ColdFusion Security Update

A security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2.

If you are on ColdFusion 10, you will see a new update 6 within the ColdFusion administrator for you to download and install.

Adobe recommends users update their product installation with this update. Here’s a link to the related security bulletin.



9 Responses

  1. OK, I’ll go first…

    For what little it might be worth, I have successfully applied the hotfix to one of our Mac dev boxes and I haven’t noticed anything glaring in terms of problems after applying the hotfix and restarting. This is the same box that went sideways applying HF5: Mac OS X 10.6 with Tomcat and CF10 in stand-alone mode.



  2. Needed to delete hf901-00006.jar before applying hf901-00007.jar on CF 9.0.1 (Linux). Otherwise errors like “Element APPLICATIONNAME is undefined in APPLICATION” (regular CF Pages) or “allowAppDataInServContext” (CF Admin) would appear. I had applied Security Hotfix APSB12-21 before.

    Maybe this was obvious, but didn’t find anything regarding deleting hf901-00006.jar in the instructions.

  3. @Thilo, I experienced the same in Windows. The instructions should include the following:

    3) In the update file text box, browse and select hf901-00007.jar and click Submit Changes.
    4) Stop the ColdFusion instance.
    5) Delete [cfinstallroot]lib/updates/hf901-00006.jar if present
    6) Start the CF instance.

  4. Just noting I’ve been running Update 6 since the 11th and haven’t noticed any issues.

    What really concerns me though is a silent issue that CF10 itself intentionally introduces and that users are beginning to realize for themselves.

    dateConvert("local2UTC", now()) still -displays- UTC time zone value when output/toString()’d (thus, users may *think* it still behaves the same) but now passes the *local* time zone value to cfqueryparam and serializeJSON() (thus, fairly silent).

    Discussion about this issue is taking place in too many places to efficiently really keep track of. Just search bugtracker for ‘utc’ or visit here for further discussion:


  5. Just noting that I often see this random error in coldfusion-error.log:

    SEVERE: Error in getRealPathFromConn Connection reset by peer: socket write error

    The line of code which throws this error uses expandPath(). But it is *VERY* random. And, when thrown, it is always written about 12 times in the same second. Then many hours will pass before it is written again about 12 times.

    This issue is not new to Updater 6. Just mentioning it here in case anyone has seen this. After the holidays I’ll research this further. Just didn’t want to forget about this one 🙂
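
The conflict reported in responses 2 and 3 (hf901-00006.jar left beside hf901-00007.jar in lib/updates) can be checked for before the instance is restarted. The shell function below is an added example, not part of the original post or of Adobe's instructions. It assumes hotfix jars are named series-number.jar as in those comments and that a higher number in the same series supersedes the lower ones, which generalizes beyond the single 00006/00007 case reported here.

```shell
#!/bin/sh
# Added example (not Adobe tooling): list hotfix jars in an updates directory
# that have a higher-numbered sibling in the same series, e.g. hf901-00006.jar
# when hf901-00007.jar is also present.
# Assumption: names look like <series>-<number>.jar and a higher number
# supersedes lower ones within one series.

# stale_hotfix_jars DIR
# Prints one superseded jar name per line; prints nothing when there is none.
stale_hotfix_jars() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for f in "$dir"/hf*-*.jar; do
        [ -e "$f" ] || continue              # glob matched nothing
        name=${f##*/}                        # hf901-00007.jar
        series=${name%%-*}                   # hf901
        num=${name#*-}; num=${num%.jar}      # 00007
        # Skip names that do not fit the assumed pattern.
        case $series in ''|*[!A-Za-z0-9]*) continue ;; esac
        case $num in ''|*[!0-9]*) continue ;; esac
        printf '%s %s %s\n' "$series" "$num" "$name"
    done | sort -k1,1 -k2,2n | awk '
        # Input is sorted by series, then number ascending: any line followed
        # by another line of the same series has been superseded.
        { if ($1 == prev_series) print prev_name
          prev_series = $1; prev_name = $3 }'
}

# Stand-alone use: pass the updates directory as the first argument.
if [ $# -gt 0 ]; then
    stale_hotfix_jars "$1"
fi
```

The function only reports; removal of a listed jar is left to the administrator, with the instance stopped as in response 3.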

