
New updates for Coldfusion 11, 10, and 9 (security update for 9, 11; still more for 10)

If you'd not heard the news, there were several updates released today, for CF 11, 10, and 9.

As for CF11 and CF9, it's mainly a security update. For CF10, it's got quite a bit more. (And there is another update for CF11 to come in the future which Adobe mentioned when it came out with its first update last month.)

For more on each, see below.

Adobe has also posted a blog entry about the update, and if you have questions or concerns about it (that should be seen by them), it would be best to raise them there, as they may not see them here. I welcome comments otherwise, of course.

ColdFusion 11 Update 2

So as for this update 2 for CF11, it's a security update. From the security bulletin (which applies to 11, 10, and 9), "these hotfixes address a security permissions issue that could be exploited by an unauthenticated local user to bypass IP address access control restrictions applied to the ColdFusion Administrator. Cross-site scripting and cross-site request forgery vulnerabilities are also addressed in the hotfixes."

And to be clear, this is the 2nd update for ColdFusion 11. I find when working with some people running CF11 that they have not noticed there are new updates. (Of course, the update tool in the CF Admin should point it out, assuming the server is connected to the internet, but even then some do not notice the indicator of a new update.)

And as for the first update to CF11, the Adobe CF blog did indeed mention it when the first CF11 update came out, in September.

You can learn about CF11 update 2 in this technote (and of course, in the Server Updates feature of the CF Admin).

And let me warn you that if you have not yet applied update 1, then after applying update 2 it's critical that you rebuild the web server connector if using IIS. The technote warns you, but many miss that. I discuss the concept in more detail in 2 blog entries I did (related to CF10, but still useful). See more in the 2nd paragraph of the next section. (To be clear, you do NOT need to update the connector after this update 2 if you had already done that after update 1. This paragraph is aimed at those who either did not yet apply update 1, or did not update the connector after applying update 1.)

Similarly, if you're new to applying updates in CF11 (and maybe never did them in CF10), there's a great resource from an Adobe engineer from a couple of years ago: a 50-question FAQ on the feature. See more on that in the last paragraph of the next section.

ColdFusion 10 Update 14

As for CF 10, this is update 14 and again you can find a link to it in the CF 10 Admin's Server Updates feature. Still, there is a technote for CF10 update 14, which of course is linked to from the update as shown in the CF admin server updates feature. Many never read those, which is a shame.

Update: Before you proceed to apply update 14, and while I have some substantial comments you'll want to consider below, let me note first that since I posted this entry, Adobe has created two new blog entries dealing with problems some folks have had related to update 14: Again, not everyone applying update 14 will need to deal with these, but I wanted to make sure my readers here knew of them as they considered applying the update.

Note that the technote tells you that this is another update where you MUST rebuild the web server connector after applying the update. The update page in the server updates feature will also warn you, but many miss that. I discuss the whole notion of updating the web server connector in more detail in 2 blog entries I did related to update 12, starting at CF911: Why/when you MUST update the web server connector for #ColdFusion 10, and may have missed it. After applying update 14, the date of the connector (isapi_redirect.dll, for IIS, for example) would be Oct 9 2014 (the date that new DLL was created by Adobe, not the date you rebuilt the connector). Again, see my blog entries for more info.

And Update 14 is quite a bit more than just the security update (mentioned elsewhere here for CF 11 and CF9). This update includes:

  • Tomcat upgrade to 7.0.54
  • Tomcat connector upgrade to 1.2.40
  • Support for JDK 8
  • Support for Apache HTTP server 2.4.x (up to 2.4.9)
  • Fixes for vulnerabilities mentioned in the security bulletin APSB14-23
  • Several important bug fixes in AJAX, Database, Net Protocols and other areas

Note that it also includes the security fixes discussed above in the CF11 section. And while that list does list some interesting things, I'll note that it does not list ALL that you may be interested to know has been updated in CF10 update 14.

First, the list above comes from the technote for CF10 update 14. And note that it links also to a document listing the 50+ bug fixes. (I do wish they'd list the update number in the URL for a document like that. What if a future update also had bug fixes and a similar document was needed?)

Note also that despite the reference to that second document as "bug fixes", it does mention changes that are really updates, like an update to the Postgres driver, and more. (I'd missed that when I first posted this entry. A comment from a reader led me to notice that.)

Sadly, because the wording is the title of the bug report as the user wrote it, we can't always tell from it what was actually changed. For instance, the bug report about Postgres requests that the driver be updated to support 9.3. It's not clear from the report what version they finally updated to (there are no notes on the bug report added by Adobe).

I did some digging and found in the updated files list ([ColdFusion10]\cfusion\hf-updates\hf-10-00014\hotfix_filelist.log) that it DID add postgresql-9.3-1101.jdbc41.jar and removed postgresql-8.3-604.jdbc3.jar. I also see an update to mysql-connector-java-commercial-5.1.17-bin.jar (though curiously, no removal of another mysql jar, which is worth checking on your own server: an older driver jar left beside the new one on the classpath is exactly the kind of thing an update is supposed to retire).
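As an added example (it is not part of the original entry, and it is not Adobe's code), here is a Python script that automates the two things this entry keeps telling you to verify by hand after update 14: that every deployed copy of the web server connector matches the connector file the hotfix shipped (a copy that was never rebuilt or re-copied is still running the old Tomcat connector), and that the JDBC driver jars under cfusion/lib were actually swapped, with the new jar present, the old jar gone, and no two versions of the same driver left on the classpath. The directory layout, the location of the reference connector file, the third jar name in the demo, and all file contents are constructed for the demo; only the two Postgres jar names and the MySQL jar name come from the hotfix_filelist.log observations above.

```python
"""Post-update sanity checks for a ColdFusion 10 install.

Added example, not Adobe's tooling. CF_ROOT-relative paths are assumptions;
point `reference` at wherever you keep the connector file the hotfix
delivered, and `deployed` at every wsconfig/<n>/ copy your web server loads.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Matches driver jars whose version we want to compare, e.g.
#   postgresql-9.3-1101.jdbc41.jar  -> name=postgresql, ver=9.3
#   mysql-connector-java-commercial-5.1.17-bin.jar -> name=mysql-connector-java-commercial
DRIVER_PATTERN = re.compile(
    r"^(?P<name>postgresql|mysql-connector-java(?:-commercial)?)-(?P<ver>\d[\d.]*).*\.jar$"
)


def sha256(path):
    """Hex SHA-256 of a file; used to compare connector copies byte for byte."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def check_connectors(reference, deployed):
    """Return [(path, reason)] for every deployed connector copy that is
    missing or does not match the reference file's hash."""
    ref_hash = sha256(reference)
    problems = []
    for copy in deployed:
        copy = Path(copy)
        if not copy.exists():
            problems.append((str(copy), "missing"))
        elif sha256(copy) != ref_hash:
            problems.append((str(copy), "differs from reference"))
    return problems


def check_driver_jars(lib_dir, expect_present, expect_removed):
    """Return a list of findings about driver jars in lib_dir:
    expected new jars that are absent, old jars still present, and any
    driver that has more than one version sitting on the classpath."""
    jars = sorted(p.name for p in Path(lib_dir).glob("*.jar"))
    findings = []
    for name in expect_present:
        if name not in jars:
            findings.append(f"expected jar missing: {name}")
    for name in expect_removed:
        if name in jars:
            findings.append(f"old jar still present: {name}")
    versions = {}
    for jar in jars:
        m = DRIVER_PATTERN.match(jar)
        if m:
            versions.setdefault(m.group("name"), []).append(jar)
    for driver, copies in sorted(versions.items()):
        if len(copies) > 1:
            findings.append(f"multiple versions of {driver} on classpath: {', '.join(copies)}")
    return findings


def demo():
    """Build a constructed mini-install in a temp dir and run both checks.
    Returns (connector_problems, jar_findings)."""
    root = Path(tempfile.mkdtemp(prefix="cf10-check-"))
    lib = root / "cfusion" / "lib"
    wsconfig = root / "cfusion" / "runtime" / "lib" / "wsconfig"
    lib.mkdir(parents=True)
    # Constructed connector copies: site "1" was rebuilt, site "2" still holds the old DLL.
    reference = root / "hotfix_connector" / "isapi_redirect.dll"
    reference.parent.mkdir()
    reference.write_bytes(b"new connector (constructed bytes)")
    for site, content in (("1", reference.read_bytes()), ("2", b"old connector (constructed bytes)")):
        (wsconfig / site).mkdir(parents=True)
        (wsconfig / site / "isapi_redirect.dll").write_bytes(content)
    # Constructed jar set: the Postgres swap happened, but a hypothetical older
    # MySQL jar (5.1.12 is made up for the demo) was left beside the new one.
    for jar in ("postgresql-9.3-1101.jdbc41.jar",
                "mysql-connector-java-commercial-5.1.17-bin.jar",
                "mysql-connector-java-commercial-5.1.12-bin.jar"):
        (lib / jar).write_bytes(b"PK\x03\x04")  # only existence matters here
    connector_problems = check_connectors(
        reference, [wsconfig / "1" / "isapi_redirect.dll", wsconfig / "2" / "isapi_redirect.dll"])
    jar_findings = check_driver_jars(
        lib,
        expect_present=["postgresql-9.3-1101.jdbc41.jar"],
        expect_removed=["postgresql-8.3-604.jdbc3.jar"])
    return connector_problems, jar_findings


if __name__ == "__main__":
    problems, findings = demo()
    for path, reason in problems:
        print(f"CONNECTOR: {path}: {reason}")
    for finding in findings:
        print(f"JARS: {finding}")
```

On a real server, replace demo() with your own paths: the hash comparison is what tells you whether Adam's approach in the comments (copying the DLL by hand instead of rebuilding) actually reached every site's wsconfig folder, and the duplicate-version check is what catches a leftover driver jar that the hotfix file list did not remove.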

I also see in the bug list references to several updates related to problems folks have had using the CF admin, problems with JSON, and a pernicious bug that has hurt some people using implicit getters and setters in CFCs.

Anyway, you'll want to look over the list of "bug fixes" carefully to see if there are any other changes that may affect you.

And I'm sure some will (reasonably) complain, "hey, why aren't these added for CF11?" The good news is that Adobe has said that they will be doing another update for CF11 soon (see an update in the entry on Update 1), and I'm sure it will include these things and much more (especially bug fixes for 11). I suspect there's just a lot more for them to add, so it's taking more time to test.

And FWIW, it's been a while since we've had one (the last being update 13, which technically only had anything new for OS X users, as I discussed in a blog entry at the time).

Let me also point out that if you face any challenges using the CF10 server update feature, there is a great resource (written a couple of years ago by an Adobe engineer), ColdFusion 10 Hotfix Installation Guide, which is basically a 50-question FAQ about issues folks may face when applying CF10 updates. Much (but not all) of it applies to CF11 as well.

ColdFusion 9 Security Update

As for CF9, the update is primarily a security-related hotfix.

You can learn more in the security bulletin (APSB14-23, the same bulletin that covers CF11 and CF10), and I mentioned above in the CF11 section what the security fixes in the new update are about.

There are different steps and download files depending on your specific version of CF9, as well as depending on whether you had or had not applied the immediately preceding security update (APSB13-27).

For more on the steps and the downloads, see the technote for APSB14-23.

Do be aware, though, that if this is your first application of a security hotfix in CF9, these hotfixes are cumulative: you will also get every earlier fix you had skipped, and some of those change behavior in ways that could impact your server. I discussed how you can learn more about this problem in a blog entry I did last year: CF911: New Adobe document about ColdFusion security hotfixes: required reading, I'd say.

FWIW, I'll note that the "number" (of the jar) for the update also depends on your specific version of CF 9. If running CF 9.0.2, it's hf902-00007.jar. If CF 9.0.1, it's hf901-00012.jar. If CF 9.0.0, it's hf900-00013.jar.

Finally, if you're going to be updating CF9, please see my blog entry warning of some gotchas to be careful about, Applying hotfixes to #ColdFusion 9 and earlier? A guide to getting it right.

More Help with Applying CF Updates

As you can perhaps tell from all my tips above, I have helped people solve many problems related to applying updates, whether to CF 8, 9, 10, or 11, in my CF Server troubleshooting consulting services.

I pulled together many of the tips, tricks, and traps in a talk I did, Updating/Hotfixing #ColdFusion 11, 10, 9 and 8: Tips and Traps.

Hope all that's helpful. If you have questions or comments, fire away. If you want guided assistance in applying (or considering) the hotfixes, reach out to me. I help people with this stuff every day.

Comments
Hi Charlie,
did you hear about any problems with the new JDBC driver for postgreSQL?
I get connection timeouts to our 9.1 Server after updating to CF 10 Update 14.
(Ubuntu Linux 12.04 64bit)...
This also applies to my Win7 64 bit machine with PostgreSQL 9.1

Apache 2.4 support is very welcome! :)

Best regards
Joerg
# Posted By Jörg Zimmer | 10/15/14 5:56 AM
@Jörg, I was not aware that an updated Postgres driver was part of the CF10 updates. Thanks for pointing that out.

As I look now at the "bug fix" document (http://helpx.adobe.c...), I do see that it lists one that refers to a "need to update to postgres 9.3". Interesting. I wouldn't have considered that a "bug fix" but an "update".

Anyway you're saying you're using Postgres 9.1 and having problems connecting to that after the update? That's a real shame to hear.

It's not clear from that bug entry (since it's using the wording of the person who requested the "fix") just what Postgres support Adobe updated to. I'd suspect it was a DataDirect driver update, in which case the question is what version of Postgres does that support. Or is it that for Postgres, Adobe provides a real driver from Postgres? I don't know and am pressed for time to look into that now.

As for your problem, I'm afraid I don't have any suggestions on that, other than to say that you ought to report the problem on the Adobe blog entry (they came out with one after I posted mine): http://blogs.coldfus...

I have also updated my entry here to point to that new blog entry, as well as to note that, as you have indicated Jörg, there is really more to the "bug fixes" list for CF10 update 14 than just bug fixes, really, given that they updated a database driver. That wasn't listed as one of the "updated" things in the few bullet points about the update. Folks on CF10 will want to look over that list of fixes to see what else may be "new".

Thanks again for the observations, and sorry I can't help more.
# Posted By charlie arehart | 10/15/14 7:21 AM
thanks for your quick reply Charlie!
I posted this to the official adobe blogpost...
# Posted By Jörg Zimmer | 10/15/14 7:55 AM
Charlie,

I am getting a 500 error after installing the CF10 update. I am seeing the same thing that Ray Buechler is seeing.

http://blogs.coldfus...

I too have the server locked down using Pete's guide. Have you seen this yet? Thanks.

-Daniel
# Posted By Daniel Garcia | 10/15/14 12:18 PM
As an update on the news of CF10 updater 14 above, note that Adobe has added a note to their technote on it (http://helpx.adobe.c...):

"On Windows, ensure that you have Microsoft Visual C++ Redistributable 2012 Update 4 installed before attempting to reconfigure the connector. To download Visual C++ Redistributable 2012 visit this webpage (http://www.microsoft...

There are other important notes on that page to pay attention to. For instance, if updating to Java 8 after doing it, note the need to move tools.jar (see the technote). There's also another blog entry from Adobe related to that: http://blogs.coldfus...

Finally, @Daniel, did you ever resolve your problem?
# Posted By charlie arehart | 10/30/14 9:09 AM
Charlie,

I did get the issue resolved. It was the one mentioned here:

http://blogs.coldfus...

The fix for me short term was just manually uninstalling and then running the updater as an administrator.

Thanks.

-Daniel
# Posted By Daniel Garcia | 10/30/14 9:26 AM
Ah, great. Thanks for the update. Sorry I didn't think to point you to that after it was posted. Glad things are resolved for you for now.
# Posted By charlie arehart | 10/30/14 10:25 AM
Charlie,

What is the significance of running the web server connector other than to update the isapi_redirect.dll file? Last time I ran the connector, it destroyed my configs and undid many settings related to Pete's lockdown guide. I'd rather not run the connector if I can just do the updates it needs to do manually, such as copy the DLL file.

Thanks,
Adam
# Posted By Adam Winter | 12/2/14 9:11 AM
@Adam, that's right (that rebuilding the connector will lose the settings). I have complained about that on the Adobe blog entry about that IIS tuning for CF11. I have just updated my blog entry about rebuilding the connectors (which I point to above) to make that point clear also. And I point there to an Adobe feature request I made to get them to preserve those settings. I hope you and other readers will go there and vote it up (https://bugbase.adob...

But yes, to your point, the main thing the rebuild does is create that new DLL (when you have applied updates that would cause a new one to be created on rebuilding the connector). So you could indeed just copy the updated dll into the other folders.

I'll just say that rebuilding the connectors (when done right) also edits configuration settings in the web server (as well as in those wsconfig folders), and sometimes there's value in rebuilding them to correct some mistakes (such as when in the past you may have done it without "running as administrator", as I discuss in the other blog entry).

But assuming you did build those connectors correctly previously, then yes just copying the dll into those folders would get them "updated".
# Posted By charlie arehart | 12/2/14 1:21 PM
Charlie,

I've applied the #14 patch and updated java to version 8u25. We are running into an issue with the new version of the web connector (isapi_redirect.dll) in which the URL structure makes a difference on whether the data is correctly returned or not. Here's an example.

Paste the code from here (http://apaste.info/T...) into a file in the root of a folder named "test". This file needs to be named the default document, and in this case that's "index.cfm". Then, try these URLs:
/test/?greeting=hi
/test/index.cfm?greeting=hi

The first will generate an error and the second will work fine. However, if I revert the connector back to the version of patch #13 and all other updates remain the same, the first URL will work fine as well.

The problem is specific to the new version of isapi_redirect.dll and the encoding of "UTF-16be". Using an encoding of "UTF-8" does not have the problem either.

Are you able to replicate this issue? If so, what do you suggest as a workaround?
# Posted By Adam Winter | 12/29/14 6:26 PM