin user remote code execution, unauthorized data leaks, and cross-site request forgery (CSRF) vulnerabilities. We recommend upgrading your Magento store to this latest version.



Highlights

Changed Magento Admin to support recent USPS shipping changes. On February 23, 2018, USPS removed APIs that support the creation of shipping labels without postage. In response, we’ve removed this functionality from the Magento Admin. Consequently, you cannot create and print shipping labels that do not have postage applied.

Updated copyright to 2018.



Notes

If you try to import products that contain HTML tags in the SKU attribute, Magento displays this error at the data validation stage (that is, when you click Check data): Invalid value in SKU column. HTML tags are not allowed.

If you try to create or edit a product in the Admin panel and the product’s SKU attribute value contains HTML tags, Magento throws this error when you try to save the product: HTML tags are not allowed in SKU attribute.

Read more: http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html






1.9.3.7
 (major version) (security release)
29 November 2017 - 150MBMagento 1.9.3.7 fixes multiple critical security issues. These issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version.



Highlights

Magento no longer displays the “Invalid Secret Key. Please refresh the page.” message when a user loads the Admin.

The one-page checkout page now displays the following message when a customer checks out an order for which no amount is due: No payment information required. Magento versions prior to 1.14.3.3 included this message, but it was missing from v1.14.3.3.

We’ve fixed a typo in the patch header information. (autocomplete="new-pawwsord” is now autocomplete="new-password”.) 



Notes

We no longer support custom file extensions for Mage::log(). Supported file extensions include .log, .txt, .html, .csv. For more information, navigate to Developers > Log Settings from the Admin. Magento displays this comment: Logging from Mage::log(). File is located in /var/log. Allowed file extensions: log, txt, html, csv.

Passwords for new users are now limited to 256 characters. If a new user enters a password that exceeds 256 characters, Magento displays this message: Please enter a password with at most 256 characters.

Read more: http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html






1.9.3.6
 (major version) (security release)
27 September 2017 - 150MBMagento 1.9.3.6 provides resolution of multiple critical security issues and several functional fixes. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.



Highlights

Fixed an issue where uploaded images were twice their original size after you applied SUPEE-9767 v2.

Read more: http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html






1.9.3.4
 (major version) (security release)
13 July 2017 - 150MBMagento 1.9.3.4 addresses both security and functional issues discovered when using the SUPEE-9767 patch. We recommend upgrading.



Highlights

We've restored missing strip_tags functionality in the checkout JavaScript.

We've changed how Magento validates form keys during the generic five-step checkout process. Previously, customer registration failed during standard checkout processing if form key authentication was enabled.

Magento now displays the Allow_symlinks message in the Admin message area as expected.

Magento now preserves the background transparency of uploaded images as expected. Previously, transparency was lost after the image was uploaded, resulting in an unusable image.

You can now use Checkout with Multiple Addresses when checkout form validation is enabled.






1.9.3.3
 (major version) (security release)
1 June 2017 - 150MB
Includes patches: SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405, SUPEE-7405 v1.1, SUPEE-8788, SUPEE-9652, SUPEE-8167, SUPEE-9767

There are known issues in this release: https://magento.com/security/patches/supee-9767






1.9.3.2
 (security release)
7 February 2017 - 150MB
Includes patches: SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405, SUPEE-7405 v1.1, SUPEE-8788, SUPEE-9652






1.9.3.1

21 November 2016 - 150MB
Search results return all store products
Some integrations using Magento APIs no longer work
Bundled product prices do not update
Store-specific attribute labels disappear
Auto generated passwords do not work for some customers
Exceptions appear for stores with disabled breadcrumbs
Shipping rules may not be calculated correctly in some cases
PHP warnings occur with the session timestamp variable
CSRF form key is not changed after logout
Login attempts log protection table is not cleaned properly






1.9.3.0
 (security release)
26 October 2016 - 150MBIncludes patches: SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405, SUPEE-7405 v1.1, SUPEE-8788





1.9.2.4

26 February 2016 - 150MBThis release bundles improvements for issues reported by our merchants after installing the latest patch SUPEE-7405 (provided by version 1.9.2.3).



Bugfixes

Cart Merge Patch (SUPEE-7978): Carts with identical items now merge correctly. Previously, when a cart with one item was merged with another cart that contained the same item, Magento did not merge the cart totals correctly.The cart now includes only one item, and the total is correct.
SOAP API Patch (SUPEE-7822): The Magento SOAP API now works as expected. Previously after installing the SUPEE-7405 v1.0 patch, an API request would cause a 500 error, and Magento would log an exception.
PHP 5.3 Compatibility (SUPEE-7882): The patch was not compatible with PHP 5.3 for earlier versions of Magento that were still supporting this version. The issue experience by merchants was inability to view sales information in the Admin.
Upload File Permissions: The patch restores less restrictive file permissions (0666 for files and 0777 for directories) as more strict permissions introduced by the original SUPEE-7405 patch cause many merchants not to be able to view uploaded product images, depending on hosting provider configuration.






1.9.2.3
 (security release)
20 January 2016 - 150MBSecurity Enhancements

Includes patches: SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405






1.9.2.2
 (security release)
27 October 2015 - 150MBSecurity Enhancements

Includes patches: SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788






1.9.2.1
 (security release)
4 August 2015 - 150MBSecurity Enhancements

SUPEE-6482 - This patch addresses two issues related to APIs and two cross-site scripting risks.






1.9.2.0
 (security release)
7 July 2015 - 150MBSecurity Enhancements

SUPEE-6285 - This patch provides protection against several types of security-related issues, including information leaks, request forgeries, and cross-site scripting.






1.9.1.1-2
 (security release)
15 May 2015 - 150MBSecurity Enhancements

SUPEE-5994 - This patch addresses multiple security vulnerabilities in Magento Community Edition software, including issues that can put customer information at risk.






1.9.1.1

2 May 2015 - 150MBApplications:

This is Magento's official release to patch the SUPEE-5344 issue which was previously patched by Applications with the release of Magento 1.9.1.0-2.






1.9.1.0-2
 (security release)
24 April 2015 - 150MBSecurity Enhancements

SUPEE-5344 - Addresses a potential remote code execution exploit


Changes

SUPEE-4829 - This patch fixes an issue in which product images become larger when a shopper selects a swatch on a search result page.






1.9.1.0
 (security release)
24 November 2014 - 150MBHighlights

Configurable Swatches: Configurable swatches help you optimize the way products are presented on your site. New "swatch" capabilities make products more appealing—and boost conversion rates—by offering shoppers quick access to information, like available colors, fabrics, sizes, and more. Clicking on a swatch automatically updates the product image so shoppers see exactly what a color or fabric looks like, giving them confidence to proceed with their purchase.
Responsive Design Improvements: It has never been easier to create a mobile-friendly site now that Magento's responsive design reference theme includes all core Magento features, including gift registries, downloadable products, multiple wish lists, add-to-cart by SKU, and private sales. It even boasts responsive default email templates so customers can read your order confirmation emails and newsletters on any device.
Technology Updates: Magento Community Edition boosts performance and security by adding support for MySQL 5.6 and PHP 5.5. With MySQL 5.6, you benefit from improved site speed and scalability, reduced memory usage on the database server, and enhanced debugging tools. PHP 5.5 provides security improvements and ensures you have continued access to code updates. And, for those of you who haven't already upgraded from PHP 5.3, there are potential performance improvements—up to 25% based on reports from some customers. Magento Community Edition 1.9.1 has been updated to support Universal Analytics, the new standard for Google Analytics. With this update, merchants can define more custom dimensions and metrics for tracking, incorporate offline and mobile app interactions, and gain access to ongoing feature updates that will only be available on Universal Analytics.
Other Improvements: Magento CE 1.9.1 includes updates to promotions, product import/export capabilities, security, and other features as part of our commitment to continually improve product quality.


Security Enhancements

SUPEE-1533 - Addresses two potential remote code execution exploits
Resolved potential issues as discussed in Resolving a Remote Code Execution Exploit.
Magento thanks Matt Barrah for contributing to this fix.
To change their password, a Magento administrator must first enter their existing password.
Resolved a potential XML External Entity Processing (XXE) exploit with the potential to cause a Denial of Service attack.
Customer passwords are no longer stored in clear text during registration.
Storefront users no longer see each others' user names in certain circumstances.
To change an administrator password using the Admin Panel, you must first enter your existing password.
Added a secure cookie flag for the storefront to prevent man-in-the-middle attacks. Configuration options haven't changed; they are still under System > Configuration > GENERAL > Web, option groups Secure and Unsecure.


Changes

Changed the following PayPal Express Checkout configuration options (System > Configuration > SALES > Payment Methods, PayPal Express Checkout):
Shortcut on Shopping Cart renamed to Display on Shopping Cart and moved from Basic to Advanced.
The recommended Display on Shopping Cart option is now worded Yes (PayPal recommends this option).
It's more important than ever for you to configure a Magento cron job. In addition to indexing and other core functions, all Magento e-mails (including order confirmation and transactional) are now queued and sent according to your configured cron schedule.
The PayPal Bill Me Later logo and name has been replaced by PayPal Credit.
Bill Me Later options now display only in U.S. stores.
The Zend Framework version has been updated to 1.12.7.
Check out with PayPal and PayPal Credit buttons now display on product pages for gift cards and dynamic bundled products.
Updated PayPal buttons for US-based stores.
Orders with PayPal viewed on the Admin Panel have a link that enables a Magento administrator to view the order on the PayPal site.
Magento thanks Florinel Chis of Elastera for contributing to this fix.
The PayPal Standard API has been replaced with the newer PayPal Express Checkout API.
Magento CE and EE now use Google Universal Analytics.
When defining a tax rate, you can now use a wildcard character for State in any locale.
Implemented responsive transactional e-mails.

Read more: http://magentocommerce.com/knowledge-base/entry/ce19-later-release-notes#ce19-1910






1.9.0.1

16 May 2014 - 150MBFixed:

Customers can no longer apply a coupon from an inactive shopping cart price rule to a purchase.
Customers using a smartphone or other small viewport can expand subcategories in the web store that uses the new responsive theme.

Read more: http://magentocommerce.com/knowledge-base/entry/ce-19-and-ee-114-documentation-home






1.9.0.0
 (major version)
14 May 2014 - 150MBA new responsive design reference theme makes it easier and less costly for merchants to delight customers using mobile devices, and new payment options help merchants improve conversion and sales. Merchants also benefit by being better able to support customers across geographies, and from improvements in product quality, search and security.



Key benefits

Merchants can get a tablet and smart phone friendly responsive site in about half the time as before, speeding time to market and freeing up resources for other projects.

With a responsive site, merchants will be better able to participate in the fast growing mobile commerce space, and will have a site that is more easily adapted to new opportunities and less expensive to maintain. A responsive site also offers potential SEO benefits from using Google's preferred approach to mobile-optimizing sites.

Merchants can capture up to 18% more sales by providing customers access to financing through the Bill Me Later service. And they can offer their customers a smoother, more streamlined PayPal Express Checkout experience, which tries alternative payment options when a customer's credit card is rejected.

Updates available in Magento Enterprise Edition 1.14, give shoppers access to fresher search results because search indexing is performed automatically as the product catalog changes. Improved indexing also helps merchants work more efficiently, because incremental index updates no longer require manual intervention and admin performance is faster.

Merchants operating across regions and geographies can show their customers a single price. Pricing is clean and uncluttered regardless of tax structures and rates that vary from country to country.

Merchants benefit from greater security and ongoing support updates.

Read more: http://magentocommerce.com/knowledge-base/entry/ce-19-and-ee-114-documentation-home






1.8.1.0-2
 (security release)
24 April 2015 - 218MBSecurity Enhancements

SUPEE-5344 - Addresses a potential remote code execution exploit
SUPEE-1533 - Addresses two potential remote code execution exploits






1.8.1.0
 (security release)
11 December 2013 - 218MBMagento CE 1.8.1.0 helps advance overall product quality and ease operations by providing significant tax calculation improvements, a wide range of bug fixes, and several security enhancements.
Read more: http://magentocommerce.com/knowledge-base/entry/ce-18-later-release-notes






1.8.0.0
 (major version)
25 September 2013 - 218MBThis new edition improves tax calculations, boosts product quality and stability, enhances performance, and advances security for the rapidly growing Magento community.



Highlights

Major overhaul of tax calculation formulas, correction of rounding errors, and additional assistance with configuration.
Optimized cache adapters for single-server systems
Upgraded Redis cache adapters for multi-server systems.
To set up and use Redis with Magento, see Using Redis with Magento Community Edition (CE) and Enterprise Edition (EE).
Eliminated many types of database deadlocks.

Read more: http://magentocommerce.com/knowledge-base/entry/ce-18-later-release-notes






1.7.0.2

5 July 2012 - 218MB





1.7.0.1

20 June 2012 - 218MB





1.7.0.0
 (major version)
24 April 2012 - 218MB





1.6.2.0

11 January 2012 - 200MB





1.6.1.0

19 October 2011 - 200MB





1.6.0.0

18 August 2011 - 200MB





1.5.1.0

27 April 2011 - 175MB





1.5.0.1

10 February 2011 - 175MB





1.5.0.0

9 February 2011 - 175MB





1.4.2.0

9 December 2010 - 160MB





1.4.1.1

27 July 2010 - 160MB





1.4.1.0

12 June 2010 - 150MB





1.4.0.1

22 February 2010 - 135MB





1.4.0

13 February 2010 - 135MB





1.3.2.4

25 September 2009 - 125MB





1.3.2.3

23 July 2009 - 125MB





1.3.2.2

3 July 2009 - 125MB





1.3.2.1

2 June 2009 - 125MB





1.3.2

30 May 2009 - 125MB





1.3.1.1

20 May 2009 - 55MB





1.3.1

18 April 2009 - 55MB





1.3.0

31 March 2009 - 55MB





1.2.1.2

3 March 2009 - 55MB





1.2.1.1

23 February 2009 - 55MB





1.2.1

2 February 2009 - 55MB





1.2.0.3

24 January 2009 - 55MB





1.2.0.2

13 January 2009 - 55MB





1.2.0.1

31 December 2008 - 55MB





1.2.0

30 December 2008 - 55MB





1.1.8

26 November 2008 - 55MB





1.1.7

20 November 2008 - 55MB





1.1.6

28 October 2008 - 55MB