Friday, 3 July 2015

Critical Lucee Update (also attn Railo users)

There's a security patch for Lucee released today, and if you're running Lucee 4.5, you really must apply it.


Actually don't do what I say here. LAS have ballsed-up and rolled this critical fix in with a bunch of other fixes, and as a result, I can't confidently say you should automatically apply this fix. The fix they're espousing needs to go through full regression testing on your system, rather than being a quick fix: I know of at least one upgrade that has failed because of this. I'm fucked off about having delivered this message and then having to back out of it, and I am following it up.

Lucee have released a blog article about it: "Lucee Stable Release - Security Update Included", and the executive summary is:

Today Lucee would like to announce the latest 4.5 stable release and point out that this release includes a very important security update, so we are recommending that you update to this release as soon as possible. We are however not releasing details of the security issue at this time for several reasons.

That's fair enough, and this is a good way of handling this sort of news, I think. Good work.

One other excellent thing is that Lucee have reached out to Railo with an offer to help them get the Railo codebase patched too. Nice work LAS.

So go patch your servers. I'll be hitting up the Railo bods too, to make sure they can action this as well. I'll report back on an update on this when I get one.