Magento Commerce 2.1.2 Release Notes

We are pleased to present Magento Commerce (formerly Enterprise Edition) 2.1.2. This release includes security enhancements and several functional fixes.

Backward-incompatible changes are documented in Magento 2.1 backward incompatible changes.

Highlights

Magento 2.1.2 contains multiple bug fixes and enhancements, including:

  • Support for PHP 7.0.4 and 5.6.5. This release supports PHP 5.6.5 and above instead of 5.6.x.

  • Compatible with MySQL 5.7.

  • Two new web APIs (or service contracts) for the Sales module that bring functionality currently available in the Admin interface into the Sales API. After you install this patch, you’ll be able to use the Sales API ShipOrder and InvoiceOrder methods to capture payment and ship product. See Module Reference Guide for information on using the ShipOrder and InvoiceOrder interfaces.

Why are we adding new APIs in a patch release?

These new interfaces will not break any existing customizations or extensions. See Alan Kent’s blog about Magento for more information about these features and Magento’s use of semantic versioning.

Security enhancements

This release includes enhancements to improve the security of your Magento software. While there are no confirmed attacks related to these issues to date, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. We recommend that you upgrade your existing Magento software to the latest version as soon as possible.

The following list provides an overview of the security issues fixed in this release. We describe each issue in greater detail in the Magento Security Center.

General security

  • Fixed issue with using the Magento Enterprise Edition invitations feature to insert malicious JavaScript and subsequently execute it in the Admin context.
  • You can no longer change or fake a product price from the Magento storefront and then complete an order with that faked price.
  • Fixed issue with arbitrary PHP code execution during checkout.
  • Magento no longer permits you to use Products > Images and Videos > Insert YouTube video to potentially upload malicious code.
  • Fixed issue with running cron jobs less frequently than specified by the application cron setting.
  • Sessions now expire as expected after logout.
  • Removed potential for exploitation of guest order view feature to harvest order information.
  • Kount and 3D Secure now work as expected for Braintree Vault.
  • You can no longer delete a currently logged-in user.
  • A user with lesser privileges can no longer force an Admin user to add his private or public key using a JSON call.

Denial-of-service (DoS) attacks and brute force attacks

  • The Guest order view protection code is no longer vulnerable to brute force attacks.
  • You can no longer manipulate the full page cache to store incorrect pages under regular page URL entries.

Cross-site scripting (XSS)

  • Fixed issue with potential storage of malicious XSS code in the body of an email template. (A malicious user could use this script to steal user information and cookies, or to bypass cross-site request forgery protection.)
  • Fixed issue with cross-site scripting reflected in loading section of request.
  • Resolved a potential vulnerability in which customer addresses could be deleted. You can no longer deceive a user into deleting his store address book entries.

SQL injection

  • Fixed issue with potential SQL injection in the Zend framework through ordering or grouping parameters.

Functional fixes and enhancements

We address the following functional issues in this release.

Sales API enhancements

  • We’ve added the ability to change the status of a shipment through the web API. The new ShipOrder interface supports tasks you can already do through the Admin dashboard, including the ability to:

    • create a shipment document (full or partial)

    • add details about shipped items into an order

    • change status and state of an order according to performed actions

    • notify customer about new shipment document

  • We’ve added the ability to change the status of an invoice through the web API. The new InvoiceOrder interface supports tasks you can already do through the Admin dashboard, including the ability to:

    • create an invoice document (full or partial)

    • capture money placed with order payment

    • notify a customer about document creation

    • change order status and state

For more information on these API enhancements, see Magento Sales API.

  • We’ve fixed an issue with using the REST API to link simple products to configurable ones. (GITHUB-5243)
  • You can now use the REST API to create a configurable product with a linked child product. (GITHUB-5243)

Cart and checkout

  • Magento now updates order status as expected after a shipment or invoice has been created through the API.
  • Magento now updates the mini cart as expected when you reorder an item. Previously, Magento added the reordered items to the shopping cart, but the mini cart did not update its item count. (GITHUB-6121)

Tracking and shipping

  • Magento no longer throws an exception if you enter an invalid FedEx shipment tracking number.
  • Changing the city field of an order now affects the shipping rate as expected. Previously, the shipping rate did not update when you changed the city field.

Upgrade

  • You can now save simple products created in 2.0.x environments after upgrading to environments running Magento 2.1.x. Previously, you could not successfully save the opened product after upgrading.

General fixes

  • Magento 2.1.2 now supports PHP 7.0.4.
  • The Product page scope selector now displays all related websites associated with a restricted user.
  • We’ve resolved an issue with getting active payment methods (getActiveMethods). (GITHUB-5413)
  • Magento now correctly renders HTML tags on the Sales Order page price field.
  • Visual swatches are now displayed in search results.
  • Magento now factors in the Weight attribute as expected when you use advanced search on grouped products.

Known issues

  • Issue: Error creating configurable products in 2.1.1 (GITHUB-6424). Workaround: Clear your browser cache after upgrading.

  • Issue: When you edit a configurable product and add options to a simple product, Magento does not save these options. Workaround: None.

  • Issue: Logo for transactional emails cannot be uploaded successfully (GITHUB-6275). Workaround: None.

  • Issue: The catalogProductRepository API (REST) returns an unexpected attribute type. Certain attribute_code values (for example, category_ids) return an array instead of the expected string. Workaround: As needed, adjust your code so that it handles the response as an array.

  • Issue: Magento does not correctly display the Product > Catalog table after upgrade from 2.0.1 to 2.1.0 on systems running Varnish. Workaround: Restart Varnish after upgrading. For more information, see Component Manager and System Upgrade Guide: Step 4.

System requirements

Our technology stack is built on PHP and MySQL. For more information, see System Requirements.

Magento 2.1.2 requirements have changed slightly from 2.1.1. This release supports PHP 5.6.5 and above instead of 5.6.x.

Install the Magento software

See one of the following sections:

Get Magento Commerce using Composer

Magento Commerce (formerly Enterprise Edition) is available from repo.magento.com. Before installing the Magento Commerce software using Composer, familiarize yourself with these prerequisites, then run:

composer create-project --repository-url=https://repo.magento.com/ magento/project-enterprise-edition=<version> <installation directory name>

where <version> is 2.1.0, 2.1.1, and so on.

For example, to install 2.1.1 in the magento2 directory:

composer create-project --repository-url=https://repo.magento.com/ magento/project-enterprise-edition=2.1.1 magento2

Get Magento Commerce using a compressed archive

The following table discusses where to get the Magento software. We provide the following downloads:

  • Magento Commerce software only
  • Magento Commerce software with sample data (designed to help you learn Magento faster)

These packages are easy to get and install. You don’t need to use Composer; all you need to do is upload a package to your Magento server or hosted platform, unpack it, and run the web-based Setup Wizard.

Archives are available in the following formats: .zip, .tar.bz2, .tar.gz

To get the Magento Commerce archive:

  1. Go to your account on magento.com.
  2. Log in with your Magento user name and password.
  3. In the left navigation bar, click Downloads.
  4. In the right pane, click Magento Commerce 2.X > Full Release or Magento Commerce 2.X > Full Release + Sample Data for the software.
  5. Follow the instructions on your screen to complete the Magento Commerce download:

    • Magento-EE-<version>.* (without sample data)
    • Magento-EE-<version>+Samples.* (with sample data)
  6. Transfer the installation package to your development system.

Complete the installation

After you get the Commerce software:

  1. Set file system ownership and permissions.
  2. Install the software:

Upgrade from an earlier version

To upgrade to Magento Commerce 2.1 from an earlier version, see Upgrade to Magento version 2.1 (June 22, 2016).

Migration toolkits

The Data Migration Tool helps transfer existing Magento 1.x store data to Magento 2.x. This command-line interface includes verification, progress tracking, logging, and testing functions. For installation instructions, see Install the Data Migration Tool. Consider exploring or contributing to the Magento Data Migration repository.

The Code Migration Toolkit helps transfer existing Magento 1.x store extensions and customizations to Magento 2.0.x. The command-line interface includes scripts for converting Magento 1.x modules and layouts.