New Security Update Available for ColdFusion 9.0, 9.0.1, 9.0.2 and 10

November 12, 2013
Followers: 0 people
10

New Security Update Available for ColdFusion 9.0, 9.0.1, 9.0.2 and 10

Followers: 0 people
November 12, 2013

New security update is available for coldfusion versions 9.0, 9.0.1, 9.0.2 and 10.0. This hotfix addresses the security issues specified in the technote here. Here is the link to the security bulletin for this hotfix. It also includes few important bug fixes for coldfusion 10 as specified here.

We recommend locking down your server by following the lock down guide and disable unused features in the production environments. 

Comments (10)
2013-11-19 02:02:58
2013-11-19 02:02:58

[…] If you get the following error when installing the update using the Download and Install option, ensure that the folder {cf_install_home}/{instance_name}/hf_updates has write permission […]

The correct path is {cf_install_home}/{instance_name}/hf-updates

Like
2013-11-13 13:12:53
2013-11-13 13:12:53

Can you comment on whether the critical fix was for a 0-day present in update 11 or not? There seems to be some conflicting information as per the last couple paragraphs of this article:

http://krebsonsecurity.com/2013/11/zero-days-rule-novembers-patch-tuesday/

Like
2013-11-13 09:31:39
2013-11-13 09:31:39

Good to know that we don’t need to re-cofigure the connector. It will be great if the connector has option not to create CFIDE virtual folder as deleting them from all the sites is a pain.

Like
2013-11-13 05:55:20
2013-11-13 05:55:20

+1 for clearer connector instructions in update docs.

When the update doc states, “reconfigure the connectors using wsconfig tool”, I understood that to mean, remove and recreate the connector, as there is no option to reconfigure in the wsconfig tool. Having a couple dozen servers with custom config files, it’s a pain to recreate them.

I did take a snapshot of my test server and did the install twice, once recreating the connector and another with no changes to the connector. I have seen no difference, as @Pavankumar validated in saying ” if you are on coldfusion version 10 update 11 you do not need to re-configure the connectors.”

Like
2013-11-12 23:40:29
2013-11-12 23:40:29

@Pavankumar: Thanks for your response! Maybe the technote can be specific about that.
For future updates: is upgrading the connectors with Upgrade_all_connectors.bat always enough? Or does that depend on the update?

Like
2013-11-12 23:19:27
2013-11-12 23:19:27

We have updated the packages CF9.zip, CF901.zip and CF902.zip under section 2

@josh if you are on coldfusion version 10 update 11 you do not need to re-configure the connectors.

Like
2013-11-12 22:56:29
2013-11-12 22:56:29

ps) this blog does not have a background colour set in the css. So if your browser is set to a default background colour other than white, that colour is displayed. It’s better to change the background colour of the html/body to white I think.

Like
2013-11-12 22:53:43
2013-11-12 22:53:43

Is it necessary to reconfigure/rebuild the connector for all sites, or is upgrading them (Upgrade_all_connectors.bat) enough?

The problem with reconfigure them is that the CFIDE virtualfolder is created in all sites, and I must manually delete this folder for all my sites.

Like
2013-11-12 22:06:06
2013-11-12 22:06:06

We will be updating it as soon as possible.

Thanks.

Like
2013-11-12 18:51:02
2013-11-12 18:51:02

The instructions on the technote are incorrect for Section 2. The CF9.zip, CF901.zip and CF902.zip under section 2 *DO NOT* contain the CF9, CF901, and CF902 directories as listed (like previous ones APSB13-13). All three of the zips start with /lib inside the given zip.

The Section 1 zips do contain the files with the CF9, CF901, or CF902 directory in the given zips.

Like
Add your comment