ColdFusion Security Update

December 11, 2012

A security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2.

If you are on ColdFusion 10, the new Update 6 appears in the ColdFusion Administrator for you to download and install.

Adobe recommends users update their product installation with this update. Here’s a link to the related security bulletin.

Comments (9)
2012-12-23 07:14:51

The ODBC connection to my SQL Server stopped working and times out since I updated. Need help

2012-12-20 13:56:44

Just noting that I often see this random error in coldfusion-error.log:

SEVERE: Error in getRealPathFromConn
java.net.SocketException: Connection reset by peer: socket write error

The line of code which throws this error uses expandPath(). But it is *VERY* random. And, when thrown, it is always written about 12 times in the same second. Then many hours will pass before it is written again about 12 times.

This issue is not new to Updater 6. Just mentioning it here in case anyone has seen this. After the holidays I’ll research this further. Just didn’t want to forget about this one 🙂

Thanks!,
-Aaron

2012-12-19 05:20:17

Thank you Thilo Hermann and Julian Halliwell. Yes it was that the old hotfix needed to be deleted. WolfShade, I’m running windows.

2012-12-15 16:42:47

Just noting I’ve been running Update 6 since the 11th and haven’t noticed any issues.

What really concerns me tho is a silent issue that CF10 itself intentionally introduces and that users are beginning to realize for themselves.

dateConvert(“local2UTC”, now()) still -displays- UTC time zone value when output/toString()’d (thus, users may *think* it still behaves the same) but now passes the *local* time zone value to cfqueryparam and serializeJSON() (thus, fairly silent).

Discussion about this issue is taking place in too many places to efficiently really keep track of. Just search bugtracker for ‘utc’ or visit here for further discussion: https://coldfusion.adobe.com/post.cfm/coldfusion-10-release-notes

Thanks!,
-Aaron

2012-12-14 14:04:21

My ColdFusion Administrator is not finding any updates through Server Updates. Where can I find the download to update it manually?

2012-12-14 00:46:02

Just noticed that instructions were updated, thanks!

2012-12-13 10:44:34

@Thilo, I experienced the same in Windows. The instructions should include the following:

3) In the update file text box, browse and select hf901-00007.jar and click Submit Changes.
4) Stop the ColdFusion instance.
5) Delete [cfinstallroot]lib/updates/hf901-00006.jar if present
6) Start the CF instance.

2012-12-13 05:56:40

Needed to delete hf901-00006.jar before applying hf901-00007.jar on CF 9.0.1 (Linux). Otherwise errors like “Element APPLICATIONNAME is undefined in APPLICATION” (regular CF Pages) or “allowAppDataInServContext” (CF Admin) would appear. I had applied Security Hotfix APSB12-21 before.

Maybe this was obvious, but didn’t find anything regarding deleting hf901-00006.jar in the instructions.
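
The cleanup step from the two comments above (hf901-00006.jar must be gone before hf901-00007.jar is in use) can be checked with a short script. This is an added example, not part of the original post or of Adobe's instructions; the `hf<series>-<number>.jar` naming rule, the idea that only the highest number in a series should remain, and the `hf000-00003.jar` sample file are assumptions.

```shell
#!/bin/sh
# Added example (not Adobe tooling). Lists hotfix jars in an updates directory
# that coexist with a higher-numbered jar of the same series, for example
# hf901-00006.jar sitting next to hf901-00007.jar.
# Assumption: jars are named hf<series>-<number>.jar and only the
# highest-numbered jar of a series is meant to stay.

stale_hotfixes() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for f in "$dir"/hf*-*.jar; do
        # Skip the unexpanded glob and anything that is not a regular file.
        if [ -f "$f" ]; then printf '%s\n' "${f##*/}"; fi
    done | sort | awk -F'[-.]' '
        /^hf[0-9]+-[0-9]+\.jar$/ {
            # Record each hotfix jar and track the highest number per series.
            c++; name[c] = $0; series[c] = $1; num[c] = $2 + 0
            if (!($1 in max) || num[c] > max[$1]) max[$1] = num[c]
        }
        END {
            # Anything below the series maximum is a leftover to review.
            for (i = 1; i <= c; i++)
                if (num[i] < max[series[i]]) print name[i]
        }'
}

# Constructed sample: empty files standing in for a lib/updates directory.
demo() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/hf901-00006.jar" "$tmp/hf901-00007.jar" \
          "$tmp/hf000-00003.jar" "$tmp/notes.txt"
    stale_hotfixes "$tmp"
    rm -rf "$tmp"
}

demo   # prints hf901-00006.jar
```

The script only reports; stopping the instance and deleting the file remain manual steps, as in the instructions quoted above.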

2012-12-12 04:37:31

OK, I’ll go first…

For what little it might be worth, I have successfully applied the hotfix to one of our Mac dev boxes and I haven’t noticed anything glaring in terms of problems after applying the hotfix and restarting. This is the same box that went sideways applying HF5: Mac OS X 10.6 with Tomcat and CF10 in stand-alone mode.

YMMV.


/ron
