Magento Open Source, 1.9.x

Magento 1.x Security Patch Notice
For Magento Open Source 1.5 to 1.9, Magento is providing software security patches through June 2020 to ensure those sites remain secure and compliant. Visit our information page for more details about our software maintenance policy and other considerations for your business.

Release Notes

Magento Community Edition 1.9.1

We are pleased to bring you Magento Community Edition 1.9.1, which includes new features, security enhancements, expanded support for responsive design, improved SEO, and numerous other improvements and fixes.

New Features
Security Enhancements
  • To change an administrator password from the Admin, you must first enter the existing password.
  • Customer passwords are no longer stored in clear text during registration.
  • Customers in the store can no longer see the names of other users, as had been reported in certain circumstances.
  • Added a secure cookie flag for the storefront to prevent man-in-the-middle attacks. There is no change to the Secure and Unsecure Web configuration options.
  • Resolved a potential Remote Code Execution exploit.¹
  • Resolved a potential XML External Entity Processing (XXE) exploit that might lead to a Denial of Service attack.
Technical Updates and Solutions
Changes in This Release
Miscellaneous Fixes

We’d like to thank the following members of the Magento Community for their contributions to this release:

1 Matt Barrah, Resolve Remote Code Execution Exploit

2 Florinel Chis of Elastera, view PayPal orders from Admin

3 Alan Storm, CMS handling of HTML5 tags

4 Tim Bezhasvyly, improved indexing performance

5 Stewart Kelt, improved format of list items in Google Chrome 8

6 Martin Steudter, improved format of My Account Pages

7 Janwillem Oostendorp and Yannis Livasov, removal of untranslatable words from phtml

8 Colin Mollenhour, canonical URL in search results