On May 31st, Magento announced security patch SUPEE-9767 and Magento Enterprise Edition v126.96.36.199. These security updates address 16 separate platform vulnerabilities, 8 of which are considered high severity.
The patch notes call for manually updating a setting in the admin panel prior to deployment.
Before applying the patch or upgrading to the latest release, make sure to disable Symlinks setting in System > Configuration > Advanced > Developer > Enable Symlinks. The setting, if enabled, will override configuration file setting and changing it will require direct database modification.
This step is required to properly implement the fix for the vulnerability identified as “APPSEC-1281”, which Magento has classified as high severity.
This setting must be set to “No” for patch to be correctly applied
As part of our patch assessment process we decided to build a small Magento module which automates the steps required to toggle this setting. Not only does this save us time as we roll the patch out across our client base, but, more importantly, it helps reduce the risk of human error during patch implementation.
We’ve made the module publicly available through GitHub. Hopefully this helps improve the process of patching across the entire Magento ecosystem.