Note: This blog post is from 2016. Some content may be outdated--though not necessarily. Same with links and subsequent comments from myself or others. Corrections are welcome, in the comments. And I may revise the content as necessary.Are you wondering what updates (in terms of version numbers) have been made to the libraries underlying CF2016?
For instance, what's the version of Solr? (It's considerably upgraded over what was in CF11 and 10). What about Java, Tomcat, Hibernate, Hibernate, Quartz, jQuery, and so on?
In this post, I offer a rundown of what seem the most significant libraries and their versions, as deployed in the first release of ColdFusion (2016 Release). I also explain how I found these version numbers, which isn't always obvious, in case that may help others. But I also offer some commentary on why this is an important issue to some, and I offer some counterpoints to the demands some have that every library should always be the absolute latest version (and why that's just not practicable).
If you just want the version numbers without the "waffle", look for the bulleted list of them below. :-)
This is a continuation of a multi-part series of posts on the introduction of CF2016.
(Before proceeding, let me note first that while I do not like that clumsy new name "ColdFusion (2016 Release)", it is the official name. And while most will call it CF2016, I have added the full name here (and in future blog posts on the release) in case some folks may search for it by that full name.)
What is meant by "the libraries underlying CF"?
As most know, one of the benefits of ColdFusion is that it bundles many libraries (some free, some commercial) which underlie most of the features in CF. When you do a CFDOCUMENT, for instance, you're relying on something called IceBrowser which is embedded within CF. (If you ask most people who pay attention to such things, they would say it was iText, but in fact it's the IceBrowser app which makes the itext calls)
And why do the library versions matter? Why do some complain if not updated?
An unfortunate side-effect of this bundling of libraries is that Adobe must pick SOME version to use, when building a given version of CF, and then they will proceed (perhaps for months) to build it out, test it, and then release it. And even then, months may pass before another update to CF, or a couple of years to a new version.
In that time, the library-maker may have updated their library, and folks who care about such details often lament that CF's included libraries are out of date, and either are missing important bug fixes in that library, or new features that it enabled, or both.
But Adobe's in a rather tough position: if they update the library while building a new version (like during the timespan of their building CF 2016), they need to re-test things before that new version can be released.
And even updating such a library in an update of CF (as those come out every few months) is also a dicey proposition, if such a new library may not only implement bug fixes or new features, but also perhaps changes in behavior. Again, it's then incumbent on Adobe to make sure that that new library (and any updates to it since the version they first embedded) has not caused incompatibilities in how CF and users' code process things.
Sometimes people complain that the problem is they'd like (or find people trying) to leverage some aspect of such a library by calling it directly themselves, and they know that a new version of the library would allow them to access that feature, but the Adobe-provided one is "old". And they may wish they could just drop in the updated version of the library to override that which came with CF, but then you can run into problems with either version/classloading conflicts, or other code on the server which now may not work due to that new library they wanted, and so on. And course this leads some to just decry entirely the use of some thing, as is the case with the Javscript-based UI tags, which leverage jQuery, Ext, YUI, and so on.
And I won't deny that sometimes they do seem to drag their feet of such updates. For instance, the version of Solr included in CF11 was 3.4, which was the same version included in CF10! It was quite dated. But we don't know if there was some issue with later updates that required substantial changes within CF, that led them to have to prioritize not implementing that update. We rarely hear such details. While some choose to presume the CF team is being lazy or disinterested, I give them the benefit of the doubt that in some cases they may know things we don't and that they don't feel compelled to elaborate.
All that said, while some will clamor that Adobe should/must include always the very latest version of any embedded library, whenever it comes out or soon after, it just doesn't seem likely or workable. (Take your complaints about that to Adobe. There's really no sense in making your case here. There's no guarantee they're listening. Open a bug report instead.)
So what are the current CF2016 library versions?
OK, history and histrionics aside, let's get to the versions of libraries included in CF 2016.
Again, note that I am not listing here every single library (there are a few dozen) but just the several that I see people most often seemingly concerned about, and as I said I am listing them as of the initial release of CF 2016 (yesterday, Feb 16 2016, as I write). I'm not promising to keep this updated as of subsequent releases/updates.
As for how I got the version numbers, I'll share a little more after these details.
- Antisamy 1.5.3 (OWASP security library)
- Axis 2 1.7.0 (web services library, and note that's "Axis 2" v 1.7.0, not "Axis")
- Derby 10.11 (embedded DB)
- Ehcache 2.10.0 (caching library)
- Esapi 2.1.0 (OWASP Enterprise Security API)
- Ext JS 4.1 (JS library which underlies various UI tags)
- Ewsapi 1.1.5 (MS Exchange API)
- Hibernate 4.3.10 (ORM library)
- Httpclient 4.4.1 (underlies CFHTTP and more)
- Jetty 9.3.6v20151106 (underlies Solr, HTMLTOPDF, and more)
- Java 1.8.0_72 (the JVM which underlies all of CF)
- JDBC Drivers 5.1.4.000138 (the built-in Merant DB drivers, such as for SQL Server, Oracle, and even MySQL. CF no longer includes the MySQL-provided driver, but you can add it yourself)
- jQuery 1.6.1 and jQuery UI 1.8.16 (JS library which underlies various UI tags and Admin interface features)
- Lucene 5.2.1 (underlies Solr, the embedded search engine in CF)
- NekoHTML (CyberNeko HTML Parser) 1.9.16
- POI 3.12 (underlies MS Office Integration features)
- PostgreSQL 9.4-1201 (db driver)
- Quartz 2.2.1 (underlies CF Schedule tasks)
- Servlets 3.1 (underlies CF/Tomcat processing)
- Solr 5.2.1 (the embedded search engine, used by CFSEARCH/CFINDEX/CFCOLLECTION, etc.)
- Tomcat 184.108.40.206 (the application server which underlies CF, when deployed in traditional "Server" configuration)
- YUI 2.3.0 (JS library which underlies various UI tags)
- Is there a library you feel I missed which should be listed?
As an aside, I'll note as well that if you connect CF to an external web server, like IIS or Apache, the date of the connector (isapi_redirect.dll, or mod_jk*.so files), at leas as of this initial release before any updates, is 1/20/16.
Before anyone may chime in to point out how it's woeful that Adobe STILL has not updated library "whatever", consider first what I said above about how they have to be concerned with backward compatibility, though surely important bug fixes (and especially security-oriented ones) should trump that.
Consider also that it may be that CF's use of some library may simply not have changed enough to warrant using some newer library (but I realize some will find that to be a meager excuse for them not updating. Again, see what I say above about how we may not know all that Adobe is considering, and they may not be being "lazy" in their choice, as well as where to take you complaints, the bugbase.)
So, wondering how I did determine the versions that I show? Think I got any wrong? I'm open to corrections. Read on.
How did I determine these versions?
Since it's critical for some people to know the exact version of things, I will share here how I found these version numbers. I could either mistakenly look in the wrong place or the wrong way, so I offer this info to help others either confirm for themselves what I see. It will also help anyone interested assess the version info for libraries in some subsequent update or new version of CF, in case I don't do another post like this. :-)
- In some cases, the info is shown in the CF Admin's "System Info" page (the "i" icon in the top right corner), as is the case with the Tomcat and Java versions
- In other cases, the version number is offered on the file itself (as was the case with the antisamy-1.5.3.jar). Note that such Java-based libraries are stored as jar files, and most (for CF) are found in the [cf]\cfusion\lib folder, though some are stored elsewhere.
- Sometimes such jars has no version number on it (as is the case with the solr-solr.jar). In that case, what I did was copy the jar file, then renamed the .jar extension to .zip (jar files really are simply compressed folders following a certain Java convention for filenames, folders, etc.). Then I opened that zip, and looked at the META-INF\MANIFEST.MF file in there, which is plain text, and generally offers a version number ("Specification-Version") for the library in question
- Sometimes you can get the version from something provided by other means, such as the Solr Admin, which for me was available at http://localhost:8989/solr/admin/
- As for the JDBC drivers, note that those provided by Adobe for SQL Server, Oracle, and even MySQL, and so on are licensed by Adobe from Merant and they're actually stored in the macromedia_drivers.jar file (in the cfusion\lib folder, like most other library jars). But you won't readily find any version numbers there, even digging down into the zip as I discuss above. But there are in fact ways to get the JDBC driver version, and I had blogged about it back in 2006. The same concepts apply, and I even just added a comment there to clarify a minor difference in later versions of CF
- Finally, note also that there are some libraries CF uses where I could not (myself) easily determine the version, such as the jasper (which underlies CFREPORT) and FCKEditor (which underlies CFTEXTAREA), which is why they are not listed above. If anyone figures out how to determine their version
Certainly, if I got anything wrong, please let me know and I'll update the info here, acknowledging your contribution.
And I hope the list here is helpful, now or for someone finding it in a blog post in the future. Some people don't pay attention to "what's new" with a CF release until they can get their org to finally move to it, perhaps a year or more after its release.
And last, let me say one more time: if you want to complain about the fact that some specific library "should be updated", this is not the place to say that. Raise it in the Adobe Adobe bugbase. If you want to add something here which you may feel would help others, do feel free to add that here.
For more content like this:
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, I can help via my consulting services
- See that for more on how I can help a) over the web, safely and securely, b) usually very quickly, c) teaching you as we go, and d) with satisfaction guaranteed