Hosting Magento

2.2.5
 (security release)
28 June - 560MBThis release includes multiple enhancements to product security plus bug fixes and enhancements.



Highlights

Enhancements that help close stored XSS, SQL injection, and cross-site request forgery (CSRF) vulnerabilities. See Magento Security Center for more information.

Resolution of issues that customers were experiencing when upgrading to Magento 2.2.4 in deployments that span multiple websites. Magento multi-store installations were not using the store view-specific values from the store configuration settings if these settings differed from the global default configuration settings. Instead, Magento used the default configuration for all store views. See GitHub-15205 and GitHub-15245 for more detailed discussions of the problems some customers encountered.

Substantial improvements to indexing performance.

Over 150 community contributions.

Improvements to our core bundled extensions.

Merchants can now run the catalog search full text indexer and category product indexer in parallel mode by store view, which can significantly decrease indexer:reindex execution time when running Magento with multiple store views and shared catalogs.

Refactoring of the catalog full text indexer has improved indexing performance up to 15% for very large profiles (600,000 products) and product catalogs with many configurable options (5,000 configurable products and 500 options).

Improving the behavior of swatch product attributes has improved search result page performance up to 31% for catalogs with many configurable product options (for example, 5,000 configurable products and 500 options).

Customers can now create an account from the Order Confirmation page. Previously, a customer could not populate the required fields to create an account from this page, and Magento displayed an error.

Magento now correctly applies coupon codes that exclude bundle products. Previously, Magento applied these coupons but did not exclude bundle products as expected.

When sorting simple products, which catalog promo price rule is applied for, these products are sorted by a regular price instead disregarding the applied promo price. 


When sorting simple products with a required custom option, which catalog promo price rule is applied for, these products are sorted by a regular price instead disregarding the applied promo price.



Shipping

With core returns, merchants can select carriers to use for returns and send a return label along with forward fulfillment.

Batch processing increases automation and merchant efficiency by making it easier to process a large volume of shipments in batches.

Collection points provide the ability for customers to designate a drop point rather than residence for delivery by carrier.



Bug Fixes

Magento no longer permits you to re-run an already running cron job.

You can now successfully delete an option from a bundle product.

Magento now correctly applies coupon codes that exclude bundle products. Previously, Magento applied these coupons but did not exclude bundle products as expected.

Merchants can now run the catalog search full text indexer and category product indexer in parallel mode by store view.

The Category\Collection::joinUrlRewrite method now returns the URL of the store whose storeId is set on the collection. Previously, this method returned the name of the default store. Fix submitted by Alessandro Pagnin in pull request 13716. GitHub-13704

Sorting products by price now applies catalog rules as expected.

Sorting products with required custom options by price now works as expected.

Tier pricing for a single product unit now works as expected. If a tier price is set for one product unit, and this price is lower than the product price or special price, then the product price index table is populated with the tier price.

Magento now successfully saves products when using a locale that formats dates in this way: DD/MM/YYYY. Previously, when you tried to save a product in a locale where dates were formatted this way, Magento did not save the product, and displayed this error: Invalid input datetime format. GitHub-10485

When you import new products using a CSV file, Magento no longer lists as in stock any products whose CSV values indicate that they should be represented as out-of-stock.

When working in the media gallery, you can now successfully delete any files and folders that are symlinked in pub/media.

Magento now displays the correct status for a backordered configurable product on the order view page.

Magento now displays the correct image for a configurable product on the wishlist.

The Hide from Product Page option now works for the child product of a configurable product.

The Update on Save re-index operation now works as expected when re-indexing configurable products after changing options.

The product repository now uses store_id (if set) when saving attributes for an existing product. Previously, Magento always saved attribute values for an existing product at the default store level.

The placement of Google Tag Manager code now follows the guidelines in the Google Tag Manager Developer Guide. (Previously, the Google Tag Manager code was inserted before the dataLayer variable was defined.) 

The Related Products rule for up-sell products with customer segments set to Specified now works as expected. 

The data check on imported customer information now completes as expected. Previously, when you clicked Check Data on a large CSV file created by System > Data Transfer > Import, the request failed, and Magento displayed the timeout spinner. 

If you remove a product’s custom options from the CSV file created during product import, Magento no longer displays the custom options on the storefront. 

The search indexer is now scoped and multithreaded, which improves layered navigation, search, and indexing actions for complex sites with multiple store views and shared catalogs. 

Magento now filters recent orders by store on the customer account page as expected.

The performance and logic of Magento\Sales\Helper\Guest has been improved.

In multistore environments, Magento now retrieves the correct PayPal Payflow Pro credentials. Previously, Magento always retrieved the credentials that are configured for the default store. 

We’ve removed the count() method from the condition section for some loops in a small subset of backend files. When this method is used in a loop condition, it will be executed at every iteration, which can degrade performance.

Out-of-stock options for configurable products no longer show up in search and layered navigation results. 

Magento now caches popular search results for faster response time on popular searches. A system administrator can configure how many top search queries can be cached. 

Merchants can now choose whether to request and include tax information from UPS in the rate charged to the customer during checkout. (This permits merchants to pass on the tax costs to their customer as part of the overall shipping rate.)

Swagger now displays the text area that contains the payload structure of all POST and PUT operations. 

You can now use JavaScript mixins to extend swatch functionality in all supported browsers.

You can now use REST to update the available_payment_methods company extension attribute. Previously, Magento set to null any value you passed to the database company_payment table. 

The phpunit.xml configuration file is now blacklisted during schema validation static tests (particularly Magento/Test/Integrity/Xml/SchemaTest.php). 

The \Magento\Test\Php\LiveCodeTest::testCodeStyle method now uses whitelist files.

Magento no longer throws a 404 error when a customer navigates from the Catalog page of the default store to a custom Catalog page on a different store. 

The correct tax amount is now included as expected in the Order Total that is listed under the Order Summary section of the Orders page. Previously, the Tax amount field was missing from the Order Summary section, which resulted in an incorrect Order Total. 

The including tax and excluding tax fields on the Checkout page now contain correctly calculated prices. Previously, Magento displayed the same price in these fields. 

Magento now displays the Tax amount field in the Order Summary section of the Checkout page for orders that contain virtual products. 

Merchants can now create a Vertex invoice refund as expected after an order has been canceled. 

We’ve improved the performance of the Admin Create Order and Performance Compare Report in Plain Text - Catalog (server side) actions. 

Magento now prompts you to select order status if a customer does not select an option from the Order Status drop down list when setting the When to send Invoice to Vertex option. 

The Allow tax quote request at shopping cart page option has been removed from the Vertex Setting tab. 

Magento now disables Vertex API Status as expected when you set the Enable Vertex Tax Calculation option to no. 

Magento now displays the green checkmark and Vertex invoice has been sent message as expected when you set an order’s status to Suspected Fraud. 

Customers no longer receive a notice about negative tax amount after a merchant creates a refund on Vertex Cloud. 

We’ve improved the performance of editing or saving products in large categories (more than 18,000 products per category).

Read more: https://devdocs.magento.com/guides/v2.2/release-notes/ReleaseNotes2.2.5CE.html






2.2.4

2 May - 450MBThis release includes new tools and numerous functional fixes and enhancements, plus a substantial number of contributions from the wider Magento community.



Highlights

plugin: Amazon Pay added

plugin: Vertex added

plugin: Klarna Payments added

Numerous fixes and enhancements to the Magento Shipping and dotmailer bundled extensions. Merchants can now use dotmailer to create their own transactional email templates. Magento Shipping capabilities have been expanded, too.

Fixes and enhancements to core features, including performance improvements that enable faster shopping with image loading and search performance enhancements.

Almost 200 community bug fixes and enhancements.

Read more: http://devdocs.magento.com/guides/v2.2/release-notes/ReleaseNotes2.2.4CE.html






2.2.3
 (security release)
28 February - 450MBThis release includes 35 enhancements to product security, a change to the Magento Admin to support recent USPS shipping changes, and a copyright update.



Highlights

Enhancements that help close cross-site request forgery (CSRF), unauthorized data leaks, and authenticated Admin user remote code execution vulnerabilities.

Support for Elasticsearch 5.x. See Install and configure Elasticsearch for more information about using Elasticsearch with Magento.

Change to Magento Admin to support recent USPS shipping changes. On February 23, 2018, USPS removed APIs that support the creation of shipping labels without postage. In response, we’ve removed this functionality from the Magento Admin. Consequently, you cannot create and print shipping labels that do not have postage applied. If you require USPS postage printing capabilities, please visit Magento Shipping to learn more, and explore various shipping extensions on Magento Marketplace.

New layers of control for cache management tasks managed through the Magento Admin. This release introduces finer permissions for cache management tasks such as flushing cache storage, flushing the Magento cache, and refreshing cache types.

Updated copyright to 2018.

Read more: http://devdocs.magento.com/guides/v2.2/release-notes/ReleaseNotes2.2.3CE.html






2.2.2

11 February - 450MBHighlights

Significant new features that streamline the customer experience and provide merchants with greater insight into their online business.

Numerous fixes and enhancements to core features, including significant improvements to the payment process.

Over one hundred community-submitted bug fixes and multiple pull requests.



New Features

Advanced Reporting powered by Magento Business Intelligence. Access easy-to-use order, product, and customer reports right from the Magento Admin to gain new insights and enable data-driven decision making.

Magento Shipping (powered by Temando). This new feature provides integrated advanced multi-carrier shipping and fulfillment.

Streamlined Instant Purchase checkout (contributed by Creatuity). Our new streamlined Instant Purchase option uses previously stored payment credentials and shipping information to bypass steps in the checkout process.

Integrated dotmailer marketing automation software. Magento is one of the first ecommerce solutions to include the dotmailer marketing automation with their core product.

Magento Functional Testing Framework. The Magento Functional Testing Framework (MTFT) is our open-source, cross-platform testing solution. Its purpose is to facilitate functional testing and minimize efforts to perform regression testing.



Bug Fixes

Significant enhancements for payment methods. We’ve added support for the Indian Rupee (INR) to PayPal Express Checkout. We’ve also added a fix for an issue where some Braintree refunds did not work.

Improvements to multi-storeview sites. Switching store views multiple times no longer results in an error on the storefront.

New functionality for the command-line interface. We’ve added interactivity to the admin:user:create command and added the ability to handle CLI setup interactively (with prompts).

You can now use the Enter key (in addition to a mouse click) to search tables in the Admin.

Magento no longer creates duplicate shipments when merchants create shipments with bundled products via API.



This release also includes dozens of bug fixes plus a substantial number of contributions from the wider Magento community.
Read more: http://devdocs.magento.com/guides/v2.2/release-notes/ReleaseNotes2.2.2CE.html



display more versions




2.2.1
 (security release)
7 November 2017 - 450MBThese releases contain almost 15 security changes that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. They also contain over 40 functional enhancements, including significant contributions from community members.



Highlights

Integrated Signifyd Fraud Protection is now available in Magento Open Source. See Signifyd fraud protection for more information.

Ability to implement translations from themes. We've also significantly reduced JavaScript-related translation issues.

Improvements to how the PayPal Express Checkout payment method processes virtual products.

Multiple enhancements to product security. See Magento Security Center for more information.

Twenty-two community-submitted bug fixes and multiple pull requests.



Security

Magento 2.2.1 includes multiple security enhancements. Although this release includes these enhancements, no confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions, so we recommend that you upgrade your Magento software to the latest version as soon as possible.






2.2.0
 (major version)
30 October 2017 - 450MBThis release includes hundreds of functional fixes plus a wealth of new features: a bundled extension, upgraded technology stack, performance gains from improvements in indexing, cart, and cache operation, and significant enhancements in platform security and developer experience.



Highlights

Bundled extensions. This release of Magento includes the first third-party extension that we are bundling with Magento Commerce – Magento Social. This extension establishes a connection between your store and your corporate Facebook account, and creates a page with products from your catalog. When shoppers click a product, they are redirected to the corresponding product page in your Magento store.

Significant enhancements in platform security and developer experience. Security improvements include the removal of unserialize calls and protection of this functionality to increase resilence against dangerous code execution attacks. We have also continued to review and improve our protection against Cross-Site Scripting (XSS) attacks.

Upgraded technology stack. We’ve dropped support for PHP 5.6, and Varnish 3. We now support PHP 7.1 Varnish 5, and MySQL 5.7. All third-party libraries have been upgraded to the latest stable version.

Pipeline deployment, a new deployment process, enables build and deployment stages to minimize production system downtime for site updates. Resource-intensive processes can run on the build server. Pipeline deployment supports easy management of configuration between environments, too. Read more about pipeline deployment here.

Performance gains from improvements in indexing, cart, and cache operations. Customers can browse and shop on a storefront while indexers are running with no visible impact to their experience. Additionally, long-running indexers operate in batches to better manage memory and run times. Cart improvements enable a buyer to create a cart with more than 300 line items, and merchants can process a cart with at least 300 line items. Varnish cache configuration now includes saint and grace mode to ensure Varnish is always presenting a cached page to a shop’s customers. Enhancements to cache invalidation logic and optimization of edge side include blocks for frequently changing data that significantly boost cache hit ratios.

Substantial contributions from our Community members. Our Community Engineering Team has been working with skilled and enthusiastic community members, and together they’ve added hundreds of pull requests to the Magento code base. For more information about our Community Engineering Team. see Magento Community Engineering.






2.1.14
 (security release)
28 June - 450MBThis release includes multiple enhancements to product security plus bug fixes and enhancements.



Highlights

Magento 2.1.14 contains 38 security fixes and enhancements. The enhancements help close stored XSS, SQL injection, and cross-site request forgery (CSRF) vulnerabilities. See Magento Security Center for more information.



Bug Fixes

The magento cron:run command now runs scheduled jobs as expected. Previously, cron generated only one job, no matter how many jobs were scheduled.

The misspelling in the name of the namespace in Magento\Cron\Observer\ProcessCronQueueObserver.php has been fixed. Previously, this misspelling resulted in a fatal error when this class was instantiated and run.

The magento setup:di:compile command now supports quoting for base paths. Previously, this command tried to exclude paths from the compilation process via regex in the excludedPathsList property. However, that property does not use quoting but instead contains the full path to Magento, which resulted in the failure to exclude some paths (for example,/var/www/magento (1)/).

Store getConfig() now respects valid false return values. Previously, the system represented the no setting as a string value of 0 (and 0 equals false), and as a result, this method fetched the default configuration values when a configuration value was set to no.

All console commands now return status.

We’ve added the web/unsecure/base_url config to both website and store scopes.

Magento now checks if storeId is not null rather than checking if it is empty. Previously, when storeId 0 is_empty returned true, Magento could not create a CMS page for all store views.

Magento no longer displays HTML tags in product meta descriptions.

The layout of catalog_rule_promo_catalog_edit.xml has been changed to adjust sidebar settings. Specifically, the layout attribute value has been changed from admin-2columns-left to admin-1column.

The Catalog Price rule’s contains condition now works as expected when the contains condition allows multiple options.

Enhancements to LESS code include moving several LESS variables to .lib-dropdown() variables and adding font-weight variable to navigation.less.

We’ve improved the display of the Payment Methods section of the checkout page on mobile devices. Previously, the layout of page elements was not correctly spaced.

You can now successfully override settings in module-directory/etc/zip_codes.xml. Previously, when you tried to override these settings, Magento displayed only the last pattern from the module’s zip_codes.xml.

Magento now displays accurate configurable product prices in multi-store environments. Previously, Magento displayed the same configurable product prices for all stores after the first store emulation.

You can now successfully save an address with a blank address field. Previously, when you saved an address that contained no text in an optional address field, Magento threw this error, 'Exception' with message 'Notice: Array to string conversion on line 2903 in lib/internal/Magento/Framework/DB/Adapter/Pdo/Mysql.php will be raised.

We’ve removed Billing Agreements from the customer_account.xml file in the PayPal module.

The color of the button on the email template when a user hovers over it has been changed from @button-primary__color to @button-primary__hover__color.

We’ve added JSON and XML support to the post method in the \Magento\Framework\HTTP\Client\Socket class.

Navigation menus without the display: inline-block setting now work as expected on deployments running on Internet Explorer 11.x. Previously, after a page refresh, navigation menus on pages running Luma or Blank themes would not work.

You can now successfully prevent the removal of a block or container by setting the remove attribute to false. Previously, setting this attribute to false did not cancel the removal of a block or container.

String type was added to \Magento\Framework\HTTP\Client\Curl to support sending JSON or XML requests.

We’ve improved the ability to store passwords using different hashing algorithms. These improvements include changes to \Magento\Framework\Encryption\Encryptor::getHash, which previously ignored the specified hashing algorithm version that was supplied.

You can now cancel the removal of a block or container from a layout by setting the remove attribute value to false.

You can now add an XML comment node as a parameter when adding a new widget declaration to widget.xml. Previously, if you added a comment as a parameter to a widget declaration, Magento displayed a 500 error.

The setAttributeFilter method now specifies the relevant table when calling the addFieldToFilter method. This method is called as part of the process of adding a field to the filter for the collection Eav/Model/ResourceModel/Entity/Attribute/Option/Collection.php. Previously, Magento displayed an error (ambiguous column name) when you joined tables containing column attribute_id.

We’ve added a CodeTriage badge to the magento/magento2 GitHub repository. See CodeTriage for more information.

The catalog gallery allowfullscreen setting In the theme’s view.xml file now works as expected. Previously, when you set the gallery’s allowfullscreen variable to false, Magento displayed a white page (instead of the product page) when a customer tapped on a product image while using a mobile device.

We’ve removed the ability of the Magento Framework to explicitly set file and directory permissions from the default cache backend. Removing this functionality allows permissions to be inherited properly from the file system, and respects SETGID bit and Magento umask settings.

Magento now installs the AdminGws module after it installs Magento_Authorization.

We added a RewriteBase directive template to the .htaccess file in the pub/static folder. Previously, if you set this directive in the .htaccess file in your Magento root directory, the Apache web server would miss files.

The robots.txt response header content type is now plain text.

Load query no longer uses requireJS to print.

You can now use a parameter to change the store code in Swagger, which makes it possible to test API calls in Swagger for different storeviews.

You can now use JavaScript mixins to extend swatch functionality in all supported browsers.

You can now translate the text associated with rating stars in product reviews.

We’ve fixed issues with the JavaScript translation regex file that previously led to untranslatable strings or parts of strings.

We’ve added a mage/translate component to the customer AJAX login action component, which enables the translation of the message that Magento displays if an AJAX call fails (Could not authenticate. Please try again later). Previously, Magento printed that message in English only, regardless of the storefront’s language setting.

Read more: https://devdocs.magento.com/guides/v2.1/release-notes/ReleaseNotes2.1.14CE.html






2.1.13

3 May - 450MBThis release includes both bug fixes and enhancements. 



Bundle

You can now specify a Bundle option title on a store-view level with changes to more than one store view. Previously, after making a change to the store view title of a second store view, the previous store view would show the default title for the store view title. 



Catalog

Magento now displays the correct final price of configurable products associated with catalog rules. Previously, the final price of a configurable product did not reflect any catalog rules associated with it. 

You can now successfully re-save a product attribute using a new name. Previously, an attempt to re-save the product attribute resulted in an error.

Magento now flushes the full page cache for all products that have been reindexed (both child and parent products). Previously, the configurable product page cache was not cleaned as expected.

Category page X-Magento-Tags headers no longer contain product cache identities when category display mode is set to Static block only.

When you set the category_ids attribute to be visible in the storefront catalog, Magento now displays catalog listings as expected. Previously, Magento threw an exception.

Magento now saves images as expected when you create a new category that contains an image, and then edit and re-save that category. Previously, it appeared that Magento saved the category as expected, but exception.log stated that there was a problem saving the images.

The category filter used for layered navigation for configurable products with no available options now counts products accurately. 

Magento now correctly displays product information after you perform an operation on more than one item. Previously, product information was not correctly aligned on the page.

The \Magento\Quote\Model\ResourceModel\Quote\Item\Collection now returns items that have existing relations only in catalog_product_entity table. 

The Hide from Product Page option now works for the child product of a configurable product. 

Product page attribute labels are now translated as expected when languages other than English are used. Previously, these fields were empty.



Cart and checkout

Magento now displays the expected state in the Multishipping New Address form when a customer enters information on the Ship to Multiple Addresses page.

When two customers check out concurrently for the same product, one of the check outs now succeeds. Previously, when two customers checked out concurrently for the same product, and the total quantity being ordered was greater than the quantity available, the stock became negative.

Display issues no longer prevent a user from adding a shipping address when checking out when running Internet Explorer 11.x. Previously, a registered user could not add a new shipping address in the shipping step of the checkout process due to display issues. 

Magento no longer caches warning messages as often as a customer clicks the Update Shopping Cart button while the shopping cart page loads. Previously, Magento cached a warning message each time a customer clicked this button while the page loaded in FireFox or Chrome, and this action resulted in multiple warning messages appearing on the top of the shopping cart page. 

You can now create unique checkbox IDs for the Terms and Conditions part of the checkout process.



Configurable products

Magento now reorders configurable attribute options as expected on the product page.

You can now disable a child product from a configurable product’s edit page. Previously, the child product’s status did not change after you selected Disable product. 

LowestPriceOptionsProvider now returns products with the tax_class_id attribute, which is used for price calculation operations such as tax adjustment.

 

Customers

window.checkout.customerLoginUrl now contains a URL that includes the referer in base64 encoding (for example, https://myshop.com/customer/account/login/referer/aHR0cHM6Ly9teXNob3AuY29tL2NoZWNrb3V0). Previously, the login URL did not include a referer (for example, https://myshop.com/customer/account/login).

Administrators can now reset customer passwords as expected when the max wait time between password resets setting has been disabled. Previously, when an administrator attempted to reset a customer’s password from the Admin, Magento displayed this error, Too many password reset requests, even when the max wait time between password resets setting had been disabled.

The Arabic language locale now uses the correct date format. Previously, when Magento was deployed using the JavaScript calendar and the Arabic (Kuwait) locale, It did not correctly display dates on the product page. (Date format was shown as 182017/05 instead of 18/05/2017.) 

Magento now refreshes customer data in localStorage upon customer log in, which results in proper loading of the customer’s cart. Previously, when a customer with existing cart items logged in using the authentication popup, the mini cart did not display her cart items.



Framework

vendor/magento/framework/composer.json now declares a dependency on magento/zendframework1. Previously, packages depending on magento/framework packages failed to execute.

configuration framework: Scope-based configuration now decrypts data as expected. Previously, scope-based configuration failed to decrypt data on the default store only.

session framework: When you add a product to your wish list after logging out, Magento now redirects you to your account wish list page and adds the product. Previously, you were redirected to your wish list page, but Magento did not add the product.

web API framework: When you used REST to create a paginated search of products, Magento now includes category_ids as expected in the custom_attributes section of listed products.

zend: We’ve upgraded the Zend framework Zend_Service component.



General

The htmlentities function has been replaced with the htmlspecialchars function. 

You can now delete more than one record using the content block manager. Previously, when working in the content block manager in the Admin, Magento threw a fatal error when you tried to delete more than one record.

The newsletter title string in the block template is no longer hardcoded.

The \Magento\Quote\Model\ResourceModel\Quote\Item\Collection now returns items that have only existing relations in catalog_product_entity table, which prevents the loading of quote items for non-existing products. 

In environments running Varnish, the menu item of the active category page is now handled as the active class as expected. Previously, activating the cache interfered with Magento setting the appropriate CSS class to active in environments where Varnish was enabled.

The currency switcher now works for widgets on the home page. Previously, if your website supported multiple currencies, the currency switcher did not update the currencies for widgets on the home page. 

Customers can now add a new address during the shipping step of the checkout process when accessing the store from Internet Explorer 11.x. Previously, when a customer tried to create a new address from the checkout page, the Add address button was not visible. 

Magento now creates a URL rewrite when you save a newly created CMS page. Previously, when you tried to access a newly created CMS page using information from the URL Key field, Magento displayed a 404 error.

You can now use the custom layout handler form (cms_page_view_id_cms_page). Previously the cms module added an additional layout update handler with an identifier on page view, and problems occurred when slashes were used in the page identifier.

Duplicate array keys in app/code/Magento/Bundle/Block/Adminhtml/Catalog/Product/Edit/Tab/Attributes/Extend.php and app/code/Magento/Downloadable/Helper/File.php have been removed.



Index

You can now view the state of the mview queue in real time, which can be useful when debugging indexing issues. You can now view how many items are in the queue pending processing, as well as view information from the mview_state table.



Newsletter

Merchants can now successfully unsubscribe customers from a newsletter from the Admin.



Order management

Invoices now display coupon code information as expected.

The cancel order and restore quote methods now accurately calculate the amount of stock to be returned to inventory when an order is canceled. Previously, when you canceled an order, some of these methods did not accurately calculate the amount of restored stock.

You can now alter the transport variable in the email_invoice_set_template_vars_before event.



Payment methods

The is_active and is_visible columns now default to true even when column default values are not set in the vault_payment_token installation script.

Magento now processes credit memos as expected when refunding an order from PayPal. Previously, when Magento refunded an order from PayPal, it created a credit memo, but the credit memo was not assigned a status (that is, the database status field is null), and the order status remained as processing. 

Administrators can now create orders in the Admin for stores other than the default when using Paypal Payflow Pro. 

You can now implement a product attribute that sets Catalog Input Type for Store Owner equal to Fixed Product Tax in a multistore environment.



Reports

When generating the output of Reports > Marketing > Products in Cart, Magento no longer calls the data of products that have been deleted from the cart.

The Admin’s Most Viewed Products tab now displays all relevant information about products, even when they are not in the default attribute set.

You can now successfully export the Ordered Products report to a CSV file. Previously, the export file contained no report data. 



Scope

Products are now activated only for specified websites after a scheduled update has run. Previously, Magento incorrectly activated the product for all websites when the scheduled update event ended. 



Search

Layered navigation now displays the correct product count. Previously, the layered navigation product count incorrectly included only in-stock products. 

When you switch between multiple currencies on the storefront, Magento now converts the product price into the correct currency.



Shipping

We’ve resolved an issue where Magento did not display applicable flat-rate USPS box methods during checkout.



Swagger

The code formatting in the Swagger block and template has been updated. 



Swatches

You can now use REST to import visual swatch attribute options. Previously, you could not add swatch options using service contracts unless a swatch option already existed for the attribute.



Translations

Inline translations and custom translators now work for knockout templates.



UI

Magento now validates XML against the schema file when saving custom layout update XML in the CMS page in production mode.

Creating a new product with a custom attribute set now works as expected.

Magento no longer displays the current date when a product’s date attribute has an empty value.



Wish list

The default value for a wish list item’s buyRequest data is now always an array. Previously, this value was set to null.

Read more: http://devdocs.magento.com/guides/v2.1/release-notes/ReleaseNotes2.1.13CE.html






2.1.12
 (security release)
28 February - 450MBThis release contains 38 security fixes and enhancements.



Highlights

Enhancements that help close authenticated Admin user remote code execution, unauthorized data leaks, and cross-site request forgery (CSRF) vulnerabilities.

Change to Magento Admin to support upcoming USPS shipping changes. On February 23, 2018, USPS removed APIs that support the creation of shipping labels without postage. In response, we’ve removed this functionality from the Magento Admin. Consequently, you cannot create and print shipping labels that do not have postage applied. If you require USPS postage printing capabilities, please visit Magento Shipping to learn more, and explore various shipping extensions on Magento Marketplace.

Updated copyright to 2018.

Read more: http://devdocs.magento.com/guides/v2.1/release-notes/ReleaseNotes2.1.12CE.html






2.1.11
 (security release)
11 January - 450MBThis release includes multiple security enhancements. Although this release includes these enhancements, no confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions, so we recommend that you upgrade your Magento software to the latest version as soon as possible.



2.1.11



Highlights

Significant enhancements for payment methods. We’ve fixed an issue where some Braintree refunds did not work. Braintree online refunds now work when you are using two Braintree accounts on two separate websites.

Corrected sitemap generation. Magento no longer generates the sitemap in the wrong directory when vhost is connected to /pub. Previously, Magento generated the sitemap in the root folder instead of the pub folder. GitHub-2802

When a simple child product on a configurable product has a lower price (either regular, or special price) than the other options (variations), the configurable product without any selected options now indicates that the price could be “As low as” = . Previously, if a simple child product has a price that is lower than the other options, and no options on the configurable product have been selected yet, the configurable product will be shown with with the lowest available price.

You can now add a configurable product to your cart from the Category page. Previously, you had to review the product on the Product page before adding it to your cart.



New Features

Support for the Indian Rupee (INR) in PayPal Express Checkout

New commands and functionality for the command-line interface. We’ve added interactivity to the admin:user:create command, and added the ability to handle CLI setup interactively (with prompts).



This release also includes dozens of bug fixes plus a substantial number of contributions from the wider Magento community.



2.1.10



Highlights

Significant reduction in JavaScript-related translation issues.

Improvements to how the PayPal Express Checkout payment method processes virtual products.

Multiple enhancements to product security. See Magento Security Center for more information.

Forty-four community-submitted bug fixes and multiple pull requests. These pull requests feature improvements in cacheing for configurable products (pull request 9809) and enhancements to the URL rewrite mechanism (pull request 10164).

Support for management of multiple instances in the same crontab. These two new CLI commands (cron:install and cron:remove) were submitted by community member adrian-martinez-interactiv4.



This release also includes dozens of bug fixes and multiple security fixes.
Read more: http://devdocs.magento.com/guides/v2.1/release-notes/ReleaseNotes2.1.11CE.html






2.1.9

30 September 2017 - 450MBMagento 2.1.9 contains almost 40 security fixes and enhancements.



Highlights

Enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. See Magento 2.0.16 and 2.1.9 Security Patches for a comprehensive discussion of these issues.

Support for changes to the USPS API that USPS implemented on September 1, 2017

Fixed issue with logging information about exceptions caused by payment failures

Change to how Magento displays status updates during upgrade.






2.1.8

1 September 2017 - 438MBMagento 2.1.8 contains over 100 functional fixes and enhancements as well as pull requests from the community. Look for the following highlights in this release:



Highlights

Multiple enhancements to static content deployment and generation

Improvements to indexing of large catalogs, cache tuning, and **URL re-writes

Reduction in the amount of memory that mass actions require, and performance optimization

Faster deployments for multi-language sites






2.1.7
 (security release)
1 June 2017 - 438MBMagento 2.1.7 contains over 15 security enhancements as well as critical enhancements to the security of your Magento software.



Highlights

Support for MasterCard BIN number expansion. MasterCard recently added a new series of Bank Identification Numbers (BIN), and this release of Magento provides support for transactions made with cards using these new BINs. MasterCard describes the issue here.

Resolution of multiple high priority and critical security issues. These critical issues include remote code execution for authenticated Admin users, access control bypass, and cross-site request forgery issues. See Magento 2.0.14 and 2.1.7 Security Patches for a comprehensive discussion of these issues.

Reversion of the changes to image resizing that we introduced in 2.1.6. Certain image resizing changes introduced unanticipated problems. We have reverted these changes in this release, and will provide improvements to image resizing in a future product update.






2.1.6
 (major version)
27 April 2017 - 438MBHighlights

PayPal enhancements include PayPal in-context checkout and saved credit cards. In-context checkout helps to increase conversion rates 69 bps by allowing shoppers to pay with PayPal without leaving the merchant’s site. PayPal saved credit cards boost repeat purchases by allowing merchants to securely store credit card information with PayPal so customers do not need to re-enter it in checkout or when reordering items from the Admin interface.

Braintree Hosted Fields securely collect all sensitive payment information in checkout so merchants can qualify for the simplest set of PCI compliance requirements. Merchants retain complete control over their checkout style and layout because Braintree gathers credit card data using small, transparent iframes that replace individual payment fields. Braintree settlement reports are now also conveniently available within the Magento Admin.

Improved management interfaces make it faster and easier to search for information in the Admin, set up global search synonyms, and create new product, category, and CMS content.






2.0.18
 (security release)
28 February - 310MBThis release includes 35 enhancements to product security, a change to the Magento Admin to recent upcoming USPS shipping changes, and a copyright update.



Highlights

Enhancements that help close authenticated Admin user remote code execution, unauthorized data leaks, and cross-site request forgery (CSRF) vulnerabilities.

Change to Magento Admin to support upcoming USPS shipping changes. On February 23, 2018, USPS removed APIs that support the creation of shipping labels without postage. In response, we’ve removed this functionality from the Magento Admin. Consequently, you cannot create and print shipping labels that do not have postage applied. If you require USPS postage printing capabilities, please visit Magento Shipping to learn more, and explore various shipping extensions on Magento Marketplace.

Updated copyright for 2018.






2.0.17
 (security release)
7 November 2017 - 310MBMagento 2.0.17 contains almost 40 security fixes and enhancements.



Highlights

Ability to implement translations from themes. We've also significantly reduced JavaScript-related translation issues.

Improvements to how the PayPal Express Checkout payment method processes virtual products.

Multiple enhancements to product security. See Magento Security Center for more information.



Security

Magento 2.0.17 includes multiple security enhancements. Although this release includes these enhancements, no confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions, so we recommend that you upgrade your Magento software to the latest version as soon as possible.






2.0.16
 (security release)
15 September 2017 - 310MBMagento 2.0.16 contains almost 40 security fixes and enhancements.



Highlights

enhancements that help close cross-site request forgery (CSRF), unauthorized data leak, and authenticated Admin user remote code execution vulnerabilities. See Magento 2.0.16 and 2.1.9 Security Patches for a comprehensive discussion of these issues.

support for changes to the USPS API that USPS implemented on September 1, 2017

change to how Magento displays status updates during upgrade.






2.0.15

18 July 2017 - 310MBMagento 2.0.15 includes only one enhancement: Support for changes in PayPal's Instant Payment Notification (IPN) service.





2.0.14
 (security release)
1 June 2017 - 310MBMagento 2.0.14 contains over 15 security enhancements as well as critical enhancements to the security of your Magento software.



Highlights

Support for MasterCard BIN number expansion. MasterCard recently added a new series of Bank Identification Numbers (BIN), and this release of Magento provides support for transactions made with cards using these new BINs. MasterCard describes the issue here.

Resolution of multiple high priority and critical security issues. These critical issues include remote code execution for authenticated Admin users, access control bypass, and cross-site request forgery issues. See Magento 2.0.14 and 2.1.7 Security Patches for a comprehensive discussion of these issues.






2.0.13

17 April 2017 - 310MBMagento 2.0.13 updates the copyright date in every file. It does not contain any functional changes or security improvements. Isolating these changes in a single release is intended to simplify future updates and developer workflow.





2.0.12
 (major version) (security release)
7 February 2017 - 310MBMagento 2.0.12 contains more than 20 functional fixes and enhancements and one security enhancement.



Highlights

Removal of vulnerability with the Zend framework Zend_Mail library. 

Updates to the catalog, payment, and sales modules.



Security

his release includes an important enhancement to the security of your Magento software. While there are no confirmed attacks related to the Zend framework Zend_Mail library vulnerability to date, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. We recommend that you upgrade your existing Magento software to the latest version as soon as possible.






2.0.10
 (security release)
26 October 2016 - 310MBSecurity

You can no longer delete a currently logged-in user.

Fixed issue that occurred during update with disclosure of the application's internal path.

Fixed issue that occurred during setup with disclosure of the application's internal path.

Sessions now expire as expected after logout.

Fixed issue with using the Magento Enterprise Edition invitations feature to insert malicious JavaScript and subsequently execute it in the Admin context.

You can no longer change or fake a product price from the Magento storefront and then complete an order with that fake price.

A user with lesser privileges can no longer use a JSON call to force an Admin user to add his private or public key.

Fixed remote code execution issue in checkout.

Upgrade now places stores in maintenance mode as expected. (GITHUB-3191)

Resolved issue with potential SQL injection through the use of the ordering or grouping parameters.

Fixed issue with retrieving potentially sensitive information through the use of backend media.

The Guest order view protection code is no longer vulnerable to brute force attacks.

Fixed vulnerability to DoS attacks by full page cache poisoning.

Removed vulnerability in cart checkout experience by enhancing server-side CSRF validation.

Resolved a potential vulnerability in which customer addresses could be deleted. You can no longer deceive a user into deleting his store address book entries.

Fixed issue with XSS reflection in the loading section of REST requests.

Fixed issue with potential storage of malicious XSS code in the body of an email template. (A malicious user could use this this script to steal user information and cookies, or to bypass cross-site request forgery protection.)



Sales API enhancements

We've added the ability to change the status of a shipment through the web API. The new ShipOrder interface support tasks you can already do through the Admin dashboard, including the ability to: create a shipment document (full or partial); add details about shipped items into an order; change status and state of an order according to; performed actions; notify customer about new shipment document.

We've added the ability to change the status of an invoice through the web API. The new InvoiceOrder interface supports tasks you can already do through the Admin dashboard, including the ability to: create an invoice document (full or partial); capture money placed with order payment; notify a customer about document creation; change order status and state.



Performance

We've improved the load speed of the configurable product form.

We've improved the load speed of the review step for the wizard used to create a configurable product.



Tracking and shipping

Changing the city field of an order now affects the shipping rate as expected. Previously, the shipping rate was not updated when you changed the city on your order form.

Magento now returns UPS shipping rates for Puerto Rico.

Magento no longer throws an exception if you enter an invalid FedEx shipment tracking number.



Cart and checkout

Magento now updates the mini cart as expected when you reorder an item. Previously, Magento added the reordered items to the shopping cart, but the mini cart did not update its item count. (GITHUB-6121)

You can now use an alternative Merchant Account ID when using Braintree as a payment method. (GITHUB-5910)



General fixes

Magento now returns you to the Admin dashboard after you've successfully changed your Admin password. Previously, Magento prompted you to change your password even after you just successfully changed it. (GITHUB-4331)

You can now update multiselect attribute values for multiple products from the server side. (GITHUB-5459)

State/Province field is now displayed as required on the Add New Address page. (GITHUB-5279)

Maestro credit card now passes validation.

The cursor now appears as expected when you edit a product description.

Visual swatches are now displayed when in search results.

GiftRegistry *.less file is not properly packaged in the composer package

Delete paging functionality for configurable product variations.

The order comment timestamp now correctly reflects the time that the comment was submitted, not when the page was last refreshed. (GITHUB-5719), (GITHUB-5890)



Known issues

Issue: Logo Email for transactional emails can not be uploaded successfully (GITHUB-6275). Workaround: Create a header template and reference the image location absolutely.

Issue: Cannot save a custom transactional email logo. Workaround: None.

Issue: The scope selector on the Product page does not display all websites associated with a restricted user. Workaround: None.






2.0.9

15 August 2016 - 310MBFixed issues

Shopping cart: Magento no longer displays an incorrect price in the shopping cart when using multiple shipping addresses.
The Minicart Maximum Display Recently Added Item setting now works as expected. Previously, Magento displayed all the items in the shopping cart, even when the number of items exceeded this limit. (GITHUB-4750)
Performance: We've improved storefront performance when you use many variations of a configurable product.
Cart Price Rules are now applied as expected to Payment method conditions. Previously, discounts set in Cart Price Rules were not applied during checkout.
You can now save a product for which you've entered no Swatch attribute value when this attribute is not required. Previously, during product creation, Magento would not save the product unless you added a value to the swatch attribute even with "Values Required" set to No.
Attributes of the salesInvoiceRepository methods are now correctly type cast. (The datatype is now a float – not nullable float.) Previously, due to the use of an incorrect data type cast, Magento would produce an error when calling the salesInvoiceRepositoryV1GetList methods. (GITHUB-3605)
We've renamed the Tier Price option on the Advanced Pricing tab to Customer Group Price option.
Tier pricing now works correctly with full page cache. (GITHUB-5364)


Known issue

The Sales API does not currently support all the update operations on objects that you can execute from the Admin panel. (Objects in this context include orders, invoices, shipments, credit memos, and return merchandise authorizations.)






2.0.7

21 June 2016 - 310MBFixed

The payment gateway now works as expected in a Magento installation running PHP 7.0.3. Previously, when you would place an order in an installation running PHP 7.0.3, the checkout page would become unresponsive, and the transaction would not appear in the payment gateway. (GITHUB-2984, GITHUB-2878, GITHUB-3305, GITHUB-4076).






2.0.5

28 April 2016 - 310MBSecurity

Issue with persistent cross-site scripting through a user account has been resolved.
Magento now supports setting limits on password attempts. Previously, Admin and Customer Token API access did not limit the number of attempts to enter a password, inadvertently allowing brute force attempts to guess passwords.
APIs that previously granted access to anonymous users are now configured to require a higher permission level. Default product behavior does not permit anonymous access to Catalog, Store and CMS APIs. However, if you would like to allow anonymous access, you can change this setting.
Magento now prevents the arbitrary execution of PHP code through the language package CSV file.
The encryption keys that are generated in System > Manage Encryption Key have been strengthened.
Reflected XSS can no longer occur through the Authorizenet module's redirect data.


Upgrade and Installation

Magento no longer creates store data inconsistently during installation.
During upgrade, the setup:config:set script no longer deletes values in the env.php file.


Import

Magento now successfully imports existing products as well as products that use custom URLs.
Product import now works successfully in a multi-store environment. Previously, Magento would display the following error message, "URL key for specified store already exists", when importing products into a multi-store configuration.


Export

Export performance has been enhanced. Pages no longer hang randomly, and CPU usage is no longer pegged. (GITHUB-3217)


APIs

The Orders API now exposes the shipping address. This corrects an issue with using this API to integrate with third-party systems.
The SOAP API now returns attributes of type "text swatch" and "visual swatch" when you use the API to add attribute options. Previously, this feature did not work for these attribute types.


PHP

Magento now allows you to use arguments of url type in nested arrays. Previously, you could pass route parameters only if the url argument was declared at the top level.


Database

Magento no longer duplicates queries to the database from the Catalog page. Instead, if Magento has already loaded specific data during request processing, it re-uses it instead of duplicating the query.
Magento no longer duplicates SQL queries on CMS and Category pages. Previously, significant duplications occurred.


Miscellaneous

Magento no longer displays HTML tags in messages.
Product performance has been enhanced when loading catalog products with multiple color swatches.
Magento now successfully saves and displays new customer attributes.
Magento performance has been improved by the removal of redundant get requests that previously occurred during shopping cart refresh.
Selecting the Use Aggregated Data option now correctly displays Dashboard data. (GITHUB-3459)
Magento now displays the expected color swatch when you select a color swatch for a configurable product. Previously, Magento did not change the color when you selected a swatch.
HTML template minification now properly handles commented code.
Deleting one of several custom options no longer deletes all options. Previously, deleting one option from the Product page also deleted all other custom options. (GITHUB-2989)
When Full Page Cache (FPC) is enabled, the CAPTCHA image differs for every user. Previously, the CAPTCHA image on the registration page remained the same for every customer after FPC was enabled.
Google no longer indexes the Admin URL. Previously, Google indexed the Admin side meta tag. The frontend meta tag was not affected.
Magento no longer sends a subscription success email whenever a customer enters his email address to subscribe to a newsletter. Users receive a "thank you for your subscription" message and a subscription success email only when registering for the first time.
Guests can now successfully click on the product page link for any item in an emailed shared wishlist.
Custom customer attributes are now saved at checkout.






2.0.2

3 February 2016 - 310MBThis release resolves issues that some users encountered while upgrading from Magento 2.0.0 to Magento 2.0.1.





2.0.1
 (major version) (security release)
26 January 2016 - 310MBWe are pleased to present Magento Community Edition 2.0.1, the next generation of the world’s leading digital commerce platform. This patch release contains several important functional updates, including official support for PHP 7.0.2. This release also includes numerous enhancements to improve the security of your Magento 2.0 installation. While there are no confirmed attacks related to these issues to date, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. 



PHP 7 Compatibility

Magento 2.0.1 adds support for PHP 7.0.2, which provides dramatic performance improvements, drastically reduces memory consumption, and supports new PHP language features.


USPS API Changes

On January 17, 2016, USPS made several changes to their services, rates, and package names. The updates are reflected in this release, and include the following changes: Standard Post renamed "Retail Ground", Flat Rate Box for Priority Mail Express Eliminated


Security Enhancements

SQL injection
Persistent XSS vulnerability for order comments made from Admin
Ability to save XSS code into database
Reflected XSS in cookie HTTP header
CSRF vulnerability on cart checkout
Ability for users to bypass filter by editing inline translations
Ability to access core system information using CMS blocks and cache entries
Ability to save XSS code through custom options
Ability to bypass Magento storefront CAPTCHA
Persistent XSS using customer name
Ability for unauthenticated users to delete any product review from the storefront
Attackers able to access order information in the store
Lack of password quality enforcement when changing admin passwords


General

Catalog price rule when specifying subproduct discounts.
Shopping cart for a registered user not returning a full list of selected products. The shopping cart of a registered user now operates as expected.
Failure to update minicart after completing an order using PayPal. Magento now clears the minicart as expected after you complete a purchase with PayPal.
Customer Edit form not appearing when you create a new Customer using a customer attribute. The Customer Edit form now appears as expected.
Sending messages using the wrong AMQP connection alias. Messages are now sent as expected.
Redundant calls to plugin methods.
Cart subtotal not including custom option prices in order calculations for configurable product. Shopping cart subtotal calculations now include custom option prices.
Catalog price rule not applied to the product created through the web API. Magento now applies the catalog price rule as expected.
Inconsistent application of discounts across all relevant configurable products. Magento now correctly displays discounts for all relevant options of a configurable product.
Incomplete display of category fields when working in store view scope. Magento now displays all scope information as expected.
Inability to create and save a new Content block. You can now add new blocks from the Admin.
Issue with checkbox component behavior. Checkbox component now displays expected behavior. Magento sends the checkbox input value (original) data only if the checkbox is checked upon form submission.
Selected country information not appearing at checkout.
Not all classes able to be intercepted in early stages of application life cycle.
JavaScript errors when loading product tables on a catalog page.
Failure during creation when Google experiments is enabled.
Unspecified resetting of product assignments after applying a filter from a category product listing.
Incorrect target for the "Learn More" link on the Payment Methods Configuration page.
Changes in the USPS API to match updated USPS method names.
Prices incorrect on product page for configurable product when catalog prices include tax.
Synonyms not working.
Orders not created when Include Tax in Order Total is set to "Yes."
Shipping address in the Orders API now exposes the shipping address value.
The Replace feature of the Import Product works in a multistore environment.
Magento now displays product tables correctly when an administrator navigates to Product > Inventory > Catalog after either of these two actions: 1) first time after product installation; 2) clearing cache and static file directories.
Creating a product with an empty file as a custom file option now works correctly.
Added autoload functionality instead of direct paths to load dependent files.
Product URL rewrites now works correctly when accessed from a Category page.


Import

Error during product import. Validation now works correctly.
Container components not disabled during import.


Testing

Legacy tests fail due to obsolete paths. References to classes in the legacy build removed.
Integration tests fail on Magento 2.0.


Performance

Redundant executions of MessageBox plugin.
Redundant executions of StoreCookie plugin.
Catalog pages in Magento installations running Varnish.
Swatch module on a category product listing page.
Large stores with a significant number of customers.


Installation and Upgrade

Issue with precompilation.
Product performance after an upgrade that modifies the database schema.
Accessing sample data after deploying Magento with composer create-project.
Travis Cl build failures due to authentication to repo.magento.com.


PHP

PHP syntax error prevents the collection of all phrases for translation.
Magento tries to save twice when a product is added to the catalog.
Code Migration tool randomly hangs and terminates with an error.






2.0.0
 (major version)
24 November 2015 - 310MBThe new Magento 2 platform empowers brands, retailers, and businesses across B2C and B2B industries to quickly and cost-effectively deliver engaging omnichannel shopping experiences. Magento 2 also offers enhanced performance and scalability,  new features to boost conversion rates, and business agility and productivity improvements. The new platform also builds on our open source heritage and offers unmatched flexibility and innovation opportunities to our global ecosystem of partners and developers.





1.9.3.9
 (security release)
14 August - 200MBMagento 1.9.3.9 provides resolution of multiple critical security issues. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.



Highlights

Magento no longer performs unnecessary write operations on the core_url_rewrite table.

Customers can now successfully register during checkout without being unexpectedly logged out.

Incorrect escaping in the cron.sh file no longer prevents cron jobs from running in parallel as expected.

Magento now cleans session data as expected after a customer logs out.



Known Issues

If your custom code or extension is using Zend/Filter/PregReplace.php with the modifier e, it will now return an error due to possible RCE issues.

Read more: http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html






1.9.3.8
 (security release)
12 March - 150MBMagento 1.9.3.8 provides resolution of multiple critical security issues. These critical security issues include authenticated Admin user remote code execution, unauthorized data leaks, and cross-site request forgery (CSRF) vulnerabilities. We recommend upgrading your Magento store to this latest version.



Highlights

Changed Magento Admin to support recent USPS shipping changes. On February 23, 2018, USPS removed APIs that support the creation of shipping labels without postage. In response, we’ve removed this functionality from the Magento Admin. Consequently, you cannot create and print shipping labels that do not have postage applied.

Updated copyright to 2018.



Notes

If you try to import products that contain HTML tags in the SKU attribute, Magento displays this error at the data validation stage (that is, when you click Check data): Invalid value in SKU column. HTML tags are not allowed.

If you try to create or edit a product in the Admin panel and the product’s SKU attribute value contains HTML tags, Magento throws this error when you try to save the product: HTML tags are not allowed in SKU attribute.

Read more: http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html






1.9.3.7
 (major version) (security release)
29 November 2017 - 150MBMagento 1.9.3.7 fixes multiple critical security issues. These issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version.



Highlights

Magento no longer displays the “Invalid Secret Key. Please refresh the page.” message when a user loads the Admin.

The one-page checkout page now displays the following message when a customer checks out an order for which no amount is due: No payment information required. Magento versions prior to 1.14.3.3 included this message, but it was missing from v1.14.3.3.

We’ve fixed a typo in the patch header information. (autocomplete="new-pawwsord” is now autocomplete="new-password”.) 



Notes

We no longer support custom file extensions for Mage::log(). Supported file extensions include .log, .txt, .html, .csv. For more information, navigate to Developers > Log Settings from the Admin. Magento displays this comment: Logging from Mage::log(). File is located in /var/log. Allowed file extensions: log, txt, html, csv.

Passwords for new users are now limited to 256 characters. If a new user enters a password that exceeds 256 characters, Magento displays this message: Please enter a password with at most 256 characters.

Read more: http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html






1.9.3.6
 (major version) (security release)
27 September 2017 - 150MBMagento 1.9.3.6 provides resolution of multiple critical security issues and several functional fixes. These critical security issues include remote code execution, cross-site scripting, and cross-site request forgery issues. We recommend upgrading your Magento store to this latest version. See Magento Security Center for a comprehensive discussion of these issues.



Highlights

Fixed an issue where uploaded images were twice their original size after you applied SUPEE-9767 v2.

Read more: http://devdocs.magento.com/guides/m1x/ce19-ee114/ce1.9_release-notes.html






1.9.3.4
 (major version) (security release)
13 July 2017 - 150MBMagento 1.9.3.4 addresses both security and functional issues discovered when using the SUPEE-9767 patch. We recommend upgrading.



Highlights

We've restored missing strip_tags functionality in the checkout JavaScript.

We've changed how Magento validates form keys during the generic five-step checkout process. Previously, customer registration failed during standard checkout processing if form key authentication was enabled.

Magento now displays the Allow_symlinks message in the Admin message area as expected.

Magento now preserves the background transparency of uploaded images as expected. Previously, transparency was lost after the image was uploaded, resulting in an unusable image.

You can now use Checkout with Multiple Addresses when checkout form validation is enabled.






1.9.3.3
 (major version) (security release)
1 June 2017 - 150MB
Includes patches: SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405, SUPEE-7405 v1.1, SUPEE-8788, SUPEE-9652, SUPEE-8167, SUPEE-9767

There are known issues in this release: https://magento.com/security/patches/supee-9767






1.9.3.2
 (security release)
7 February 2017 - 150MB
Includes patches: SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405, SUPEE-7405 v1.1, SUPEE-8788, SUPEE-9652






1.9.3.1

21 November 2016 - 150MB
Search results return all store products
Some integrations using Magento APIs no longer work
Bundled product prices do not update
Store-specific attribute labels disappear
Auto generated passwords do not work for some customers
Exceptions appear for stores with disabled breadcrumbs
Shipping rules may not be calculated correctly in some cases
PHP warnings occur with the session timestamp variable
CSRF form key is not changed after logout
Login attempts log protection table is not cleaned properly






1.9.3.0
 (security release)
26 October 2016 - 150MBIncludes patches: SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405, SUPEE-7405 v1.1, SUPEE-8788





1.9.2.4

26 February 2016 - 150MBThis release bundles improvements for issues reported by our merchants after installing the latest patch SUPEE-7405 (provided by version 1.9.2.3).



Bugfixes

Cart Merge Patch (SUPEE-7978): Carts with identical items now merge correctly. Previously, when a cart with one item was merged with another cart that contained the same item, Magento did not merge the cart totals correctly.The cart now includes only one item, and the total is correct.
SOAP API Patch (SUPEE-7822): The Magento SOAP API now works as expected. Previously after installing the SUPEE-7405 v1.0 patch, an API request would cause a 500 error, and Magento would log an exception.
PHP 5.3 Compatibility (SUPEE-7882): The patch was not compatible with PHP 5.3 for earlier versions of Magento that were still supporting this version. The issue experience by merchants was inability to view sales information in the Admin.
Upload File Permissions: The patch restores less restrictive file permissions (0666 for files and 0777 for directories) as more strict permissions introduced by the original SUPEE-7405 patch cause many merchants not to be able to view uploaded product images, depending on hosting provider configuration.






1.9.2.3
 (security release)
20 January 2016 - 150MBSecurity Enhancements

Includes patches: SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788, SUPEE-7616, SUPEE-7405






1.9.2.2
 (security release)
27 October 2015 - 150MBSecurity Enhancements

Includes patches: SUPEE-5344, SUPEE-5994, SUPEE-6237, SUPEE-6285, SUPEE-6482, SUPEE-6788






1.9.2.1
 (security release)
4 August 2015 - 150MBSecurity Enhancements

SUPEE-6482 - This patch addresses two issues related to APIs and two cross-site scripting risks.






1.9.2.0
 (security release)
7 July 2015 - 150MBSecurity Enhancements

SUPEE-6285 - This patch provides protection against several types of security-related issues, including information leaks, request forgeries, and cross-site scripting.






1.9.1.1-2
 (security release)
15 May 2015 - 150MBSecurity Enhancements

SUPEE-5994 - This patch addresses multiple security vulnerabilities in Magento Community Edition software, including issues that can put customer information at risk.






1.9.1.1

2 May 2015 - 150MBApplications:

This is Magento's official release to patch the SUPEE-5344 issue which was previously patched by Applications with the release of Magento 1.9.1.0-2.






1.9.1.0-2
 (security release)
24 April 2015 - 150MBSecurity Enhancements

SUPEE-5344 - Addresses a potential remote code execution exploit


Changes

SUPEE-4829 - This patch fixes an issue in which product images become larger when a shopper selects a swatch on a search result page.






1.9.1.0
 (security release)
24 November 2014 - 150MBHighlights

Configurable Swatches: Configurable swatches help you optimize the way products are presented on your site. New "swatch" capabilities make products more appealing—and boost conversion rates—by offering shoppers quick access to information, like available colors, fabrics, sizes, and more. Clicking on a swatch automatically updates the product image so shoppers see exactly what a color or fabric looks like, giving them confidence to proceed with their purchase.
Responsive Design Improvements: It has never been easier to create a mobile-friendly site now that Magento's responsive design reference theme includes all core Magento features, including gift registries, downloadable products, multiple wish lists, add-to-cart by SKU, and private sales. It even boasts responsive default email templates so customers can read your order confirmation emails and newsletters on any device.
Technology Updates: Magento Community Edition boosts performance and security by adding support for MySQL 5.6 and PHP 5.5. With MySQL 5.6, you benefit from improved site speed and scalability, reduced memory usage on the database server, and enhanced debugging tools. PHP 5.5 provides security improvements and ensures you have continued access to code updates. And, for those of you who haven't already upgraded from PHP 5.3, there are potential performance improvements—up to 25% based on reports from some customers. Magento Community Edition 1.9.1 has been updated to support Universal Analytics, the new standard for Google Analytics. With this update, merchants can define more custom dimensions and metrics for tracking, incorporate offline and mobile app interactions, and gain access to ongoing feature updates that will only be available on Universal Analytics.
Other Improvements: Magento CE 1.9.1 includes updates to promotions, product import/export capabilities, security, and other features as part of our commitment to continually improve product quality.


Security Enhancements

SUPEE-1533 - Addresses two potential remote code execution exploits
Resolved potential issues as discussed in Resolving a Remote Code Execution Exploit.
Magento thanks Matt Barrah for contributing to this fix.
To change their password, a Magento administrator must first enter their existing password.
Resolved a potential XML External Entity Processing (XXE) exploit with the potential to cause a Denial of Service attack.
Customer passwords are no longer stored in clear text during registration.
Storefront users no longer see each others' user names in certain circumstances.
To change an administrator password using the Admin Panel, you must first enter your existing password.
Added a secure cookie flag for the storefront to prevent man-in-the-middle attacks. Configuration options haven't changed; they are still under System > Configuration > GENERAL > Web, option groups Secure and Unsecure.


Changes

Changed the following PayPal Express Checkout configuration options (System > Configuration > SALES > Payment Methods, PayPal Express Checkout):
Shortcut on Shopping Cart renamed to Display on Shopping Cart and moved from Basic to Advanced.
The recommended Display on Shopping Cart option is now worded Yes (PayPal recommends this option).
It's more important than ever for you to configure a Magento cron job. In addition to indexing and other core functions, all Magento e-mails (including order confirmation and transactional) are now queued and sent according to your configured cron schedule.
The PayPal Bill Me Later logo and name has been replaced by PayPal Credit.
Bill Me Later options now display only in U.S. stores.
The Zend Framework version has been updated to 1.12.7.
Check out with PayPal and PayPal Credit buttons now display on product pages for gift cards and dynamic bundled products.
Updated PayPal buttons for US-based stores.
Orders with PayPal viewed on the Admin Panel have a link that enables a Magento administrator to view the order on the PayPal site.
Magento thanks Florinel Chis of Elastera for contributing to this fix.
The PayPal Standard API has been replaced with the newer PayPal Express Checkout API.
Magento CE and EE now use Google Universal Analytics.
When defining a tax rate, you can now use a wildcard character for State in any locale.
Implemented responsive transactional e-mails.

Read more: http://magentocommerce.com/knowledge-base/entry/ce19-later-release-notes#ce19-1910






1.9.0.1

16 May 2014 - 150MBFixed:

Customers can no longer apply a coupon from an inactive shopping cart price rule to a purchase.
Customers using a smartphone or other small viewport can expand subcategories in the web store that uses the new responsive theme.

Read more: http://magentocommerce.com/knowledge-base/entry/ce-19-and-ee-114-documentation-home






1.9.0.0
 (major version)
14 May 2014 - 150MBA new responsive design reference theme makes it easier and less costly for merchants to delight customers using mobile devices, and new payment options help merchants improve conversion and sales. Merchants also benefit by being better able to support customers across geographies, and from improvements in product quality, search and security.



Key benefits

Merchants can get a tablet and smart phone friendly responsive site in about half the time as before, speeding time to market and freeing up resources for other projects.

With a responsive site, merchants will be better able to participate in the fast growing mobile commerce space, and will have a site that is more easily adapted to new opportunities and less expensive to maintain. A responsive site also offers potential SEO benefits from using Google's preferred approach to mobile-optimizing sites.

Merchants can capture up to 18% more sales by providing customers access to financing through the Bill Me Later service. And they can offer their customers a smoother, more streamlined PayPal Express Checkout experience, which tries alternative payment options when a customer's credit card is rejected.

Updates available in Magento Enterprise Edition 1.14, give shoppers access to fresher search results because search indexing is performed automatically as the product catalog changes. Improved indexing also helps merchants work more efficiently, because incremental index updates no longer require manual intervention and admin performance is faster.

Merchants operating across regions and geographies can show their customers a single price. Pricing is clean and uncluttered regardless of tax structures and rates that vary from country to country.

Merchants benefit from greater security and ongoing support updates.

Read more: http://magentocommerce.com/knowledge-base/entry/ce-19-and-ee-114-documentation-home






1.8.1.0-2
 (security release)
24 April 2015 - 218MBSecurity Enhancements

SUPEE-5344 - Addresses a potential remote code execution exploit
SUPEE-1533 - Addresses two potential remote code execution exploits






1.8.1.0
 (security release)
11 December 2013 - 218MBMagento CE 1.8.1.0 helps advance overall product quality and ease operations by providing significant tax calculation improvements, a wide range of bug fixes, and several security enhancements.
Read more: http://magentocommerce.com/knowledge-base/entry/ce-18-later-release-notes






1.8.0.0
 (major version)
25 September 2013 - 218MBThis new edition improves tax calculations, boosts product quality and stability, enhances performance, and advances security for the rapidly growing Magento community.



Highlights

Major overhaul of tax calculation formulas, correction of rounding errors, and additional assistance with configuration.
Optimized cache adapters for single-server systems
Upgraded Redis cache adapters for multi-server systems.
To set up and use Redis with Magento, see Using Redis with Magento Community Edition (CE) and Enterprise Edition (EE).
Eliminated many types of database deadlocks.

Read more: http://magentocommerce.com/knowledge-base/entry/ce-18-later-release-notes






1.7.0.2

5 July 2012 - 218MB





1.7.0.1

20 June 2012 - 218MB





1.7.0.0
 (major version)
24 April 2012 - 218MB





1.6.2.0

11 January 2012 - 200MB





1.6.1.0

19 October 2011 - 200MB





1.6.0.0

18 August 2011 - 200MB





1.5.1.0

27 April 2011 - 175MB





1.5.0.1

10 February 2011 - 175MB





1.5.0.0

9 February 2011 - 175MB





1.4.2.0

9 December 2010 - 160MB





1.4.1.1

27 July 2010 - 160MB





1.4.1.0

12 June 2010 - 150MB





1.4.0.1

22 February 2010 - 135MB





1.4.0

13 February 2010 - 135MB





1.3.2.4

25 September 2009 - 125MB





1.3.2.3

23 July 2009 - 125MB





1.3.2.2

3 July 2009 - 125MB





1.3.2.1

2 June 2009 - 125MB





1.3.2

30 May 2009 - 125MB





1.3.1.1

20 May 2009 - 55MB





1.3.1

18 April 2009 - 55MB





1.3.0

31 March 2009 - 55MB





1.2.1.2

3 March 2009 - 55MB





1.2.1.1

23 February 2009 - 55MB





1.2.1

2 February 2009 - 55MB





1.2.0.3

24 January 2009 - 55MB





1.2.0.2

13 January 2009 - 55MB





1.2.0.1

31 December 2008 - 55MB





1.2.0

30 December 2008 - 55MB





1.1.8

26 November 2008 - 55MB





1.1.7

20 November 2008 - 55MB





1.1.6

28 October 2008 - 55MB