About two weeks ago Magento released a new security patch, SUPEE-6285.
As part of its ongoing commitment to security, the Magento team has uncovered potential vulnerabilities, which are proactively addressed with a new patch (SUPEE-6285). There are no confirmed reports of attacks related to these issues to date, but it is important that you deploy the patch immediately in order to protect your store.
This patch addresses the following security issues:
- It prevents attackers from posing as an administrator to gain access to the last orders feed, which contains personally identifiable information that can then be used to obtain more sensitive information in follow-on attacks. Check to see if you have been compromised by reviewing your server logs for someone trying to reach the /rss/NEW location.
- It closes a number of security gaps including cross-site scripting (XSS), cross-site request forgery (CSRF), and error path disclosure vulnerabilities.
For Magento Community Edition, a patch is available for Community Edition 1.4.1 to 184.108.40.206 and is part of the core code of our latest release, Community Edition 1.9.2, which is now available for download.
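The log review recommended above can be scripted. This is an added example, not code from Magento or from the original article. It assumes an Apache/nginx access log in Combined Log Format and treats any request path with an `rss` segment followed by a `NEW` segment (upper case, as written in the advisory) as a hit; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
MARKER = "NEW"  # assumption: matched exactly as spelled in the advisory

def is_rss_new(target):
    """True if the request path has an 'rss' segment followed by a 'NEW' segment."""
    segs = [s for s in unquote(urlsplit(target).path).split("/") if s]
    lowered = [s.lower() for s in segs]
    if "rss" not in lowered:
        return False
    return MARKER in segs[lowered.index("rss") + 1:]

def find_rss_new_hits(lines):
    """Group matching requests by client IP as (time, target, status) tuples."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_rss_new(m["target"]):
            hits[m["ip"]].append((m["time"], m["target"], int(m["status"])))
    return dict(hits)

def served(hits):
    """Clients that got at least one 2xx answer, i.e. content was returned."""
    return sorted(ip for ip, rows in hits.items()
                  if any(200 <= status < 300 for _, _, status in rows))

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jul/2015:10:01:02 +0000] "GET /index.php/rss/NEW HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [08/Jul/2015:10:01:09 +0000] "GET /rss/NEW?page=2 HTTP/1.1" 200 4988 "-" "-"',
    '198.51.100.7 - - [08/Jul/2015:11:30:00 +0000] "GET /rss/NEW HTTP/1.1" 404 312 "-" "-"',
    '203.0.113.5 - - [08/Jul/2015:12:00:00 +0000] "GET /rss/catalog/new HTTP/1.1" 200 2048 "-" "-"',
    '203.0.113.5 - - [08/Jul/2015:12:00:05 +0000] "GET /checkout/cart/ HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    hits = find_rss_new_hits(SAMPLE_LOG)
    for ip, rows in hits.items():
        for when, target, status in rows:
            print(f"{ip}  {when}  {status}  {target}")
    print("received a 2xx response:", served(hits))
```

To run it against a real log, pass an open file object to `find_rss_new_hits` in place of `SAMPLE_LOG`. Clients listed by `served` deserve the closest look, since a 2xx status means the server returned content for the request.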
When running patch SUPEE-6285, most users encountered a problem:
Checking if patch can be applied/reverted successfully...
ERROR: Patch can't be applied/reverted successfully.
Hunk #1 FAILED at 33
The solution: before applying this new security patch (SUPEE-6285), you must first apply SUPEE-5994 (issued May 14, 2015). This will ensure that the patch works properly.
To find out how to set up an SSH key pair, connect to your server via SSH and install Magento patches, please read my detailed article Installing Magento Patches SUPEE-5344, SUPEE-1533 – Using SSH connection and running SH script.
You might also check out the Magento forum post Magento 220.127.116.11 SUPEE-6285 Hunk #1 FAILED at 33 to read more about what problems others encountered and how they solved them.
Either way, it's very straightforward: install SUPEE-5994 before applying SUPEE-6285. For more details on SUPEE-6285, read Critical new Magento security patch.