We are pleased to announce that we have released the updates for the following ColdFusion versions:
Note: The ColdFusion (2021 release) installers have also been refreshed with this update. The new server installers bundle Update 2 and JDK 11.0.11. The ColdFusion Add-Ons and other installers are bundled with JDK 11.0.11. The refreshed installers are available at ColdFusion downloads.
In these updates, we’ve fixed a few security bugs and some other bugs, which are mentioned in the tech notes.
These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB21-75.
In addition, Update 2 of ColdFusion 2021 features the following:
For more information, see the tech notes for ColdFusion 2021 Update 2.
The Docker images will be hosted shortly on Amazon ECR and Docker Hub.
Please update your ColdFusion versions and provide us your valuable feedback.
Staff
43 posts
A number of individuals (myself included) had issues with ColdFusion 2018 Update 12 (CF2018U12) beyond the query-of-query bug that was introduced (and that Charlie Arehart mentioned above in his comments). Installing the update on a Windows server that was running ColdFusion 2018 Update 11 (CF2018U11) resulted in a Tomcat 403-Forbidden error. Even rebuilding the IIS connector did not fix the issue. I worked with Adobe support to troubleshoot this, and they found that I had two problems with my configuration that I will share here, in hopes that this will save someone else the headaches.
There were two configuration files involved – I’ll list the full paths once and then just refer to them by name for the remainder of this comment:
- server.xml – {cf install folder}/cfusion/runtime/conf/server.xml
- workers.properties – {cf install folder}/config/wsconfig/{magic number}/workers.properties
First, my server.xml file had an artifact left over from an older Tomcat version, and it hadn’t been removed by any of the updaters. In the AJP connector portion of the file (the <connector protocol=”AJP/1.3″…>tag), the requiredSecret attribute needed to be removed entirely.
Second, the isapi_redirect.log file (located in the same folder as the workers.properties file) indicated that I was having binding issues between the IIS connector and Tomcat. The solution was to make sure an IP address was defined correctly in both the connector’s workers.properties file and the server.xml file’s <connector protocol=”AJP/1.3″…> tag. In my case, I needed to add an address=”127.0.0.1″ attribute to the connector tag in server.xml, and change the value of the worker.cfusion.host line in workers.properties from localhost to 127.0.0.1 (see the examples below):
workers.properties
worker.cfusion.host=127.0.0.1
worker.cfusion.type=ajp13
worker.cfusion.connection_pool_size=500
worker.cfusion.secret=[redacted]
worker.cfusion.max_reuse_connections=250
…
server.xml AJP Connector tag
<Connector protocol=”AJP/1.3″ address=”127.0.0.1″ port=”8018″ redirectPort=”8451″ packetSize=”65535″ secret=”[redacted]” maxThreads=”25″ connectionTimeout=”60000″ tomcatAuthentication=”false”/>
If your IIS and ColdFusion installations are on different servers (distributed installation), you’ll likely need to adjust the IP addresses in workers.properties and server.xml accordingly.
Also important to note: the worker.cfusion.secret in workers.properties must match the secret in the AJP connector tag in server.xml.
Heads-up: As is being discussed in a cf community forum thread, there are some bugs in query of queries functionality, in both these updates.
And Adobe has a fix. To obtain it, email them at cfsup@adobe.com, as indicated a nested comment there from Adobe,
As for applying such special fixes, you may find value in a blog post I’ve done in the past, “How to implement a special hotfix that Adobe may give you“.
Also, it would be very helpful if the cffiddle.org site (run by Adobe) could be updated ASAP to run these two new updates. Thanks.
I can report that at some point since my comment a month ago, the cffidle.org site was updated to use the Sept updates for CF2021 and 2018.
Here are a couple of follow-on points that may interest readers (and a couple of questions for Adobe).
- Note that the update technotes for both CF2021 and 2018 indicate that the updates (or refreshed installers) offer support for MacOS Big Sur and an update of CF’s embedded Tomcat to 9.0.50, in addition to other bug fixes, the security fixes, etc. (I am curious to hear if folks running MacOS find that the update alone is enough to deal with issues, or if instead they really will need to use the “refreshed CF2021 installer” that is also offered with this update. Note that none is offered for CF2018.)
- Speaking of those the “refreshed” CF2021 installers, I’ll note a couple other gotchas:
- First, despite what this page says, the installers are NOT to be found at the page indicated (the CF “downloads” page). That is referring to the “related” installers, like the add-ons, .NET, PMT, API Manager, etc. The actual CF installers have never been offered on that CF “downloads” page.
Instead, the installers are to be found at a page that page points us to, which is the other, traditional page for obtaining the installer (for Developer or Trial use), where one fills out the form and then chooses the installer desired.
- And second, on that page, some may have noticed that Adobe has for some months offered also links to the installer at the BOTTOM of that form, such that one needed not fill it out. (I’ve been meaning to blog about that.) But beware that as of this morning on Sept 14, those links below the form still download the ORIGINAL CF2021 installers, not today’s announced “refreshed” ones.
Instead, it’s only if you DO proceed to fill out the form, then what you get WILL be the refreshed installer (at least it was for the Windows installer I obtained, but I suspect it’s so for the other OS installers).
And I suspect in time that the file obtained via those links at the bottom of the form WILL be updated to be the refreshed installers.
(Adobe folks: please do attend to that. Otherwise there could be a lot of confusion from people finding those are not updated.)
- First, despite what this page says, the installers are NOT to be found at the page indicated (the CF “downloads” page). That is referring to the “related” installers, like the add-ons, .NET, PMT, API Manager, etc. The actual CF installers have never been offered on that CF “downloads” page.
- Finally, it’s because that page for downloading CF only offers CF2021 (now that it came out, and no longer CF2018–as is always their policy with new releases) that one can’t get any refreshed installer there for CF2018.
Adobe folks: will you be offering a refreshed installer for folks who have licensed CF2018, at the licensing.adobe.com site? (I am unable to confirm that for folks, myself.) Or will there be absolutely no refreshed installers for CF2018? That would be a shame, as it’s a total pain to update CF (needing to deal with updates 4 and 8 specially), as well as the CF web server connectors, and the JVM. While it’s nice that the CF, wsconfig, and JVM updates are bundled into refreshed installers for CF 2021, we need it as much if not more for CF2018.
You must be logged in to post a comment.
23 Nov
10AM Pacific
Online
