MAY 15 2015

How to install SUPEE-5994

UPDATE: July 7, 2015: New Magento Security Patch (SUPEE-6285). Make sure to apply it after SUPEE-5994 installation. For details refer to How to install SUPEE-6285.

According to the announcement sent on May 15, 2015 to all Magento installations, the new security patch SUPEE-5994 should be installed in addition to the two recent Shoplift patches (SUPEE-5344 and SUPEE-1533).

Important: New Magento Security Patch – Install it Now
It is important for you to download and install a new security patch (SUPEE-5994) from the Magento Community Edition download page (https://www.magentocommerce.com/products/downloads/magento/). Please apply this critical update immediately to help protect your site from exposure to multiple security vulnerabilities impacting all versions of the Magento Community Edition software. Please note that this patch should be installed in addition to the recent Shoplift patch (SUPEE-5344).

The new SUPEE-5994 patch can be downloaded as usual from the Downloads page:
https://www.magentocommerce.com/products/downloads/magento/

You can install it in the same way as previous patches. To apply the patches you need SSH access to the server (strictly speaking, shell access; SSH is just the most common way to get it). To apply patches without SSH access please refer to this article.

If you wish to save time and have us install these patches for you, simply click here to order installation.

Step 0: Preparations

Make sure to Disable Magento Compiler at System > Configuration > Tools > Magento Compiler and clear compiled cache.

Step 1: Verify your Magento version

$ grep -A6 'static function getVersionInfo' app/Mage.php
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '1',
            'patch'     => '0',

As you can see in the example, it is Magento 1.9.1.0

Step 2: Download corresponding patches

Patches are obtained from https://www.magentocommerce.com/products/downloads/magento/

Make sure to get the right version.

Step 3: Place patches into Magento Root directory

Upload the patch files into the Magento root directory. It is important to place the patch files directly in the Magento root directory and to execute them from that directory as well.

$ ls -1 .
PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh
app
cron.php
downloader
errors
favicon.ico
index.php
js
lib
mage
media
pkginfo
robots.txt
shell
skin
var

Step 4: Run the patches

$ bash ./PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh
Checking if patch can be applied/reverted successfully...
Patch was applied/reverted successfully.

Step 5: Verification and flush of PHP opcode cache

Verify patch status at our patch tester page.
Test that your store is working. If you use PHP opcode caches (APC/XCache/eAccelerator), make sure to flush them after patching; otherwise code will continue to run from the caches.

Additionally, if your store is still using the default /admin/ path, consider securing your Magento /admin/ by changing the admin path and restricting access to /downloader/.

If you have any difficulties applying the patches, please let us know in the comments so we can find the solution together.

Known issues / errors

Tool(s) “patch” is(are) missed, please install it

sh ./PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh
Error! Some required system tools, that are utilized in this sh script, are not installed:
Tool(s) "patch" is(are) missed, please install it(them).

As stated in the error message, the patch utility needs to be installed on your system. Installation usually requires superuser privileges, so make sure you have them. To install patch on Debian/Ubuntu use:

 # apt-get install patch

or

 $ sudo apt-get install patch

To install patch on RedHat/CentOS/Fedora use:

 # yum install patch

or

 $ sudo yum install patch

can’t find file to patch at input line 334

$ bash ./PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh 
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.

patching file app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php
patching file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php
patching file app/code/core/Mage/Core/Controller/Varien/Router/Standard.php
patching file app/code/core/Mage/Customer/Model/Customer.php
patching file app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php
patching file app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php
patching file app/code/core/Mage/Install/Controller/Router/Install.php
patching file app/code/core/Mage/Install/etc/config.xml
patching file app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php
patching file downloader/Maged/Model/Connect.php
patching file downloader/Maged/View.php
patching file downloader/template/connect/packages_prepare.phtml
patching file downloader/template/messages.phtml
can't find file to patch at input line 334
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git get.php get.php
|index a7fe802..71ab535 100644
|--- get.php
|+++ get.php
--------------------------
File to patch: 
Skip this patch? [y] 
Skipping patch.
1 out of 1 hunk ignored
patching file lib/PEAR/PEAR/PEAR.php
patching file lib/PEAR/PEAR/PEAR5.php
patching file lib/Varien/Io/File.php

In the output above, patch cannot find the file get.php. To solve this, it should be enough to place the get.php file from the Magento distribution into the Magento root directory.

Posted in: Magento Maintenance

  • m8

    Is there any way we can verify the patch is installed and my site is safe via a tool like the one used with the Shoplift bug?

  • m8

    I’ve got this error on one of my local dev machines (Magento CE 1.9.1.0):

    bash PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh

    Checking if patch can be applied/reverted successfully…

    ERROR: Patch can’t be applied/reverted successfully.

    patching file app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php

    Hunk #1 FAILED at 68.

    Hunk #2 FAILED at 113.

    2 out of 2 hunks FAILED — saving rejects to file app/code/core/Mage/Authorizenet/controllers/Directpost/PaymentController.php.rej

    patching file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php

    Hunk #1 FAILED at 129.

    1 out of 1 hunk FAILED — saving rejects to file app/code/core/Mage/Core/Controller/Varien/Router/Admin.php.rej

    patching file app/code/core/Mage/Core/Controller/Varien/Router/Standard.php

    Hunk #1 FAILED at 201.

    Hunk #2 FAILED at 272.

    Hunk #3 FAILED at 297.

    3 out of 3 hunks FAILED — saving rejects to file app/code/core/Mage/Core/Controller/Varien/Router/Standard.php.rej

    patching file app/code/core/Mage/Customer/Model/Customer.php

    Hunk #1 FAILED at 273.

    1 out of 1 hunk FAILED — saving rejects to file app/code/core/Mage/Customer/Model/Customer.php.rej

    patching file app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php

    Hunk #1 FAILED at 266.

    1 out of 1 hunk FAILED — saving rejects to file app/code/core/Mage/Dataflow/Model/Convert/Parser/Csv.php.rej

    patching file app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php

    Hunk #1 FAILED at 109.

    1 out of 1 hunk FAILED — saving rejects to file app/code/core/Mage/ImportExport/Model/Export/Adapter/Csv.php.rej

    patching file app/code/core/Mage/Install/Controller/Router/Install.php

    patching file app/code/core/Mage/Install/etc/config.xml

    Hunk #1 FAILED at 48.

    1 out of 1 hunk FAILED — saving rejects to file app/code/core/Mage/Install/etc/config.xml.rej

    patching file app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php

    Hunk #1 FAILED at 190.

    1 out of 1 hunk FAILED — saving rejects to file app/code/core/Mage/Sales/controllers/Recurring/ProfileController.php.rej

    patching file downloader/Maged/Model/Connect.php

    Hunk #1 FAILED at 100.

    1 out of 1 hunk FAILED — saving rejects to file downloader/Maged/Model/Connect.php.rej

    patching file downloader/Maged/View.php

    Hunk #1 FAILED at 162.

    1 out of 1 hunk FAILED — saving rejects to file downloader/Maged/View.php.rej

    patching file downloader/template/connect/packages_prepare.phtml

    Hunk #1 FAILED at 33.

    1 out of 1 hunk FAILED — saving rejects to file downloader/template/connect/packages_prepare.phtml.rej

    patching file downloader/template/messages.phtml

    Hunk #1 FAILED at 30.

    1 out of 1 hunk FAILED — saving rejects to file downloader/template/messages.phtml.rej

    patching file get.php

    Hunk #1 FAILED at 37.

    1 out of 1 hunk FAILED — saving rejects to file get.php.rej

    patching file lib/PEAR/PEAR/PEAR.php

    Hunk #1 FAILED at 6.

    Hunk #2 FAILED at 52.

    Hunk #3 FAILED at 92.

    Hunk #4 FAILED at 101.

    Hunk #5 FAILED at 153.

    Hunk #6 FAILED at 173.

    Hunk #7 FAILED at 192.

    Hunk #8 FAILED at 212.

    Hunk #9 FAILED at 227.

    Hunk #10 FAILED at 262.

    Hunk #11 FAILED at 276.

    Hunk #12 FAILED at 331.

    Hunk #13 FAILED at 369.

    Hunk #14 FAILED at 394.

    Hunk #15 FAILED at 411.

    Hunk #16 FAILED at 425.

    Hunk #17 FAILED at 437.

    Hunk #18 FAILED at 455.

    Hunk #19 FAILED at 521.

    Hunk #20 FAILED at 538.

    Hunk #21 FAILED at 565.

    Hunk #22 FAILED at 673.

    Hunk #23 FAILED at 708.

    Hunk #24 FAILED at 732.

    Hunk #25 FAILED at 744.

    Hunk #26 FAILED at 777.

    Hunk #27 FAILED at 798.

    Hunk #28 FAILED at 817.

    Hunk #29 FAILED at 835.

    Hunk #30 FAILED at 868.

    Hunk #31 FAILED at 881.

    Hunk #32 FAILED at 907.

    Hunk #33 FAILED at 959.

    Hunk #34 FAILED at 974.

    Hunk #35 FAILED at 988.

    Hunk #36 FAILED at 1002.

    Hunk #37 FAILED at 1016.

    Hunk #38 FAILED at 1038.

    Hunk #39 FAILED at 1050.

    Hunk #40 FAILED at 1065.

    Hunk #41 FAILED at 1104.

    Hunk #42 FAILED at 1115.

    42 out of 42 hunks FAILED — saving rejects to file lib/PEAR/PEAR/PEAR.php.rej

    patching file lib/PEAR/PEAR/PEAR5.php

    patching file lib/Varien/Io/File.php

    Hunk #1 FAILED at 226.

    1 out of 1 hunk FAILED — saving rejects to file lib/Varien/Io/File.php.rej

    I guess I’m just going to manually update (http://magentary.com/kb/install-supee-5994-without-ssh/) and test functionality thoroughly, but do you guys happen to know the cause to this?

    • magentary

      According to the output your files are heavily modified and just uploading new files over will lead to unpredictable results. Every modified file (with failed hunks) should be compared with corresponding file from original Magento distribution and every change reviewed and either rolled back to original or merged with patch changes manually.

    • Michael

      I’ve found it. This is what I was asking for > http://magentary.com/kb/install-supee-5994-without-ssh/

      Thanks

    • Andrey Zhuk

      I had the same issue. The problem was in the different line separators for files in the project and default Magento. In my case I had Windows line separators (CRLF) for the files in the project. Changing line separators to LF (Unix and Mac OS) has fixed this issue.

      • Melanie

        I have the same problem. I am new to Unix systems. How can I change the line separators?

        • Melanie

          I have found it out. Notepad++ can do this.
          Simply bring up the Replace dialog (CTRL+H), select Extended search mode (ALT+X), search for “\r\n” and replace with “\n”.

  • brst dev

    How to find the patch is applied successfully if it's not applied through .sh file? Is there any other way to verify it?

  • Jeon Kings

    Hey, when I tried to install patch through SSH, it said, ‘\r’ command not found on line 7. Any idea how can I fix it?

    • magentary

      There are no \r line endings in the original patch file, please make sure that you have downloaded it correctly, without any adjustments or tricks with text editor.

      • Jeon Kings

        I didn’t modify it at all, I just tried that file in another installation, and it worked perfectly. Can it be an issue with the server itself?

        • magentary

          As the shell says, there is a \r line ending in the patch file, but there are no \r line endings in the original patch file. You can verify if the file was transferred correctly with the md5sum command; for the 1.6-1.9 version it has the following md5sum:
          $ md5sum ./SUPEE-5994/1.6-1.9/PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh

          a6c13389079e1c71ffc4273a42e5086a ./SUPEE-5994/1.6-1.9/PATCH_SUPEE-5994_EE_1.14.1.0_v1-2015-05-14-05-05-02.sh
          It should match the md5sum output on your system. If it does match, then it is the system (shell or environment). If it does not match, the file should be re-transferred without any possible line-endings conversion in the middle.

          • Jeon Kings

            Thanks, checksum matched, Now I’m going to ask the server person if anything is wrong in configuration.

          • magentary

            Great, it can be line-endings in environment files then, like .bashrc, .bash_profile or system-wide /etc/environment or /etc/profile, etc. Server person with local access should be able to troubleshoot it effectively.
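
The failures documented on this page (a missing patch tool, a missing target file such as get.php, and CRLF line endings in the patch script or in the project files) can all be detected before the patch is run. The following is an added example, not part of the original article or of Magento's patch script; the function names and finding labels are this example's own, and it assumes the embedded diff uses the "diff --git" / "--- <path>" headers quoted in the get.php error output above.

```shell
#!/bin/sh
# Added example (finding labels are its own): pre-flight for a Magento patch script.

# Paths the embedded diff expects to exist: the "--- <path>" line of each
# "diff --git" header (format as in the get.php error output on this page).
patch_targets() {
    awk '{ sub(/\r$/, "") }
         /^diff --git / { hdr = 1; next }
         /^@@/          { hdr = 0 }
         hdr && /^--- / { if ($2 != "/dev/null") print $2; hdr = 0 }' "$1" | sort -u
}

# True if the file contains a carriage return, i.e. CRLF line endings.
has_cr() {
    cr=$(printf '\r')
    grep -q "$cr" "$1"
}

# preflight <patch.sh> [magento_root]: one finding per line, status 1 if any.
preflight() {
    root=${2:-.}
    findings=$(
        command -v patch >/dev/null 2>&1 || echo "MISSING_TOOL patch"
        if has_cr "$1"; then echo "CRLF_PATCH $1"; fi
        patch_targets "$1" | while IFS= read -r f; do
            if [ ! -f "$root/$f" ]; then echo "MISSING_FILE $f"
            elif has_cr "$root/$f"; then echo "CRLF_TARGET $f"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo: get.php is absent and lib/File.php was saved with CRLF.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/lib"
    printf '<?php\r\n// saved with Windows line endings\r\n' > "$d/lib/File.php"
    printf '%s\n' '#!/bin/bash' 'diff --git get.php get.php' '--- get.php' \
        '+++ get.php' 'diff --git lib/File.php lib/File.php' \
        '--- lib/File.php' '+++ lib/File.php' > "$d/PATCH_demo.sh"
    rc=0
    preflight "$d/PATCH_demo.sh" "$d" || rc=$?
    rm -rf "$d"
    return $rc
}
demo || true
```

On a real store, call preflight with the patch file name from the Magento root directory; a CRLF_TARGET or MISSING_FILE finding means the corresponding hunks would fail or be skipped as shown in the outputs above.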