Thursday 27 August 2015

ColdFusion: another security hole has been patched (CF10 and CF11)

Just so yer aware, another update for ColdFusion was released this afternoon (UK time). Apparently there's a security hole in ColdFusion's BlazeDS integration which has been fixed. I don't actually know what CF uses BlazeDS for, I have to admit. I don't even know what BlazeDS is, now that I come to think of it. [quickly googles...]

BlazeDS is a server-based Java remoting and web messaging technology that allows you to connect to back-end distributed data and push data to Adobe Flex and Adobe Integrated Runtime (AIR) Rich Internet applications (RIA).

So no wonder I didn't know what it was.

Anyway, Anit said on the Slack channel that it will only affect you if yer using BlazeDS, so that's probably not most people.


Seems I've misinterpreted what Anit said, or something, as Rupesh - who is now on the CFML Slack Channel too - has just clarified with this:

Regarding the BlazeDS 0-day vulnerability that we patched a day back: it seems like there is an impression that the server is not impacted if you are not using BlazeDS. Your server is not impacted *only* if you have disabled Flash Remoting. By default it is enabled and hence your server is impacted.

Please make sure to apply this update.

The Adobe blog article about it is here: "ColdFusion 11 Update 6 and ColdFusion 10 Update 17 now available". Make sure to subscribe to the comments on that thread to keep yourself up to date with anything "untoward" in the update process. I've not installed it myself yet. Obviously test the update in your test lab first; don't just stick it straight on your live boxes. Also bear in mind that CF updates are cumulative, so as well as this particular fix it'll include every other bugfix since the last update you applied, so there are a lot of moving parts that could cause you grief. Regression test thoroughly. If you want to know where you stand in the meantime, the setting Rupesh is talking about lives in ColdFusion Administrator under Data & Services > Flex Integration ("Enable Flash Remoting support"). It is on by default, and switching it off is only a stopgap for servers where nothing relies on AMF remoting, so apply the update either way.

I guess if you're using CF9 or older you're SooL, I'm afraid.

Update re ColdFusion 9:

Piyush has indicated Adobe do have instructions as to how to patch ColdFusion 9 servers, but instead of just posting them like a responsible vendor would do, one has to email him to get them. Groan. However Dave Epler has documented his steps to patch CF9 on his blog: "Manually Patching ColdFusion 9 with APSB15-21 (CVE-2015-3269)". Dave knows what he's doing, so you'll be safe in his hands. Safer than in Adobe's, it would seem.
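If you look after more than a couple of boxes, the thing you actually want after reading the above is a quick way to tell which ones still need attention. Here is an added example of that, written for this article and not code from the post, from Adobe or from Dave Epler's write-up. It only uses what the post states: CF11 Update 6 and CF10 Update 17 carry the fix, CF9 has no updater and needs the manual patch, and per Rupesh a server is only out of scope if Flash Remoting is disabled. It assumes (an assumption about the format, so check it against your own servers) that version strings have the "major,minor,update,build" shape that the CFML variable server.coldfusion.productversion reports, and the host inventory in it is constructed with made-up build numbers:

```python
"""Fleet check for the ColdFusion fix discussed above (APSB15-21 / CVE-2015-3269).

Added example; this is not code from the post, from Adobe or from Dave Epler's
write-up. Facts taken from the post: the fix ships in ColdFusion 11 Update 6 and
ColdFusion 10 Update 17; ColdFusion 9 has no updater and needs the manual patch;
a server is only out of scope if Flash Remoting is disabled.

Assumption: version strings look like the "major,minor,update,build" value that
ColdFusion's server.coldfusion.productversion variable reports. The inventory at
the bottom is constructed and its build numbers are made up.
"""
from __future__ import annotations

from dataclasses import dataclass

# Minimum update level that includes the fix, per the Adobe post titled
# "ColdFusion 11 Update 6 and ColdFusion 10 Update 17 now available".
PATCHED_UPDATE = {10: 17, 11: 6}
MANUAL_PATCH_ONLY = {9}  # no updater; see Dave Epler's manual patching post


@dataclass(frozen=True)
class Verdict:
    host: str
    major: int
    update: int
    status: str  # "patched" | "vulnerable" | "mitigated" | "manual-patch-needed" | "unknown"
    note: str


def parse_productversion(value: str) -> tuple[int, int]:
    """Return (major, update) from a 'major,minor,update,build' string.

    Raises ValueError on anything without at least three numeric fields.
    """
    fields = [f.strip() for f in value.split(",")]
    if len(fields) < 3:
        raise ValueError(f"unexpected productversion {value!r}")
    return int(fields[0]), int(fields[2])


def assess(host: str, productversion: str, flash_remoting_enabled: bool = True) -> Verdict:
    """Decide whether one server still needs attention for APSB15-21."""
    try:
        major, update = parse_productversion(productversion)
    except ValueError as exc:
        return Verdict(host, 0, 0, "unknown", str(exc))

    if major in MANUAL_PATCH_ONLY:
        return Verdict(host, major, update, "manual-patch-needed",
                       "no updater for this release; apply the manual hotfix")

    if major not in PATCHED_UPDATE:
        return Verdict(host, major, update, "unknown",
                       "release not covered by the thresholds in this script")

    needed = PATCHED_UPDATE[major]
    if update >= needed:
        return Verdict(host, major, update, "patched", f"update {update} >= {needed}")
    if not flash_remoting_enabled:
        # Rupesh: not impacted only if Flash Remoting is disabled. Still flagged
        # separately from "patched": the toggle can be flipped back at any time.
        return Verdict(host, major, update, "mitigated",
                       f"Flash Remoting off, but update {update} < {needed}; patch anyway")
    return Verdict(host, major, update, "vulnerable",
                   f"Flash Remoting on (the default) and update {update} < {needed}")


def summarize(inventory) -> dict[str, list[str]]:
    """Run assess() over (host, productversion, flash_remoting_enabled) tuples and
    return a mapping of status -> sorted list of hosts."""
    out: dict[str, list[str]] = {}
    for host, version, remoting in inventory:
        verdict = assess(host, version, remoting)
        out.setdefault(verdict.status, []).append(verdict.host)
    return {status: sorted(hosts) for status, hosts in out.items()}


# Constructed inventory; build numbers are made up for illustration.
SAMPLE_INVENTORY = [
    ("cf11-web01", "11,0,06,296330", True),   # update 6 applied
    ("cf11-web02", "11,0,05,292024", True),   # one update behind, remoting on
    ("cf10-app01", "10,0,17,291539", True),   # update 17 applied
    ("cf10-app02", "10,0,16,289798", False),  # behind, but Flash Remoting disabled
    ("cf9-legacy", "9,0,1,274733", True),     # CF9: manual patch route
    ("mystery-box", "n/a", True),             # could not read the version
]

if __name__ == "__main__":
    for status, hosts in sorted(summarize(SAMPLE_INVENTORY).items()):
        print(f"{status:20s} {', '.join(hosts)}")
```

Feed it the productversion from each server (a one-line CFM page that dumps server.coldfusion.productversion will do, or read it off the Server Updates page in CF Admin) together with whether Flash Remoting is enabled on that box. "mitigated" is deliberately kept separate from "patched": the update is cumulative and the Flash Remoting setting can be switched back on by anyone with admin access.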

That's it.


Friday 10 July 2015


This is yet another code-free article, I'm afraid. I know I've been slack recently :-( I do have a coupla code-centric articles in the pipeline, which should be out the door over the weekend, with luck.

Anyway, this is all about the #CFML Slack channel. Here's the good news:

That 500 (at time of writing... it should be higher than that by the time you read this) is the number of CFML community members signed up to the #CFML Slack channel. That's not bad given it's only existed for a coupla weeks. If you haven't signed up yet... get on over there. Just click the thing above to get invited.

Tuesday 14 April 2015

ColdFusion Team & especially Anit: bloody well done

This is a quick adjunct to the article I put up a few min ago: "ColdFusion 10 & 11: new updaters released".

During install, Ray found that the update didn't show up in his CFAdmin. Anit reported back straight away:

And before you knew it, he was reporting back:

Elapsed time: 17 minutes.

Good work, Adobe ColdFusion Team. And good being so responsive, and keeping us in the loop, Anit.



Monday 30 March 2015

So exactly what does Adobe's ColdFusion 'Extended Support' get you?

This comment from Anit was fairly astonishing:

Saturday 22 November 2014

The Adobe ColdFusion Team are doing a bloody good job at the moment

I know I am the first (and loudest, and most repetitive...) to whinge about Adobe's ColdFusion lads (/ladesses), but... fair's fair... there's very bloody little to complain about at the moment.

Monday 15 September 2014

Come on Adobe: bring Anit to CFSummit

OK ColdFusion community: time to voice your will again.

Brad started this conversation off:

And the notion needs support: currently Anit is not attending CFSummit, and that's not really on.

Saturday 3 May 2014

List of articles on Adobe ColdFusion Forums for Anit

This is not an article per se, but just a list of links for Anit; I'll then be posting the link to this on Twitter. The links below are simply reproductions of my existing blog articles on the given topics, and do not represent new writing on my part.

Anit, these are the questions I wanted to ask the Adobe ColdFusion Team about some features of ColdFusion 11. As you suggested, I have posted them on the Adobe ColdFusion Forums. Here are links to the forum articles.

Thanks mate.