CF911: New Adobe document about ColdFusion security hotfixes: required reading, I'd say

Posted At : May 21, 2013 12:12 AM | Posted By : Charlie Arehart
Related Categories: cf9, admin, cf911, cf10, hotfix, security
Comments: (4)

Note: This blog post is from 2013. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.

Here's a new document from Adobe (new as of last week, it seems) that you may have missed, but which I would argue is REQUIRED READING for all CF admins and developers:

Important hotfix-related notes for ColdFusion 9 and ColdFusion 10

What is this about? and why is it important? Read on below, as the document itself and current links from Adobe don't quite convey its significance, I think. For more perspective, I discuss below both what has happened to many folks after applying ColdFusion security hotfixes in recent years, and how this document helps.

[....Continue Reading....]

Comments (4)

Related Blog Entries

How to tell what, if any, hotfixes have been applied to ColdFusion (9 and earlier) (June 18, 2012)

Comments

[Add Comment]

That issue of session fixation does sound like something we may have unknowingly been hit by, and I agree that the info given isn't enough for me to understand the problem properly. Could you elaborate at all, or point me to a source?

# Posted By Jane | 5/23/13 12:31 PM

Hey Charlie - looking for some advice:
...is it possible to upgrade from 9,0,0,251028 direct to 9,0,2,282541, or do I need to uninstall 9,0,0,251028 , then install 9,0,2,282541 fresh? Or do all the 'hotfixes' just upgrade you to 9,0,2,282541? (e.g. will the hotfixes remove all the verity and turn my server into 9,0,2,282541)? Any help much appreciated.
Adobe info is a bit useless

Thanks

# Posted By jon | 8/18/13 9:36 AM

@Jane, so sorry I missed your comment there from back in May. As for more on fixation, I'd recommend you see the blg entry here:

http://www.petefreit...

@jon, no, you CANNOT upgrade a 9.0 or 9.0.1install to 9.0.2. You would have to remove 9.0 or 9.0.1 first. Why might you want to consider it? Why did Adobe create it? Since this this isn't the place to discuss that, I just created a new blog entry for you (and others):

http://www.carehart....

# Posted By Charlie Arehart | 8/19/13 12:47 AM

Thanks, that article helps a lot, especially the last sentence - since I first asked, we've moved up to CF10.

# Posted By Jane | 8/19/13 3:14 AM

[Add Comment]

Enter your email address to subscribe to this blog.

Recent Comments

Beware that latest Oracle JDK installers will REMOVE older JDK installs of that version
Charlie Arehart said: Eric, thanks so much. I'd indeed missed that news, which is first partly because I find few people s ... [more]

Beware that latest Oracle JDK installers will REMOVE older JDK installs of that version
eric said: As of build 381 of JDK 8 with the exe or MSI will act the same way and remove older versions.

New updates released for Java 8, 11, 17, 21, and 22 as of Apr 16 2024: resources and thoughts
Charlie Arehart said: I'll say first that you can indeed update the jvm Lucee uses, just as you can with CF, though like C ... [more]

New updates released for Java 8, 11, 17, 21, and 22 as of Apr 16 2024: resources and thoughts
Chris said: Hi, we're new to Lucee (have previously been running on Adobe CF for some time). We've noticed that ... [more]

Recordings available for the recent 17-session Adobe ColdFusion Summit Online 2024
Gavin Pickin - Ortus Solutions said: Thanks Charlie for Compiling this, and also explaining the reasons behind the records from Las Vegas ... [more]

Calendar

Sun	Mon	Tue	Wed	Thu	Fri	Sat
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30

Entries by year

2024

April (4)
March (1)
February (2)
January (6)

2023 (33)
2022 (20)
2021 (18)
2020 (17)
2019 (23)
2018 (15)
2017 (14)
2016 (17)
2015 (10)
2014 (19)
2013 (18)
2012 (32)
2011 (21)
2010 (30)
2009 (52)
2008 (95)
2007 (94)
2006 (94)

RSS

Contact

About

A veteran server troubleshooter who's worked in enterprise IT for more than three decades, Charlie Arehart (@carehart) is a longtime contributor to the community who as an independent consultant provides remote, short-term, and even on-demand troubleshooting/tuning assistance for organizations of all sizes and experience levels (carehart.org/consulting).

You can reach Charlie by email at charlie (at) carehart.org, or you can follow him on twitter, @carehart. This blog is one resource among several within https://www.carehart.org/, where you can also find out more about him.

In fact, if you'd like his help, he's available for consulting for as little as 15 minutes.

Appreciate any of the resources I've offered?

Archives By Subject

admin (97) [RSS]
apache (10) [RSS]
API Manager (4) [RSS]
basics (8) [RSS]
blogging (14) [RSS]
business (2) [RSS]
carehart classics (26) [RSS]
CF Server Monitor (26) [RSS]
cf10 (58) [RSS]
cf11 (43) [RSS]
cf2016 (56) [RSS]
CF2016 Intro Series (8) [RSS]
cf2018 (53) [RSS]
cf2021 (45) [RSS]
cf2023 (25) [RSS]
cf411 series (10) [RSS]
cf8 (52) [RSS]
cf9 (33) [RSS]
cf911 (54) [RSS]
CFBuilder (20) [RSS]
CFFundamentals (5) [RSS]
cfml (35) [RSS]
cfmx (8) [RSS]
cfmythbusters (7) [RSS]
commandbox (3) [RSS]
community (24) [RSS]
connector (8) [RSS]
contributions (13) [RSS]
debugging (13) [RSS]
derby (5) [RSS]
docker (7) [RSS]
editors (10) [RSS]
evangelism (5) [RSS]
fusionreactor (62) [RSS]
general (59) [RSS]
hidden gems (12) [RSS]
homesite+ (3) [RSS]
hotfix (21) [RSS]
IIS (12) [RSS]
installation (8) [RSS]
introduction (2) [RSS]
java (42) [RSS]
javascript (2) [RSS]
jdbc (10) [RSS]
keyboard shortcuts (5) [RSS]
licensing (1) [RSS]
logs (7) [RSS]
lucee (19) [RSS]
monitoring (42) [RSS]
news (21) [RSS]
orm (2) [RSS]
performance (13) [RSS]
personal (3) [RSS]
PMT (5) [RSS]
podcasts (5) [RSS]
presentations (27) [RSS]
railo (10) [RSS]
resource lists (26) [RSS]
security (26) [RSS]
seefusion (11) [RSS]
sql server (14) [RSS]
tips (22) [RSS]
tomcat (8) [RSS]
tools (44) [RSS]
training (8) [RSS]
troubleshooting (71) [RSS]
tuning (14) [RSS]
ugtv (11) [RSS]
updates (51) [RSS]
web services (8) [RSS]
webserver (5) [RSS]
writing (20) [RSS]
zeus (3) [RSS]

Upcoming/Recent Conference Appearances

Adobe CF Summit East
Apr 2024

Into The Box
May 2024

CFCamp
June 2024

BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the html in this page?)

Managed Hosting Services provided by