
Announcing ColdFusion updates released May 13 2025: p1 security update (and more)

An update for ColdFusion has been released today, May 13, 2025, for cf2025 (update 2), cf2023 (update 14), and cf2021 (update 20). In brief, it addresses a P1 (Priority 1, "Critical") security vulnerability, as indicated in the associated ASPB (security bulletin) for the update.

The update also incorporates potentially breaking changes (with Adobe trading compatibility for security), while it also includes configurable options to undo those changes (if you prefer to trade away security for compatibility). Finally, the update corrects some issues introduced in the previous updates, released in April.

In this post, I share the details about the update (from Adobe and from others). I can report I have installed both updates on multiple machines and operating systems without incident. As for challenges or lessons learned, I may do a follow-up post as I/we all learn more.

For more details, read on.


Presenting "Solving Common Problems with CF Updates" today, online

Have you had problems installing CF updates, whether the most recent or past ones?

I'll be presenting a talk on this topic, online today, at noon US Eastern, on the CFMeetup Youtube livestream (which will be recorded). Folks who are members of the Online ColdFusion Meetup will have already gotten email notification about this, including the meeting URL, but for those who are not members here are the details:


Announcing Java updates of Apr 15, 2025 for 8, 11, 17, 21, and 24: thoughts and resources

It's that time again: there are new JVM updates released today (Apr 15, 2025) for the current long-term support (LTS) releases of Oracle Java, 8, 11, 17, and 21, as well as the new short-term release 24. (The previous short-term release, Java 23, is no longer updated.)

TLDR: The new updates are 1.8.0_451 (aka 8u451), 11.0.27, 17.0.15, 21.0.7, and 24.0.1, respectively. Crazy that there are now 5 current Java releases, I do realize. More below, including links to more on each of them including what changed, bug fixes, and the security fixes each version contains, which are offered in Oracle resources I list below.

Oracle calls these updates "critical patch updates" (yep, "CPU"), but they are in fact scheduled quarterly updates (Jan, Apr, Jul, Oct, with specific dates listed here), so that the "critical" aspect of this nomenclature may sometimes be a bit overstated. As is generally the case with these Java updates, most of them have the same changes and fixes across the four JVM versions, though not always.

For some folks, that's all they need to hear. For others, read on.


Announcing Java updates of Jan 21, 2025 for 8, 11, 17, 21, and 23: thoughts and resources

It's that time again: there are new JVM updates released today (Jan 21, 2025) for the current long-term support (LTS) releases of Oracle Java, 8, 11, 17, and 21, as well as the new short-term release 23. (The previous short-term release, Java 22, is no longer updated.)

TLDR: The new updates are 1.8.0_441 (aka 8u441), 11.0.26, 17.0.14, 21.0.6, and 23.0.2, respectively. Crazy that there are now 5 current Java releases, I realize. More below, including more on each of them including what changed as well as bug fixes and the security fixes each version contains (including their CVE scores regarding urgency of concerns), which are offered in Oracle resources I list below.

Oracle calls these updates "critical patch updates" (yep, "CPU"), but they are in fact scheduled quarterly updates, so that the "critical" aspect of this nomenclature may sometimes be a bit overstated. As is generally the case with these Java updates, most of them have the same changes and fixes across the four JVM versions, though not always.

For some folks, that's all they need to hear. For others, read on.


Announcing ColdFusion updates released Dec 23 2024: p1 security update

An update for ColdFusion has been released today for both cf2023 (update 12) and cf2021 (update 18). In brief, it addresses a P1 (Priority 1, "Critical") security vulnerability, as indicated in the associated ASPB (security bulletin) for the update (CVSS Base Score of 7.4 out of 10).

In this post, I share the details about the update (from Adobe and from others, including pointing to some discussions I've already started online about the update). Note also that while you may read that the update is related to the CF PMT feature, beware presuming it therefore "doesn't apply to you" because you "don't use it". See the next section for more.

Of course, this is terrible timing for an update, but it is what it is. I can report I have installed both updates on multiple machines and operating systems without incident. And I may do a follow-up post on the update as I/we all learn more.

For more details, read on.


Announcing ColdFusion updates released Oct 15 2024: enhancements and fixes

An update for ColdFusion was released yesterday for both cf2023 (as update 11) and cf2021 (as update 17). In brief, the update has no security fixes, but it does fix dozens of issues that folks have stumbled over recently. It also upgrades some "OEM" libraries underlying CF, and it offers some modest enhancements.

Also, if you may be skipping to this update from prior to CF2023 update 7 or earlier, or CF2021 update 13 or earlier, please don't apply the update before reading below my discussion about possible breaking changes introduced in those updates from March and June of this year.

For more details, read on.


Announcing Java updates of Oct 2024 for 8, 11, 17, 21, and 23: thoughts and resources

It's that time again: there are new JVM updates released today (Oct 15, 2024) for the current long-term support (LTS) releases of Oracle Java, 8, 11, 17, and 21, as well as the new short-term release 23. (The previous short-term release, Java 22, is no longer updated.)

TLDR: The new updates are 1.8.0_431 (aka 8u431), 11.0.25, 17.0.13, 21.0.5, and 23.0.1 respectively. Crazy that there are now 5 current Java releases, I realize. More below, including more on each of them including what changed as well as bug fixes and the security fixes each version contains (including their CVE scores regarding urgency of concerns), which are offered in Oracle resources I list below.

Oracle calls these updates "critical patch updates" (yep, "CPU"), but they are in fact scheduled quarterly updates, so that the "critical" aspect of this nomenclature may sometimes be a bit overstated. As is generally the case with these Java updates, most of them have the same changes and fixes across the four JVM versions, though not always.

For some folks, that's all they need to hear. For others, read on.


Announcing ColdFusion updates released Sep 10 2024: P3 security update

Though the news is a couple of days old, I want to share with my readers that an update for ColdFusion has been released Tuesday, Sep 10, for both cf2023 (update 10) and cf2021 (update 16). In brief, the "only" change is to address a security vulnerability, which is listed in the associated ASPB (security bulletin) for the update as a "critical" severity (CVSS Base Score of 9.8 out of 10)...though curiously that also lists it as being merely a "moderate" priority (3 out of 3).

Also, if you may be skipping to this update from prior to CF2023 update 7 or earlier, or CF2021 update 13 or earlier, please don't apply the update before reading below my discussion about possible breaking changes in those updates from March and June of this year.

And there's still more to consider. Note that if somehow "it's all too much" for you, I can help directly and likely VERY quickly. See my discussion at the bottom here. Otherwise, for the details, read on.


Follow-up on CF 2021 update 15: understanding, solving packages unexpectedly removed

If you've recently applied CF2021 update 15 or are planning to, you need to be aware of a known issue which can cause unexpected removal of some CF packages (modules) which occurs upon the CF restart after installing the update: specifically it's the document, htmltopdf, pdf, presentation, print, and report modules. The good news is that these are easily added back, either using the CF Admin or via the cfpm command-line tool (added in CF2021).

In this post, I discuss this issue, those options for adding them back, and I also share how I'd found the underlying root cause of the problem: the update has a mistaken internal indication that these packages were updated in this update, when they were not. I'm hoping that Adobe may soon be fixing the problem by creating a new update file, to at least benefit those doing this update going forward. I'll share also the bug report for that (and another on a related matter, about installing multiple packages via cfpm).

TLDR

If you just want to "solve the problem" caused in applying this update 15, simply go into the CF Admin and its "Package Manager" page, go to its "Available Packages" section, and click each of those to install them. (Couldn't you also click the "Install All" button offered there? Yes, but there are reasons to be careful about that. Couldn't you use the cfpm tool? Again, yes. I will address both these points and more, below.)


Announcing ColdFusion updates released Aug 20 2024: offers Tomcat upgrade

An update for ColdFusion has been released today for both cf2023 as update 9 and cf2021 as update 15. In brief, the only change is an update to Tomcat, which underlies traditional CF installations (whether implemented with the ColdFusion installer or zip extraction process). I'll have more to share on the Tomcat aspects of the update below.

[UPDATE since original posting: it's turned out that there's a bug in update 15 of cf2021--which is NOT affecting cf2023 update 9--that causes unexpected removal of 5 packages. There's now a new "known issues" section at the top of update 15's technote discussing the matter, only briefly. The simple solution is to add back the missing packages. For more on the original discovery, see comments below starting Aug 23, three days after this post and the update's release. For more on the root cause and other more automated solutions, see my comments below those, as well as a subsequent post I created. Now, back to my original post's contents.]

In addition, before applying the update, note that there are two other things to beware--related to recent previous CF updates, and that's whether you are currently running the immediately preceding update (from June) or the one from March or earlier.



Copyright ©2025 Charlie Arehart