As an update to this post, I have offered a new post, pointing out that many people are having problems with this set of updates here. So I would recommend folks hold off on applying it for now. I will update this (and that) if we hear new info from Adobe.
Beyond adding important security and bug fixes as seems typical, this update offers several new or changed features, as well as updated support for things (such as Java 12), as is also often the case.
Uniquely, though, this update is the first ever to require that you first be on the PREVIOUS update before applying this new one. So those on CF2018 must first be on update 4 before going to this new update 5, while those on CF2016 must first be on update 11 before going to this new update 12.
As always, I share a bit more here, for my readers.
(FWIW, CF 11 received its last update in June 2019, when it and CF2018 and 2016 were last updated, as I posted then.)
The new update requirement is a twist/challenge
So as I said above, this update requires that you first be on the latest PREVIOUS update before applying it. That has never happened before, that I know of: certainly not since the new CF update mechanism was introduced in CF10, but I don't recall it in any updates before that.
Update: I have learned since posting this that the problem is about the Adobe security certificate embedded in CF, which is used when pulling down the update file. This is very much like back in CF10, when within days of its release Adobe then too changed the cert. This means that the update download mechanism would fail to "verify" the download (and so not let you proceed to install), with the error:
Error occurred while downloading the update
Failed Signature verification
Some may recall that there was then a separate "mandatory update" jar for CF10--that had to be installed manually before any subsequent updates could be pulled down.
Again, to be clear in case you see this in the future and are planning to update CF, if you are not already on at least CF2018 update 4 or CF2016 update 11, you must get updated to either of those before applying any CF update to CF2018 or CF2016 from today's, forward.
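The failure described in the update above, as an added example (not Adobe's code, and not from the original post): a constructed model in which the stand-in keys `old_cert` and `new_cert` play the certificate embedded in an older install and the one the vendor now signs with. It assumes `openssl` is on the PATH; the real updater's internals are not shown on this page.

```bash
#!/usr/bin/env bash
# Constructed model of a signed-update check. The "vendor" and "updater"
# roles, key names and payload are illustrative stand-ins.
set -u
WORK=$(mktemp -d)

# make_signer NAME: create an EC signing key and its public half.
make_signer() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
  openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# sign_update SIGNER FILE: vendor side, writes a detached SHA-256 signature.
sign_update() {
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# verify_update TRUSTED FILE: updater side, checks FILE against the public
# key that ships inside the installed product.
verify_update() {
  if openssl dgst -sha256 -verify "$WORK/$1.pub" \
       -signature "$2.sig" "$2" >/dev/null 2>&1; then
    echo "verified"
  else
    echo "Failed Signature verification"
  fi
}

make_signer old_cert   # embedded in installs below the prerequisite update
make_signer new_cert   # embedded from the prerequisite update onward

printf 'constructed update payload\n' > "$WORK/update.jar"
sign_update new_cert "$WORK/update.jar"   # vendor now signs with the new key

# An install still trusting the old key rejects a perfectly good download;
# one that already carries the new key accepts it.
echo "install with old key: $(verify_update old_cert "$WORK/update.jar")"
echo "install with new key: $(verify_update new_cert "$WORK/update.jar")"
```

The rejected download is byte-for-byte intact in this model; only the trust anchor on the client is stale, which is why moving to the prerequisite update first is the remedy rather than re-downloading.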
Now back to what I had written originally...
Another aspect of this challenge is that this will affect not only those moving to this update (who are NOT yet on the previous update), but it will also affect those in the future who may SKIP this update but then move to later ones--if again they are NOT yet on the update previous to this. And worse, if future update technotes or comments in the updater UI don't make this point clear, in all of them going forward, I can see this causing heartache and confusion for years to come. :-(
I have asked about it in a comment on the Adobe blog post, to hear more, but so far it seems initial comments are being moderated. That may change by the time you read this.
What's in store for those who do the update
Anyway, everyone using CF2018 and 2016 should apply the updates at some point, if not soon, because they do include security fixes. See that Adobe blog post above, and also the technote for the update (that's the link to the CF2018 one; there is of course a technote also for the CF2016 one), as well as the links in each to the bug fixes page for each release, the security (CVE) bulletin, etc.
As often is the case, the updates include:
- closing important security vulnerabilities
- fixing over 60 bugs
- adding new language and admin features
- adding new platforms supported (like Java 12, and more)
Given the changes, it is important (as ever) for you to test the update in a non-prod environment first. The update is too new for there to yet be any discussion of compatibility issues, but they can happen. Watch the comments here or especially in the Adobe blog post (mentioned first above) for word from the community on how things are going with the update(s).
What if you are reluctant to apply the updates, or want help
I understand that some people are reluctant to apply updates as soon as they come out, preferring to let others be the guinea pigs. Since this one includes a security update, you need to weigh that decision carefully. Again, see the technote and CVE info for more.
I will add first that if you DO try to do the update and have problems, I have a couple of cornerstone blog posts on dealing with problems applying CF updates, both here and on the Adobe CF portal:
- Having problems after applying a CF update? What to check, and how to recover!
- How to solve common problems with applying ColdFusion updates (in 10 and above)
And as I explain in both, I am available to help you also, remotely, quickly, and with satisfaction guaranteed.
What about the web server connector?
Yes, this update does provide an updated web server connector. You would want to update that after updating CF. Either use the "update" button on the CF web server configuration (wsconfig) UI, or the update flag for the wsconfig command-line equivalent.
Update: I had not noticed this need to update the connector when I made my original post.
What about updates to the Adobe CF Docker images
I don't yet see a new Docker image for the updates, but from past experience we should expect those later today or in coming days.
Yes, there are new Adobe CF Docker images for these two latest updates.
If you weren't aware, Adobe started offering Docker images for CF2018 and 2016 in 2018, as I discuss here, as well as for each of their updates.
Better still, you can hear more from me about using the CF Docker images in a talk and a daylong workshop I'll be doing at CF Summit, as I discuss here.
We can also expect soon to see that Forgebox has a new set of CF engine updates for the new updates, for use with Commandbox and its available Docker image.
What about other updates?
Sometimes, when people are updating CF they stop to assess if perhaps they need to update related things.
First, as for Java, the Java update (as of my writing today) is update 4 for Java 11 and update 221 for Java 8. I have more on these (and getting and applying the update, as well as dealing with problems) in a post here.
Second, as for FusionReactor, its latest version is 8.2.1 (as of an update yesterday). For more on updating FR, see a post I did on that. And for more on its recent updates, see the release notes for FR 8.
Finally, what about the PMT (the CF2018 Performance Monitoring Toolset)? It required an update after CF2018 update 2 (if you had been running the PMT based on the original installer released with CF2018 in July of 2018). I blogged about that PMT update, noting also that there was a new PMT installer released at that same time (Feb 2019). If you have installed the PMT since then, then it already includes that first PMT update. If you installed the PMT from the original PMT installer, you need to apply the update from Feb 2019 if you have not. I am not aware that there was an update to the PMT with this CF2018 update 5. If I learn something new, I will update this post to reflect that.
Update: I do notice that the jar in the PMT-hotfix folder (see my blog post in the last paragraph) is indeed differently sized and has some different contents compared to the one that appeared there since CF 2018 update 2. No word yet on whether it really is a required update, or what it contains (there had been a new update technote for that PMT update 1, but when I change that to use the number 2 in the URL, it gets a 404 currently.)
For more content like this from Charlie Arehart, view the rest of his blog posts.