[Looking for Charlie's main web site?]

CF911: Latest CF Security hotfix technote updated (Mar 29) for issue with ColdFusion 8.0.1

Note: This blog post is from 2012. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.
If you are running ColdFusion 8.0.1 and may have applied the latest CF Security hotfix (APSB12-06) since it came out Mar 13 2012, note that there was an update to that on Mar 29, 2012.

The good news is that you just need to update the one hotfix jar. While it is discussed in the technote for the hotfix, the note about this update is sadly (currently) at the BOTTOM of the technote. I'll repeat what it says here, to give it some more visibility:

Note - Updated on March 29, 2012

Following bug is reported for ColdFusion 801 against this security bulletin hotfix.

java.lang.NoSuchMethodError Exception is thrown while using cffile upload.

We have updated the hotfix files of ColdFusion 801 to include the fix for the above issue. Users who have already applied the hotfix for ColdFusion 801 can just update the hotfix jar.

I'm pretty sure this is fixing what some found to be a reliance in the hotfix on your having applied one of the specific Cumulative hotfixes, but if someone had not, or if they inadvertently removed the CHF during the process of adding this single one, things would break. I'll note that the HF technote above does say very specifically what jars to remove, when applying the hotfix. Some people in haste instead delete all the hf and chf jars, or delete chf hars when it says to remove only hf jars. They so look similar in name.

I cover this issue of being careful about applying hotfixes (there are other mistakes you can easily make) in another blog entry I did, CF911: Are you finding CF (or CF Admin) busted after applying a hotfix? Three possible reasons.

And before someone chimes in to lament, "this is what's so wrong with the CF hotfix process, that mistakes can be easily made", I cover that too. The short answer is that Adobe is addressing this in CF10, and may even offer something to help us later for CF 8 and 9. We shall see.

Comments
Just wanted to chime in on the Hot Fix update process. It's a real PITA until CF10, but until (if?) Adobe supplies an auto-updater for CF8 and 9, I highly recommend David Epler's Unofficial Updater: http://uu2.riaforge.... For CF 8.0.1 and 9.0.1 it downloads and applies all known hot fixes in the correct order.
While I'm glad people find Unofficial Updater 2 useful and solves the pain of patching CF8.0.1 and 9.0.1, I have not updated it yet with the fix that Adobe released on March 29th. This is mostly due to the way Adobe has published the fix and waiting to see if they change the URLs yet again.

https://github.com/d...

And while CF10 might make it easier to apply updates, Adobe's track record of revising security hotfixes after they are released has not been all that great over the last 4 or 5.
Copyright ©2024 Charlie Arehart
Carehart Logo
BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by
Managed Dedicated Hosting