Magento 1 EOL Patches

A list of the patches made available to Magento 1 EOL support customers

Patches to fix discovered vulnerabilities in Magento 1 are made available to customers who have a Magento 1 EOL Support plan. A list of these patches is maintained here, including patch date, description, and a link to download the patch. For more information on Magento 1 EOL Support, please read the FAQs.

Each entry gives the date, the patch ID, the severity rating where one was assigned (see Severity Categories below), and the description. Every patch has a download for both Magento Open Source and Magento Commerce unless noted otherwise.

  • Aug 07 2020, ID 12: Improves PCI-DSS compliance by forcing the login form to disable autocompletion.
  • Aug 07 2020, ID 13 (HIGH): Re-release of Adobe’s SUPEE-11346 (originally released on 06/22/2020) for Magento 1.9.4.5. A download is listed for Open Source only (1.9.4.5 is an Open Source release).
  • Aug 07 2020, ID 14: Prevents parallel logins for the same user account (session attacks on backend and frontend).
  • Aug 19 2020, ID 15: Adds a new configuration option to enable the “secure” marker for all cookies.
  • Aug 28 2020, ID 16: Adds compatibility for PHP 7.3.
  • Aug 28 2020, ID 17: Improves clearing of session data with parallel logins.
  • Oct 01 2020, ID 18 (CRITICAL): Backport of the Magento 2 fix for CVE-2020-9690.
  • Oct 01 2020, ID 19 (CRITICAL): Prevents admin users from using SOAP access with product attributes and a product to upload and execute executable files on the server.
  • Oct 01 2020, ID 20: Prevents admin users with access to System > Permissions > Variables from adding config paths for encrypted config fields.
  • Oct 29 2020, ID 21: Improves compatibility of third-party integrations by flagging cookies as SameSite=None.
  • Oct 29 2020, ID 22 (HIGH): Prevents access to the /downloader directory.
  • Oct 29 2020, ID 23: Replaces the news feed URL in Magento so that you receive patch notifications in your admin panel.
  • Oct 29 2020, ID 24: Avoids incorrect form keys creating an error log entry. This is an improvement to patch ID 18.
  • Oct 29 2020, ID 25 (CRITICAL): Fixes an issue whereby an administrator with permission to update product data was able to store an executable file on the server and load it via layout XML.
  • Dec 09 2020, ID 26: Improves cookie handling.
  • Dec 09 2020, ID 27 (HIGH): Prevents admin users with permission to import/export data and to create widget instances from loading an executable file via layout XML.
  • Dec 09 2020, ID 28 (HIGH): Prevents admin users with permission to create products from injecting an executable file on the server via the wishlist functionality.
  • Dec 09 2020, ID 29 (HIGH): Prevents admin users with permission to import/export data and to edit CMS pages from injecting an executable file on the server via layout XML.
  • Dec 09 2020, ID 30: Improves patch 20.
  • Dec 09 2020, ID 31: Improves patch 21.
  • Dec 09 2020, ID 32: Fixes an issue with patch 23.
  • Jan 21 2021, ID 33: Fixes an issue with patch 31: the cookie secure flag wasn’t boolean in JavaScript.
  • Jan 21 2021, ID 34: Adds the SameSite setting to PHP-based session cookies.
  • Apr 05 2021, ID 35: Fixes a core bug when using prepare data for redirecting. Note: this patch is also required for patch 39 to operate properly.
  • Apr 05 2021, ID 36 (HIGH): Fixes a bug in Zend Framework’s Stream HTTP Wrapper (CVE-2021-3007).
  • Apr 05 2021, ID 37: Support for PHP 7.4 and PHP 8. To switch to PHP 7.4 or PHP 8 you also have to make sure that any custom code and third-party extensions are compatible with these PHP versions! Known issue: applying this patch might fail because some Magento versions in circulation use \r\n line breaks instead of \n line breaks for certain files.
    • Option 1: If you encounter errors when applying the patch, you can use the command line utility dos2unix to correct the line breaks: find . -type f -print0 | xargs -0 dos2unix
    • Option 2: If you cannot install or use dos2unix, you can also use sed on the command line to correct the line breaks: find . -type f -name \*.php -print -exec sed -i '' 's/\r//' {} \; Note that -i '' is the BSD/macOS form of the in-place option (GNU sed takes a bare -i), and BSD sed does not interpret \r in the pattern, so verify the result on your platform.
  • Apr 05 2021, ID 38: Changes the content type of JSON responses from text/html to application/json to prevent XSS attacks.
  • Apr 05 2021, ID 39: The wishlist sharing function has been subject to intensive spam abuse. We added a switch to the Magento configuration to disable the sharing functionality. Please note that MO-35 (patch 35) is required for this patch to work properly. Please make sure to configure the setting according to your needs: the behavior of the wishlist sharing functionality can be controlled via a new config option under System > Config > Wishlist > Share Options > Enable Sharing.
  • Apr 05 2021, ID 40: Fixes a vulnerability in the MySQL adapter to prevent SQL injection attacks (CVE-2021-21024).
  • May 28 2021, ID 41: Updates Zend_Http_Response to support HTTP/2.
  • May 28 2021, ID 42 (HIGH): Hardens unserialize() calls to avoid unexpected object creation. Attention: this patch changes almost every unserialize() call throughout the core code to prevent unwanted object creation. It touches many code aspects we’re unable to cover with tests, and it might also affect functionality where you intentionally create objects via unserialize(). It is therefore crucial to test all your integrations and customizations before you apply it in your live environments!
  • May 28 2021, ID 43 (HIGH): Fixes a vulnerability that allowed users with admin access to inject code (RCE) using session manipulation.
  • May 28 2021, ID 44 (HIGH): Due to missing sanitization in the data flow, it was possible for admin users to upload arbitrary executable files to the server.
  • May 28 2021, ID 45 (HIGH): Layout XML allowed admin users to execute arbitrary commands via block methods.
  • May 28 2021, ID 46 (HIGH): Fixes a vulnerability in Magento’s package manager that led to RCE via race conditions.
  • May 28 2021, ID 47: Zend_Validator wasn’t able to validate emails with up-to-date TLDs. The list of TLDs has been updated.
  • May 28 2021, ID 48: Adds array_key_first() and array_key_last() via a polyfill.
  • May 28 2021, ID 49: Fixes a bug introduced with MO-47 (patch 47). Magento uses a copy of Zend’s original file with modified paths; while updating the file’s content, these modified paths were replaced with the originals, so Magento could no longer find the correct files.
  • Aug 09 2021, ID 50: Improves PHP 5.6 compatibility for unserialization. Please note: we do not recommend using anything older than PHP 7.3. There is no support available for older PHP versions!
  • Aug 09 2021, ID 51: Updates phpseclib to version 2.0.32 to fix CVE-2021-30130.
  • Aug 09 2021, ID 52: Fixes a persistent XSS vulnerability.
  • Aug 09 2021, ID 53 (CRITICAL): Restores missing .htaccess files from core automatically. In some Magento installations merchants, developers or agencies accidentally removed .htaccess files from regular core directories and thus exposed security vulnerabilities. To regain protection for these directories we automatically check for deleted .htaccess files and reinstate them in the following locations:
    • /app/.htaccess
    • /dev/.htaccess
    • /downloader/lib/.htaccess
    • /downloader/Maged/.htaccess
    • /downloader/template/.htaccess
    • /includes/.htaccess
    • /lib/.htaccess
    • /media/downloadable/.htaccess
    • /media/customer/.htaccess
    • /shell/.htaccess
    • /skin/frontend/rwd/default/scss/.htaccess
    • /var/.htaccess
  • Aug 09 2021, ID 54: Improves PHP 8 compatibility.
  • Aug 09 2021, ID 55: Prevents DoS attacks via passwords larger than 4k.
  • Aug 09 2021, ID 56 (HIGH): An administrator with permission to import/export data and to edit CMS pages was able to inject an executable file on the server via layout XML.
  • Aug 09 2021, ID 57 (HIGH): Arbitrary command execution in Custom Layout Update via block methods.
  • Aug 09 2021, ID 58 (HIGH): Arbitrary file deletion in customer media allows remote code execution.
  • Aug 09 2021, ID 59: Adds brute force attack prevention to customer login via frontend and API as well as to the admin panel login. If enabled, this feature prevents brute force login attacks by disabling login once the failed login attempt limit is reached. With every failed login attempt the login retry time increases; this time respects the max_execution_time setting. The failed login attempt counter is reset if a successful login is detected before it reaches the login attempt limit.
    • Customer login: To enable this feature, go to System > Configuration > Customer Options > Password Options. The switch is called ‘Enable brute force protection’. The number of failed logins defaults to 10 and can be configured in the field ‘Maximum number of failed attempts’. If an account has too many failed logins, an error message will appear. The customer can then send an unlock link via email to the account’s address. The email template is called ‘Customer Account Unlock Notification’.
    • Admin login: To enable this feature, go to System > Configuration > Admin > Security. The switch is called ‘Enable brute force protection’. The number of failed logins defaults to 10 and can be configured in the field ‘Maximum number of failed attempts’. If an account has too many failed logins, an error message will appear. The administrator can then send an unlock link via email to the account’s address. The email template is called ‘Admin Account Unlock Notification’.
    • API: To enable this feature, go to System > Configuration > Magento Core API > General Settings. The switch is called ‘Enable brute force protection’.
  • Sep 08 2021, ID 60: Some of our customers use netz98’s magerun tool to maintain their stores. This patch adds compatibility between the features of patch 59 and magerun by adding a reload() method to Mage_Customer_Model_Customer.
  • Sep 08 2021, ID 61 (HIGH): An administrator with privileges to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. The fix applies to Zend_Db::factory().

Severity Categories

(CRITICAL)
Critical severity issues allow an attacker to read or write arbitrary resources (including but not limited to the file system, registry, network, etc.) on the underlying platform, with the user’s full privileges.

(HIGH)
High severity vulnerabilities allow an attacker to execute code in the context of, or otherwise impersonate other origins or read cross-origin data. Bugs which would normally be critical severity with unusual mitigating factors may be rated as high severity.

Patch instructions

We recommend testing patches in a staging environment first. After testing, the patches can then be installed live using versioning software such as Git. This way the patch can be applied locally (or in the staging environment), then committed and pushed normally. The steps, provided by our partner, are as follows:

  1. Upload the local file into the <Magento_root> on the server using SFTP, SSH or your normal transport method.
  2. Verify the file is in the correct directory.
  3. In the command line interface, run the following command according to the patch extension:
    • M1 Open Source: $ patch -p1 --ignore-whitespace < /path/to/file
    • M1 Commerce: $ patch -p0 --ignore-whitespace < /path/to/file
  4. For visible changes in the user interface to be reflected, refresh the cache in the Admin under System > Cache Management.

Patches can also be undone, or reversed, with the -R option (or use your version control to remove the changes):

  • M1 Open Source: $ patch -R -p1 < /path/to/file
  • M1 Commerce: $ patch -R -p0 < /path/to/file
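The steps above (choose -p1 for Open Source or -p0 for Commerce, apply, reverse with -R) together with the line-ending caveat from patch ID 37, as POSIX shell helpers. This is an added example, not a script from this page or from the support partner; the function names, the dry run before the real apply, and the use of tr instead of sed for the CRLF conversion are this example's own choices, and it assumes patch, find, grep and tr (GNU or BSD) are installed.

```shell
#!/bin/sh
# Added example: helpers around the Magento 1 EOL patch instructions.
# Assumes `patch`, `find`, `grep` and `tr` (GNU or BSD) are installed.

# Strip level per edition, as the instructions state: Open Source
# patches apply with -p1, Commerce patches with -p0.
strip_level() {
  case "$1" in
    opensource|open-source) echo 1 ;;
    commerce)               echo 0 ;;
    *) echo "unknown edition: $1" >&2; return 1 ;;
  esac
}

# List .php files under $1 that still contain CRLF line endings (the
# patch ID 37 caveat). A literal carriage return is passed to grep, which
# works on both GNU and BSD grep; the "\r" escape does not.
crlf_files() {
  cr=$(printf '\r')
  find "$1" -type f -name '*.php' -exec grep -l "$cr" {} + 2>/dev/null || true
}

# Convert one file from CRLF to LF in place. tr behaves the same on GNU
# and BSD systems, unlike the differing sed -i syntaxes.
crlf_to_lf() {
  tmp="$1.lf.$$"
  tr -d '\r' < "$1" > "$tmp" && mv "$tmp" "$1"
}

# Dry-run first and refuse to touch the tree if the dry run fails, then
# apply for real. $1 = edition, $2 = Magento root, $3 = patch file.
apply_m1_patch() {
  level=$(strip_level "$1") || return 1
  if ! patch -d "$2" -p"$level" --ignore-whitespace --dry-run < "$3" >/dev/null; then
    echo "dry run failed; check crlf_files \"$2\" before retrying" >&2
    return 1
  fi
  patch -d "$2" -p"$level" --ignore-whitespace < "$3"
}

# Reverse a previously applied patch, as with the -R instructions above.
revert_m1_patch() {
  level=$(strip_level "$1") || return 1
  patch -d "$2" -R -p"$level" --ignore-whitespace < "$3"
}
```

After a successful apply, refresh the cache under System > Cache Management as step 4 describes; the helpers do not do that for you.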

Further Reading

Have questions not answered here? Please Contact Support to get more help.


Last modified January 21, 2021