
SUPEE security patches for Magento 1

Critical security patches for Magento 1 are missing

We recommend that you have an experienced Magento developer install security updates.

Details:

Magento closes security vulnerabilities in Magento 1 by issuing security patches (so-called SUPEE patches) for all affected versions. It is therefore not necessary to update to a new version of the store system, which would also bring functional changes. Security patches for Magento 1 can be installed independently of the respective sub-version, although as a rule all previous patches should be installed before a newer patch can be used. Your ShopSecurity report shows the missing patches; installing old patches "on spec" is not necessary.

Solution: Install missing security patches

  • Install all missing security patches. If your store has been exposed to critical security vulnerabilities for a long time, also check whether those vulnerabilities have been exploited.
  • Some security patches have been released multiple times and sometimes carry an additional version designation such as "v2". Check whether newer patch versions are available, e.g. in this patch directory on GitHub: https://github.com/brentwpeterson/magento-patches. Since the end of official support for Magento 1 on 30/06/2020, there are no more official downloads of Magento from Adobe.
  • Check security patches in a staging or development environment before applying them to the production system.
  • Most security patches have special prerequisites, e.g. they have to be installed after other patches or require activating or deactivating certain store settings beforehand. In each case, please check the individual instructions that apply to a patch before you start installing it.
  • Install security patches only one at a time. Make a separate backup before starting and after each patch, and run the necessary functional tests after each patch.

Magento 1 security patches are often installed as follows:

  1. Download the appropriate patch from Magento. For Magento Commerce (OpenSource) you can find all patches on this page: https://www.magentocommerce.com/products/downloads/magento/. There, click on "Release Archive" and then search for the term "Magento Open Source Patches" or the exact name of the patch you are looking for.
  2. Make a backup of your store files and database.
  3. Put your store into maintenance mode. This will ensure that visitors to the store do not see any error messages during the installation.
  4. If you are using Magento's compiler, disable it before installing a patch.
  5. Transfer the patch to the root directory of your store on your cluster and install it from an SSH session. To do this, change to the store root directory and invoke the appropriate command depending on the patch file extension.
    1. If the patch file has the extension .sh, use the following command to install it:
      /bin/bash Patch_Filename.sh
      Example:
      /bin/bash SUPEE_5344.sh
    2. If the patch file has the extension .patch, use the following command to install it:
      patch -p0 < patch_filename.patch
      Example:
      patch -p0 < SUPEE_11219.patch
  6. Check the output of the installation for error messages or anything unusual.
  7. Clear the store cache and restart PHP in the managed center of your cluster.
  8. If you use the compiler, you need to recompile your store for the security patch to become active. However, we recommend that you do not use the Magento compiler.
  9. Disable the maintenance mode of the store and check all important functions.

This is the general procedure with the minimum necessary steps. In individual cases, a security patch may have further special requirements or the procedure may differ. Check the instructions for each individual security patch before installation.
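
Steps 5 and 6 as an added example (not maxcluster's or Magento's own tooling): the hypothetical helper apply_supee picks the command by file extension, rehearses .patch files with a dry run, and treats any *.rej file as a failed installation. The -N and --dry-run options assume GNU patch.

```shell
#!/usr/bin/env bash
# Added example: apply_supee is a hypothetical helper, not Magento or maxcluster tooling.
# Usage: apply_supee <store-root> <patch-file-located-in-store-root>
# Exit status: 0 clean apply, 1 failed or partial apply, 2 usage problem.

# The body is a subshell, so cd and exit never affect the calling SSH session.
apply_supee() (
    root="$1"; file="$2"
    cd "$root" 2>/dev/null || { echo "store root not found: $root" >&2; exit 2; }
    [ -f "$file" ] || { echo "patch not found in store root: $file" >&2; exit 2; }

    # Reject files left by an earlier attempt would hide new failures.
    if [ -n "$(find . -name '*.rej')" ]; then
        echo "existing *.rej files found; resolve them before patching" >&2
        exit 1
    fi

    case "$file" in
        *.sh)
            /bin/bash "$file" || { echo "$file reported an error" >&2; exit 1; }
            ;;
        *.patch)
            # Rehearse first: a patch that does not fit must leave the tree untouched.
            # -N (GNU patch) skips already-applied patches instead of prompting.
            patch -p0 -N --dry-run < "$file" >/dev/null \
                || { echo "$file does not apply cleanly; nothing changed" >&2; exit 1; }
            patch -p0 < "$file" || exit 1
            ;;
        *)
            echo "unsupported patch extension: $file" >&2; exit 2
            ;;
    esac

    # Step 6: look for rejected hunks even when the exit status was zero.
    rejects=$(find . -name '*.rej')
    if [ -n "$rejects" ]; then
        printf 'rejected hunks:\n%s\n' "$rejects" >&2
        exit 1
    fi
    echo "$file applied without rejects"
)
```

Run it once per patch, with a backup before and functional tests after each run, as described above.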

Further recommended actions
  • Magento 1 will only receive official security patches until June 2020. While there are various third-party efforts to continue providing Magento 1 with security patches or even other bug fixes, there is no practical experience with them yet. We therefore recommend using an officially supported store system such as Magento 2 or Shopware (6) when developing a new store or relaunching an existing one.

Do you need assistance?

maxcluster GmbH
24 / 7 Customer support
Telephone:
+49 5251 414130
E-Mail:
support@maxcluster.de