We are pleased to announce that we have released the updates for the following ColdFusion versions:
In this update, we’ve fixed a few security bugs and some other bugs, which are mentioned in the tech notes.
For more information, see the tech notes below:
These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB20-43.
Please update your ColdFusion versions today. Let us know if you face any issues while installing the updates. Your feedback is essential to further enhancing the product.
Note: We’ve also updated the add-on installers.
The add-ons contain these updates:
- Security fix for PDFg: (CF 2018 update 10 and CF 2016 update 16)
- SOLR security fix for CVE-2019-0193: (CF 2018 update 5 and CF 2016 update 12)
- ColdFusion Administrator remote start/stop: (CF 2018 update 2 and CF 2016 update 8)
The Docker images have also been updated.
We thank you for your continuing support.
Staff
43 posts
Adobe folks, there are some additional problems on the Java downloads page (beyond those mentioned by Michael and others in other comments here).
Please note that the first two jdk links for updates 261 and 251 mistakenly refer to “241” in their links:
http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u241/jdk-8u261-linux-i586.rpm
http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u241/jdk-8u261-linux-i586.tar.gz
and
http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u241/jdk-8u251-linux-i586.rpm
http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u241/jdk-8u251-linux-i586.tar.gz
Just a note that the Java 8.261 JDK files are not linked properly (file not found) on your website
https://www.adobe.com/support/coldfusion/downloads.html?1#additionalThirdPartyInstallers
in particular Java 8.261 windows64 exe file and also the others as well
http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u261/jdk-8u261%20-windows-x64.exe
MRC
I am working with team to get the links to work. Please stand by.
still not working
The requested URL /pub/coldfusion/java/java8/JDK8u261/jdk-8u261-windows-x64.exe was not found on this server.
Michael, I can confirm what you’re reporting. All the downloads for the Java 8 update 261 (jdk’s and jre’s) do fail with “not found” (not just that Windows 64-bit one). And FWIW, the links for Java 11 update 8 (which was also new last week) DO work.
And I have compared the URLs to the 251 update links (which do work) and it seems the URLs for 261 are “right”, so it must simply be that the files are not there. (There’s a problem with the first two jdk links for 261, and it’s true for 251 as well. I will create a new note, so that it stands out from this simply “confirmation” and so that Adobe might attend to it.)
Are there any details on what was changed in the add-on installers? I don’t see that in the tech notes — only that the PMT components of the CF server was updated.
Brian,
The add-ons contain the same security fix that are present in the update jars for both the versions.
Thanks.
Problem with the 32-bit add-on installer download for CF 2016:
ColdFusion_2016_Addon_win.exe does not have a digital signature.
Hi,
Let me verify this.
-Priyank
I’d be curious to hear, Legorol (and/or Priyank), how one would use such a signature if there was one. Of course, I realize that the CF updates download mechanism in the CF Admin DOES use a signature verification (which is NOT used if one just downloads the update jar files manually).
But since the add-on installer files would by their nature be run outside of the CF Admin (meant as they are to add functionality on a server that might not even HAVE CF installed), I am just curious how you would have used such a digital signature if there was one. Is there perhaps some tool to help with that? I see none mention on the page where one would download that installer.
My question is sincere. No snarkiness intended. 🙂
Charlie, very good question and I’ll be happy to elaborate, especially because the answer is not specific to ColdFusion and it’s good to be generally aware of it. Please excuse me if anything in this answer is obvious to you, I’m addressing it to a general audience in case someone else reads this.
In Windows, an executable (.exe) file can have a digital signature, or more precisely a code signing certificate, embedded as part of the file itself. This allows the operating system and other applications to automatically verify the authenticity and integrity of the file. Users can also manually verify the digital signature using Windows features, without using any additional tools.
When a user tries to run an executable that does not have a signature, especially for setup/installer files, they get a warning prompt in Windows.
To see if an executable file has a digital signature and to verify it manually, navigate to the executable in File Explorer, and open its Properties (e.g. with right-click > Properties). If it has a digital signature, then a Digital Signatures tab is present with various useful information. Select an entry in the Signature list, and click the Details button. This gives additional information about the specific signature, verifies it and shows a message “This digital signature is OK”, if it is the case. This is at least as strong a verification as checking a hash of the file (e.g. SHA-256) against a known value.
It is common practice (and indeed very much recommended) that software developers attach a digital signature to executables that are shipped to end-users, especially for setup/installer files. This has many advantages in addition to being able to manually verify a downloaded file. For example, anti-virus software is typically much more strict with executables that don’t have a signature.
The signature, or more precisely the code signing certificate, uses standard Public Key Infrastructure. The certificate is counter-signed by a certificate authority in the same way as an SSL certificate. The operating system verifies the authenticity of the certificate using a certificate chain up to the trusted root certificates installed on the system, in the same way as it does for an SSL certificate.
ColdFusion installers have included a digital signature at least as far back as CF 10 (which is the oldest one I have access to). This applies to all additional downloads as well, e.g. API manager and add-on services installers.
Thanks for all that. I was clearly not aware. 🙂 I guess since the cf installers have always had them, I’d never come across this. As for other software, I suppose this may explain why I’ve seen those “don’t run” errors in some installers. Since I always trusted where I’ve gotten them, I didn’t press to find that this was perhaps the explanation.
Again, Thanks for informing me and for pressing Adobe to resolve this.
I’d like to add two points of clarification here:
First, it’s worth mentioning also that the Adobe CF Docker images for CF2018 and 2016 were updated today as well (https://bintray.com/eaps/coldfusion/cf%3Acoldfusion).
Second, if you read the technote for the update (not the security bulletin), you will see a new admonition to delete any “CAR files” once used (this CAR mechanism is a feature to export admin settings from one CF instance to another). I can offer some clarification on that new admonition.
And in fact, I started to write it here but it became too lengthy and I will create a blog post instead. That may also help some become aware of the issue who would not see this comment. When I have created it, I will add a link to it here.
You must be logged in to post a comment.
23 Nov
10AM Pacific
Online
