April 14, 2020
ColdFusion (2018 release) Update 9 and ColdFusion (2016 release) Update 15 released

We are pleased to announce that we have released the updates for the following ColdFusion versions:

In this update, apart from fixing the security vulnerabilities, we’ve also added SameSite cookie support for cfcookie.

For more information, see the tech notes below:

These updates fix the security vulnerabilities described in security bulletin APSB20-18.

Please update your ColdFusion versions today. Let us know if you face any issues while installing the updates. Your feedback is essential to further enhancing the product.

We thank you for your continuing support.

1 Comment
2020-04-14 17:07:03

Great to see the new updates, both addressing security issues and the SameSite cookie issue.

That said, it’s quite unfortunate to see that the Tomcat version (underlying CF server) is STILL not updated. (To be clear, I applied update 9 for CF2016 and can confirm that the CF Admin “settings summary” page still shows the Tomcat version as 9.0.21, which is from June 2019! I’m sure the same is true for CF2016 and its use of Tomcat 8.)

There have been over a dozen Tomcat updates since then (to 8 and 9), including an important security one in Tomcat 9.0.31 (from Feb 11) that Pete Freitag’s awesome “HackMyCF” tool keeps pointing out that we are missing–but we can’t update Tomcat ourselves. We need Adobe to do it. What’s the holdup? (I am pretty sure there’s an equivalent concern regarding Tomcat 8 on CF2016, but I don’t have ready access to the version number he would highlight.)

(I will point out that the previous update, in March, DID at least address ONE of the main Tomcat security concerns, in its updating of the Tomcat web server connector. That was great to see, but as I blogged about at the time, it did indeed ONLY address that one issue, without actually implementing an update of Tomcat or the Tomcat version itself.)
