Adobe Commerce 2.4.6-p1 release notes

Last update: 2023-09-29
  • Created for:
  • Experienced
    Admin
    Developer

Adobe Commerce 2.4.6-p1 is a security release that provides three security fixes that enhance your Adobe Commerce 2.4.6 or Magento Open Source 2.4.6 deployment. It provides fixes for vulnerabilities that have been identified in previous releases.

NOTE

Adobe Commerce and Magento Open Source releases may contain backward-incompatible changes (BICs). To review backward-incompatible changes, see BIC reference. Major backward-incompatible issues are described in BIC highlights. Not all releases introduce major BICs.

Apply patch to resolve security vulnerability CVE-2022-31160 in jQuery-UI library

jQuery-UI library version 1.13.1 has a known security vulnerability (CVE-2022-31160) that affects multiple versions of Adobe Commerce and Magento Open Source. This library is a dependency of Adobe Commerce and Magento Open Source 2.4.4, 2.4.5, and 2.4.6. Merchants running affected deployments should apply the patch specified in the Query UI security vulnerability CVE-2022-31160 fix for 2.4.4, 2.4.5, and 2.4.6 releases Knowledge Base article.

What’s in this release?

Security enhancements for this release improve compliance with the latest security best practices. These improvements include 13 security fixes and platform upgrades.

This security patch includes:

  • security fixes
  • security highlights
  • platform upgrades

Security fixes

This patch includes 13 security fixes. See Adobe Security Bulletin for the latest discussion of these fixed issues.

Security highlight

The default behavior of the isEmailAvailable GraphQL query and (V1/customers/isEmailAvailable) REST endpoint has changed. By default, the API now always returns true. Merchants can enable the original behavior, which is to return true if the email does not exist in the database and false if it exists.

Platform upgrades

Platform upgrades for this release improve compliance with the latest security best practices.

  • Varnish cache 7.3 support. This release is compatible with the latest version of Varnish Cache 7.3. Compatibility remains with the 6.0.x and 7.2.x versions, but we recommended using Adobe Commerce 2.4.6-p1 only with Varnish Cache version 7.3 or version 6.0 LTS.

  • RabbitMQ 3.11 support. This release is compatible with the latest version of RabbitMQ 3.11. Compatibility remains with RabbitMQ 3.9, which is supported through August 2023, but we recommended using Adobe Commerce 2.4.6-p1 only with RabbitMQ 3.11.

  • JavaScript libraries. Outdated JavaScript libraries have been upgraded to the latest minor or patch versions, including moment.js library (v2.29.4), jQuery UI library (v1.13.2), and jQuery validation plugin library (v1.19.5).

Known issues

  • The nginx.sample file was inadvertently updated with a change that modifies the value of fastcgi_pass from fastcgi_backend to php-fpm:9000. This change can be safely reverted or ignored.

  • Missing dependencies for the B2B security package cause the following installation error when installing or upgrading the B2B extension to 1.4.0.

    Your requirements could not be resolved to an installable set of packages.
    
      Problem 1
        - Root composer.json requires magento/extension-b2b 1.4.0 -> satisfiable by magento/extension-b2b[1.4.0].
        - magento/extension-b2b 1.4.0 requires magento/security-package-b2b 1.0.4-beta1 -> found magento/security-package-b2b[1.0.4-beta1] but it does not match your minimum-stability.
    
    Installation failed, reverting ./composer.json and ./composer.lock to their original content.
    

    This issue can be resolved by adding manual dependencies for the B2B security package with a stability tag. For details, see the B2B release notes.

Installation and upgrade instructions

For instructions on downloading and applying security patches (including patch 2.4.6-p1), see Quick start install.

More information?

For general information about security patches, see Introducing the New Security Patch Release.

On this page