ColdFusion Security Update

A security update for ColdFusion is now available for versions 10, 9, 9.0.1 and 9.0.2.

If you are on ColdFusion 10, the new Update 6 appears in the ColdFusion Administrator, where you can download and install it.

Adobe recommends users update their product installation with this update. Here’s a link to the related security bulletin.

9 Responses

  1. OK, I’ll go first…

    For what little it might be worth, I have successfully applied the hotfix to one of our Mac dev boxes and I haven’t noticed anything glaring in terms of problems after applying the hotfix and restarting. This is the same box that went sideways applying HF5: Mac OS X 10.6 with Tomcat and CF10 in stand-alone mode.

    YMMV.


    /ron

  2. Needed to delete hf901-00006.jar before applying hf901-00007.jar on CF 9.0.1 (Linux). Otherwise errors like “Element APPLICATIONNAME is undefined in APPLICATION” (regular CF Pages) or “allowAppDataInServContext” (CF Admin) would appear. I had applied Security Hotfix APSB12-21 before.

    Maybe this was obvious, but didn’t find anything regarding deleting hf901-00006.jar in the instructions.

  3. @Thilo, I experienced the same in Windows. The instructions should include the following:

    3) In the update file text box, browse and select hf901-00007.jar and click Submit Changes.
    4) Stop the ColdFusion instance.
    5) Delete [cfinstallroot]lib/updates/hf901-00006.jar if present
    6) Start the CF instance.

  4. My ColdFusion Administrator is not finding any updates through Server Updates. Where can I find the download to update it manually?

  5. Just noting I’ve been running Update 6 since the 11th and haven’t noticed any issues.

    What really concerns me though is a silent issue that CF10 itself intentionally introduces and that users are beginning to realize for themselves.

    dateConvert("local2UTC", now()) still -displays- UTC time zone value when output/toString()’d (thus, users may *think* it still behaves the same) but now passes the *local* time zone value to cfqueryparam and serializeJSON() (thus, fairly silent).

    Discussion about this issue is taking place in too many places to efficiently really keep track of. Just search bugtracker for ‘utc’ or visit here for further discussion: https://coldfusion.adobe.com/post.cfm/coldfusion-10-release-notes

    Thanks!,
    -Aaron

  6. Thank you Thilo Hermann and Julian Halliwell. Yes, it was that the old hotfix needed to be deleted. WolfShade, I’m running Windows.

  7. Just noting that I often see this random error in coldfusion-error.log:

    SEVERE: Error in getRealPathFromConn
    java.net.SocketException: Connection reset by peer: socket write error

    The line of code which throws this error uses expandPath(). But it is *VERY* random. And, when thrown, it is always written about 12 times in the same second. Then many hours will pass before it is written again about 12 times.

    This issue is not new to Updater 6. Just mentioning it here in case anyone has seen this. After the holidays I’ll research this further. Just didn’t want to forget about this one 🙂

    Thanks!,
    -Aaron
