Thursday 6 August 2015

Lucee: FUD from their own comms channel regarding an urgent security fix

This just presented itself on Twitter:

Initially I couldn't find anything else about it, and other people are asking too.

This is a pretty crap way of announcing a security issue. I'd like to know who is responsible for that Twitter account, as they need a bullet.

What needs to be done is:
  1. Create release notes.
  2. Stick the download on the download site, and via the upgrade channel.
  3. Write a blog article covering the update.
  4. Probably put something on the LAS website too.
  5. Then announce it on the Google Group (they have done this, I note).
  6. Then announce it on Twitter, with links back to one of the above.

Here's the info from the Lucee Google Group:

Security fix and new BER release

There is a new security fix available for Lucee 4.5 on the stable and dev update provider you can install now. As is normal in this type of situation, we will not disclose the issue being addressed so as to protect our current user base, but it is recommended to update as soon as possible.

This security fix is available for our current stable release ( on the stable release channel and for our BER release ( on the develop release channel.

For a manual installation you can download the core files from here (


So, anyway... comms shortfalls aside... go update your Lucee server.

Oh, and I'll try to find out if it impacts Railo too...