Magento 1 EOL Patches

A list of the patches made available to Magento 1 EOL support customers

Patches to fix discovered vulnerabilites in Magento 1 are made available to customers who have a Magento 1 EOL Support plan. A list of these patches is maintained here, including patch date, description, and a link to download the patch. For more information on Magento 1 EOL Support, please read the FAQs.

Date
ID Description Open Source Commerce
Aug 07 2020 12 Improves PCI-DSS compliance by forcing login form to disable autocompletion. Download Download
Aug 07 2020 13
(HIGH)
Re-release of Adobe’s SUPEE-11346 (originally released on 06/22/2020) for Magento 1.9.4.5.
Download
Aug 07 2020 14 Prevents parallel logins for the same user account (session attack for backend and frontend). Download Download
Aug 19 2020 15 Adds new configuration option to enable “secure” marker for all cookies. Download Download
Aug 28 2020 16 Adds compatibility for PHP 7.3. Download Download
Aug 28 2020 17 Improves clearing of session data with parallel logins. Download Download
Oct 01 2020 18
(CRITICAL)
This patch is based on a backport for CVE-2020-9690 of Magento 2.
Download Download
Oct 01 2020 19
(CRITICAL)
Prevents admin users from using soap access w/product attributes and a product to upload and execute executable files to the server.
Download Download
Oct 01 2020 20 Prevents admin users with access to System > Permissions > Variables from adding config paths for encrypted config fields. Download Download
Oct 29 2020 21 Improves compatibility of 3rd party integrations by flagging cookies as SameSite=None. Download Download
Oct 29 2020 22
(HIGH)
Prevents access to the /downloader directory.
Download Download
Oct 29 2020 23 Replaces the news feed URL in Magento so you receive patch notifications in your admin panel. Download Download
Oct 29 2020 24 Avoids incorrect form keys creating an error log entry. This is an improvement for patch ID 18. Download Download
Oct 29 2020 25
(CRITICAL)
Fixes an issue whereby an administrator with permission to update product data was able to store an executable file on the server and load it via layout xml.
Download Download
Dec 09 2020 26 Improves cookie handling. Download Download
Dec 09 2020 27
(HIGH)
Prevents admin users with permission to import/export data and to create widget instances from loading an executable file via layout xml.
Download Download
Dec 09 2020 28
(HIGH)
Prevents admin users with permission to create products from injecting an executable file on the server via wishlist functionality.
Download Download
Dec 09 2020 29
(HIGH)
Prevents admin users with permission to import/export data and to edit cms pages from injecting an executable file on the server via layout xml.
Download Download
Dec 09 2020 30 Improves patch 20. Download Download
Dec 09 2020 31 Improves patch 21. Download Download
Dec 09 2020 32 Fixes an issue with patch 23. Download Download
Jan 21 2021 33 Fixes an issue with patch 31: Cookie secure flag wasn’t boolean in JavaScript. Download Download
Jan 21 2021 34 Adds samesite setting to PHP based session cookies. Download Download
Apr 05 2021 35 Fixes a core bug when using prepare data for redirecting. Note: This patch is also required for patch 39 to operate properly. Download Download
Apr 05 2021 36
(HIGH)
Fixes a bug in Zend Framework’s Stream HTTP Wrapper - CVE-2021-3007
Download Download
Apr 05 2021 37 Support for PHP 7.4 and PHP 8. In order to switch to PHP 7.4 or PHP 8 you also have to make sure any custom code and third party extension is compatible with these PHP versions!
Known Issue: Applying this patch might fail because there are versions of Magento in circulation that use \r\n line breaks instead of \n line breaks for certain files.
Option 1: If you encounter errors when applying the patch, you can use the command line utility dos2unix to correct the line breaks. You can use the following command: find . -type f -print0 | xargs -0 dos2unix
Option 2: If you cannot install or use dos2unix, you can also use sed on the command line to correct the line breaks: find . -type f -name \*.php -print -exec sed -i '' 's/\r//' {} \;
Download Download
Apr 05 2021 38 Changes the content-type in json responses from text/html tot application/json to prevent XSS attacks Download Download
Apr 05 2021 39 The wishlist sharing function has been subject to intensive SPAM abuse. We added a switch to the Magento configuration to disable the sharing functionality. Please note that patch #35 is required for this patch to work properly. Please make sure to configure the setting according to your needs: The behavior of the Wishlist Sharing functionality can be controlled via a new config option in System > Config > Wishlist > Share Options > Enable Sharing Download Download
Apr 05 2021 40 We fixed a vulnerability in the MySQL adapter to prevent SQL injection attacks. CVE-2021-21024 Download Download
May 28 2021 41 Updates Zend_Http_Response to support HTTP/2 Download Download
May 28 2021 42
(HIGH)
This patch adds improved security to unserialize() calls to avoid unexpected object creation. Attention: This patch changes almost every unserialize() call throughout the core code to prevent unwanted object creation. It touches many code aspects we’re unable to cover with tests. It might also affect functionality you intentionally wanted to create objects via unserialize(). It’s therefore crucial to test all your integrations and customizations before you apply it in your live environments!
Download Download
May 28 2021 43
(HIGH)
We fixed a vulnerability that allowed users with admin access to inject code (RCE) using session manipulation.
Download Download
May 28 2021 44
(HIGH)
Due to missing sanitation in data flow it was possible for admin users to upload arbitrary executable files to the server.
Download Download
May 28 2021 45
(HIGH)
Layout XML enabled admin users to execute arbitrary commands via block methods.
Download Download
May 28 2021 46
(HIGH)
We fixed a vulnerability in Magento’s package manager which lead to a RCE via race conditions.
Download Download
May 28 2021 47 Zend_Validator wasn’t able to validate emails with uptodate TLDs. The list of TLDs has been updated. Download Download
May 28 2021 48 Adds array_key_first() and array_key_last() with a polyfill. Download Download
May 28 2021 49 This fixes a bug introduced with patch #47. Magento uses a copy of Zend’s original file with modified paths. While updating the file’s content, these modified paths have been replaced with their originals. So Magento wasn’t able to find the correct files anymore. Download Download
Aug 9 2021 50 Improves PHP5.6 compatibility for unserialization. Please Note: We do not recommend to use anything older than PHP7.3. There’s no support available for older PHP Versions! Download Download
Aug 9 2021 51 Updates phpseclib to version 2.0.32 to fix CVE-2021-30130. Download Download
Aug 9 2021 52 Fixes a persisted XSS vulnerability. Download Download
Aug 9 2021 53
(CRITICAL)
Restores missing .htaccess files from core automatically. In some Magento installations merchants or developers or agencies accidentally removed .htaccess files from regular core directories and thus exposed security vulnerabilities. To regain protection for these directories we automatically check for deleted .htaccess files and reinstate them in the following locations:
/app/.htaccess /dev/.htaccess /downloader/lib/.htaccess /downloader/Maged/.htaccess /downloader/template/.htaccess /includes/.htaccess /lib/.htaccess /media/downloadable/.htaccess /media/customer/.htaccess /shell/.htaccess /skin/frontend/rwd/default/scss/.htaccess /var/.htaccess
Download Download
Aug 9 2021 54 Improving PHP8 compatibility. Download Download
Aug 9 2021 55 Prevent DoS attack via passwords larger than 4k. Download Download
Aug 9 2021 56
(HIGH)
An administrator with permission to import/export data and to edit cms pages was able to inject an executable file on the server via layout xml.
Download Download
Aug 9 2021 57
(HIGH)
Arbitrary command execution in Custom Layout Update via block method.
Download Download
Aug 9 2021 58
(HIGH)
Arbitrary file delete in customer media allows remote code execution.
Download Download
Aug 9 2021 59 This patch adds brute force attack prevention to customer login via Frontend and API as well as admin panel login. If enabled this feature prevents brute force login attacks by disabling the login feature once the failed login attempts limit is reached. With every failed login attempt the login retry time increases. This time is respecting the max_execution_time setting. The failed login attempts counter will be reset if a successful login is detected before it reaches the login attempt limit.
Customer Login: To enable this feature, go to System > Configuration > Customer Options > Password Options. The Switch is called ‘Enable brute force protection’. The number of failed logins defaults to 10 and can be configured in the field Maximum number of failed attempts. If an account has too many failed logins, an error message will appear. The customer can then send an unlock link via email to the account’s address. The email template is called ‘Customer Account Unlock Notification’.
Admin Login: To enable this feature, go to System > Configuration > Admin > Security. The switch is called ‘Enable brute force protection’. The number of failed logins defaults to 10 and can be configured in the field ‘Maximum number of failed attempts’. If an account has too many failed logins, an error message will appear. The administrator can then send an unlock link via email to the account’s address. The email template is called ‘Admin Account Unlock Notification’.
API: To enable this feature, go to System > Configuration > Magento Core API > General Settings. The switch is called ‘Enable brute force protection’.
Download Download
Sep 8 2021 60 Some of our customers are using netz98’s magerun tool to maintain their stores. With this patch we add additional compatibility for our last patch #59 features with magerun by adding a reload() Method to the Mage_Customer_Model_Customer. Download Download
Sep 8 2021 61
(HIGH)
An administrator with privileges to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. The fix applies to the Zend_Db::factory().
Download Download
Nov 4 2021 62 Improves deserialization performance for PHP 5.6. Please Note: We do not recommend to use anything older than PHP7.3. There’s no support available for older PHP Versions! Download Download
Nov 4 2021 63 Fixes an issue with brute force protection (patch #59) and requesting reset password link. Download Download
Nov 4 2021 64
(CRITICAL)
An administrator with the right to create or edit CMS pages was able to upload and execute arbitrary code using the wysiwyg editor.
Download Download
Jan 20 2022 65
(CRITICAL)
Improves security checks for patch #64 and adds compatibility with symlinked media directories.
Download Download
Jan 20 2022 66 Improves compatibility for third party code and patch #61. Download Download
Jan 20 2022 67
(CRITICAL)
Improves compatibility for import file uploads to ./var directory and patch #64.
Download Download
May 12 2022 68
(CRITICAL)
Fixes to prevent RCE attacks via Varien_Convert_Adapter_Zend_Cache and Mage_Dataflow_Model_Convert_Adapter_Zend_Cache. These classes were not used in Magento core code, thus we decided to remove them completely. We did not see any valid use case to change cache entries via import/export. Attention: If you use any of theses classes in your customization, please be aware that you have to change your custom code in order to stay compatible.
Download Download
May 12 2022 69
(HIGH)
This patch prevents sending passwords in emails in plain text. Passwords in emails will all be replaced with asterisks. One exception: If an administrator sets a new customer password via the admin panel, in this case you’ll now see a note on the input field that this password is sent in plain text. You now have a button to force sending a ‘Forgot Password’ email via the admin panel.
Download Download
May 12 2022 70 This patch fixes a JavaScript issue with Import/Export. Download Download
May 12 2022 71 Fixes a session handling issue for downloadable products, introduced in SUPEE-11314. Download Download
May 19 2022 72 This patch fixes a bug of patch #69 which stopped account confirmation emails to work. With patch #69 we introduced code to redact the customer password from the customer object. This patch fixes a bug that caused the customer account confirmation email to stop working. Download Download
Jul 25 2022 73 This patch fixes an issue with the JS and CSS merge and sets the Content-Type on an educated guess basis. Download Download
Jul 25 2022 74 This patch disables the phar:// protocol to open and/or execute content of phar files (e. g. in the context of including templates). Many of the found vulnerabilities use phar:// files to exploit the system. Forbidding the opening of phar files and preventing the unserialization on them hardens Magento. Download Download
Jul 25 2022 75 This patch improves handling of admin passwords and makes sure to implement PCI security measures. You can now configure admin password strength settings in System > Configuration > Admin > Security > Admin Password Strength. You can set it to any of these values:
Default
Password must contain at least 7 characters. Password must contain at least one number and one letter.
PCI
All of the rules above. Change password every 90 days. No repetition of the last 4 passwords. If password is set by another admin, it is forced to be changed. All admin passwords are forced to be changed on activation.
PCI Advanced
All of the rules above. Password must contain special characters.
Download Download
Jul 25 2022 76
(CRITICAL)
This patch fixes an issue where an admin could use the password forgot feature to escalate their privileges. This patch contains the SQL Formatter which is licensed under the MIT License.
Download Download
Jul 25 2022 77 This patch reduces deprecated messages with PHP 8.0/8.1. Download Download
Aug 10 2022 78 Patch (#75) introduced a new feature to harden administrator passwords with forced PCI compliance. Unfortunately this patch interfered with our previously introduced brute force protection (Patch #59). Patch #78 fixes compatibility of admin password PCI compliance (#75) with brute force protection (#59). Download Download
Oct 27 2022 79 This patch fixes a XSS vulnerability in Mage_Dataflow_Model_Convert_Adapter_Http::save() which allows the display of content via $this->getData() on the page using echo(). Download Download
Oct 27 2022 80 This patch replaces rand() with mt_rand() since PHP 7.1 mt_rand() has superseded rand() completely, and rand() was made an alias for mt_rand(). Download Download
Oct 27 2022 81 This patch improves Patch #78: If a user lacks permission to change his password, he is informed about it. This patch fixes the current redirect loop. Download Download
Oct 27 2022 82 This patch improves Patch #76: Read-Query detection is extended by DESCRIBE, TABLES, VALUES, and PREPARE. Download Download
Oct 27 2022 83 This patch adds a message ID to outgoing emails, because especially Google hardened their spam filter for emails without message ID. Download Download
Oct 27 2022 84 This patch provides support for MySQL 8. Download Download
Mar 16 2023 85 This patch improves PHP8 compatibility for Zend_Registry. Download Download
Mar 16 2023 86 This patch improves PHP8 compatibility for report.php. Download Download
Jun 2 2023 87 This patch improves password security by checking if password equals email address for customers and if password equals username or email address for admin users. Download Download
Jun 2 2023 88 This patch improves PHP8 compatibility for the catalog product action attribute form. Download Download
Jun 2 2023 89 This patch improves PHP8 compatibility for Mage_Api_Model_Wsdl_Config_Element. Download Download
Jun 2 2023 90 This patch fixed an login loop issue caused by missing setOrigData(). This patch also hardens bruteforce password protection. Download Download
Jun 2 2023 91 This patch fixes an issue with rejected mails due to incompatible line endings. After upgrading to PHP8, we noticed that all emails were rejected by some mail systems. As of PHP8, the mail() function separates all parts of an email using CRLF instead of LF. However, the Zend_Mail_Transport_Sendmail wrapper class still uses LF as line separator. This resulted in mails being sent with mixed line endings. Download Download
Jun 2 2023 92 This patch prevents javascript execution in email template previews in admin panel. Download Download
Oct 30 2023 93 This patch improves compatibility with PHP 8 and MySQL. Enables ATTR_STRINGIFY_FETCHES in MYSQL-PDO to avoid integer string problems in json encode. Download Download
Oct 30 2023 94 This patch improves MySQL compatibility by adding data type support for unsigned integers. Download Download
Dec 20 2023 95
(HIGH)
This patch improves protection against bruteforce attacks to view guest orders. New protect codes are much longer now. This patch adds a new configuration option to System > Configuration > Sales > General > Block short guest order protect codes to blocks access for guest orders with short protect codes. Ref: CVE-2023-41879
Download Download
Dec 20 2023 96 This patch fixes a typo for patch #94 where we misspelled unsigned with unsinged. Download Download
Feb 15 2024 97 tinyMCE uses iFrame to show its content, which lead to an XSS vulnerability. By sandboxing the iFrame no XSS is possible anymore.
Known Issue: Applying this patch might fail because there are versions of Magento in circulation that use \r\n line breaks instead of \n line breaks for certain files.
Option 1 If you encounter errors when applying the patch, you can use the command line utility dos2unix to correct the line breaks. You can use the following command: find . -type f -print0 | xargs -0 dos2unix
Option 2 If you cannot install or use dos2unix, you can also use sed on the command line to correct the line breaks: find . -type f -name \*.php -print -exec sed -i '' 's/\r//' {} \;
Download Download
Feb 15 2024 98 Forgot Password feature now uses formkey protection to prevent CSRF attacks. Download Download
Feb 15 2024 99 This patch improves compatibility for PHP8. In the reports section, total for each column will be calculated with additions. It also covers the name column, which does not contain numbers. The patch will make sure that all value are converted to numbers first. Warning! If e.g. product names start with a number, this will lead to wrong column totals! Download Download
Feb 15 2024 100 This patch improves include file handling in environments with multiple symlinked directories. Download Download
Jul 30 2024 101 This patch updates phpseclib to version 2.0.47, fixes DoS (denial of service) vulnerability. Download Download
Jul 30 2024 102
(HIGH)
This patch fixes XSS vulnerability in admin panel when uploading files.
Download Download
Jul 30 2024 103 This patch improves PHP 8 compatibility for modules when methods such as call_user_func_array are used. Download Download
Jul 30 2024 104 This patch improves USPS compatibility. Download Download
Aug 29 2024 105 This patch adds in-app rate limiting for specific URLs.
⚠️ We do highly recommend to use fail2ban for larger shops as it is much faster and provides more configuration. This feature here is meant to protect smaller shops with less sophisticated hosting setups.
We do protect the following URLs by default with a limit of 10 requests per 10 seconds:
/customer/account/login
/sales/guest/form
Rate limits will be tracked in the table mageone_ratelimit_log. A cron job at 1.30 am will remove outdated entries. Further URLs can be added by custom modules. Use your config.xml file to add new entries to the global section like so:
<mageone_ratelimit>
<custom_identifier>
<route>/path/of/url</route>
<enabled>true</enabled>
<max_queries_in_time_window>10</max_queries_in_time_window>
<time_window_in_seconds>10</time_window_in_seconds>
</custom_identifier>
</mageone_ratelimit>
Download Download
Aug 29 2024 106
(HIGH)
This patch fixes a file content extraction vulnerability in dataflow.
Download Download
Aug 29 2024 107
(HIGH)
This patch fixes a stored XSS vulnerability in dataflow.
Download Download
Aug 29 2024 108 This patch updates UPS integration to work with OAuth2.0.
⚠️ Please note that we were unable to get access to the official UPS Test API. This patch therefore is given without warranty.
**Please make sure to test it thoroughly in your own setup!**
Download Download
Aug 29 2024 109 This patch fixes a missing translation helper for Patch #105. Download Download
Aug 29 2024 110 This patch fixes dataflow realpath problems concerning Patch #107. Download Download
Aug 29 2024 111 This patch improves PHP5.6 compatibility for UPS carrier update from Patch #108. Download Download

Severity Categories

(CRITICAL)
Critical severity issues allow an attacker to read or write arbitrary resources (including but not limited to the file system, registry, network, etc.) on the underlying platform, with the user’s full privileges.

(HIGH)
High severity vulnerabilities allow an attacker to execute code in the context of, or otherwise impersonate other origins or read cross-origin data. Bugs which would normally be critical severity with unusual mitigating factors may be rated as high severity.

Patch instructions

We recommend testing patches in a staging environment first. After testing, the patches can then be installed live using versioning software such as Git. This way the patch can be applied locally (or in the staging environment), then committed and pushed normally. The steps, provided by our partner, are as follows:

  1. Upload the local file into the <Magento_root> on the server using SFTP, SSH or your normal transport method.
  2. Verify the file is in the correct directory.
  3. In the command line interface, run the following command according to the patch extension:
    • M1 Open Source: $ patch -p1 --ignore-whitespace < /path/to/file
    • M1 Commerce: $ patch -p0 --ignore-whitespace < /path/to/file
  4. For visible changes in the user interface to be reflected, refresh the cache in the Admin under System > Cache Management.

Patches can also be undone, or reversed, with the -R option (or use your version control to remove the changes):

  • M1 Open Source: $ patch -R -p1 < /path/to/file
  • M1 Commerce: $ patch -R -p0 < /path/to/file

Further Reading

Have questions not answered here? Please Contact Support to get more help.


Last modified January 21, 2021