Magento 1.9 Security Patches – How to Download and Install Without SSH

Tags: magento-1.9, patches, security, ssh, supee-7405

The Magento security patches look like they are .sh files, how would someone apply these patches without SSH access to their Magento installations?

Also, are these patches cumulative? I.e., will they be included in future versions of Magento, or do they need to be reapplied?

I'm asking this question because I logged into my admin panel and received a critical security warning:

Download and implement 2 important security patches (SUPEE-5344 and SUPEE-1533) from the Magento Community Edition download page (https://www.magentocommerce.com/products/downloads/magento/).

If you have not done so already, download and install 2 previously-released patches that prevent an attacker from remotely executing code on Magento software. These issues affect all versions of Magento Community Edition.

A press release from Check Point Software Technologies in the coming days will make one of these issues widely known, possibly alerting hackers who may try to exploit it. Ensure the patches are in place as a preventative measure before the issue is publicized.

and this as of May 14, 2015:

It is important for you to download and install a new security patch (SUPEE-5994) from the Magento Community Edition download page (https://www.magentocommerce.com/products/downloads/magento/). Please apply this critical update immediately to help protect your site from exposure to multiple security vulnerabilities impacting all versions of the Magento Community Edition software. Please note that this patch should be installed in addition to the recent Shoplift patch (SUPEE-5344).

I also received the following email:

Dear Magento Merchant,

To further secure the Magento platform from potential attacks, we are releasing a new patch (SUPEE-5994) with multiple critical security fixes today. The patch addresses a range of issues, including scenarios where attackers can gain access to customer information. These vulnerabilities were gathered through our multi-point security program, and we have received no reports of merchants or their customers being impacted by these issues.

All versions of Magento Community Edition software are impacted and we strongly recommend that you work with your Solution Partner or developer to immediately deploy this critical patch. Please note that this patch should be installed in addition to the recent Shoplift patch (SUPEE-5344). More information about the security issues is available in the Appendix of the Magento Community Edition user guide.

You can download the patch from the Community Edition download page. Look for the SUPEE-5994 patch. The patch is available for Community Edition 1.4.1 – 1.9.1.1.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing patches on Magento Community Edition is available online.

Thank you for your attention to this issue.

UPDATE JULY 7 – 2015

July 7, 2015: New Magento Security Patch (SUPEE-6285) – Install Immediately
Today we are providing a new security patch (SUPEE-6285) that addresses critical security vulnerabilities. The patch is available for Community Edition 1.4.1 to 1.9.1.1 and is part of the core code of our latest release, Community Edition 1.9.2, available for download today. PLEASE NOTE: You must first implement SUPEE-5994 to ensure SUPEE-6285 works properly. Download Community Edition 1.9.2 or the patch from the Community Edition download page: https://www.magentocommerce.com/products/downloads/magento/

UPDATE AUG 4 – 2015

August 4, 2015: New Magento Security Patch (SUPEE-6482) – Install Immediately
Today we are providing a new security patch (SUPEE-6482) that addresses 4 security issues; two issues related to APIs and two cross-site scripting risks. The patch is available for Community Edition 1.4 and later releases and is part of the core code of Community Edition 1.9.2.1, which is available for download today. Before implementing this new security patch, you must first implement all previous security patches. Download Community Edition 1.9.2.1 or the patch from the Community Edition download page at https://www.magentocommerce.com/products/downloads/magento/

UPDATE OCT 27 – 2015

October 27, 2015: New Magento Security Patch (SUPEE-6788) – Install Immediately
Today, we are releasing a new patch (SUPEE-6788) and Community Edition 1.9.2.2/Enterprise Edition 1.14.2.2 to address 10+ security issues, including remote code execution and information leak vulnerabilities. This patch is unrelated to the Guruincsite malware issue. Be sure to test the patch in a development environment first, as it can affect extensions and customizations. Download the patch from the Community Edition Download page/Enterprise Edition Support Portal and learn more at http://magento.com/security/patches/supee-6788.

UPDATE JAN 20 – 2016

Important: New Security Patch (SUPEE-7405) and Release – 1/20/2016
Today, we are releasing a new patch (SUPEE-7405) and Community Edition 1.9.2.3/Enterprise Edition 1.14.2.3 to improve the security of Magento sites. There are no confirmed attacks related to the security issues, but certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. You can download the patch and release from Community Edition Download page/MyAccount and learn more at https://magento.com/security/patches/supee-7405.

UPDATE FEB 23 – 2016

Updated versions of the SUPEE-7405 patch are now available. The updates add support for PHP 5.3 and address issues with upload file permissions, merging carts, and SOAP APIs experienced with the original release. They DO NOT address any new security issues. You can download the patch and release from Community Edition Download page/MyAccount and learn more at https://magento.com/security/patches/supee-7405.

Best Answer

Applying patches manually with no SSH access

You have a good point here. The patches are supplied as .sh files, and there is no solution offered by Magento for FTP-only websites.

I suggest copying the website's code to a local environment through FTP (you probably have that already), then applying the patch there by running the .sh file.

Now you need to find out which files you need to upload again. If you open the .sh patch file, you will see it consists of two sections:

  1. Bash shell code to apply the patch. This code is the same for every patch.
  2. The actual patch, in unified diff format. This contains only the lines in files that were changed (plus some context lines). It starts below the line __PATCHFILE_FOLLOWS__

From the second section you could read which files were/are affected by the patch. You need to upload these files again to your FTP or... you could just upload everything.

Applying manually without bash/shell

  1. If you can't run .sh files (e.g. on Windows), you could extract the second section of the patch (the unified diff) and apply it manually with a patching tool (or, for example, through PhpStorm).
  2. The website Magentary.com provides ZIP files for each Magento version containing the patched files only.

Patches in current & future releases?

The patches that are released right now apply to all versions that were already released. Of course, Magento might release a new version (major or minor); that will then contain all security patches, as Magento naturally also applies the patches to their development code base (these patches even originate from that code base ;)).

UPDATE:
With every recent patch, Magento has also released new versions of Magento CE and EE that already contain that patch. See the Release Archive tab on the Magento download page.

Check this sheet, maintained by JH, for which patches to install for which Magento CE and EE version: https://docs.google.com/spreadsheets/d/1MTbU9Bq130zrrsJwLIB9d8qnGfYZnkm4jBlfNaBF19M
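As an added worked example (not code from the answer above, from Magento, or from any SUPEE patch), the script below does the "find out which files to upload" step of the procedure described in the answer: it cuts the unified diff out of a SUPEE-style .sh file at the `__PATCHFILE_FOLLOWS__` line, then walks the `diff --git` headers to separate files that must be re-uploaded (modified or added) from files the patch deletes (target `/dev/null`), which you must remove on the server by hand since an FTP upload will not do that. The embedded patch text is a constructed sample with invented paths and hunks, standing in for a real SUPEE-xxxx .sh; `extract_diff`, `affected_files` and `write_diff` are names chosen here, not Magento tooling.

```python
"""List the files a Magento SUPEE-style .sh patch touches, for FTP-only deploys.

Added example, not Magento's code.  The .sh patch is a bash prologue followed
by a marker line and a unified diff; we only need the diff part.
"""
from typing import List, NamedTuple

MARKER = "__PATCHFILE_FOLLOWS__"

# Constructed sample standing in for a real SUPEE-xxxx.sh (paths and hunks
# are invented).  Note the prologue mentions the marker inside a sed
# expression, so the split must look for a line that IS the marker, not a
# line that merely contains it.
SAMPLE_PATCH_SH = """#!/bin/bash
# constructed prologue, not Magento's actual apply script
CURRENT_DIR=$(pwd)
sed -e '1,/^__PATCHFILE_FOLLOWS__$/d' "$0" | patch -p0
exit 0

__PATCHFILE_FOLLOWS__
diff --git app/code/core/Mage/Example/Model/Thing.php app/code/core/Mage/Example/Model/Thing.php
index 1111111..2222222 100644
--- app/code/core/Mage/Example/Model/Thing.php
+++ app/code/core/Mage/Example/Model/Thing.php
@@ -10,7 +10,7 @@ class Mage_Example_Model_Thing
     public function load($id)
     {
-        $id = $this->_getParam('id');
+        $id = (int) $this->_getParam('id');
         return $this->_load($id);
     }
 }
diff --git skin/frontend/base/default/js/old.js skin/frontend/base/default/js/old.js
deleted file mode 100644
index 3333333..0000000
--- skin/frontend/base/default/js/old.js
+++ /dev/null
@@ -1,2 +0,0 @@
-// obsolete helper
-var old = 1;
"""


class Affected(NamedTuple):
    upload: List[str]  # exist after patching: re-upload these over FTP
    delete: List[str]  # removed by the patch: delete these on the server


def extract_diff(patch_sh: str) -> str:
    """Return everything after the line that consists solely of MARKER."""
    lines = patch_sh.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.rstrip("\r\n") == MARKER:
            return "".join(lines[i + 1:])
    raise ValueError(f"no {MARKER} line found; is this a Magento .sh patch?")


def affected_files(diff_text: str) -> Affected:
    """Classify files from the ---/+++ headers that follow each 'diff --git'.

    Only header lines directly after 'diff --git' are read, so a removed
    body line that happens to start with '--- ' is not mistaken for a header.
    """
    upload, delete = set(), set()
    in_header, old = False, None
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_header, old = True, None
            continue
        if not in_header:
            continue
        if line.startswith("--- "):
            old = line[4:].split("\t")[0]
        elif line.startswith("+++ "):
            new = line[4:].split("\t")[0]
            if new == "/dev/null":
                delete.add(old)  # file deleted by the patch
            else:
                upload.add(new)  # modified, or added when old is /dev/null
            in_header = False  # hunk body follows; skip to next diff --git
    return Affected(sorted(upload), sorted(delete))


def write_diff(patch_sh_path: str, out_path: str) -> Affected:
    """Save the bare unified diff for a GUI patch tool and return the file lists."""
    with open(patch_sh_path, encoding="utf-8") as fh:
        diff_text = extract_diff(fh.read())
    with open(out_path, "w", encoding="utf-8") as fh:
        fh.write(diff_text)
    return affected_files(diff_text)


if __name__ == "__main__":
    result = affected_files(extract_diff(SAMPLE_PATCH_SH))
    print("upload:", *result.upload, sep="\n  ")
    print("delete:", *result.delete, sep="\n  ")
```

The paths in the sample carry no `a/`/`b/` prefix, so a patch tool fed the extracted `.diff` needs strip level 0 (`patch -p0`), run from the Magento root of your local copy; check the prefix in the real file before choosing the level. Apply the diff locally, upload every path in `upload`, remove every path in `delete` on the server, and keep the `.diff` with your deployment notes so you can tell later which SUPEE patches a given install has.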
