Magento Open Source 2.0.4 Release Notes

We are pleased to present Magento Open Source 2.0.4. This release includes all of the security enhancements and performance improvements of Magento 2.0.3, in improved packaging. You must download and install 2.0.4 to ensure that you receive all the security enhancements of 2.0.3.

Backward-incompatible changes are documented in Magento 2.0 Backward Incompatible Changes.

Fixed issues

Upgrade and Installation

  • Magento no longer creates store data inconsistently during installation.
  • During upgrade, the setup:config:set script no longer deletes values in the env.php file.

Import

  • Magento now successfully imports existing products as well as products that use custom URLs.

APIs

  • The Orders API now exposes the shipping address. This corrects an issue with using this API to integrate with third-party systems.
  • The SOAP API now returns attributes of type “text swatch” and “visual swatch” when you use the API to add attribute options. Previously, this feature did not work for these attribute types.

PHP

  • Magento now allows you to use arguments of url type in nested arrays. Previously, you could pass route parameters only if the url argument was declared at the top level.

Miscellaneous

  • Magento no longer displays HTML tags in messages.
  • Product performance has been enhanced when loading catalog products with multiple color swatches.
  • Magento now successfully saves and displays new customer attributes.
  • Magento performance has been improved by the removal of redundant get requests that previously occurred during shopping cart refresh.

Security enhancements

This release includes several enhancements to improve the security of your Magento 2.0 installation. While there are no confirmed attacks related to these issues to date, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. We recommend that you upgrade your existing Magento 2.0 installation to the latest version as soon as possible.

The following list provides an overview of the security issues fixed in this release. We describe each issue in greater detail in the Magento Security Center.

  • Issue with persistent cross-site scripting through a user account has been resolved.
  • Magento now supports setting limits on password attempts. Previously, Admin and Customer Token API access did not limit the number of attempts to enter a password, inadvertently allowing brute force attempts to guess passwords.
  • APIs that previously granted access to anonymous users are now configured to require a higher permission level. Default product behavior does not permit anonymous access to Catalog, Store and CMS APIs. However, if you would like to allow anonymous access, you can change this setting.
  • Magento now prevents the arbitrary execution of PHP code through the language package CSV file.
  • The encryption keys that are generated in System > Manage Encryption Key have been strengthened.
  • Reflected XSS can no longer occur through the Authorizenet module’s redirect data.

We recommend that you review Magento’s Security Best Practices, and confirm that all safeguards are in place to protect your system from compromise. Use this occasion to examine your system for indications of possible attack, such as strange administrator accounts, unfamiliar files on the server, etc. To receive direct notification from our security team regarding any emerging issues and solutions, sign up for the Security Alert Registry.

System requirements

Our technology stack is built on PHP and MySQL. Magento 2.0.1 and later support PHP 5.5, 5.6, 7.0.2, and MySQL 5.6. For more information, see System Requirements.

Installation instructions

New installations

New users can now complete a full installation of Magento Open Source 2.0.4 from an archive file on the Download page.

Download a new installation
  1. Go to the Magento Community Edition Download page.

  2. Under Full Release, select a format for the download archive file. Then, click Download.

  3. Follow the Magento installation instructions.

Install a new installation with Composer
  1. Go to the Magento Open Source Download page.

  2. Under Download with Composer, click Download.

  3. Follow the instructions to download Composer, and get the Magento Open Source metapackage.

Upgrade existing installations

If you installed Magento Open Source 2.0.0 from an archive, you must perform some additional tasks before you can upgrade your installation. Current users of Magento 2.0.0/2.0.1/2.0.2/2.0.3 must first update the installer from the command line. Then, update the installation from the Web Setup Wizard or command line. For detailed instructions, see the technical bulletin.

Upgrade an existing installation from the Setup Wizard
  1. Log in to Admin with Administrator privileges.

  2. On the Admin sidebar, click System. Under Tools, choose Web Setup Wizard.

  3. Click System Upgrade. Follow the onscreen instructions to complete the upgrade.

For more information, see Upgrade the Magento installation and components.

Upgrade an existing installation from the GitHub repository

Developers who contribute to the Open Source codebase can upgrade manually from the Magento Open Source GitHub repository.

  1. Go to the Contributing Developers page.

  2. Follow the instructions to pull the updates from the repository and update Composer.