If you have Magento 2 installed and the version is earlier than 2.0.4, you should upgrade immediately to get the following security fixes:
- Server-side cross-site scripting via user name
- Reflected cross-site scripting in Authorize.net module
- Arbitrary PHP code execution using language packs
- API token access vulnerable to brute force attacks
- Web API allows anonymous access
- Weak encryption keys when generated from Manage Encryption Keys page
Magento released 2.0.3 to address these issues, but then released 2.0.4 last night at 9pm to fix a packaging issue with 2.0.3. You can skip 2.0.3 and go straight to 2.0.4.
How you upgrade to Magento 2 version 2.0.4 depends on how Magento was initially installed.
If you installed M2 from the official release then upgrading to 2.0.4 is easy:
- Log in to your Magento 2 Admin with an administrator-level account
- Go to System > Web Setup Wizard
- Enter your Authentication Keys in System Configuration. I needed to get new keys for mine to work but you may not have to. If it fails then you can generate new keys here:
- Click on System Upgrade to start the Upgrade Wizard.
- Follow the steps. If it fails then you’ll have to perform the upgrade manually (see below). The bad news is that this means uninstalling and reinstalling, so be sure to back up your extensions. Luckily, thanks to the way M2 is structured, it isn’t very difficult to save your work. Remember to BACK UP your files and database just in case something goes wrong!
If you installed M2 using git clone from the Magento2 CE GitHub repo:
- To update the Magento software, use git pull origin and composer update
- To change versions from develop to a release version like 2.0.2, you must uninstall the Magento software and install the released version.
- To add, remove, or update components, modify composer.json and run composer update
- To reinstall the Magento software, modify the product version in composer.json, run composer update, then reinstall the Magento software
If you’ve already installed M2 2.0.3 then be sure to uninstall and then install 2.0.4 to get the full benefit of the security fixes.
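As an added example (not from Magento or the original post), this Python script reads a store's root composer.json and applies the version rules above: anything earlier than 2.0.4 needs the upgrade, and 2.0.3 needs the uninstall and reinstall. It assumes the release is recorded in the root "version" field or as a pinned magento/product-* requirement; the sample JSON is constructed.

```python
import json
import re

FIXED = (2, 0, 4)       # release the post says to be on
REPACKAGED = (2, 0, 3)  # release the post says had a packaging issue

def parse_version(text):
    """Return (major, minor, patch), or None for anything that is not a plain release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(part) for part in m.groups()) if m else None

def installed_version(composer_json_text):
    """Find the Magento release recorded in a root composer.json."""
    data = json.loads(composer_json_text)
    # Assumption: the release is in the root "version" field, or pinned as a
    # magento/product-* metapackage under "require".
    candidates = [data.get("version")]
    for name, constraint in data.get("require", {}).items():
        if name.startswith("magento/product-"):
            candidates.append(constraint)
    for candidate in candidates:
        if isinstance(candidate, str) and parse_version(candidate):
            return parse_version(candidate)
    return None

def upgrade_status(composer_json_text):
    """Classify an install as 'ok', 'upgrade', 'reinstall' or 'unknown'."""
    version = installed_version(composer_json_text)
    if version is None:
        return "unknown"    # e.g. a develop checkout: check by hand
    if version >= FIXED:
        return "ok"
    if version == REPACKAGED:
        return "reinstall"  # uninstall 2.0.3, then install 2.0.4
    return "upgrade"

# Constructed sample inputs, not taken from a real store.
SAMPLES = {
    "store-a": '{"name": "magento/magento2ce", "version": "2.0.2"}',
    "store-b": '{"version": "2.0.3"}',
    "store-c": '{"require": {"magento/product-community-edition": "2.0.4"}}',
    "store-d": '{"name": "magento/magento2ce", "require": {"php": "~5.5.0"}}',
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label}: {upgrade_status(text)}")
```

An "unknown" result means no plain release number was found, so that install has to be checked by hand.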
More information can be found at the official Magento website.