This just presented itself on Twitter:
"New security fix for #Lucee available. Update ASAP." (Lucee Open Source, @lucee_server, August 6, 2015)
Initially I couldn't find anything else about it, and other people are asking too.
This is a pretty crap way of announcing a security issue. I'd like to know who is responsible for that Twitter account, as they need a bullet.
What needs to be done is:
- Create release notes.
- Stick the download on the download site, and via the upgrade channel.
- Write a blog article covering the update.
- Probably put something on the LAS website too.
- Then announce it on the Google Group (they have done this, I note).
- Then announce it on Twitter, with links back to one of the above.
Here's the info from the Lucee Google Group:
This security fix is available for our current stable release (4.5.1.023) on the stable release channel and for our BER release (4.5.2.005) on the develop release channel.
For a manual installation you can download the core files from here (https://bitbucket.org/lucee/lucee/downloads).
So, anyway... comms shortfalls aside... go update your Lucee server.
Oh, and I'll try to find out if it impacts Railo too...