This is the December edition of #MageNews 🎉
Get ready to jump into the latest updates and news from the Magento community!
Let’s scroll down…
- [Not To Miss] PHP 7.1 EOL
- [Not To Miss] PageBuilder in PWA
- [Security] PageBuilder RCE in the Wild
- [Security] Arbitrary Code Execution in PHP‑FPM
- [Security] Security Incident in Magento Marketplace
- [Community Experience] Build New PageBuilder Content Type
- [Community Experience] Adobe Sensei Under the Hood
- [Community Experience] Official Magento Lang Packs
- [Community Experience] Leverage Message Queue
- [Community Experience] Conferences
- [Architecture] Future Of Magento MQ
- [Architecture] MCS v5
- [Architecture] JSON In Declarative Schema
- [Open Source] Useful Projects
- Want More?
Not to Miss
PHP 7.1 EOL
PHP 7.1 reached EOL in December. Make sure you are running at least version 7.2. Otherwise, you may have trouble staying PCI compliant and keeping your store secure.
— Sanguine Security Labs (@eComscan) November 13, 2019
PageBuilder in PWA
Magento DevDocs announced that PageBuilder integration with PWA is coming with Magento 2.3.4, which will be released at the beginning of Q1 2020.
A little (super early) @magento v2.3.4 teaser…
— Magento DevDocs (@MagentoDevDocs) November 18, 2019
PageBuilder RCE in the Wild
A critical unauthorized RCE through crafted Page Builder templates was reported in the wild. This affects Magento Commerce versions prior to 2.3.2-p2 or 2.3.3 where PageBuilder is enabled and used. Upgrade as soon as possible to protect your store.
We're seeing a surge of attacks on the Magento Page Builder, people are trying to abuse the RCE vuln that was fixed in last month's security update in the wild. Patch your shops! https://t.co/hb7SKXft0U
— Rick van de Loo (@vdloo_) November 8, 2019
Arbitrary Code Execution in PHP‑FPM
A critical vulnerability was discovered in PHP-FPM. Depending on configuration, it may be possible to exploit the PATH_INFO environment variable to trigger memory corruption and execute malicious code.
To be sure you are safe, upgrade to PHP 7.1.33, PHP 7.2.24, or PHP 7.3.11.
It’s common to use PHP-FPM in the Magento setup, so check more information about this below.
If you're self hosting your #Magento store using @nginx and @php, make sure you're all patched up. A PoC of this vulnerability exists which means it's already too late. You're hacked https://t.co/3YWHBRdd2L
— Talesh Seeparsan (@_Talesh) November 4, 2019
Magento Marketplace Security Incident
The Magento Security team found a security incident on Magento Marketplace. It turned out that some account data was leaked for some users. The leaked information includes names, email addresses, MageID, billing and shipping addresses, and some limited commercial information. No modules or core products were compromised though.
— Hx01 (@Hxzeroone) November 27, 2019
Build New PageBuilder Content Type
The integer_net team shared an essential writeup about adding a new content type in PageBuilder. From adding changes to the PageBuilder editor to rendering and storing the final HTML snippets, one should get familiar with a new way of building customer-engaging content.
— integer_net (@integer_net) November 7, 2019
Adobe Sensei Under the Hood
A general overview of Adobe's AI framework, Adobe Sensei. It is used inside Magento Product Recommendations, which will be GA early next year.
– [Medium] A Glimpse Under the Hood of Adobe’s AI and ML Innovations: Adobe Sensei ML Framework
Official Magento Lang Packs
Magento and the community put great effort into creating official, high-quality language packs. 68 different language packs are ready to use. Check how to include them in your project below.
– [integer_net] How to install the official Magento 2 language pack
– [Github] Magento Localization
– [Github] Language package for German
– [Github] Language package for Italian
– [Github] Language package for French
– [Github] Language package for Japanese
Leverage the Message Queue
A message queue is a natural component of any enterprise architecture that needs to process work in the background and give visitors a quick response to their actions. Since version 2.3, Magento has been moving heavier operations to background processing using its built-in Message Queue capabilities. This will be especially helpful and important in the new service-isolated architecture Magento is currently working on. If you are not yet familiar with the Message Queue in Magento, the following articles will be a great overview for you.
Conferences
We have collected videos from recently published presentations and featured some of the talks.
– MM19NY: Magento Microservice Architecture (Dan Goodfriend)
– MM19NY: Data privacy and AI in eCommerce (Victoria Yaschuk)
– MM19NY: The Ultimate Guide to Indexing in Magento 2 (John Hughes)
– MageCONF2019: Alternative Checkout Flow. (Yevhen Sentiabov)
– MageCONF2019: Evolving Magento Domain Model (Anton Kril)
– [Youtube] MM19NY – Presentations Playlist
– [Youtube] MageCONF2019 – Presentations Playlist
Future Of Magento MQ
Currently, Magento supports MySQL and RabbitMQ as message queue options. For the sake of better scaling, it makes sense to support other options such as AWS MQ, AWS SQS, AWS Kinesis and so on. Some details about the evaluation of possible options and their implementations are available below.
– [Github] Magento Messaging Architecture and Options
– [Github] Magento Message Queue Processing Design
– [Github] Magento Messaging Options – Evaluation of Technologies
– [Github] Magento Messaging Options – AWS MQ
– [Github] Magento Messaging Options – AWS SQS
– [Github] Magento Messaging Options – AWS Kinesis
– [Github] Magento Messaging Options – AWS Kafka
– [Github] Magento Messaging Options – Azure Service Bus
– [Github] Magento Messaging Options – Adobe I/O
MCS v5
A new version of the Magento Coding Standard is out. It now supports sniffs for GraphQL schemas.
🚀Coding standard v5 has been released!
📃Release notes: https://t.co/FNuBJIytk3
— Lena Orobei 👩🏻💻 (@LenaOrobei) November 6, 2019
JSON In Declarative Schema
Magento has received a pull request that adds support for the JSON data type in Declarative Schema. MySQL has supported the JSON type natively since version 5.7.8.
— Anton (@antonkaplya) November 5, 2019
Useful Projects
– auroraextensions/simplereturns – Simplified RMA for Magento Open Source
– duhon/magento-docker – Magento docker-based development environment supported by Magento core team
– experius/Github-Magento2-Composer-Patch – browser extension that generates Magento patch definition for vaimo/composer-patches
– extdn/github-actions-m2 – GitHub Actions for Magento 2 Extensions
Want More?
Make sure to be the first to get our January MageNews digest: subscribe to our blog.
See you in a month!