Magento 2.4.3-p1 and Magento 2.3.7-p2 were released on 12th October 2021 for the Commerce/Cloud (Adobe Commerce) and Open Source editions.

These Magento 2.4.3-p1 and 2.3.7-p2 versions come with security fixes that improve the deployment of Magento 2.4.3 and Magento 2.3.7 for both Commerce/Cloud and Open Source. Now, when installing time-sensitive security fixes, Magento 2 store-owners/merchants/users do not need to apply hundreds of enhancements and functional fixes that are included in a full quarterly release.

The Magento 2.4.3-p1 and 2.3.7-p2 releases include fixes for vulnerabilities that have been reported in the previous Magento 2 releases (Adobe Commerce 2.4.3/2.3.7-p1 and Magento Open Source 2.4.3/2.3.7-p1).

Magento 2.4.3-p1 and Magento 2.3.7-p2 include several security enhancements, hotfixes, and bug fixes. Magento 2.4.3-p1 includes seven security fixes, and Magento 2.3.7-p2 includes six security fixes.

Magento 2.4.3-p1 & 2.3.7-p2 Versions Highlights

Security Fixes and Enhancements

  • Seven security fixes and several security enhancements included in 2.4.3-p1
  • Six security fixes and several security enhancements included in 2.3.7-p2
  • Two hotfixes that have been released for Magento 2.4.3 Commerce/Cloud (Adobe Commerce) and Open Source 
  • Session IDs have been removed from the database (in both 2.4.3-p1 and 2.3.7-p2 versions)
  • Admin access to Media Gallery folders has been restricted (in both 2.4.3-p1 and 2.3.7-p2 versions)
  • The limits to GraphQL query complexity have been lowered (in both 2.4.3-p1 and 2.3.7-p2 versions)
  • Recent penetration test vulnerabilities have been fixed (in both 2.4.3-p1 and 2.3.7-p2 versions)
  • The source expression "unsafe-inline" is now supported in the Content Security Policy directive "frame-ancestors" (in both 2.4.3-p1 and 2.3.7-p2 versions)

Known Issues/Bugs Fixed in Magento 2.4.3-p1/2.3.7-p2

  • The PHP fatal error on upgrade, previously addressed by the patch AC-384__Fix_Incompatible_PHP_Method__2.3.7-p1_ce.patch, has been fixed
  • The issue where "placed order price is displayed when a buyer tries to place an order with a different product using the PayPal payment method", previously addressed by the patch "Adobe Commerce 2.3.7-p1 known issue outdated order total for PayPal", has been fixed
  • The bug affecting the Braintree, Klarna, and Vertex vendor-developed extensions has been fixed in both Magento 2.4.3-p1 and 2.3.7-p2

Known Issue in Magento 2.3.7-p2

Issue:

  • Adobe Stock images uploaded into the <install_dir>/pub/media/catalog and <install_dir>/pub/media folders are invisible in the Media Gallery

Workaround:

  • If you need to work with these images, remove them from the filesystem folders and re-add them into an allowed Media Gallery folder

Backward-Incompatible Changes: 2.4.3 to 2.4.3-p1 and 2.3.7-p1 to 2.3.7-p2

1. Minor Backward-Incompatible Changes

In Magento 2.4.3-p1 and Magento 2.3.7-p2, two methods, two database columns, and one API class have been added.

Class

  • The method Magento\Customer\Model\ResourceModel\Customer::findSessionCutOff has been added
  • The method Magento\Customer\Model\ResourceModel\Customer::updateSessionCutOff has been added

Database

  • The column customer_entity/session_cutoff has been added
  • The column customer_visitor/created_at has been added

Class API membership

  • The class Magento\Framework\Session\SessionManager has been added

2. Major Backward-Incompatible Changes

Media Gallery folders

  • A configuration option for Media Gallery content has been introduced in Magento 2.4.3-p1; it denotes which folders can contain Media Gallery files
  • In the config.xml file, the new configuration path system/media_storage_configuration/media_storage/allowed_resource/media_gallery_image_folders is used to specify the Media Gallery Allowed folders
  • The initial values are the catalog/category and WYSIWYG folders. These can be extended by adding a new value in config.xml

Issue

  • After Magento 2.4.3-p1 or 2.3.7-p2 is installed, any Media Gallery files in the pub/media folder, or in a folder outside a Media Gallery Allowed folder, will not be accessible to the Media Gallery

Workaround

  • Add a new entry under system/media_storage_configuration/media_storage/allowed_resource/media_gallery_image_folders
  • Or copy one of the specified Media Gallery Allowed folders or any Media Gallery files to the pub/media/wysiwyg folder
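
Before applying the patch, it helps to know which images will fall outside the allowed folders. The script below is an added example, not Magento or Adobe code: it walks a media directory and lists image files that are not inside an allowed folder. The function names, the extension list and the sample tree are assumptions made for the illustration.

```python
import tempfile
from pathlib import Path, PurePosixPath

# Initial allowed folders named above: catalog/category and WYSIWYG
# (the workaround gives the latter's location as pub/media/wysiwyg).
DEFAULT_ALLOWED = ("catalog/category", "wysiwyg")
# Assumption: which file extensions count as Media Gallery images.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def is_allowed(rel_path, allowed=DEFAULT_ALLOWED):
    """True if rel_path (relative to pub/media) lies inside an allowed folder.

    Comparison is per path component, so 'wysiwyg_old/a.png' does not
    match the allowed folder 'wysiwyg'.
    """
    parts = PurePosixPath(rel_path).parts
    for folder in allowed:
        prefix = PurePosixPath(folder).parts
        # The file must sit strictly below the folder, hence '>'.
        if len(parts) > len(prefix) and parts[:len(prefix)] == prefix:
            return True
    return False


def find_unreachable(media_root, allowed=DEFAULT_ALLOWED):
    """Return sorted relative paths of images outside every allowed folder."""
    root = Path(media_root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTENSIONS:
            rel = path.relative_to(root).as_posix()
            if not is_allowed(rel, allowed):
                hits.append(rel)
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample layout standing in for <install_dir>/pub/media."""
    for rel in ("banner.jpg", "catalog/stock.png", "catalog/category/c.jpg",
                "wysiwyg/home/hero.png", "wysiwyg_old/a.gif", "wysiwyg/readme.txt"):
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel in find_unreachable(build_sample_tree(tmp)):
            print(rel)
```

On a real store, pass the path to pub/media and an allowed tuple that mirrors the entries in your config.xml. Every image outside those folders is reported, so the list is a set of candidates to review rather than a list of files to move.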

Conclusion

It's always recommended to keep your Magento 2 site up to date with the latest version.

In December 2021, PHP 7.3 will reach the end of support. In April 2022, Magento 2.3.x both Commerce/Cloud (Adobe Commerce) and Open Source will reach their end of support.

It's recommended to upgrade to Magento 2.4.x to keep your store up to date with the latest security fixes, enhancements, new features, PCI compliance, and more. You can hire an experienced Magento 2 developer to professionally upgrade your site to the latest version or to apply the necessary security patches.