We report here the last faithfully magento security announcement

<<

Dear Magento Provider,

As part of our ongoing commitment to security, we have uncovered potential vulnerabilities that we are proactively addressing today with a new patch (SUPEE-6285). There are no confirmed reports of attacks related to these issues to-date, but it is important that you work immediately with your clients to deploy the patch in order to protect their stores.

This patch addresses the following security issues:

  • It prevents attackers from posing as an administrator to gain access to the last orders feed, which contains personally identifiable information that can then be used to obtain more sensitive information in follow-on attacks. Your clients can check to see if they have been compromised by reviewing their server logs for someone trying to reach the /rss/NEW location.
  • It closes a number of security gaps including cross-site scripting (XSS), cross-site request forgery (CSRF), and error path disclosure vulnerabilities.

More information about these issues can be found on the Magento Security Center and in the Appendix of the Magento Enterprise Edition and Magento Community Edition user guides.

 

We have created patches for both Magento Enterprise and Magento Community Editions. For Magento Enterprise Edition, a patch is available for Enterprise Edition 1.9 and later releases. For Magento Community Edition, a patch is available for Community Edition 1.4.1 to 1.9.1.1 and is part of the core code of our latest release, Community Edition 1.9.2, which is now available for download.  Please work with your clients to immediately deploy the patches or upgrade to Community Edition 1.9.2.

 

DOWNLOADING THE SECURITY PATCH
Before implementing this new security patch (SUPEE-6285), your clients must first implement SUPEE-5994 (issued May 14, 2015). This will ensure that the patch works properly.

 

To download the patch, your clients can choose from the following options:

  • Enterprise Edition Merchants: Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Support Patches. Look for the folder titled “Security Patches – July 2015.” 
  • Community Edition Merchants: Upgrade today to Community Edition 1.9.2 and receive the security fixes as part of the core code. Patches for earlier versions of Community Edition can also be found on the Community Edition download page (look for SUPEE-6285). 

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing patches for Magento Enterprise Edition and Magento Community Edition is available online.

 

Thank you for your prompt attention to this matter.

Best regards,
The Magento Team

>>