How to apply Magento patches


This article explains how to apply a Magento patch to fix bugs and keep your webshop secure. Magento Enterprise Edition users can download patches from the Magento Support Portal on Magentocommerce.com.

Different Magento patches

Every once in a while Magento issues a new patch for Magento Community and Magento Enterprise to increase the security of their software. These patches are basically security releases, and new Magento versions mostly contain all prior patches. Whenever a new patch comes out, download and install it as soon as possible. A complete overview of Magento patches can be found on Magento.com.

Six steps to apply the patch and increase your Magento security

You need SSH (shell) access to download and apply the patch. You need only three commands, cd, wget and bash, to navigate, download and apply the patch.

Step 1: Make a backup

There’s a chance that certain plugins or elements in your webshop aren’t compatible with the Magento patch. That’s why we always recommend making a backup first, in case something goes wrong.

Step 2: Log on to SSH (shell)

Log on to the shell server. If you don’t know how to log on, contact your hosting provider or technical contact. As an alternative you can follow the steps in the article log in on your hypernode using SSH.

Step 3: Download the patch

To download the correct patch for your webshop you need to know what version of Magento you’re using. Don’t know what version you use?

To find out, use the following command:

For Magento 1:

magerun sys:info

For Magento 2:

magerun2 sys:info

Or get the version by simply using Magereport.

Download the patch(es) you need via the Magento downloads page.

Step 4: Apply the patch

To apply the patch, move the patch file to your Magento directory.
For Magento 1 this is the /data/web/public directory and for Magento 2 the /data/web/magento2 directory.

The bash command will apply the patch you just downloaded:

   bash NAME_PATCH

Let’s assume here that the patch name is: patch_supee-5994.sh. Your actual command would look like this:

bash patch_supee-5994.sh

Step 5: Clear your cache

It’s important to flush the Magento cache after applying the patch. Flushing your caches can be done in the back-end of your Magento shop under Cache management. Don’t forget to flush your opcode or APC cache as well!

Step 6: Check your shop

Don’t forget to check your shop for vulnerabilities after patching and flushing your caches. Magento’s Security Patch Page provides a list of signs to look out for to determine whether your site is compromised or not.

FAQ

I keep getting a Hunk failed error. What should I do?

When you get the Hunk failed error it means you downloaded the patch for the wrong version. Please check what version of Magento you’re running and download the correct patch. If you still receive this error, please check the Magento forum for more information on these patches or discuss your problem on one of their boards.

How long will downloading and applying the patch take?

Downloading and applying the patch doesn’t take much time. We do however recommend that you check your shop thoroughly after applying the patch, which can take up quite some time.

I’ve patched my shop, but I keep getting a notification in the back-end of Magento

Magento doesn’t check whether you’ve applied the patch or not, so that notification will always be visible, patched or not. If you already applied the patch, you can ignore the notification or indicate you’ve read the message.

Can I check if a patch is installed?

Yes, you can. You can scan your site with magereport.com to see if a patch is installed or not. If a check comes up grey, it’s possible that the files needed for the check have been relocated, so MageReport can’t see whether your shop is patched or not. No worries. Simply use SSH to check if your shop is patched.

Every patch that’s been applied is logged in app/etc/applied.patches.list in your shop’s directory. Use the grep command to read the list:

grep '|' app/etc/applied.patches.list

The output will look like this:

-e 2015-04-14 08:34:22 UTC | SUPEE-5344 | EE_1.14.1.0 | v1 | a5c9abcb6a387aabd6b33ebcb79f6b7a97bbde77 | Thu Feb 5 19:14:49 2015 +0200 | v1.14.1.0..HEAD

In this example only SUPEE-5344 has been applied. If you have uninstalled a patch, you’ll see this:

-e 2015-04-14 15:21:48 UTC | SUPEE-5344 | EE_1.14.1.0 | v1 | a5c9abcb6a387aabd6b33ebcb79f6b7a97bbde77 | Thu Feb 5 19:14:49 2015 +0200 | v1.14.1.0..HEAD | REVERTED
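
The check described above, as an added example (not part of the original article or of Magento’s own tooling): a shell helper that reads app/etc/applied.patches.list and reports the latest state of each patch, so a patch that was applied and later reverted is not counted as installed. It assumes entries are appended in chronological order; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: latest state of each patch in applied.patches.list.
# Assumption: entries are appended in order, so the last entry for a patch wins.

# patch_status FILE -> prints "<patch> <applied|reverted>", one per line, sorted
patch_status() {
    awk -F'|' '
        NF >= 2 {
            name = $2;  gsub(/^[ \t]+|[ \t]+$/, "", name)
            last = $NF; gsub(/^[ \t]+|[ \t]+$/, "", last)
            if (name == "") next
            state[name] = (last == "REVERTED") ? "reverted" : "applied"
        }
        END { for (n in state) print n, state[n] }
    ' "$1" | sort
}

# is_patch_applied FILE PATCH -> exit status 0 only if PATCH is currently applied
is_patch_applied() {
    patch_status "$1" | grep -Fqx "$2 applied"
}

# Constructed sample entries in the format shown above (placeholder hashes).
write_sample_list() {
    cat > "$1" <<'EOF'
-e 2015-04-14 08:34:22 UTC | SUPEE-5344 | EE_1.14.1.0 | v1 | 0000000000000000000000000000000000000000 | Thu Feb 5 19:14:49 2015 +0200 | v1.14.1.0..HEAD
-e 2015-04-14 15:21:48 UTC | SUPEE-5344 | EE_1.14.1.0 | v1 | 0000000000000000000000000000000000000000 | Thu Feb 5 19:14:49 2015 +0200 | v1.14.1.0..HEAD | REVERTED
-e 2015-04-15 09:00:00 UTC | SUPEE-5344 | EE_1.14.1.0 | v1 | 0000000000000000000000000000000000000000 | Thu Feb 5 19:14:49 2015 +0200 | v1.14.1.0..HEAD
-e 2015-05-20 10:00:00 UTC | SUPEE-5994 | EE_1.14.1.0 | v1 | 1111111111111111111111111111111111111111 | Tue May 12 10:00:00 2015 +0200 | v1.14.1.0..HEAD
-e 2015-05-21 11:00:00 UTC | SUPEE-5994 | EE_1.14.1.0 | v1 | 1111111111111111111111111111111111111111 | Tue May 12 10:00:00 2015 +0200 | v1.14.1.0..HEAD | REVERTED
EOF
}

# Usage: sh patch-status.sh app/etc/applied.patches.list
# Without an argument the constructed sample is used.
if [ -n "${1:-}" ]; then
    patch_status "$1"
else
    demo=$(mktemp)
    write_sample_list "$demo"
    patch_status "$demo"
    rm -f "$demo"
fi
```

On the sample, SUPEE-5344 is reported as applied because it was re-applied after the revert, while SUPEE-5994 is reported as reverted and should be applied again.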

I have a Magento 2 shop, can I still check if a patch is installed?

If you have a Magento 2 shop on Hypernode, most security checks will come out as ‘safe’, except for SUPEE-5344 Shoplift (the check in MageReport comes out as ‘unknown’). This makes sense, since the patches are made for security leaks in Magento 1.x versions. If a security leak also affects Magento 2, the Magento team will release a separate patch or version (like they did with the Magento 2.0.1 Security update).

Hosting elsewhere? Some security patch checks may report unknown if your hosting provider has taken measures to protect your shop against these vulnerabilities.

Magereport keeps saying the security patch isn’t installed

We found out that there are several reasons why patches can come out as uninstalled on Magereport.com, so we recommend checking the following:

  • When compilation is enabled in the backend of your Magento, the Magento patch doesn’t work properly. Disable compilation (navigate to the System > Tools > Compilation page and click the Disable button) to make sure the patch works. After disabling compilation, check your site with magereport.com again. If the check still comes out as not installed, try re-compiling.
  • Check if the patch is installed in the correct directory;
  • Reload your opcode cache, webserver, php-fpm process and possibly other caches. The old code might still be active;
  • Check your shop’s .htaccess. If you’ve made any adjustments in your .htaccess, it’s possible the patch is only partially installed;
  • [SUPEE-6482-only] Using a Magento version older than Magento 1.6.1.0? Update to a more recent version. When patching Magento versions older than Magento 1.6.1.0, certain redirects aren’t added.

We hope one of the causes mentioned above can fix your problem. If not, we recommend you to hire a Magento specialist. Unfortunately we can’t help fixing these problems. We’re a hosting company that specializes in Magento hosting. Magento development however is a completely different specialty. A list of Magento developers per country can be found on Magereport.com.

Need help?

Magento is no easy open source CMS. Although we’re very skilled in hosting Magento shops, making them fast and keeping conversion high, we’re no Magento developers. Luckily, we know a lot of agencies that do know a lot about how Magento works. If you need help, don’t hesitate to contact one of these agencies.
