Showing posts with label ColdFusion 11. Show all posts

Thursday 19 November 2015

... and... Adobe hot fixes it

G'day:
Just a quick follow-up to this morning's article: "CAUTION: Latest ColdFusion 11 patch breaks (at least some) code using "/>" in CFML tags"

Well knock me over with a feather... they've released a hot-fix for it! How good is that?

It's attached to the ticket: "CFPOP doesn't create the query given by name="" with updater 7 installed".

I still think they need to withdraw update 7, bake that hot fix into it, and release it again (as update 8), but at least this should get Tom going.

I haven't tested it as I'm behind a firewall here and cannot get to a POP server, but I'll report back when I have confirmation it actually fixes the problem.

Good snappy work there Adobe. And good to see it's possible for you to release individual hot fixes.

Righto.

--
Adam

CAUTION: Latest ColdFusion 11 patch breaks (at least some) code using "/>" in CFML tags

G'day:
I twittered about this yesterday, but didn't have time to follow it up here for one reason or other.

I think one should hold off on installing ColdFusion 11 update 7 for the time being, as it definitely has a minor code-breaking glitch, but it could be more far-reaching. This still needs to be clarified by the Adobe ColdFusion Team.

Yesterday Tom Chiverton drew my attention to this new issue: CFPOP doesn't create the query given by name="" with updater 7 installed, wherein:

Pre-updater 7, and as documented, CFPOP's name argument can be used to name the query returned.

Post-updater 7, this errors with " Variable MAIL is undefined. <br>The error occurred on line 10. "
Line 10 being the CFDUMP. Trying to use it in a QoQ also fails.

Test Configuration

<cfpop server="xxx"
    action="getHeaderOnly"
    username="xxx"
    password="xxx"
    timeout="60"
    name="mail"
    maxRows="100"
    startRow="5"
/>
<cfdump var="#mail#" />

Seems inconvenient, and I think <cfpop> is a common enough tag that it needs an immediate fix. Bear in mind that Update 7 is a security update, so all things being equal, ColdFusion 11 users really ought to have it in production as soon as they can.

Adobe then fed-back on the issue (props for feeding back quickly, btw), but the news ain't cool:

The work-around for this issue is to remove the "/" end tag in the cfpop tag; it would work.

Modified the code:

<cfpop server="xxx"
    action="getHeaderOnly"
    username="xxx"
    password="xxx"
    name="mail">

<cfdump var="#mail#" />


There is already a bug logged for this bug #3969304 (though the description of the bug and the behavior is different. These are the side effects of having end tag), which is fixed and would be available in the next update.

My first reaction here is that "the next update" - unless otherwise stated - could be a coupla months off: the gap between update 6 and update 7 was 2.5 months or so. This is unacceptable. This bug was clearly introduced in update 7 - Adobe are not even contesting that - so they need to fix update 7. We can't be waiting around for 2-3 months until update 8 comes out.

Adobe, you need to own situations wherein you cause your clients grief.

Secondly... and this didn't occur to me initially... if closing the <cfpop /> tag causes it to not work... how many other tags are impacted by this? I don't see how the closed / not closed behaviour change can be individual-tag-specific. This needs clarification from Adobe.
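For anyone with a lab server and a reachable POP server, this is the check I would run before letting update 7 anywhere near production. It is an added example, not code from the original post or from the ticket: it runs the same <cfpop> call in self-closing and open-tag form, wrapped in <cftry> so a connection failure is reported rather than aborting the page, and records whether the named query actually got created in each case. The server name and credentials are placeholders to be replaced with your own lab values.

```cfml
<!--- selfClosingTagCheck.cfm (added example, not from the original post).
      Compares <cfpop ... /> against <cfpop ...> on this server and reports
      whether the query named by the name attribute exists afterwards.
      Server/username/password are placeholders: fill them in for your lab. --->
<cfset results = {}>

<!--- Case 1: self-closing tag, the form the ticket reports as broken on update 7 --->
<cftry>
    <cfpop server="pop.example.invalid"
           action="getHeaderOnly"
           username="PLACEHOLDER_USER"
           password="PLACEHOLDER_PASSWORD"
           timeout="60"
           name="mailSelfClosing"
           maxRows="1" />
    <!--- true only if the tag both ran and created a query variable --->
    <cfset results.selfClosing = isDefined("mailSelfClosing") && isQuery(mailSelfClosing)>
    <cfcatch type="any">
        <cfset results.selfClosing = "error: #cfcatch.message#">
    </cfcatch>
</cftry>

<!--- Case 2: open tag with no trailing slash, Adobe's suggested work-around --->
<cftry>
    <cfpop server="pop.example.invalid"
           action="getHeaderOnly"
           username="PLACEHOLDER_USER"
           password="PLACEHOLDER_PASSWORD"
           timeout="60"
           name="mailOpenTag"
           maxRows="1">
    <cfset results.openTag = isDefined("mailOpenTag") && isQuery(mailOpenTag)>
    <cfcatch type="any">
        <cfset results.openTag = "error: #cfcatch.message#">
    </cfcatch>
</cftry>

<!--- On an unaffected server both entries are true; on an affected update 7
      server the selfClosing entry is false while openTag is true. --->
<cfdump var="#results#">
```

Run it once before and once after applying the updater on the lab box, and keep the dump output with the rest of the regression evidence; a connection error in both cases means the POP details are wrong, not that the tag is broken.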

[Actually "secondly" was a sense of epicaricacy that people who unnecessarily close their CFML tags, further cluttering up already cluttered code, have had their chickens come home to roost. But that is counterproductive in this situation].

Thirdly. This just demonstrates that Adobe need to rethink their security patching, and their approach to patching in general. A security patch should only impact the security issue. It should not be a roll-up of all previous patches, because it's too big a regression burden for the urgency of these security holes they keep finding in the sieve that is ColdFusion. Adobe need to change their work focus away from what's convenient for them, to be what's convenient for their clients. They also need to bear in mind that all of this, irrespective of the patch size and complexity is a) their fault; b) causing their clients work. This is another thing the Adobe ColdFusion Team need to start owning. They need to start acting like they're the stewards of enterprise grade software, basically.

So I think there's some question marks over ColdFusion 11 update 7 at the moment, and the ColdFusion Team need to get a hustle on to release update 8 as soon as they can.

I will be hitting the #CFML Slack channel to try to get this followed up ASAP, so we can get some visibility on all this.

Righto.

--
Adam

Sunday 25 October 2015

ColdFusion: new updates for CF10 and 11 available for pre-release testing

G'day:
I'm a day or so behind on this, but in case you're a ColdFusion user but don't follow the Adobe ColdFusion Blog, this is for you.

Adobe have released a pre-release version of the latest updates for ColdFusion 10 and ColdFusion 11.

Official word here:
Note that these are prerelease updaters, so are not fit for putting in production. What they are for is for you to install in your lab so you can run your regression tests, or, if this release fixes a bug that has been impacting you, so you can test that the fix works.

If you're running ColdFusion 10 and/or 11, make sure you go subscribe to those comment threads if nothing else. It's important to know about other people's experiences with the updaters, which often gets reported on these threads.

Here are the bugs fixed in each:

ColdFusion 10 update 18


Bug ID  | Title | Product Area
4034570 | Ehcache with CFQuery: not responsive and stops caching after Query Cache Size reached | Caching
3982337 | cfinput is not working for some characters with HF5/HF 16 | CFForm
4010041 | Image Functions All Fail on Mac | CFIMAGE
3634391 | null pointer exception thrown every now and then | Core Runtime
3982713 | Through Proxy authentication Hotfixes couldn't be downloaded with update 15 and later/CF 11 also | Hot Fix Installer
3490112 | SEVERE: Error in getRealPathFromConn persists after Updating Coldfusion | Installation/Config
3536673 | Problem with empty CGI variables/Windows authentication in CF10/IIS 7.5 | Installation/Config
3982328 | IIS not displaying content of OnMissingTemplate | Installation/Config
3987369 | CGI.http_url encoding inconsistent with CF9 | Installation/Config
4071931 | Same site is getting multiples times if we configure connector multiple times from command prompt in win 10 | Installation/Config
4072189 | Unable to start colldfusion main instance server after hotfix upgrade to HF18 | Installation/Config
3598342 | CFHTTP does not work with SNI enabled SSL | Net Protocols
3980257 | http proxy authentication fail | Net Protocols
3918758 | System Probe Failing because of csrftoken | Security
3941059 | Incorrect behaviour of SerializeJSON() on strings that contain U+xxxx in CF10 Update 15 | Serialization
4027176 | unable to invoke / Register web services | Web Services

ColdFusion 11 update 7


Bug ID  | Title | Product Area
3741324 | cfgrid with a boolean type gridcolumn, displays dropdown listbox outside the confines of the grid control. | AJAX
4034570 | Ehcache with CFQuery: not responsive and stops caching after Query Cache Size reached | Caching
3982337 | cfinput is not working for some characters with HF5/HF 16 | CFForm
3952949 | ColdFusion 11 CFPrint not printing portion of PDF generated by Adobe Central (jetForms) | CFPRINT
3971083 | cfstoredproc - Last OUTPUT parameter - ColdFusion 11 Update 5 | Database
4043047 | query of query WHERE filter no longer disregards filler spaces in fixed with data fields | Database
3822982 | "Report Execution Times" is prohibitively slow on large apps | Debugging
4031773 | PDFg services break with Update 5 | Document Management
3982713 | Through Proxy authentication Hotfixes couldn't be downloaded with update 15 and later/CF 11 also | Hot Fix Installer
3490112 | SEVERE: Error in getRealPathFromConn persists after Updating Coldfusion | Installation/Config
3536673 | Problem with empty CGI variables/Windows authentication in CF10/IIS 7.5 | Installation/Config
3982328 | IIS not displaying content of OnMissingTemplate | Installation/Config
3980257 | http proxy authentication fail | Net Protocols
3918758 | System Probe Failing because of csrftoken | Security
3926238 | [ANeff] Bug for: breaks Admin API access | Security
3941059 | Incorrect behaviour of SerializeJSON() on strings that contain U+xxxx in CF10 Update 15 | Serialization
4027176 | unable to invoke / Register web services | Web Services


The ColdFusion 10 update seemed to apply fine, but it took me about four goes for the ColdFusion 11 update to "take" on my CF11 Express install. This is par for the course with installing updates on Express, so that's nothing new.

Anyway... there you go... an opportunity to lab-test these updates and report any issues to Adobe.

Cheers Adobe for pre-releasing this!

Righto.

--
Adam

Sunday 30 August 2015

ColdFusion: exactly what you are installing when you install this recent security "hot fix"

G'day:
Adobe recently released a security fix for a security issue in ColdFusion's Flash Remoting services. It impacts all versions of ColdFusion which ship with Flash Remoting (that's at least ColdFusion 9 through ColdFusion 11, but possibly older versions too). Only CF10 and CF11 have been patched, although Piyush claims to have instructions for patching CF9; he is not being helpful about sharing this info with the ColdFusion community for some reason.

This morning I read an article from ZDNet ("Adobe issues hotfix patch for ColdFusion vulnerability") wherein Adobe appear to have claimed that "A hotfix, otherwise known as a Quick Fix Engineering update (QFE update), is a lightweight software patch". This is somewhat of a misrepresentation of reality on the part of either Adobe or ZDNet. I suspect ZDNet are just reporting what Adobe told them.

The "patch" that was released was rolled into all other previous fixes released for ColdFusion, and one does not have the option to simply apply the one-off security fix; one also needs to apply every single other fix Adobe have ever released for the product.

This represents quite a heavy regression-testing burden for anyone thinking of applying the patch. It is not just a matter of installing one small patch and then regression testing a small subset of potential touchpoints in one's CFML application; it means a complete regression testing of everything Adobe have "fixed" in previous patches. And given the ColdFusion Team have a habit of introducing new bugs with these monolithic updates they give us, this is not something that ought to be taken lightly.

To put things in perspective, here is a list of all the fixes shipped with this "quick fix engineering update", for ColdFusion 11:

Thursday 27 August 2015

ColdFusion: another security hole has been patched (CF10 and CF11)

G'day:
Just so yer aware, another update for ColdFusion was released this afternoon (UK time). Apparently there's a security hole in ColdFusion's BlazeDS integration which has been fixed. I don't actually know what CF uses BlazeDS for, I have to admit. I don't even know what BlazeDS even is, now that I come to think of it. [quickly googles...]

BlazeDS is a server-based Java remoting and web messaging technology that allows you to connect to back-end distributed data and push data to Adobe Flex and Adobe Integrated Runtime (AIR) Rich Internet applications (RIA).

So no wonder I didn't know what it was.

Anyway, Anit said on the Slack channel that it will only affect you if yer using BlazeDS, so that's probably not most people.

Update:

Seems I've misinterpreted what Anit said, or something, as Rupesh - who is now on the CFML Slack Channel too - has just clarified with this:

Regarding the blazeds 0-day vulnerability that we patched a day back. It seems like there is an impression that the server is not impacted if you are not using blazeds. Your server is not impacted *only* if you have disabled flash remoting. By default it is enabled and hence your server is impacted.

Please make sure to apply this update

The Adobe blog article about it is here: "ColdFusion 11 Update 6 and ColdFusion 10 Update 17 now available". Make sure to subscribe to the comments on that thread to keep yourself up to date with anything "untoward" in the update process. I've not installed it myself yet. Obviously make sure to test the update in your test lab first. Don't just stick it straight on your live boxes. Also bear in mind that CF updates are cumulative, so as well as this particular fix, it'll include all the other bugfixes too, so there's a lot of moving parts that could cause you grief. Regression test thoroughly.

I guess if you're using CF9 or older you're SooL, I'm afraid.

Update re ColdFusion 9:

Piyush has indicated Adobe do have instructions as to how to patch ColdFusion 9 servers, but instead of just posting them like a responsible vendor would do, one has to email him to get them. Groan. However Dave Epler has documented his steps to patch CF9 on his blog: "Manually Patching ColdFusion 9 with APSB15-21 (CVE-2015-3269)". Dave knows what he's doing, so you'll be safe in his hands. Safer than in Adobe's, it would seem.

That's it.

--
Adam

Tuesday 14 April 2015

ColdFusion Team & especially Anit: bloody well done

G'day:
This is a quick adjunct to the article I put up a few min ago: "ColdFusion 10 & 11: new updaters released".

During install, Ray found that the update didn't show up in his CFAdmin. Anit reported back straight away:



And before you knew it, he was reporting back:


Elapsed time: 17 minutes.

Good work, Adobe ColdFusion Team. And good being so responsive, and keeping us in the loop, Anit.

Righto.

--
Adam

ColdFusion 10 & 11: new updaters released

G'day:
This just came to my attention courtesy of Ron Stewart on Twitter:


Sunday 22 February 2015

ColdFusion: testing the recent updates

G'day:
As I'd raised a few of the issues Adobe claims to have fixed in these recent ColdFusion updaters, I figure I should probably do some testing for them.

First up, ColdFusion 11 update 5

Thursday 19 February 2015

ColdFusion 11 update 4 released

G'day:
This'll be quick as I'm sitting in some dodgy motel room in Wellington, in the dark, with internet that is hamster-wheel powered.

I just noticed ColdFusion 11 update 4 has finally been released. That took longer than it should have. I suspect Adobe forgot they hadn't released it.

This is the one that basically fixes everything that updater 3 broke. So not exactly a forward move, but hey. At least Adam Tuttle will be pleased the ?: will be working again.

Oh, and make sure you pay attention to this guidance:



It's great to see they still haven't managed to automate that step.

Obviously if you install this, put it on a test machine first, and do your unit and regression tests. Do not put it straight into production.

The details are here, and you install most of it via CFAdmin.

--
Adam

Sunday 11 January 2015

CFML: design brain-fart in Application-specific DSN definitions on ColdFusion

G'day:
This article is just some analysis (and opinion, unsurprisingly) on the situation described in this bug ticket: "THIS.datasources changes ignored until CF restart".

In ColdFusion 11 (and Railo 4) one can specify data source definitions in Application.cfc, for example:

// Application.cfc
component {
    this.name = "myApp";

    this.datasources = {
        myDsn = {
            database = "dbName",
            host     = "localhost",
            port     = "3306",
            driver   = "MySQL5",
            username = "dbUser",
            password = "dbPassword"
        }
    };
    this.datasource = "myDsn";
}

(That's for ColdFusion 11. Railo's syntax differs slightly: there's an example of it further down).

Tuesday 9 December 2014

ColdFusion 11 update 3 and ColdFusion 10 update 15 are out

G'day:
Adobe have finalised ColdFusion 11's update 3, and ColdFusion 10's update 15. Official word is on their blog "ColdFusion 11 Update 3 and ColdFusion 10 Update 15 are available now".

I'm in the process of running them now...

ColdFusion 11 updates to version 11,0,03,292480. It claims to fix 195 issues, btw. That's pretty impressive. Although, equally, not before time.

The update installation process went smoothly (I am just running the Express install).

ColdFusion 10 updates to version 10,0,15,292549. It just mentions a security update.

Note: both updates require reconfiguring the web server connectors. As I'm just running the internal web server on both of these, I've not needed to bother with that.

I'll probably go ahead and install Java 8 now, and reconfigure these CF instances to run atop of that.

Adobe have done a good job with their fixes for ColdFusion 10 and 11 recently. However they need to shorten their release cycle so that an update ships at least every 2-3 months. Once a month would be better. They don't need to fix 195 bugs every month, just the most recent ones, and a few of the longer-standing ones each time. Here's hoping they can achieve this.

But: good work, Adobe. Nice one.

--
Adam

Friday 7 November 2014

ColdFusion: Adobe kinda trumped me to this

G'day:
An article I've been drafting in my head is a suggestion for Adobe as to how they can make the ColdFusion release cycle less painful for their clients. They've actually done part of what I was thinking of advising today, by releasing the latest updater for ColdFusion 11 to beta for us to test ("ColdFusion 11: a decent bugfix update has been released to beta"). But I'll write down what I was thinking anyhow.

ColdFusion 11: a decent bugfix update has been released to beta

G'day:
I just noticed this: "ColdFusion 11 Update 3 is available for early access".

Looking at it, it's pretty impressive / optimistic: over 100 issues fixed.

As with all ColdFusion updates, test it in your lab environment thoroughly before thinking about putting it into production. This would always apply to anything Adobe release for ColdFusion, but especially bear in mind this is - at best - a beta.

--
Adam


Thursday 30 October 2014

ColdFusion bug challenge: how quickly can one find a bug in ColdFusion 11?

G'day:
Yesterday at lunchtime, I set myself a challenge: how quickly could I find a new, unreported bug in ColdFusion 11.

Tuesday 14 October 2014

ColdFusion: new security patches for 9.0, 9.0.1, 9.0.2, 10.x, 11.x

G'day:
Patches just came out for all versions of ColdFusion from 9.0 upwards. Details in their security document: "ColdFusion Help / ColdFusion Security hot fix APSB14-23".

I've not checked the content of it, but I will say that if at this late stage of ColdFusion 9's life (it's EOL on Dec 31 this year) they're releasing individual patches for all of 9.0, 9.0.1, 9.0.2, then I am guessing it's fairly serious. So get your test machines updated as soon as possible and regression-test your apps, then look to move it to live as soon as it seems stable.

And in the meantime, we're still waiting for a more useful bug-patch for both CF10 and CF11. Wonder when to expect that? It's been promised as coming out "soon" since about August, I think..?

I've just noticed that the ColdFusion 10 one is actually a fairly substantial patch, fixing 60-odd issues! So that's quite good. Details in "ColdFusion Help / Bugs fixed in ColdFusion 10 Update 14".


Anyway, there you go.

--
Adam

Friday 22 August 2014

Have found some evidence for that "There was an error accessing this page. Check logs for more details." issue in CFAdmin

G'day:
I dunno if you've had this before, but I fairly frequently am confronted with this whenever I try to change something in CFAdmin:


This is after I successfully log in, and can click around no worries, but as soon as I go to change anything, I get this error. This is a concern because it looks like there's a disconnect between CFAdmin's authentication (logging in) and authorisation (what one can do once logged in).

Wednesday 20 August 2014

Go and vote, pls

G'day:
Sorry for the silence recently... my life is getting very... complex of late.

Anyway, Adobe are playing at silly buggers with a bug that they're dragging their heels about, and they are saying it needs more votes to get more attention.

It's to do with CFClient, but just on principle, I've voted for it because they need to stop with these sloppy implementations. Hopefully you think likewise, so will go vote for this: "queryExecute params not working in mobile".

Sloppy, inconsistent implementations ought not need votes to get fixed. Adobe ought to have more pride in their work. But if instead they need votes... let's give them votes.

Cheers.

--
Adam

Tuesday 5 August 2014

CFML: <cfchart> / <cfchartseries> bug details for Adobe & Railo

G'day:
I need a place to put some pictures for a coupla bugs I need to raise, so I'll slap 'em in here and point Adobe & Railo at them. There's not much of interest going on below the fold, so don't bother reading it if you have something better to do.

Thursday 17 July 2014

My position on running ColdFusion 11.0.0 in production

G'day:
I've seen a few people claim they're about to go into production with ColdFusion 11. My reaction to that is "are you a lunatic" (note lack of question mark).