For more resources as well as some additional thoughts on the updates (including what security matter it entails as well as some lessons learned in applying the update--especially if you may update your Java to the JVM released last month), read on.

[....Continue Reading....]

You will find that you can no longer INSTALL CF updates via the CF admin, if CF is using this new Java version. And even if the CF update is run from the command line, if using this newer Java version that also will fail. In either case, there is a new JVM argument that solved the problem, as I discuss below.

This is happening in CF2023, 2021, and 2018. (And this may continue to happen with future JVM updates, until Adobe otherwise addresses the problem.)

As an update, when I first created this post on Jul 21, another problem was that you would find that you could no longer use the CF Administrator to download CF updates, if CF was runnign this new Java version. You would get an error reporting, "Failed Signature verification"--or in some cases you may see only "error failed". But within a couple of weeks, I found that the CF Admin COULD now download updates (including the August 2023 CF update) but the CF update STILL fails to install correctly, as discussed in this post, unless the workaround offered is used.

FWIW, Adobe has also updated the technotes for CF2021 update 10 and CF2023 update 4 with a text box at the top that acknowledges this issue and points to this post for more detail.

In this post, I explain a) what this is all about, then b) how you can fix the problem of INSTALLING the update using the CF Admin, I'll explain how it seems we HAVE to workaround that problem (for now). I also offer a link to a bug report I've filed. I even offer a thought on how this new JVM update may prove over time to affect MORE than just this, and even MORE than just CF (and Lucee) but many java apps. Read on for more.

[....Continue Reading....]

Yes, this is shocking. Yes, unless there's a good explanation, I can understand how many would feel "someone on the CF team should be flogged". Don't shoot me: I'm just the messenger. I don't work for Adobe.

But I will add that in this post, besides just sharing news about the update (and more than JUST pointing to the update), I also offer an ADDITIONAL "fix" some will want to consider, to go BEYOND what this update addresses. See the discussion on "blocking the _cfclient query string".

Read on for more, where I cover:

• Finding more info on this update
• A suggestion on blocking the _cfclient query string
• News for those doing manual offline installs: this update DOES have a zip
• As for doing a Java update along with this update
• CF2018 WAS indeed also updated

[....Continue Reading....]

TLDR: The new updates are 1.8.0_381 (aka 8u381), 11.0.20, 17.0.8, and 20.0.2 respectively). For more on each of them, including what changed and the security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so that "critical" nomenclature may sometimes be a bit overstated. And as is generally the case with these Java updates, most of them have the same changes and fixes across the 4 JVM versions, though not always.

For some folks, that's all they need to hear. For others, read on.

[....Continue Reading....]

For more on the update, and some additional thoughts, read on.

[....Continue Reading....]

Update: 3 days after this update, Adobe released yet another, and then 4 days after that they released yet another, both p1 security updates. While I have posts on each of the two subsequent updates, the one on Jul 14 and then the one on Jul 19, the information below is still important and has details that I do not repeat in the later post.

For more resources as well as some additional thoughts on the updates, read on.

[....Continue Reading....]

[....Continue Reading....]

What if you want it back? In this post, I explain what changed, why, and how to get the functionality back--albeit at your own risk. For more, read on.

[....Continue Reading....]

Update Jul 2023: Before considering what I share in this post, note that if you have updated your CF to use the Java update from Jul 2023, the cause of this error may be due to a totally different issue. See my post from July 2023 on that matter.

Update Feb 2023: In mid-February 2023, Adobe did re-sign their jars and placed them on the uploads site so that either the CF Admin update download or anyone performing a manual download after that date WOULD get the newly signed jars, and the problem below then no longer happens. (They are now signed as "SHA256withRSA, 4096-bit key".) I leave the rest here still for those who would want to understand what DID happen and why the update jars that were in place then DID change (slightly) for this reason.

[....Continue Reading....]

I've seen the problem raised often enough that when I saw someone raising it this weekend, I decided to solve it by creating a new folder in the cfmlrepo.com site, at least for CF2021 and CF2018 (for now), offering there the initial versions of all the neo-*.xml files for those two editions.

For more information, see what I shared (including more background on the issue, where I got the files, where I put the files, and more) in my reply about all this to the CF Community thread where the user raised the need this weekend.

And for the sake of those who may "just want the files" without any need of explanation or warnings:

• cfmlrepo folder of neo-*.xml files for CF2021
• cfmlrepo folder of neo-*.xml files for CF2018

I welcome thoughts, feedback, or suggestions.