March 1, 2019
ColdFusion (2018 release) Update 3, ColdFusion (2016 release) Update 10, and ColdFusion 11 Update 18 released

We are pleased to announce that we have released the updates for the following ColdFusion versions:

The following are links to the tech notes for each update:

The releases address security vulnerabilities, which are documented in the bulletin APSB19-14.

In these updates, we have also introduced the following:

  • A new application setting, blockedExtForFileUpload, which specifies a comma-separated list of file extensions that must be blocked from being uploaded.
  • In the ColdFusion Administrator, under Server Settings > Settings, there is an option, Blocked file extensions for CFFile uploads. Specify a comma-separated list of file extensions, which will be blocked from being uploaded by the cffile tag/functions.
  • The Admin API method setRuntimeProperty has a new property, BlockedExtForFileUpload. Its value is a comma-separated list of file extensions that are restricted from being uploaded.

For more information, see the tech notes and the tag/function documentation.

16 Comments
Mar 25, 2019

SauravGhosh – when you guys add security features like this in an update are you also updating the Server Auto-Lockdown installer to include them? (I realize this only applies to ColdFusion 2018)

Mar 6, 2019

Be aware CF11 hf 16 (up to and including hf 18) breaks URLEncodedFormat and built-in encoding such as in cfhttpparam, because it refuses to double encode anything. This will likely break things passing a previously encoded value. (I first noticed the problem as an oauth signature calculated over a return URL failed.)

I found an existing bug report: https://tracker.adobe.com/#/view/CF-4204045

Mar 5, 2019

Hello,

The checksum is not correct via https://helpx.adobe.com/coldfusion/kb/coldfusion-11-updates.html

489fdb288d73136b50d5f27993c981fa

It’s not the same as in https://cfdownload.adobe.com/pub/adobe/coldfusion/xml/updates.xml

8270f3d08054e87fb24d4dad7c0cacda

We are talking about a (security) patch, you should really improve your internal check.

 

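The situation raised in the last comment (two published checksums for the same update that do not agree), as an added example that is not part of the original post or of Adobe's tooling: a Python check that reports disagreement between sources as its own outcome, separate from a file that matches nothing. The function names and source labels are assumptions; the two checksum values are the ones quoted in the comment, and the file is a constructed stand-in.

```python
import hashlib
import hmac
import os
import re
import tempfile

_MD5_HEX = re.compile(r"[0-9a-f]{32}")

def normalize(value):
    """Strip and lower-case a published checksum; reject non-MD5-shaped input."""
    v = value.strip().lower()
    if not _MD5_HEX.fullmatch(v):
        raise ValueError(f"not an MD5 hex digest: {value!r}")
    return v

def md5_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large update archive is not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def check_update(actual_md5, published):
    """published maps a source label to its checksum; returns (verdict, matching sources)."""
    if not published:
        raise ValueError("no published checksum to compare against")
    actual = normalize(actual_md5)
    wanted = {src: normalize(v) for src, v in published.items()}
    matching = sorted(s for s, v in wanted.items() if hmac.compare_digest(v, actual))
    if len(set(wanted.values())) > 1:
        return "SOURCES_DISAGREE", matching   # cannot tell which value is authoritative
    return ("OK" if matching else "MISMATCH"), matching

if __name__ == "__main__":
    # Constructed stand-in for the downloaded update file.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed stand-in for an update archive")
    try:
        published = {  # the two values quoted in the comment; labels are assumptions
            "kb page": "489fdb288d73136b50d5f27993c981fa",
            "updates.xml": "8270f3d08054e87fb24d4dad7c0cacda",
        }
        print(check_update(md5_of(f.name), published))
    finally:
        os.unlink(f.name)
```

A `SOURCES_DISAGREE` verdict means the update should not be installed until the vendor confirms which published value is correct, even if the file matches one of them.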