2.4.3-p2 missing patches MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch & MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch

[leonhelmus]

Preconditions (*)

1. Magento 2.4.3-p2 on premise enterprise/open source
2. php 7.4

Steps to reproduce (*)

1. Patch magento from 2.4.3-p1 to 2.4.3-p2. Check release notes: https://devdocs.magento.com/guides/v2.4/release-notes/2-4-3-p2.html.
2. When reading release notes it says the patches have been applied.
3. Remove patches: MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch & MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch
4. Should still be secure.

Expected result (*)

1. MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch & MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch are retrofitted to the m2.4.3-p2 release.

Actual result (*)

1. MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch & MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch are not retrofitted to the m2.4.3-p2 release.

Am I looking in the wrong place or are the security patches for https://helpx.adobe.com/security/products/magento/apsb22-12.html missing in all the latest Magento releases? The changes introduced by those patches don't seem to exist in 2.4.3-p2 and 2.4.4. For example, the existing blockDirective method was renamed to resolveBlockDirective and a new blockDirective method was added in vendor/magento/module-email/Model/Template/Filter.php
The blockDirective method hasn't been touched in 8 years in the magento 2 repo according to a git blame https://github.com/magento/magento2/blob/2.4-develop/app/code/Magento/Email/Model/Template/Filter.php#L403.

When looking into the release notes of 2.4.3-p2, MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch & MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch should be included: https://devdocs.magento.com/guides/v2.4/release-notes/2-4-3-p2.html.

Related issue:

• Mail extension attributes cannot be accessed from email template. #35340

---

Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.

• Severity: S0 - Affects critical data or functionality and leaves users without workaround.
• Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
• Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
• Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
• Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

[m2-assistant]

Hi @leonhelmus. Thank you for your report.
To speed up processing of this issue, make sure that you provided the following information:

• Summary of the issue
• Information on your environment
• Steps to reproduce
• Expected and actual results

Make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, review the Magento Contributor Assistant documentation.

Add a comment to assign the issue: @magento I am working on this

To learn more about issue processing workflow, refer to the Code Contributions.

---

• Join Magento Community Engineering Slack and ask your questions in #github channel.

⚠️ According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

🕙 You can find the schedule on the Magento Community Calendar page.

📞 The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

[hostep]

@nathanjosiah: maybe you can clarify this a bit in public now?

And maybe the release notes should be modified a bit so users are made aware of how Magento now handles email templates, making those patches no longer needed. So devs aren't getting confused when they try to research this.

(and maybe take a look at issue 35340 as well, since it's a bit related)

Thanks!

[leonhelmus]

A collegue of mine said its the same for 2.4.4. Btw that is also one of my issues i created 😁.

[nathanjosiah]

The patches are not present because we chose to implement a more comprehensive fix in the 2.3.7-p3/2.4.3-p2/2.4.4 release. The hotfixes will not and should not be applied to these releases.

[leonhelmus]

@nathanjosiah Good to know could you share a commit/pr that resolved it. This way i can inform internally.

I have also added two other issues:
#35343
#35340

[leonhelmus]

@nathanjosiah It seems for cloud projects it still gets applied, see :
https://github.com/leonhelmus/magento-cloud-patches/blob/1a86e3747f623a9a2163c8e50dc8174ed8b7f0e5/patches.json#L386

I will make a PR to resolve it.

[leonhelmus]

@hostep What do you think?

[hostep]

No idea, I don't work with Magento Cloud, but if the patch still applies on 2.4.3-p2 for Magento Cloud, then there is probably something wrong on their end. So wait a bit until somebody reviews your PR and gives some feedback there 😉

[nathanjosiah]

@BaDos can you take a look?

[leonhelmus]

Any updates on this?

[gbobts]

The patches are not present because we chose to implement a more comprehensive fix in the 2.3.7-p3/2.4.3-p2/2.4.4 release. The hotfixes will not and should not be applied to these releases.

Could you let us know where the changes have been applied, such as patch MDVA-43395 is not required anymore ? Is it with applyModifiers method ?