Introducing the New Security-only Patch Release

A great decision by Magento! An upgrade is always a pain point for merchants: it takes at least a month or two (depending on the customizations on the instance and on third-party compatibility with the new Magento version), and during that period the stores remain exposed to known vulnerabilities.

In my experience, merchants most of the time avoid upgrading to the latest released Magento version because of the large number of customizations in their store, and on top of that an upgrade carries a high development cost. Security fixes must therefore be INDEPENDENT of major upgrades and third-party dependencies, and readily AVAILABLE.

In 2019, Magento released a security-only patch for Magento Commerce and Open Source 2.3.2. The release is called “2.3.2-p1”. It gives you the option to take just the security fixes instead of a full upgrade to the latest version.

This scheme is designed to make the security upgrade process faster and easier. A security-only patch is named after the latest prior full patch release: the security-only patches for 2.3.5, for example, are named 2.3.5-px.

Flow diagram:

The flow diagram shows the flexibility Magento provides: you can upgrade to the full latest version (quality fixes + security fixes) or apply the security-only patch.

Here are a few examples to explain the options in more detail:

Example 1 – A full upgrade:

  • In Q3’19, you upgrade your 2.3.2 instance to 2.3.3.
  • In Q1’20, you can upgrade your 2.3.3 instance to 2.3.4.

Example 2 – Security now, full service later:

  • In Q3’19, you upgrade your 2.3.2 instance to 2.3.2-p1.
  • In Q1’20, you can upgrade your 2.3.2-p1 instance to 2.3.4.

Example 3 – Security now, then the functional change you really need:

  • In Q3’19, you upgrade your 2.3.2 instance to 2.3.2-p1.
  • Between Q3’19 and Q1’20, you upgrade your 2.3.2-p1 instance to 2.3.3 to get access to the quality updates.
  • In Q1’20, you upgrade your 2.3.3 instance to either 2.3.4 or 2.3.3-p1, depending on the complexity of the upgrade you want to take on.*

Example 4 – Security-only update to security-only update:

  • In Q3’19, you upgrade your 2.3.2 instance to 2.3.2-p1.
  • In Q1’20, you can upgrade your 2.3.2-p1 instance to 2.3.3-p1 without upgrading to 2.3.3.**
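
As an added example (my own code, not from the original post or from Magento), here is a small Python helper that parses version strings in the naming convention described above and applies the rules implied by the four examples: it classifies an upgrade path and reports whether a security-only patch for your current base release is still pending. The release list is constructed only from the version numbers quoted in this post, and the category names returned by `classify_upgrade` are my own.

```python
import re
from typing import NamedTuple, Optional

# Accepts "2.3.2" (full release) and "2.3.2-p1" (security-only patch release).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


class MagentoVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    security: int  # 0 for a full release, N for the "-pN" security-only release

    @property
    def base(self) -> tuple:
        """The full patch release this version is built on (2.3.2-p1 -> 2.3.2)."""
        return (self.major, self.minor, self.patch)

    def __str__(self) -> str:
        text = f"{self.major}.{self.minor}.{self.patch}"
        return text + (f"-p{self.security}" if self.security else "")


def parse_version(text: str) -> MagentoVersion:
    """Parse "X.Y.Z" or "X.Y.Z-pN"; reject anything else instead of guessing."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a Magento version string: {text!r}")
    major, minor, patch, security = match.groups()
    return MagentoVersion(int(major), int(minor), int(patch), int(security or 0))


def classify_upgrade(current: str, target: str) -> str:
    """Name the kind of move from `current` to `target`, following the four
    example paths in the post (category names are assumptions of this example)."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:                      # tuple order: (major, minor, patch, security)
        return "not an upgrade"
    if tgt.base == cur.base:
        return "security-only patch"             # Example 2: 2.3.2 -> 2.3.2-p1
    if tgt.security:
        return "security patch on a newer base"  # Example 4: 2.3.2-p1 -> 2.3.3-p1
    return "full upgrade"                        # Examples 1-3: 2.3.2 -> 2.3.3, 2.3.2-p1 -> 2.3.4


def latest_security_patch(current: str, released: list) -> Optional[str]:
    """Return the newest security-only patch for `current`'s base release that
    is newer than `current`, or None when nothing is pending on that base
    (a full upgrade is then the only way to pick up newer fixes)."""
    cur = parse_version(current)
    candidates = [v for v in map(parse_version, released)
                  if v.base == cur.base and v.security > cur.security]
    return str(max(candidates)) if candidates else None


# Constructed release list, made only of the version numbers quoted in the post.
RELEASED = ["2.3.2", "2.3.2-p1", "2.3.3", "2.3.3-p1", "2.3.4"]

if __name__ == "__main__":
    for installed in ("2.3.2", "2.3.2-p1", "2.3.3", "2.3.4"):
        print(f"{installed}: pending security-only patch ->",
              latest_security_patch(installed, RELEASED))
    for cur, tgt in (("2.3.2", "2.3.3"), ("2.3.2", "2.3.2-p1"),
                     ("2.3.2-p1", "2.3.4"), ("2.3.2-p1", "2.3.3-p1")):
        print(f"{cur} -> {tgt}: {classify_upgrade(cur, tgt)}")
```

In practice you would feed `latest_security_patch` the version your instance reports and the list of releases published on the Magento security page linked below; a non-None result means a security-only patch is available without taking on a full upgrade.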

I hope these examples clarify the flow of security patches. These changes by Magento will surely solve many merchants’ problems and make it easier to keep their stores protected from known vulnerabilities.

To get the latest patches, security updates, and best practices for your Magento sites, follow:

https://magento.com/security/patches

Magento Blog
