What is Magento?
Magento is an ecommerce platform built on open source technology that provides online merchants with a flexible shopping cart system, as well as control over the look, content and functionality of their online store. Magento offers powerful marketing, search engine optimization, and catalog-management tools. Magento is among the best ecommerce platforms available today, with editions ranging from community open source to massive, large-scale enterprise SaaS-based systems.
Magento 2.3.3 is a next-generation platform with unmatched flexibility and innovation opportunities. Magento 2 offers more extensive and efficient APIs, responsive design reference themes and over 50% faster page load times across many catalog and checkout pages (among many other updates!).
What’s New in Magento 2.3.3?
Magento Open Source 2.3.3 offers significant platform upgrades, substantial security changes, and PSD2-compliant core payment methods.
This release includes over 170 functional fixes to the core product and over 75 security enhancements. It includes over 200 contributions from our community members. These contributions range from minor clean-up of core code to significant enhancements to Inventory Management and GraphQL.
New security-only patch available
Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release (for example, Magento 2.3.3) provides. Patch 2.3.2.2 (Composer package 2.3.2-p2) is a security-only patch that provides fixes for vulnerabilities that have been identified in our previous quarterly release, Magento 2.3.2.
If you have already upgraded to the pre-release version of this patch (2.3.2-p1), we strongly recommend that you upgrade to 2.3.2-p2 as soon as possible. Patch 2.3.2-p2 contains the critical security fixes that are included in Magento 2.3.3, 2.2.10, 1.9.4.3, and 1.14.4.3, but that are not included in patch 2.3.2-p1.
For general information about security-only patches, see the Magento DevBlog post Introducing the New Security-only Patch Release. For instructions on downloading and applying security-only patches (including patch 2.3.2-p1), see Install Magento using Composer.
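A patch-level check for the release lines named above, added here as an example and not part of the Magento release notes or code base: it reads composer.lock and reports whether the installed Magento metapackage is at or above 2.3.2-p2 or 2.2.10. The metapackage names, the handling of release lines the notes do not mention, and the sample lock content are assumptions.

```python
import json
import re

# Assumption: metapackage names as they appear in a Magento 2 composer.lock.
METAPACKAGES = ("magento/product-community-edition",
                "magento/product-enterprise-edition")

# First release on each line that carries the fixes, per the notes above:
# (major, minor) -> (patch, security-only patch level)
FIXED_FROM = {
    (2, 3): (2, 2),    # 2.3.2-p2, and therefore 2.3.3
    (2, 2): (10, 0),   # 2.2.10
}
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text):
    """Split '2.3.2-p2' into (2, 3, 2, 2); a missing -pN counts as 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, patch, plevel = match.groups()
    return int(major), int(minor), int(patch), int(plevel or 0)


def has_security_fixes(version):
    major, minor, patch, plevel = parse_version(version)
    floor = FIXED_FROM.get((major, minor))
    if floor is None:
        # Assumption: lines after 2.3 postdate these fixes; for older
        # lines the notes name no fixed release, so report them as lacking.
        return (major, minor) > (2, 3)
    return (patch, plevel) >= floor


def audit_lock(lock_text):
    """Return (package, version, has_fixes) for each Magento metapackage."""
    packages = json.loads(lock_text).get("packages", [])
    return [(p["name"], p["version"], has_security_fixes(p["version"]))
            for p in packages if p.get("name") in METAPACKAGES]


# Constructed sample standing in for a real composer.lock.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "example/unrelated-module", "version": "1.0.0"},
    {"name": "magento/product-community-edition", "version": "2.3.2-p1"},
]})

if __name__ == "__main__":
    for name, version, ok in audit_lock(SAMPLE_LOCK):
        print(f"{name} {version}: {'fixes present' if ok else 'UPGRADE NEEDED'}")
```

To audit a real installation, pass the contents of the project's composer.lock to audit_lock in place of SAMPLE_LOCK.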
Other release information
Although code for these features is bundled with quarterly releases of the Magento core code, several of these projects (for example, Page Builder, Inventory Management, and Progressive Web Applications (PWA) Studio) are also released independently. Bug fixes for these projects are documented in separate, project-specific release information which is available in the documentation for each project.
Apply the Catalog pagination issue on Elasticsearch 6.x patch to resolve a critical search result pagination issue
This patch resolves issues that users of Magento 2.3.3 experience in deployments where Elasticsearch 6.x is used as the catalog search engine. Users who attempt to navigate past the first page of search results are unsuccessful, and Magento displays an error message. After this patch is installed, users will be able to page through all search results. See Applying patches for specific instructions on downloading and applying Magento patches. To find the patch, navigate to Tech Resources, and select the ‘Catalog pagination issue on Elasticsearch 6.x’ patch associated with the version of Magento you are running.
Apply the EmailMessageInterface backward compatibility issue patch to resolve an email interface backward-incompatibility issue
This patch addresses backward-incompatibility issues that extension developers may have experienced after the introduction of Magento\Framework\Mail\EmailMessageInterface, which was released in Magento 2.3.3. In the scope of this patch, the new EmailMessageInterface inherits from the old MessageInterface, and core modules are changed back to rely on MessageInterface. Merchants should apply this patch as soon as possible, especially if their deployments include extensions or customizations that use the mail interface.
See Applying patches for specific instructions on downloading and applying Magento patches. To find the patch, navigate to Tech Resources, and select the EmailMessageInterface backward compatibility issue patch associated with the version of Magento you are running.
Apply the Method chaining fix for product collection patch to resolve an issue with broken method chaining in some extensions
This patch addresses changes that were introduced in Magento 2.3.3 that resulted in problems with extensions and customizations of the product collection feature that rely on method chaining contracts. The addAttributeToFilter method (in file app/code/Magento/Catalog/Model/ResourceModel/Product/Collection.php) was refactored without a return statement, which broke the method chaining that is used extensively in customizations of this feature. This patch refactors the method to add the missing return statement and ensure that method chaining works as expected.
Highlights
Look for the following highlights in this release:
Substantial security enhancements
This release includes the following security enhancements:
- PSD2 compliance to core payment methods
- Fixes for 75 critical security issues
- Significant platform-security enhancements that boost XSS (cross-site scripting) protection against future exploits. This effort is the culmination of several months of concentrated effort on Magento’s part to reduce our backlog of security enhancements.
Core payment methods integrations are now compliant with PSD2 regulations
The European Union recently revised the Payment Services Directive (PSD) regulation with an updated version–PSD2. This revised regulation goes into effect on September 14, 2019, and will significantly affect most payment processing involving credit cards or bank transfers. See the Magento Forum DevBlog post 3D Secure 2.0 changes for more information on Magento Payment Provider Recommendations and a wealth of links to PSD2 regulation discussions.
This release contains the following major PSD-related changes:
- The Braintree payment method now complies with PSD2 regulations. Its core integration API has been upgraded to the latest JavaScript SDK v3 API, which is a requirement for supporting native Braintree 3D Secure 2.0 adoption. Braintree transactions are now also verified by using the native Braintree 3D Secure 2.0 service.
- Authorize.net now provides the ability, through the cardholderAuthentication request field, to make 3D Secure verification through third-party services such as CardinalCommerce. Starting with this release, Authorize.net accept.js integration will support 3DS 2.0 through CardinalCommerce.
- The Cybersource and eWay payment modules have been deprecated in this release to comply with PSD2 SCA regulation, which takes effect on September 14, 2019. Use the official Marketplace extensions for these features instead.
Security enhancements and fixes to core code
- 75 security enhancements that help close cross-site scripting (XSS) and remote code execution (RCE) vulnerabilities as well as other security issues. No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts: IP whitelisting, two-factor authentication, use of a VPN, the use of a unique location rather than /admin, and good password hygiene. See Magento Security Center for a comprehensive discussion of these issues. All known exploitable security issues fixed in this release (2.3.3) have been ported to 2.2.10, 1.14.4.3, and 1.9.4.3, as appropriate.