May 10, 2016
Updates for ColdFusion 2016, ColdFusion 11 and ColdFusion 10 released
Comments
(26)
May 10, 2016
Updates for ColdFusion 2016, ColdFusion 11 and ColdFusion 10 released
Newbie 25 posts
Followers: 1 people
(26)

This post is to announce the release of updates for ColdFusion 2016, ColdFusion 11 and ColdFusion 10.

These updates address a common vulnerability mentioned in security bulletin APSB 16-16, upgrade the Tomcat engine and contain other bug fixes. 

ColdFusion 2016 Update 1

ColdFusion (2016 release) Update 1 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 8.0.32. This update includes several important bug fixes for security, core language features, server, and other areas.

For details, refer this technote.

ColdFusion 11 Update 8

ColdFusion 11 Update 8 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 7.0.68. This update includes several important bug fixes for security, language, AJAX, and other features.

For details, refer this technote,  

ColdFusion 10 Update 19

ColdFusion 10 Update 19 addresses an issue mentioned in the security bulletin APSB 16-16. Tomcat has been upgraded to version 7.0.68. This update includes important bug fixes for security and server

For details, refer this technote

26 Comments
2016-07-26 15:51:56
2016-07-26 15:51:56

[sub]

Like
2016-05-26 08:09:33
2016-05-26 08:09:33

Running ColdFusion 11 Update 7 works correctly on my Windows 7 system. My local website loads correctly and IIS has been verified as working (hello world). Once I install ColdFusion 11 Update 8 I receive the following message: http status 500 – coldfusion.server.ServiceFactory$Service NotAvaiableException: The Runtime service is not available.90 percent of the ColdFusion Lockdown Guide has been applied to the desktop.

Like
2016-05-23 02:00:45
2016-05-23 02:00:45

Christopher,
A possible reason can be that the CF service was still running, hence the updater was not able to move the jar files locked and used by the CF server, to a back up location.
If your CF server is running with a non-administrator account, can you ensure that it has the permission to stop/start the CF services. That is, if you want to avoid running the updater manually every time a new update is out.

Like
2016-05-20 08:03:53
2016-05-20 08:03:53

[sub]

Like
2016-05-18 13:38:22
2016-05-18 13:38:22

Follow up to my two posts above:

A command line install of Update 8 worked just fine.

A technician with Adobe informs me that they have identified an issue with installing this update via the CF Administrator for those who have applied the official CF11 “lockdown” steps.

Like
2016-05-18 11:00:06
2016-05-18 11:00:06

Follow up to my last post, here is portions of the Update 8 install log.

The files in the first section (the ones it’s trying to move) don’t even exist… is that the issue?

I also noticed it’s using a mix of / and in file paths for some reason.

My CF user has full write permissions to the folders referenced in this error, and I’ve had no problems installing updates before.

=================================================================================

Moving files failed:
Status: FATAL ERROR
Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:CFROOTcfusionlibupdateschf11000007.jar to the backup location MYDRIVE:CFROOTcfusionhf-updateshf-11-00008backuplibupdateschf11000007.jar

Moving files failed:
Status: FATAL ERROR
Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:CFROOTcfusion/lib/httpclient-4.3.5.jar to the backup location MYDRIVE:CFROOTcfusionhf-updateshf-11-00008backup/lib/httpclient-4.3.5.jar

Moving files failed:
Status: FATAL ERROR
Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:CFROOTcfusion/lib/httpclient-cache-4.3.5.jar to the backup location MYDRIVE:CFROOTcfusionhf-updateshf-11-00008backup/lib/httpclient-cache-4.3.5.jar

Moving files failed:
Status: FATAL ERROR
Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:CFROOTcfusion/lib/httpcore-4.3.2.jar to the backup location MYDRIVE:CFROOTcfusionhf-updateshf-11-00008backup/lib/httpcore-4.3.2.jar

Moving files failed:
Status: FATAL ERROR
Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:CFROOTcfusion/lib/httpmime-4.3.5.jar to the backup location MYDRIVE:CFROOTcfusionhf-updateshf-11-00008backup/lib/httpmime-4.3.5.jar

Moving files failed:
Status: FATAL ERROR
Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:CFROOTcfusion/lib/commons-net-3.0.1.jar to the backup location MYDRIVE:CFROOTcfusionhf-updateshf-11-00008backup/lib/commons-net-3.0.1.jar

Moving files failed:
Status: FATAL ERROR
Additional Notes: FATAL ERROR – Could not move the file MYDRIVE:CFROOTcfusion/lib/commons-collections-3.2.1.jar to the backup location MYDRIVE:CFROOTcfusionhf-updateshf-11-00008backup/lib/commons-collections-3.2.1.jar

=================================================================================

Failed to delete directory
Status: ERROR
Additional Notes: ERROR – Failed to delete directory:MYDRIVE:CFROOTcfusion/lib/httpclient-4.3.5.jar
ERROR – Unable to delete file: MYDRIVE:CFROOTcfusionlibhttpclient-4.3.5.jar

Failed to delete directory
Status: ERROR
Additional Notes: ERROR – Failed to delete directory:MYDRIVE:CFROOTcfusion/lib/httpclient-cache-4.3.5.jar
ERROR – Unable to delete file: MYDRIVE:CFROOTcfusionlibhttpclient-cache-4.3.5.jar

Failed to delete directory
Status: ERROR
Additional Notes: ERROR – Failed to delete directory:MYDRIVE:CFROOTcfusion/lib/httpcore-4.3.2.jar
ERROR – Unable to delete file: MYDRIVE:CFROOTcfusionlibhttpcore-4.3.2.jar

Failed to delete directory
Status: ERROR
Additional Notes: ERROR – Failed to delete directory:MYDRIVE:CFROOTcfusion/lib/httpmime-4.3.5.jar
ERROR – Unable to delete file: MYDRIVE:CFROOTcfusionlibhttpmime-4.3.5.jar

Failed to delete directory
Status: ERROR
Additional Notes: ERROR – Failed to delete directory:MYDRIVE:CFROOTcfusion/lib/commons-net-3.0.1.jar
ERROR – Unable to delete file: MYDRIVE:CFROOTcfusionlibcommons-net-3.0.1.jar

Failed to delete directory
Status: ERROR
Additional Notes: ERROR – Failed to delete directory:MYDRIVE:CFROOTcfusion/lib/commons-collections-3.2.1.jar
ERROR – Unable to delete file: MYDRIVE:CFROOTcfusionlibcommons-collections-3.2.1.jar

Like
2016-05-18 10:45:01
2016-05-18 10:45:01

Update 8 doesn’t seem to want to install for me.

I am running CF11 Update 7 (Enterprise Edition) and using CF Administrator to install Update 8. The update installs, the CF service restarts, but then I log back into CF Administrator and it shows that Update 7 is still the latest update installed. I have cleared browser cache, restarted CF services, and even restarted the entire server… no change.

I see an “hf-11-00008” folder and hotfix_008.jar file in my CFcfusionhf-updates folder, and received no error message during the installation of the update. Any suggestions?

And how do we install hotfixes manually on CF11?

Like
2016-05-17 08:01:32
2016-05-17 08:01:32

Wmulder,
Can you try a simple hello world HTML page (that should keep CF out of the picture) in your site’s web root to make sure that is is functioning well.
Similarly, try a simple no-frills CFML page placed in CF’s webroot /cfusion/wwwroot/, and try to access it in a browser over CF’s internal port (default : 8500).
Note that the internal port may be disabled. So you may have to edit the server.xml file at /cfusion/runtime/conf/server.xml to uncomment the “internal webserver start” section, and restart the CF server.
Are IIS and ColdFusion on the same machine?

Like
2016-05-17 03:06:14
2016-05-17 03:06:14

Hi Immanuel and Piyush,

– problem didn’t exist until directly after 8 update. Previous update was 7 and connectors were reconfiged.

Can you insure that the connector is in place by checking the handler mapping for cfm/cfc extensions in your IIS website. They should point to isapi_redirect.dll in your CF installation.
– Handler mappings in place

There should also be a “jarkarta” virtual dir configured with the website.
– jakarta is present

Also check if the connector related files are present at this directory “configwsconfig”.
– all connector related files are in place

Any request for a resource (.html/.cfm) that comes to IIS at the designated port (usually 80) is forwarded to CF at the AJP port (8014 by default), only if the file extension is .cfm/.cfc.
ColdFusion cannot take over any request comming to IIS.
– That’s what I would have thought 🙂

The site has been working flawlessly since the last occurrence, However it did do what it did… It appeared that CF tried to process the request without IIS doing it’s thing with the Handlers(!).

Your checks have now got me looking in the right place however, the isapi_redirect logs show something – any ideas:

[Thu May 12 16:06:28.886 2016] [7208:4656] [info] HttpExtensionProc::jk_isapi_plugin.c (2759): service() failed because client aborted connection
[Thu May 12 16:34:25.771 2016] [7208:4528] [error] isapi_write_client::jk_isapi_plugin.c (1454): WriteClient failed with 995 (0x000003e3)
[Thu May 12 16:34:25.802 2016] [7208:4528] [info] ajp_process_callback::jk_ajp_common.c (2175): (PRODUCTION02) Writing to client aborted or client network problems
[Thu May 12 16:34:25.817 2016] [7208:4528] [info] ajp_service::jk_ajp_common.c (2903): (PRODUCTION02) sending request to tomcat failed (unrecoverable), because of client write error (attempt=1)
[Thu May 12 16:34:25.817 2016] [7208:4528] [info] HttpExtensionProc::jk_isapi_plugin.c (2759): service() failed because client aborted connection
[Thu May 12 17:49:38.405 2016] [7208:10340] [info] TerminateFilter::jk_isapi_plugin.c (2822): Tomcat/ISAPI/isapi_redirector/1.2.41 stopping

Thanks
Will.

Like
2016-05-16 00:05:25
2016-05-16 00:05:25

Wmulder,

CF11 Update 8 does not carry any connector related changes. Update 7 did. You need not reconfigure the connector after applying Update 8, if you already had Update 7 installed and you had reconfigured the connector after installing it.

Can you insure that the connector is in place by checking the handler mapping for cfm/cfc extensions in your IIS website. They should point to isapi_redirect.dll in your CF installation.
There should also be a “jarkarta” virtual dir configured with the website.
Also check if the connector related files are present at this directory “configwsconfig”.
Any request for a resource (.html/.cfm) that comes to IIS at the designated port (usually 80) is forwarded to CF at the AJP port (8014 by default), only if the file extension is .cfm/.cfc.
ColdFusion cannot take over any request coming to IIS.

Like
2016-05-16 00:03:52
2016-05-16 00:03:52

Wmulder, can you confirm this issue did not exist on the previously installed update?

Please do also mention the previous hotfix installed.

Like
2016-05-13 06:22:52
2016-05-13 06:22:52

CF11 updated to 8 on Win2012 successful. But… one of my sites (since the update) occasionally stops.. really hard to diagnose.. it’s as if the connector dies – resulting in a 404 as CF starts to look for the site here: C:ColdFusion11PRODUCTION02wwwrootindex.cfm, rather than passing the request to IIS which manages the URL rewriting and site location. Or is it IIS failing and CF taking over? Who knows – once the fix was to restart the site in IIS, but second time this didn’t work – required restarting the CF instance!

Using CF Enterprise with IIS 8

Any ideas/help appreciated.

Like
2016-05-11 11:17:06
2016-05-11 11:17:06

Restarting both the CF service and the add on service corrected issue. Manual restart needed after update is applied since it did not complete on it’s own. Sorry for posting before that option was explored.

Like
2016-05-11 10:33:05
2016-05-11 10:33:05

After applying update 8 on CF 11, getting “Service manager authentication failed for http://127.0.0.1:8987/PDFgServlet/. Re-register the service manager.” when calling tag. Add on Service is running and CF admin showing connection status as OK, when “verify all server managers” clicked.

Any suggestions?

Like
2016-05-11 09:06:19
2016-05-11 09:06:19

haxtbh,
Can you clear the browser cache and try to check for updates again. If that does not work, can you pls. confirm the following:
What is the current update level of the server on which you do not see the new update notification? Is it a standalone or a JEE installation?
Can you check the the update URL in the settings tab of the “server update” section in the CF admin console. Click on the “Restore Default URL” to ensure that it is correctly set. If you open up the updates XML file directly in the browser, do you see the new update elements?

Paul,
Not sure what you mean by “cfadmin update bits”. Pls. do clarify. In case you mean that you don’t see the applied update reflecting in the CF admin console’s “server updates” or “settings summary” section, then pls. check if it was update was successfully installed in the first place.
You’ll find the update install log file at :
cfusionhf-updateshf-11-00008 folder … in a standalone installation of CF.
cfusion.warWEB-INFcfusionhf-updateshf-11-00008… in a JEE installation of CF.
Applying the update should also place the update JAR file in the updates folder in the cfusion lib directory, amongst other changes.
Also, which version of CF are you using?

Like
2016-05-11 07:06:19
2016-05-11 07:06:19

[sub]

Like
2016-05-11 07:01:31
2016-05-11 07:01:31

[sub] here too.

Like
2016-05-11 03:50:57
2016-05-11 03:50:57

Flawless updates for CF2016 on Win 2012R2 and Win 10.

Like
2016-05-11 03:15:37
2016-05-11 03:15:37

How much they were tested? Are you sure we don’t get in trouble with more bugs as you update here core apache libs?

Like
2016-05-11 01:56:44
2016-05-11 01:56:44

I’m glad to see my REST-Bug fixed after exactly 18 months…
For a bug that only affects PRODUCTION machines, this is pretty damn slow.

Like
2016-05-11 01:28:05
2016-05-11 01:28:05

No issues with this update so far (CF11), installed fine, running fine at the moment.

Like
2016-05-11 00:50:44
2016-05-11 00:50:44

Only 1 of my CF 11 servers is offering the update. Is this getting rolled out or is something wrong? They are all currently using Update 7

Like
2016-05-10 20:40:44
2016-05-10 20:40:44

Paul, are you saying an update applied manually does not show up as installed from the administrator?

Like
2016-05-10 18:28:49
2016-05-10 18:28:49

minor annoyance, if you update manually, the cfadmin update bits don’t pick up that update.

Like
2016-05-10 13:57:45
2016-05-10 13:57:45

me too [sub]

Like
2016-05-10 10:59:32
2016-05-10 10:59:32

I wish I could subscribe without leaving a comment.

Like
Add Comment