Magento 1.14 – Resolving Security Patch Issues

magento-1.14patchesSecurity

I scanned my site from the New Magento Security Tool available from magento partner portal.

The report showed me two Vulnerability issues

1) SSL TLS – Your server supports TLSv1.0. Please update your configuration to discontinue TLSv1.0 support.

How can i fix this issue?

Best Answer

This is a server configuration issue.

Depending on where/how you are hosting, contact your hosting provider to disable TLS v1.0.

If you're responsible for the server yourself, it depends on your setup. You might also be interested in this link: https://serverfault.com/questions/314858/how-to-enable-tls-1-1-and-1-2-with-openssl-and-apache

Applying patches manually with no SSH access

You have a good point here. The patches are supplied as .sh files and there is no solution offered by Magento for FTP only websites.

I suggest one would copy his website's code to a local environment through FTP (you would probably have that already). Then apply the patch by running the .sh file.

Now you need to find out which files you need to upload again. If you would open the .sh patch file, then you will see it consist of two sections:

Bash shell code to apply the patch. This code is general for every patch.
The actual patch in the form of a unified patch format. This indicates only the lines in files that were changed (including some context lines). This starts below the line __PATCHFILE_FOLLOWS__

From the second section you could read which files were/are affected by the patch. You need to upload these files again to your FTP or... you could just upload everything.

Applying manually without bash/shell

If you can't run .sh files (in Windows), then you could extract the second section of the patch (the unified patch) and apply it manually with a patching tool (or for example through PHPStorm).
The website Magentary.com provides ZIP files for each Magento version containing the patched files only.

Patches in current & future releases?

The patches that are released right now apply to all versions that were already released. Of course, might Magento release a new version (major or minor). Then they will contain all security patches as Magento will also apply the patches to their development code base naturally (these patches even originate from that code base ;)).

UPDATE:
Every last patch Magento has also released new versions of Magento CE and EE already containing the specific latest patch. See the Release Archive tab on the Magento download page.

Check this sheet, maintained by JH, for which patches to install for which Magento CE and EE version: https://docs.google.com/spreadsheets/d/1MTbU9Bq130zrrsJwLIB9d8qnGfYZnkm4jBlfNaBF19M

Magento – Not able to apply security patch SUPEE-6285

this is because you have not applied previous patches 5994

enter image description here

diff --git downloader/template/connect/packages_prepare.phtml downloader/template/connect/packages_prepare.phtml
index 1e5a7e0..90562f5 100644
--- downloader/template/connect/packages_prepare.phtml
+++ downloader/template/connect/packages_prepare.phtml
@@ -33,7 +33,7 @@
 Extension dependencies
 <form action="<?php
     echo $this->url('connectInstallPackagePost')?>" method="post" target="connect_iframe" onsubmit="onSubmit(this)">
-    <input type="hidden" name="install_package_id" value="<?php echo $this->get('package_id'); ?>">
+    <input type="hidden" name="install_package_id" value="<?php echo $this->escapeHtml($this->get('package_id')); ?>">
     <table cellspacing="0" cellpadding="0" width="100%">
         <col width="150" />
         <col width="250" />

Best Answer

Related Solutions

Magento 1.9 Security Patches – How to Download and Install Without SSH

Applying patches manually with no SSH access

Applying manually without bash/shell

Patches in current & future releases?

Magento – Not able to apply security patch SUPEE-6285

Related Topic