Magento Open Source 2.0.10 Release Notes

We are pleased to present Magento Open Source (formerly Community Edition) 2.0.10. This release includes multiple security and functional enhancements as well as enhancements to the Sales API. New Sales API methods allow third party solutions, such as shipping or ERP applications, to use APIs when they create an invoice or shipment.

Backward-incompatible changes are documented in Magento 2.0 Backward Incompatible Changes.

Highlights

• Patch 2.0.10 is now compatible with MySQL 5.7.

• Patch 2.0.10 introduces two new web APIs (or service contracts) for the Sales module that incorporate functionality into the Sales API that is currently available in the Admin interface. After you install this patch, you’ll be able to use the Sales API ShipOrder and InvoiceOrder methods to capture payment and ship product. For more information on these API enhancements, see the Sales API discussion in the Module Reference Guide.

Why are we adding new APIs in a patch release?

These new interfaces will not break any existing customizations or extensions. See Alan Kent’s blog about Magento for more information about these features and Magento’s use of semantic versioning.

Security enhancements

This release includes enhancements to improve the security of your Magento software. While there are no confirmed attacks related to these issues to date, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. We recommend that you upgrade your existing Magento software to the latest version as soon as possible.

The following list provides an overview of the security issues fixed in this release. We describe each issue in greater detail in the Magento Security Center.

General security

• You can no longer delete a currently logged-in user.

• Fixed issue that occurred during update with disclosure of the application’s internal path.

• Fixed issue that occurred during setup with disclosure of the application’s internal path.

• Sessions now expire as expected after logout.

• Fixed issue with using the Magento Enterprise Edition invitations feature to insert malicious JavaScript and subsequently execute it in the Admin context.

• You can no longer change or fake a product price from the Magento storefront and then complete an order with that fake price.

• A user with lesser privileges can no longer use a JSON call to force an Admin user to add his private or public key.

• Fixed remote code execution issue in checkout.

• Upgrade now places stores in maintenance mode as expected. (GITHUB-3191)

• Resolved issue with potential SQL injection through the use of the ordering or grouping parameters.

• Fixed issue with retrieving potentially sensitive information through the use of backend media.

Denial-of-service (DoS) attacks and brute force attacks

• The Guest order view protection code is no longer vulnerable to brute force attacks.

• Fixed vulnerability to DoS attacks by full page cache poisoning.

Cross-Site Request Forgery (CSRF)

• Removed vulnerability in cart checkout experience by enhancing server-side CSRF validation.

• Resolved a potential vulnerability in which customer addresses could be deleted. You can no longer deceive a user into deleting his store address book entries.

Cross-site scripting (XSS)

• Fixed issue with XSS reflection in the loading section of REST requests.

• Fixed issue with potential storage of malicious XSS code in the body of an email template. (A malicious user could use this this script to steal user information and cookies, or to bypass cross-site request forgery protection.)

Functional fixes

We address the following functional issues in this release.

Sales API enhancements

• We’ve added the ability to change the status of a shipment through the web API. The new ShipOrder interface support tasks you can already do through the Admin dashboard, including the ability to:

  • create a shipment document (full or partial)

  • add details about shipped items into an order

  • change status and state of an order according to performed actions

  • notify customer about new shipment document

• We’ve added the ability to change the status of an invoice through the web API. The new InvoiceOrder interface supports tasks you can already do through the Admin dashboard, including the ability to:

  • create an invoice document (full or partial)

  • capture money placed with order payment

  • notify a customer about document creation

  • change order status and state

For more information on these API enhancements, see Magento Sales API.

Performance

• We’ve improved the load speed of the configurable product form.

• We’ve improved the load speed of the review step for the wizard used to create a configurable product.

Tracking and shipping

• Changing the city field of an order now affects the shipping rate as expected. Previously, the shipping rate was not updated when you changed the city on your order form.

• Magento now returns UPS shipping rates for Puerto Rico.

• Magento no longer throws an exception if you enter an invalid FedEx shipment tracking number.

Cart and checkout

• Magento now updates the mini cart as expected when you reorder an item. Previously, Magento added the reordered items to the shopping cart, but the mini cart did not update its item count. (GITHUB-6121)

• You can now use an alternative Merchant Account ID when using Braintree as a payment method. (GITHUB-5910)

General fixes

• Magento now returns you to the Admin dashboard after you’ve successfully changed your Admin password. Previously, Magento prompted you to change your password even after you just successfully changed it. (GITHUB-4331)

• You can now update multiselect attribute values for multiple products from the server side. (GITHUB-5459)

• State/Province field is now displayed as required on the Add New Address page. (GITHUB-5279)

• Maestro credit card now passes validation.

• The cursor now appears as expected when you edit a product description.

• Visual swatches are now displayed when in search results.

• GiftRegistry *.less file is not properly packaged in the composer package

• Delete paging functionality for configurable product variations.

• The order comment timestamp now correctly reflects the time that the comment was submitted, not when the page was last refreshed. (GITHUB-5719), (GITHUB-5890)

Known issues

• Issue: Logo Email for transactional emails can not be uploaded successfully (GITHUB-6275). Workaround: Create a header template and reference the image location absolutely.

• Issue: Cannot save a custom transactional email logo. Workaround: None.

• Issue: The scope selector on the Product page does not display all websites associated with a restricted user. Workaround: None.

System requirements

Our technology stack is built on PHP and MySQL. For more information, see System Requirements.

composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition=<version> <installation directory name>

composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition=2.0.10 magento2