Magento Open Source 2.3.5 Release Notes

Magento Open Source 2.3.5 offers significant platform upgrades, substantial security changes, and performance improvements.

This release includes over 180 functional fixes to the core product and over 25 security enhancements. It includes resolution of over 46 GitHub issues by our community members. These community contributions range from minor clean-up of core code to significant enhancements to Inventory Management and GraphQL.

Quarterly releases may contain backward-incompatible changes (BIC). Magento 2.3.5 contains minor backward-incompatible changes. To review minor backward-incompatible changes, see BIC reference. (Major backward-incompatible issues are described in BIC highlights. Not all releases introduce major BICs.)

During pre-release, we discovered issues that forced us to create new packages. To expedite delivery, we chose to change the name of the full-release patch from 2.3.5 to 2.3.5-p1. The 2.3.5-p1 package contains all new features and fixes. We also changed the name of the security-only patch for this quarter from 2.3.4-p1 to 2.3.4-p2. Future releases will follow the typical package naming conventions for full-release and security packages. See Wishlist error during upgrade to Magento versions 2.3.4-p1 or 2.3.5.
Security-only patch available

Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release (for example, Magento 2.3.5-p1) provides. Patch 2.3.4.2 (Composer package 2.3.4-p2) is a security-only patch that provides fixes for vulnerabilities that have been identified in our previous quarterly release, Magento 2.3.4. All hot fixes that were applied to the 2.3.4 release are included in this security-only patch. (A hot fix provides a fix to a released version of Magento that addresses a specific problem or bug.)

For general information about security-only patches, see the Magento DevBlog post Introducing the New Security-only Patch Release. For instructions on downloading and applying security-only patches (including patch 2.3.4-p2), see Install Magento using Composer. Security-only patches include security bug fixes only, not the additional security enhancements that are included in the full patch.

With this quarterly release, we’ve changed how we describe these security issues. Individual issues are no longer described in the Magento Security Center. Instead, these issues are documented in an Adobe Security bulletin.
Other release information

Although code for these features is bundled with quarterly releases of the Magento core code, several of these projects (for example, Inventory Management and Progressive Web Applications (PWA) Studio) are also released independently. Bug fixes for these projects are documented in the separate, project-specific release information that is available in the documentation for each project.
Upgrade to Magento 2.3.5-p1 or 2.3.4-p2 for merchants running pre-release versions of Magento 2.3.5

Merchants upgrading to pre-release versions of Magento 2.3.5 and security-only patch 2.3.4-p1 and whose deployments contain bundle products may encounter the following error during upgrade:

Module ‘Magento_Wishlist’: Unable to apply data patch Magento\Wishlist\Setup\Patch\Data\CleanUpData for module Magento_Wishlist. Original exception message: Unable to unserialize value. Error: Syntax error

Merchants who encounter this error after installing Magento 2.3.5 should upgrade to Magento 2.3.5-p1. Merchants who encounter this error after installing Magento 2.3.4-p1 should upgrade to Magento 2.3.4-p2. See Wishlist error during upgrade to Magento versions 2.3.4-p1 or 2.3.5.
Download and run the updated Database Cleanup script

This hotfix addresses an issue with a previous database clean-up script that was released in March 2020. That database cleanup script has been updated to clear pre-existing failed login data in additional database tables. We recommend that all merchants run DB_CLEANUP_SCRIPT_v2 script to clear pre-existing failed login data in additional tables as soon as possible. See the Remove failed login attempts from the database support article.

Magento Open Source 2.3.4 Release Notes

Magento Open Source 2.3.4 offers significant platform upgrades, substantial security changes, and PSD2-compliant core payment methods.

This release includes over 220 functional fixes to the core product and over 30 security enhancements. It includes resolution of over 275 contributions by our community members. These community contributions range from minor clean-up of core code to significant enhancements to Inventory Management and GraphQL.
Security-only patch available

Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release (for example, Magento 2.3.4) provides. Patch 2.3.3.1 (Composer package 2.3.3-p1) is a security-only patch that provides fixes for vulnerabilities that have been identified in our previous quarterly release, Magento 2.3.3. All hot fixes that were applied to the 2.3.3 release are included in this security-only patch. (A hot fix provides a fix to a released version of Magento that addresses a specific problem or bug.) For general information about security-only patches, see the Magento DevBlog post Introducing the New Security-only Patch Release. For instructions on downloading and applying security-only patches (including patch 2.3.3-p1), see Install Magento using Composer. Security-only patches include only security bug fixes, not the additional security enhancements that are included in the full patch.

With this quarterly release, we’ve changed how we describe these security issues. Individual issues are no longer described in the Magento Security Center. Instead, these issues are documented in an Adobe Security bulletin. Please see Security updates available for Magento (APSB20-02).
Highlights

Look for the following highlights in this release:
Substantial security enhancements

This release includes the following security enhancements:
Over 30 security enhancements that help close cross-site scripting (XSS) and remote code execution (RCE) vulnerabilities

No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts: IP whitelisting, two-factor authentication, use of a VPN, the use of a unique location rather than /admin, and good password hygiene. See Adobe Security Bulletin for a discussion of these fixed issues. All known exploitable security issues fixed in this release (2.3.4) have been ported to 2.2.11, 1.14.4.4, and 1.9.4.4, as appropriate.
Security enhancements and fixes to core code

Additional security enhancements include:

    Removal of custom layout updates and the deprecation of layout updates to remove the opportunity for Remote Code Execution (RCE). The Custom Layout Update field on the CMS Page Edit, Category Edit, and Product Edit pages has now been converted to a selector. You can no longer specify an entity-specific layout update with text but instead must create a physical file that contains the layout updates and select it for use. The name of the file containing an update must follow the conventions described here.

    Redesigned content template features so that only whitelisted variables can be added to templates. This avoids the situation where administrator-defined templates such as email, newsletters, and CMS content can include variables and directives that can directly call PHP functions on objects.
	
Magento Open Source 2.3.3 Release Notes

Patch code and release notes published on October 8, 2019

Magento Open Source 2.3.3 offers significant platform upgrades, substantial security changes, and PSD2-compliant core payment methods.

This release includes over 170 functional fixes to the core product and over 75 security enhancements. It includes over 200 contributions from our community members. These contributions range from minor clean-up of core code to significant enhancements to Inventory Management and GraphQL.
New security-only patch available

Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release (for example, Magento 2.3.3) provides. Patch 2.3.2.1 (Composer package 2.3.2-p1) is a security-only patch that provides fixes for vulnerabilities that have been identified in our previous quarterly release, Magento 2.3.2. For general information about security-only patches, see the Magento DevBlog post Introducing the New Security-only Patch Release. For instructions on downloading and applying security-only patches (including patch 2.3.2-p1), see Install Magento using Composer.
Other release information

Although code for these features is bundled with quarterly releases of the Magento core code, several of these projects (for example, Page Builder, Inventory Management, and Progressive Web Applications (PWA) Studio) are also released independently. Bug fixes for these projects are documented in separate, project-specific release information which is available in the documentation for each project.
Highlights

Look for the following highlights in this release:
Substantial security enhancements

This release includes the following security enhancements:

    PSD2 compliance to core payment methods
    Fixes for 75 critical security issues
    Significant platform-security enhancements that boost XSS (cross-site scripting) protection against future exploits. This effort is the culmination of several months of concentrated effort on Magento’s part to reduce our backlog of security enhancements.

Core payment methods integrations are now compliant with PSD2 regulations

The European Union recently revised the Payment Services Directive (PSD) regulation with an updated version–PSD2. This revised regulation goes into effect on September 14, 2019, and will significantly affect most payment processing involving credit cards or bank transfers.  See the Magento Forum DevBlog post 3D Secure 2.0 changes for more information on Magento Payment Provider Recommendations and a wealth of links to PSD2 regulation discussions.

This release contains the following major PSD-related changes:

    The Braintree payment method now complies with PSD2 regulations. Its core integration API has been upgraded to the latest JavaScript SDK v3 API, which is a requirement for supporting native Braintree 3D Secure 2.0 adoption. Braintree transactions are now also verified by using the native Braintree 3D Secure 2.0 service.

    Authorize.net now provides the ability, through the cardholderAuthentication request field, to make 3D Secure verification through third-party services such as CardinalCommerce. Starting with this release, Authorize.net accept.js integration will support 3DS 2.0 through CardinalCommerce.

    The Cybersource and eWay payment modules have been deprecated in this release to comply with PSD2 SCA regulation, which takes effect on September 14, 2019. Use the official Marketplace extensions for these features instead.

Security enhancements and fixes to core code

    75 security enhancements that help close cross-site scripting (XSS) and remote code execution (RCE) vulnerabilities as well as other security issues. No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts: IP whitelisting, two-factor authentication, use of a VPN, the use of a unique location rather than /admin, and good password hygiene. See Magento Security Center for a comprehensive discussion of these issues. All known exploitable security issues fixed in this release (2.3.3) have been ported to 2.2.10, 1.14.4.3, and 1.9.4.3, as appropriate.

Magento Open Source 2.3.2 Release Notes
=============
Patch code and release notes published on June 25, 2019. Release notes last updated on June 26, 2019.

We are pleased to present Magento Open Source 2.3.2. This release includes over 200 functional fixes to the core product, over 350 pull requests contributed by the community, and over 75 security enhancements. It includes significant contributions from our community members.
Other release information

Although code for these features is bundled with quarterly releases of the Magento core code, several of these projects (for example, Page Builder, Inventory Management, and Progressive Web Applications (PWA) Studio) are also released independently. Bug fixes for these projects are documented in separate, project-specific release information which is available in the documentation for each project.
Apply the Scope parameter for Async/Bulk API patch to address an issue with the Async/Bulk REST API

In certain versions of Magento Open Source and Magento Commerce, the Asynchronous and Bulk REST endpoints support the default store view scope only. After this patch is applied to deployments running those versions of Magento, the current Magento message queue implementation  will factor in the store that executes queue operations. See Patch for Magento Framework Message Queue and Store Scopes for a full discussion of this scope-related issue and patch contents. See Applying patches for specific instructions on downloading and applying Magento patches. Navigate to the Magento Security Center, and select the patch associated with the version of Magento you are running.
Highlights

Look for the following highlights in this release:
Substantial security enhancements

This release is focused on substantial security enhancements:

    75 security enhancements that help close cross-site scripting (XSS), remote code execution (RCE), and sensitive data disclosure vulnerabilities as well as other security issues. No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. See Magento Security Center for a comprehensive discussion of these issues. All known exploitable security issues fixed in this release (2.3.2) have been ported to 2.2.9, 2.1.18, 1.14.4.2, and 1.9.4.2, as appropriate.

    Google reCAPTCHA module for PayPal Payflow checkout. The new PaypalRecaptcha module adds Google reCAPTCHA and CAPTCHA to the Payflow Pro checkout form. This enhanced functionality has been added in response to malicious targeting of Magento deployments that implement Payflow Pro. Configuration information can be found in Google reCAPTCHA.

Starting with the release of Magento Commerce 2.3.2, Magento will assign and publish indexed Common Vulnerabilities and Exposures (CVE) numbers with each security bug reported to us by external parties. This will allows users of Magento Commerce to more easily identify unaddressed vulnerabilities in their deployment.
Performance boosts

    Significant improvement to storefront page response time. The page response times for the catalog, search, and advanced search pages have been significantly improved under high load.

    Improved concurrent access to block cache storage. We have optimized the logic of concurrent access to the block cache, which has improved the response of storefront pages under high load by approximately 20%.

    Product page gallery load optimization. Product images are now loaded as quickly as other page content. In previous releases, although the product page loaded quickly, product images needed two to four additional seconds to load completely.

    Improved page rendering through deferred loading and parsing of storefront JavaScript. All non-critical JavaScript code has been relocated to the bottom of storefront pages, which speeds up page rendering and allows users to see the complete page sooner while nonessential elements remain inactive. To enable this performance enhancement, you must navigate to Stores > Configuration > Developer > JavaScript Settings and enable the Move JS code to the bottom of the page option.

Infrastructure improvements

This release contains 130 enhancements to core quality, which improve the quality of the Framework and these modules: Catalog, Sales, Checkout/One Page Checkout,  UrlRewrite, Customer/Customers, and UI. Here are some additional core enhancements:

    Braintree payment method is now supported for checkout with multiple addresses. Previously, you could not use Braintree and Braintree PayPal when checking out an order that was being shipped to multiple addresses. 


    The CGI URL gateway in UPS module has been updated from HTTP to HTTPS. The CGI URL gateway endpoint in the UPS module has been updated from HTTP to HTTPS in response to the disablement of the HTTP gateway by UPS in mid-2019. See Magento User Guide for information about using the UPS shipment method. Shipping method configuration settings are described in Shipping methods.

    Google chart API updated to the Image-Charts. Magento now uses the Image-Charts free service to render static charts in Admin dashboards. Earlier deployments used Google Image Charts, which was deprecated in 2012 and turned off on March 18, 2019.

Merchant tool enhancements

Magento now performs the following tasks as asynchronous background processes and sends system messages to alert Admin users when tasks complete. Moving these common administrative tasks to the background frees administrators to work on other tasks while the initial tasks are processing.

    Discount coupon generation. See Coupon Code.

    Mass editing of products.

    Data export. Previously, connection timeouts occurred during export of large data sets (for example, the export of 200,000 products). See Export for more information.

Vendor-developed extension enhancements

This release of Magento includes extensions developed by third-party vendors.
Amazon Pay

Amazon Pay is now compliant with the PSD2 directive for UK and Germany. See Payment services (PSD 2) - Directive (EU) for an introduction to PSD2.

Magento Open Source 2.3.1 Release Notes
=============
Release notes published on March 26, 2019 and last edited on June 26, 2019.

We are pleased to present Magento Open Source 2.3.1. This release includes over 200 functional fixes to the core product, over 500 pull requests contributed by the community, and over 30 security enhancements.

This release includes significant contributions from our community members. These contributions range from minor clean-up of core code to the development of substantial features such as Inventory Management and GraphQL. Although code for these features is bundled with quarterly releases of the Magento core code, several of these projects (for example, Page Builder and Progressive Web Applications (PWA) Studio) are also released independently. Bug fixes for these projects are not documented in these core release notes but in separate project-specific sets of notes.
Apply the Scope parameter for Async/Bulk API patch to address an issue with the Async/Bulk REST API

In certain versions of Magento Open Source and Magento Commerce, the Asynchronous and Bulk REST endpoints support the default store view scope only. After this patch is applied to deployments running those versions of Magento, the current Magento message queue implementation  will factor in the store that executes queue operations. See Patch for Magento Framework Message Queue and Store Scopes for a full discussion of this scope-related issue and patch contents. See Applying patches for specific instructions on downloading and applying Magento patches. To apply the patch, navigate to the Magento Security Center, and select the patch associated with the version of Magento you are running.
Apply the PRODSECBUG-2198 patch to address critical SQL injection vulnerability

A critical SQL injection vulnerability has been identified in 2.3.x Magento code. A fix for this issue is included in Magento 2.3.1. If you cannot immediately apply the full patch, you can quickly protect your store from this vulnerability by installing patch PRODSECBUG-2198. However, we strongly encourage all merchants to stay up-to-date on security patches. See the description of PRODSECBUG-2198 in the Magento Security Center for information on this vulnerability.

Follow these steps to download and apply this patch:

    Access the Downloads page here.

    Select the Git-based option from Select your format.

    Download the patch and upload to a specific directory in your Magento installation such as m2-hotfixes (confirm that the directory is not accessible publicly).

    From your project root, apply the patch.
 git apply ./m2-hotfixes/<patch-file-name>.

    Refresh the cache from the Admin (System > Cache Management).

PayPal Payflow Pro active carding activity update

The PayPal Payflow Pro integration in Magento is being actively targeted by carding activity. To resolve these carding activity issues, Magento has provided Composer packages that add an option for Google reCAPTCHA and CAPTCHA to the Payflow Pro checkout form. See PayPal Payflow Pro active carding activity for a full discussion of this issue and instructions on downloading these packages. We strongly recommend that all Payflow Pro merchants download and install these packages to help enhance the security of their storefronts.
Apply the Admin Dashboard Image-Charts patch to address deprecation of Google Image Charts

Magento 2.x currently uses Google Image Charts to render static charts in Admin dashboards. Google stopped supporting Google Image Charts on March 14, 2019, and Magento is providing the Admin Dashboard Image-Charts patch to replace Google Image Charts with the Image-Charts free service. Users of Magento 2.x deployments will not be able to view static charts in Magento 2.x instances unless they download and apply this patch.   See Switch from deprecated Google Image Charts to Image-Charts for Magento for information on downloading and applying this patch.
Highlights

Look for the following highlights in this release:
Merchant tool enhancements
Improved order creation workflow in the Admin

The Admin order creation workflow has been refactored to eliminate delays when editing billing and shipping addresses. Processing of these fields now happens only after they are populated.
Ability to upload PDP images without compression and downsizing

Merchants can now upload PDP images larger than 1920 x 1200 without first compressing and downsizing the images. Previously, when a merchant uploaded a high quality product image (larger than 1920 x 1200), Magento resized and compressed the image. Merchants can now set requirements for resizing and compression as well as compression quality and target width and height.
Inventory Management 1.1.0 (Community-developed feature!)

The Magento Inventory (was MSI) community project has added multiple new features to this release of Inventory Management. See Inventory Management Release Notes for information about specific fixes and acknowledgements to community contributors.

    Support for Elasticsearch and Inventory Management. All site searches now return correct products and quantities when Elasticsearch is used as the search engine. (As of this release, only default option from 2.3+) Searches return results from stock assigned to the website. Advanced features are supported, including filtering search results. Community-developed feature!

    Distance Priority Source Selection algorithm (SSA) option. Merchants can enable this algorithm to reduce fulfillment costs by shipping orders from the closest inventory locations. This SSA option uses address geocoding through the Google Maps API to calculate the shortest distance for deliveries. See Manage source selection algorithms.

    Enhancements to mass inventory transfers. Bulk transfer of inventory has been optimized to improve processing speed and to reduce locking during transfers.

Improved developer experience
Progressive Web Apps (PWA) Studio

PWA Studio is a set of developer tools that allow you to develop, deploy, and maintain a PWA storefront on top of Magento 2.x. See Magento PWA Documentation.
GraphQL

Community contributions for this release include major additions to cart actions (create cart, populate cart, set shipping address) and customers (create customer account). See Release Notes for information about specific fixes and acknowledgements to community contributors.
Substantial security enhancements

This release includes over 30 security enhancements that help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues. No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. See Magento Security Center for a comprehensive discussion of these issues. All exploitable security issues fixed in this release (2.3.1) have been ported to 2.2.8, 2.1.17, 1.14.4.1, and 1.9.4.1, as appropriate.
Performance boosts

    Customer address handling has been rewritten with UI components that increase platform performance, which in turn streamlines the management of customers with 3000 and more addresses.

    The Admin order creation page now handles customer accounts with 3000 addresses without performance issues. 


    Magento now displays the list of additional customer addresses contained in the storefront customer address book as a grid, which has improved performance for customers with many additional addresses associated with their accounts. Address Book describes how to use this enhanced feature.

    The shipping and billing data that a user enters during checkout now persists if the user interrupts checkout to continue shopping. Previously, checkout data was deleted after a cart update.

Infrastructure improvements

Infrastructure improvements are core enhancements that underlie both merchant and developer features.

    This release includes a new Authorize.Net extension to replace the Authorize.Net Direct Post module, which implemented an MD5-based hash that Authorize.Net will no longer support as of June 28, 2019. See Authorize.Net for information on configuring and using this new extension. Information about the deprecation of Authorize.Net Direct Post can be found here. Note that Magento released a patch in late February to address this issue on pre-2.3.1 installations of Magento, which is discussed in Update Authorize.Net Direct Post from MD5 to SHA-512.

    Accept.js library is now used for Authorize.NET payments.

    Magento now supports Elasticsearch 6.x. Fix submitted by community member Romain Ruaud in pull request 21458. Thank you, Romain!

    Update PayPal Express Checkout to checkout.js v4. This introduces a modernized checkout flow, faster checkout performance, and new payment options in a single integration that does not have to be updated as new payment methods become available. It also unlocks new payment options including Venmo and PayPal Credit. See PayPal Express Checkout.

    Magento now supports Redis 5.0.

    Magento support for PHP has changed slightly as a result of expanding our Elasticsearch support in this release. Magento 2.3.1 is compatible with PHP 7.2.x and certified on PHP 7.2.11.

    You can now isolate and extract MySQL Views from regular database tables with no negative effects on database backup and restoration. Support for MySQL Views was introduced in 2.3.0 with unexpected consequences to the default database backups and restore mechanism. This fix restores expected backup and restore functionality while preserving MySQL View support the backward compatibility with legacy inventory. Fix submitted by community member Stepan Furman in pull request 21151. Thank you, Stepan!

    Magento now uses version 6.0 of the DHL XML Services schema for the DHL shipping method. *

    Checkout information now persists after a cart update. Information previously entered by a customer during check out (such as shipping address) now persists after the customer updates their shopping cart. Previously, when a customer updated their shopping cart, all information previously entered during check out (such as shipping address) was deleted.
    Upgrade of Magento Functional Test Framework (MFTF) to 2.3.13.

Bundled extension enhancements

This release of Magento includes extensions developed by third-party vendors.
Amazon Pay

    Added multi-currency support for EU and U.K. merchants. See Use multi-currency for an introduction to using this new feature with Magento 2.x.

dotdigital Engagement Cloud (formerly dotmailer)

    dotmailer has been rebranded as dotdigital Engagement Cloud.

    Support for Marketing preferences has been added to the customer account dashboard area.

    If enabled, we now display the customer consent text in the customer’s account dashboard area as the general subscription text.

    The abandoned cart and automation process now benefits from a retry function if contacts are pending in dotdigital Engagement Cloud.

Magento Shipping

New features for Magento 2.3.1 include:

    Shipment Cancellation. You can now cancel a shipment that has not yet been dispatched by accessing the shipment and clicking Cancel Shipment.

    Portal Access via Magento. You can now access the Magento Shipping portal directly from Magento using the Magento Shipping credentials that are stored in your Magento instance.

Enhancements to existing features include:

    Multiple improvements to the Shipment workflow user experience.

    Batch Processing. Error messaging and field validation has been added to the batch processing workflow. See xxx for a description of other enhancements to batch processing.

    Collection Points. Available Collection Points have been expanded to cater for both FedEx Hold at Locations and UPS Access Points.

    Significant user interface changes have been made to the list of locations displayed during checkout. Opening and closing hours are now included when provided by the carrier.

    Click & Collect. The list of Click & Collect locations in checkout has been brought in line with the new Collection Points list. For a description of the new Collection Points list, see xxx.

    Carrier Specific Packaging. Carrier-specific packaging has been added for FedEx. These packages will be available for selection during shipping if a FedEx carrier is configured.

    Qualification Experience. The three Qualification experiences (Ship to Address, Click & Collect, and Collection Points) have been restructured and are now available as outcomes in a single Qualification experience.

    Security. We’ve closed scenarios that could allow for third-party code execution.

    Magento Cart Price Rules. Cart price rules can now be applied to Magento Shipping.

    Dispatch. We’ve added additional workflow capabilities during the dispatch process to cater for future carriers.

Vertex

    Added support for B2C VAT.

    Added support for configurable logging.