Alan Hou's Personal Blog

Magento Vulnerability Patches

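Opening the Magento admin panel today shows the notice below, saying that security patches need to be installed to fix vulnerabilities. Download link: https://www.magentocommerce.com/products/downloads/magento/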

Critical Reminder: Download and install Magento security patches. Download now.

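Installation is simple: download the patch .sh file, upload it to the root directory of the Magento installation, and run it directly with the sh command. If you see the message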

Error! Some required system tools, that are utilized in this sh script, are not installed:
Tool(s) “patch” is(are) missed, please install it(them).

it means the patch command is not installed on the system; install it with yum install patch -y.

If the following error appears while installing the patch:

Hunk #1 FAILED at 33.
1 out of 1 hunk FAILED — saving rejects to file downloader/template/connect/packages_prepare.phtml.rej

then the packages_prepare.phtml file needs to be modified. Open downloader/template/connect/packages_prepare.phtml and change

<input type="hidden" name="install_package_id" value="<?php echo $this->get('package_id'); ?>">

to

 <input type="hidden" name="install_package_id" value="<?php echo $this->escapeHtml($this->get('package_id')); ?>">
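To confirm the result after running the patch script or making the manual edit, the following added example (not from the original post or from Magento) checks that no .rej files remain and that the install_package_id field is escaped. The function names are hypothetical, and the script assumes it is given the Magento root directory as its argument.

```shell
#!/bin/sh
# Added example: post-patch check for a Magento root directory.
# Function names are hypothetical; paths come from the error message above.

# check_package_id_escaped FILE
#   0 = install_package_id value goes through escapeHtml()
#   1 = field still echoes the raw package_id
#   2 = file or field not found
check_package_id_escaped() {
    file=$1
    [ -f "$file" ] || return 2
    line=$(grep 'name="install_package_id"' "$file") || return 2
    case $line in
        *'escapeHtml($this->get('*) return 0 ;;
        *) return 1 ;;
    esac
}

# list_rejects ROOT: print every *.rej file left behind by a failed hunk
list_rejects() {
    find "$1" -type f -name '*.rej' 2>/dev/null || true
}

# verify_magento_patch ROOT: 0 when the tree looks patched, 1 otherwise
verify_magento_patch() {
    root=$1
    st=0
    rejects=$(list_rejects "$root")
    if [ -n "$rejects" ]; then
        echo "failed hunks left reject files:"
        echo "$rejects"
        st=1
    fi
    rc=0
    check_package_id_escaped \
        "$root/downloader/template/connect/packages_prepare.phtml" || rc=$?
    case $rc in
        0) echo "packages_prepare.phtml: package_id is escaped" ;;
        1) echo "packages_prepare.phtml: package_id is NOT escaped"; st=1 ;;
        *) echo "packages_prepare.phtml: file or field not found"; st=1 ;;
    esac
    return $st
}

# Run against the directory given on the command line, if any.
if [ -n "${1:-}" ]; then verify_magento_patch "$1"; fi
```

Run it as sh followed by the script name and the Magento root path; a non-zero exit status means a reject file is still present or the template is still unescaped.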

The original text of the email sent by Magento follows:

Dear Magento Community Edition merchant,

 

If you have not done so already, download and install 2 previously-released patches that address potential Magento software security risks. The patches prevent an attacker from remotely executing code on Magento software. These issues affect all versions of Magento Community Edition.

 

Check Point Software Technologies has informed us that they plan to send out a press release in the coming days making one of the security issues widely known, possibly alerting hackers who may try to exploit the issue.  While we have not received any reports of merchants being impacted by the security risks, it’s important to ensure the patches are in place as a preventative measure before the issue is publicized.

 

RECOMMENDED NEXT STEPS:

Magento takes security seriously and will continue to actively work to identify and resolve potential issues.

Best Regards,
The Magento Team

 
