---
group: release-notes
title: Adobe Commerce 2.3.7-p2 Release Notes
---
{{ site.data.var.ee }} 2.3.7-p2 is a security release that provides security fixes that enhance your {{ site.data.var.ee }} 2.3.7 or {{ site.data.var.ce }} 2.3.7 deployment. It provides fixes for vulnerabilities that have been identified in the previous release ({{ site.data.var.ee }} 2.3.7-p1).
{:.bs-callout-info} PHP 7.3 reached end of support in December 2021, and {{ site.data.var.ee }} 2.3.x and {{ site.data.var.ce }} 2.3.x reach end of support in April 2022. We strongly recommend planning your upgrade now to a {{ site.data.var.ee }} 2.4.x or {{ site.data.var.ce }} 2.4.x deployment to help maintain PCI compliance.
{:.bs-callout-info} Releases may contain backward-incompatible changes (BIC). To review minor backward-incompatible changes, see BIC reference. (Major backward-incompatible issues are described in BIC highlights. Not all releases introduce major BICs.)
DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply `AC-3022.patch` at their earliest convenience to continue offering DHL as a shipping carrier. See the Apply a patch to continue offering DHL as shipping carrier Knowledge Base article for information about downloading and installing the patch.
This security patch includes:
- All hotfixes that have been released for the preceding patch release
- Security enhancements
- Six security bug fixes. Only one of these six fixes is an externally reported vulnerability. Fixes for externally reported vulnerabilities are documented in the Adobe Security Bulletin.
- Bug fixes for the [Klarna]({{ site.user_guide_url }}/v2.3/payment/klarna.html) and [Vertex]({{ site.user_guide_url }}/v2.3/tax/vertex.html) vendor-developed extensions.
This release includes the following hotfixes, which address known issues first identified in {{ site.data.var.ee }} 2.3.7-p1:
- Patch `AC-384__Fix_Incompatible_PHP_Method__2.3.7-p1_ce.patch` to address PHP fatal error on upgrade. See the Adobe Commerce upgrade 2.4.3, 2.3.7-p1 PHP Fatal error Hotfix Knowledge Base article for information on both patch and issue.
- Patch Adobe Commerce 2.3.7-p1 known issue outdated order total for PayPal. See the Adobe Commerce upgrade 2.4.3, 2.3.7-p1 PHP Fatal error Hotfix Knowledge Base article for information on both patch and issue.
Session IDs have been removed from the database. This code change may result in breaking changes if merchants have customizations or installed extensions that use the raw session IDs stored in the database.
Restricted admin access to Media Gallery folders. Default Media Gallery permissions now allow only directory operations (view, upload, delete, and create) that are explicitly allowed by configuration. Admin users can no longer access media assets through the Media Gallery that were uploaded outside of the `catalog/category` or `wysiwyg` directories. Administrators who want to access media assets must move them to an explicitly allowed folder or adjust their configuration settings. See Modify Media Library folder permissions.
Lowered limits to GraphQL query complexity. The GraphQL maximum allowed query complexity has been lowered to prevent Denial-of-Service (DoS) attacks. See GraphQL security configuration.
Recent penetration test vulnerabilities have been fixed in this release.
The unsupported source expression `unsafe-inline` has been removed from the Content Security Policy `frame-ancestors` directive. GitHub-33101
Issue: Adobe Stock images uploaded into the `<install_dir>/pub/media` and `<install_dir>/pub/media/catalog` directories are not visible in the Media Gallery. Workaround: To view and work with these images, delete them from the filesystem directories and re-upload them into an allowed Media Gallery directory. See the Stock images not displayed, Adobe Commerce and Magento Open Source 2.3.7-p2 Knowledge Base article.
For instructions on downloading and applying security patches (including patch 2.3.7-p2), see Quick start install.
For general information about security patches, see Introducing the New Security Patch Release.