Magento Community Edition 2.1.2

We are pleased to present Magento Community Edition 2.1.2. This release includes security enhancements and several functional fixes.

Backward-incompatible changes are documented in Magento 2.1 backward incompatible changes.

Highlights

Magento 2.1.2 contains multiple bug fixes and enhancements, including:

  • Support for PHP 7.0.4 and 5.6.5. (This release supports PHP 5.6.5 and above instead of 5.6.x.)
  • Compatible with MySQL 5.7.
  • Two new web APIs (or service contracts) for the Sales module that bring functionality currently available in the Admin interface into the Sales API. After you install this patch, you’ll be able to use the Sales API ShipOrder and InvoiceOrder methods to capture payment and ship product. See the Module Reference Guide for information on using the ShipOrder and InvoiceOrder interfaces.

Why are we adding new APIs in a patch release?

These new interfaces will not break any existing customizations or extensions. See Alan Kent’s blog about Magento for more information about these features and Magento’s use of semantic versioning.

Security enhancements

This release includes enhancements to improve the security of your Magento software. While there are no confirmed attacks related to these issues to date, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. We recommend that you upgrade your existing Magento software to the latest version as soon as possible.

The following list provides an overview of the security issues fixed in this release. We describe each issue in greater detail in the Magento Security Center.

General security

  • Fixed issue with using the Magento Enterprise Edition invitations feature to insert malicious JavaScript and subsequently execute it in the Admin context.
  • You can no longer change or fake a product price from the Magento storefront and then complete an order with that faked price.
  • Fixed issue with arbitrary PHP code execution during checkout.
  • Fixed issue with retrieving potentially sensitive information through the use of backend media.
  • Fixed issue with running cron jobs less frequently than specified by the application cron setting.
  • Sessions now expire as expected after logout.
  • Removed potential for exploitation of guest order view feature to harvest order information.
  • Kount and 3D Secure now work as expected for Braintree Vault.
  • You can no longer delete a currently logged-in user.
  • A user with lesser privileges can no longer force an Admin user to add his private or public key using a JSON call.

Denial-of-service (DoS) attacks and brute force attacks

  • The Guest order view protection code is no longer vulnerable to brute force attacks.
  • You can no longer manipulate the full page cache to store incorrect pages under regular page URL entries.

Cross-Site Request Forgery (CSRF)

  • Fixed issue with potential storage of malicious XSS code in the body of an email template. (A malicious user could use this script to steal user information and cookies, or to bypass cross-site request forgery protection.)
  • Fixed issue with cross-site scripting reflected in loading section of request.

SQL injection

  • Fixed issue with potential SQL injection through the Zend framework through ordering or grouping parameters.

Functional fixes and enhancements

We address the following functional issues in this release.

Sales API enhancements

  • We’ve added the ability to change the status of a shipment through the web API. The new ShipOrder interface supports tasks you can already do through the Admin dashboard, including the ability to:
    • create a shipment document (full or partial)
    • add details about shipped items into an order
    • change status and state of an order according to performed actions
    • notify customer about new shipment document
  • We’ve added the ability to change the status of an invoice through the web API. The new InvoiceOrder interface supports tasks you can already do through the Admin dashboard, including the ability to:
    • create an invoice document (full or partial)
    • capture money placed with order payment
    • notify a customer about document creation
    • change order status and state

For more information on these API enhancements, see Magento Sales API.

  • We’ve fixed an issue with using the REST API to link simple products to configurable ones. (GITHUB-5243)
  • You can now use the REST API to create a configurable product with a linked child product. (GITHUB-5243)

Cart and checkout

  • Magento now updates order status as expected after a shipment or invoice has been created through the API.
  • Magento now updates the mini cart as expected when you reorder an item. Previously, Magento added the reordered items to the shopping cart, but the mini cart did not update its item count. (GITHUB-6121)

Tracking and shipping

  • Magento no longer throws an exception if you enter an invalid FedEx shipment tracking number.
  • Changing the city field of an order now affects the shipping rate as expected. Previously, the shipping rate did not update when you changed the city field.

Upgrade

  • You can now save simple products created in 2.0.x environments after upgrading to environments running Magento 2.1.x. Previously, you could not successfully save the opened product after upgrading.

General fixes

  • Magento 2.1.2 now supports PHP 7.0.4.
  • The Product page scope selector now displays all related websites associated with a restricted user.
  • We’ve resolved an issue with getting active payment methods (getActiveMethods). (GITHUB-5413)
  • Magento now correctly renders HTML tags on the Sales Order page price field.
  • Visual swatches are now displayed in search results.
  • Magento now factors in the Weight attribute as expected when you use advanced search on grouped products.

Known issues

  • Issue: Error creating configurable products in 2.1.1 (GITHUB-6424). Workaround: Clear your browser cache after upgrading.
  • Issue: When you edit a configurable product and add options to a simple product, Magento does not save these options. Workaround: None.
  • Issue: Logo for transactional emails cannot be uploaded successfully (GITHUB-6275). Workaround: None.
  • Issue: The catalogProductRepository API (REST) returns an unexpected attribute type. Certain attribute_code values (for example, category_ids) return an array instead of the expected string. Workaround: As needed, adjust your code so that it handles the response as an array.
  • Issue: Magento does not correctly display Product > Catalog table after upgrade from 2.0.1 to 2.1.0 on systems running Varnish. Workaround: Restart Varnish after upgrading. For more information, see Component Manager and System Upgrade Guide: Step 4.

System requirements

Our technology stack is built on PHP and MySQL. For more information, see System Requirements.

Magento 2.1.2 requirements have changed slightly from 2.1.1. This release supports PHP 5.6.5 and above instead of 5.6.x.

Install the Magento software

You can get Magento Community Edition 2.1 from GitHub, through Composer, or as a compressed archive.

See one of the following sections for more information:

Get the Magento CE software using Composer

The CE software is available from repo.magento.com. Before getting the CE software, familiarize yourself with the Composer metapackage prerequisites, then run

composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition=<version> <installation directory name>

where <version> is 2.1.0, 2.1.1, and so on.

For example, to install Magento CE 2.1.1 in the magento2 directory:

composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition=2.1.1 magento2

Get a compressed archive

The following table discusses where to get the Magento software. We provide the following downloads:

  • Magento CE software only
  • Magento CE software with sample data (designed to help you learn Magento faster)

These packages are easy to get and install. You don’t need to use Composer; all you need to do is upload a package to your Magento server or hosted platform, unpack it, and run the web-based Setup Wizard.

Archives are available in the following formats: .zip, .tar.bz2, .tar.gz

To get the Magento CE software archive:

  1. Go to http://magento.com/download.
  2. Choose either the software or the software and sample data:
    • Magento-CE-<version>.* (without sample data)
    • Magento-CE-<version>+Samples.* (with sample data)

    <version> is the three-digit release number (for example, 2.0.7, 2.1.0, and so on).

Get the Magento CE software from GitHub

If you clone the Magento 2 GitHub repository, you cannot use the Magento software in a production environment. You cannot have a live store that accepts orders and so on.

Before proceeding, please familiarize yourself with these prerequisites, then run

git clone git@github.com:magento/magento2.git
cd magento2
git checkout tags/<version> [-b <version>]

where

<version> is 2.1.0, 2.1.1, and so on

[-b <version>] optionally checks out a new branch.

Complete the installation

After you get the CE software:

  1. Set file system ownership and permissions.
  2. Install the software:

Upgrade from an earlier version

See the following sections for more information.

Upgrade an existing installation from the GitHub repository

Developers who contribute to the CE codebase can upgrade manually from the Magento CE GitHub repository.

  1. Go to the Contributing Developers page.
  2. Follow the instructions to pull the updates from the repository and update using Composer.

Other upgrades

Other types of upgrades are discussed in Upgrade to Magento version 2.1 (June 22, 2016).

Migration toolkits

The Data Migration Tool helps transfer existing Magento 1.x store data to Magento 2.x. This command-line interface includes verification, progress tracking, logging, and testing functions. For installation instructions, see Install the Data Migration Tool. Consider exploring or contributing to the Magento Data Migration repository.

The Code Migration Toolkit helps transfer existing Magento 1.x store extensions and customizations to Magento 2.0.x. The command-line interface includes scripts for converting Magento 1.x modules and layouts.