Announcing Java updates of Jan 20, 2026 for 8, 11, 17, 21, and 25 - thoughts and resources

It's that time again: there are new Oracle JVM updates released today (Jan 20, 2026) for the current long-term support (LTS) releases of Oracle Java, 8, 11, 17, 21, and 25. (Yep, kind of crazy that there are for now 5 current Oracle Java "LTS" releases, for historical reasons.)

TLDR: The new updates are 1.8.0_481 (aka 8u481), 11.0.30, 17.0.18, 21.0.10, and 25.0.2, respectively. More on the updates below, including links to more info on each of them including what changed, bug fixes, and the security fixes each version contains. (I also offer a quick assessment of the changes listed for the updates.)

Also, OpenJDK updates are usually released at the same time or soon after, so this info may help users of such alternative JDK implementations.

For some folks, the above is all they need to hear. For others, whether this is your first time updating Java or your fiftieth, there are some things that you may or may not know, as I cover here.

[....Continue Reading....]

Announcing ColdFusion updates released Jan 13 2026 - p1 security update

An update for ColdFusion has been released, Jan 13 2026, for each of cf2025 (as its update 6) and cf2023 (as its update 18). (This is the first update since CF2021 reached its end of life, as I blogged previously, so this is the first CF update NOT available for CF2021, which is something folks running that version should beware of.)

In brief, this update (for both versions) addresses a P1 (Priority 1, "Critical") security vulnerability, related to the Apache Tika Java framework which Adobe embeds for certain processing with CF.

Before proceeding, it's of some concern to note that unlike recent CF security updates, Adobe does NOT report (in the APSB, linked to below) that they are, "not aware of any exploits in the wild for any of the issues addressed in these updates." That omission would seem to imply that they ARE aware of this vuln being exploited, which raises the urgency of getting it applied. (It also raises the concern all the more for those on CF2021 or earlier, for whom Adobe will no longer offer ANY updates, including security updates.)

In this post, I share the details about the update (from Adobe and from others). I also share additional info you may want to consider before (or after) doing the update.

For more, read on.

[....Continue Reading....]

Announcing ColdFusion updates released Dec 9 2025 - p1 security update and more

An update for ColdFusion has been released, Dec 9 2025, for each of cf2025 (update 5), cf2023 (update 17) and cf2021 (update 23). This is in fact the FINAL update of CF2021, as it has reached its end of life as I blogged last month.

In brief, this update (for all 3 versions) addresses several P1 (Priority 1, "Critical") security vulnerabilities, and also updates Tomcat, along with updating several CF packages, and makes some other changes (see below). Note that Adobe is also reporting currently that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."

In this post, I share the details about the update (from Adobe and from others). I also share additional info you may want to consider before (or after) doing the update. 

Having installed the update for each of the releases on multiple machines, I can report that it went well except for this:

Warning: beware that some folks implementing the update for CF2023 the first day (myself included) found that after applying the update, the CF Admin was inaccessible and packages that were updated were unexpectedly uninstalled. I have offered a follow-up blog post on that, "One explanation and solution for when applying CF updates uninstalls new packages unexpectedly", including how to solve the problem as I see it, and how to ensure your own manual efforts to solve it are complete.

[....Continue Reading....]

Announcing Java updates of Oct 21, 2025 for 8, 11, 17, 21, and 25 - thoughts and resources

It's that time again: there are new Oracle JVM updates released today (Oct 21, 2025) for the current long-term support (LTS) releases of Oracle Java, 8, 11, 17, 21, and 25. (The previous short-term release, Java 24, is no longer updated.)

TLDR: The new updates are 1.8.0_471 (aka 8u471), 11.0.29, 17.0.17, 21.0.9, and 25.0.1, respectively. More on the updates below, including links to more info on each of them including what changed, bug fixes, and the security fixes each version contains. (I also offer a quick assessment of the updates with respect to my primary audience, users of CFML engines.)

[....Continue Reading....]

Announcing ColdFusion updates released Sep 9 2025 - p1 security update

An update for ColdFusion has been released, Sep 9 2025, for each of cf2025 (update 4), cf2023 (update 16) and cf2021 (update 22). In brief, it addresses a single P1 (Priority 1, "Critical") security vulnerability, along with an indicated update to the "feed" package (used by cffeed). Note that Adobe is also reporting currently that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates." More below.

As usual, there are a number of things you should consider before (or after) doing the update, with some discussed in Adobe's resources on the update (there is more than one), and some info that I share below based on my experience helping people apply this and past updates.

In this post, I share the details about the update (from Adobe and from others). I can report I have installed the update for each release on multiple machines and operating systems without any major incidents. As for challenges (common to recent releases) and lessons learned (about this update), read on.

[....Continue Reading....]

Announcing Java updates of Jul 15, 2025 for 8, 11, 17, 21, and 24 - thoughts and resources

It's that time again: there are new Oracle JVM updates released today (Jul 15, 2025) for the current long-term support (LTS) releases of Oracle Java, 8, 11, 17, and 21, as well as the new short-term release 24. (The previous short-term release, Java 23, is no longer updated.)

TLDR: The new updates are 1.8.0_461 (aka 8u461), 11.0.28, 17.0.16, 21.0.8, and 24.0.2, respectively. More on the updates below, including links to more info on each of them including what changed, bug fixes, and the security fixes each version contains. (I also offer a quick assessment of the updates with respect to my primary audience, users of CFML engines.)

[....Continue Reading....]

ColdFusion 2025 released, Feb 25 2025 - resources and my initial thoughts

ColdFusion 2025 has been released today, Feb 25 2025. In this post I am not only helping share news of the release, and pointing to available resources, but I also share some thoughts/observations on related matters that may be a bit challenging for most to find more about on their own (if they may only assess a couple of resources, or hear only tidbits shared in social media).

First, for more on the many features and changes, I share many Adobe resources--about which I also offer some additional comment. I also discuss changes regarding OS and DB support as well as the fact that CF2025 now runs on Java 21--and that the traditional server deployment of CF comes installed atop Tomcat 10.1. I then share still more info on other matters and resources related to the new version.

I then focus on the major change in licensing, for CF2025 and forward, to being subscription only--which I'll note has no effect on those currently running CF2023 or earlier. I share pricing info and also help in assessing differences in the EULA, and more.

Finally I discuss some migration considerations--including important REMOVAL of some older features from CF2025, as CF continues to be made more secure and modernized. I also identify tools and resources to help aid you in that migration, when you're ready to begin attempting it.

For all that and more, read on.

[....Continue Reading....]

Announcing ColdFusion updates released June 11 2024 - another possible breaking change

This is another important heads-up for my readers: there was an important security update released today by Adobe for ColdFusion 2023 (its update 8) and ColdFusion 2021 (its update 14). Just like the recent CF updates in March, this one again has a potential breaking change (trading away compatibility for the sake of security), and it adds yet another JVM arg that allows you to "revert" to the previous default behavior--to let you benefit from OTHER security aspects of the update, while you give time to addressing what should be changed.

In this case, if you use CF encryption-related functions, the default encryption algorithm is changing--and that means that those who encrypt/decrypt (or hash or randomize) data in their apps MUST take steps before applying this update. For more, read on.

Update: As a heads-up, a few weeks after this post ANNOUNCING the update and its key change, I created another that addresses confusion many still seem to have after reading the Adobe technote on the update (links below). You may want to skip to reading that post first, "On handling the June 2024 CF update change of default algorithm from CFMX_COMPAT".

Otherwise, read on for what I wrote originally.

[....Continue Reading....]

Recent critical Lucee security vulns - make sure you're protected, finding out more about them

There has been important news released (this week and last week) about a critical Lucee security vuln (an RCE or remote code execution vuln). You'll want to make sure your Lucee instances are protected either by updates or configuration (or both). There are actually 3 matters to beware.

[....Continue Reading....]

Announcing ColdFusion emergency update released March 14 2023 - what to do about it

If you've not heard, a new update has been released (March 14, 2023) for ColdFusion 2021 and 2018. Despite what you may hear, this is an URGENT (rated "Priority 1" by Adobe) update that everyone should apply ASAP, for reasons I will explain in this post. In fact, Hackernews reported yesterday (Mar 16) that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had issued an urgent warning about this, giving federal agencies a deadline to apply the update.

TLDR; For some folks, the above may be all you need to hear: you may be dropping your coffee and donuts now to get the update applied. Still others will see this "huge post" and think, "crap, I don't have time for this". For you, skip to the bottom and its "concluding key points". You can then decide what you think you do or don't "need to know" and pick and choose from the sections as you like.

Finally, for those who prefer, because of the importance of all this, to be led more carefully through understanding things (in a way that's worked for the many people I have helped so far this week, and is far more than either Adobe or Hackernews has shared), please do read on.

[....Continue Reading....]

Copyright ©2026 Charlie Arehart