Showing posts with label ColdFusion 10. Show all posts

Sunday, 25 October 2015

ColdFusion: new updates for CF10 and 11 available for pre-release testing

G'day:
I'm a day or so behind on this, but in case you're a ColdFusion user but don't follow the Adobe ColdFusion Blog, this is for you.

Adobe have released a pre-release version of the latest updates for ColdFusion 10 and ColdFusion 11.

Official word here:
Note that these are prerelease updaters, so are not fit for putting in production. What they are for is for you to install in your lab so you can run your regression tests or, if this release fixes a bug that has been impacting you, to test that the fix works.

If you're running ColdFusion 10 and/or 11, make sure you go subscribe to those comment threads if nothing else. It's important to know about other people's experiences with the updaters, which often get reported on these threads.

Here are the bugs fixed in each:

ColdFusion 10 update 18


| Bug ID | Title | Product Area |
|---|---|---|
| 4034570 | Ehcache with CFQuery: not responsive and stops caching after Query Cache Size reached | Caching |
| 3982337 | cfinput is not working for some characters with HF5/HF 16 | CFForm |
| 4010041 | Image Functions All Fail on Mac | CFIMAGE |
| 3634391 | null pointer exception thrown every now and then | Core Runtime |
| 3982713 | Through Proxy authentication Hotfixes couldn't be downloaded with update 15 and later/CF 11 also | Hot Fix Installer |
| 3490112 | SEVERE: Error in getRealPathFromConn persists after Updating Coldfusion | Installation/Config |
| 3536673 | Problem with empty CGI variables/Windows authentication in CF10/IIS 7.5 | Installation/Config |
| 3982328 | IIS not displaying content of OnMissingTemplate | Installation/Config |
| 3987369 | CGI.http_url encoding inconsistent with CF9 | Installation/Config |
| 4071931 | Same site is getting multiples times if we configure connector multiple times from command prompt in win 10 | Installation/Config |
| 4072189 | Unable to start colldfusion main instance server after hotfix upgrade to HF18 | Installation/Config |
| 3598342 | CFHTTP does not work with SNI enabled | SSL Net Protocols |
| 3980257 | http proxy authentication fail | Net Protocols |
| 3918758 | System Probe Failing because of csrftoken | Security |
| 3941059 | Incorrect behaviour of SerializeJSON() on strings that contain U+xxxx in CF10 Update 15 | Serialization |
| 4027176 | unable to invoke / Register web services | Web Services |

ColdFusion 11 update 7


| Bug ID | Title | Product Area |
|---|---|---|
| 3741324 | cfgrid with a boolean type gridcolumn, displaysdropdown listbox outside the confines of the grid control. | AJAX |
| 4034570 | Ehcache with CFQuery: not responsive and stops caching after Query Cache Size reached | Caching |
| 3982337 | cfinput is not working for some characters with HF5/HF 16 | CFForm |
| 3952949 | ColdFusion 11 CFPrint not printing portion of PDF generated by Adobe Central (jetForms) | CFPRINT |
| 3971083 | cfstoredproc - Last OUTPUT parameter - ColdFusion 11 Update 5 | Database |
| 4043047 | query of query WHERE filter no longer disregards filler spaces in fixed with data fields | Database |
| 3822982 | "Report Execution Times" is prohibitively slow on large apps | Debugging |
| 4031773 | PDFg services break with Update 5 | Document Management |
| 3982713 | Through Proxy authentication Hotfixes couldn't be downloaded with update 15 and later/CF 11 also | Hot Fix Installer |
| 3490112 | SEVERE: Error in getRealPathFromConn persists after Updating Coldfusion | Installation/Config |
| 3536673 | Problem with empty CGI variables/Windows authentication in CF10/IIS 7.5 | Installation/Config |
| 3982328 | IIS not displaying content of OnMissingTemplate | Installation/Config |
| 3980257 | http proxy authentication fail | Net Protocols |
| 3918758 | System Probe Failing because of csrftoken | Security |
| 3926238 | [ANeff] Bug for: breaks Admin API access | Security |
| 3941059 | Incorrect behaviour of SerializeJSON() on strings that contain U+xxxx in CF10 Update 15 | Serialization |
| 4027176 | unable to invoke / Register web services | Web Services |


The ColdFusion 10 update seemed to apply fine, but it took me about four goes for the ColdFusion 11 update to "take" on my CF11 Express install. This is par for the course with installing updates on Express, so that's nothing new.

Anyway... there you go... an opportunity to lab-test these updates and report any issues to Adobe.

Cheers Adobe for pre-releasing this!

Righto.

--
Adam

Sunday, 30 August 2015

ColdFusion: exactly what you are installing when you install this recent security "hot fix"

G'day:
Adobe recently released a fix for a security issue in ColdFusion's Flash Remoting services. It impacts all versions of ColdFusion which ship with Flash Remoting (that's at least ColdFusion 9 through ColdFusion 11, but possibly older versions too). Only CF10 and CF11 have been patched. Piyush claims to have instructions for patching CF9, but is not being helpful about sharing this info with the ColdFusion community for some reason.

This morning I read an article from ZDNet ("Adobe issues hotfix patch for ColdFusion vulnerability") wherein Adobe appear to have claimed of this fix that "A hotfix, otherwise known as a Quick Fix Engineering update (QFE update), is a lightweight software patch". This is somewhat of a misrepresentation of reality on the part of either Adobe or ZDNet. I suspect ZDNet are just reporting what Adobe told them.

The "patch" that was released was rolled into all other previous fixes released for ColdFusion, and one does not have the option to simply apply the one-off security fix; one also needs to apply every single other fix Adobe have ever released for the product.

This represents quite a heavy regression-testing burden for anyone thinking of applying the patch. It is not just a matter of installing one small patch and then regression testing a small subset of potential touchpoints in one's CFML application; it means a complete regression testing of everything Adobe have "fixed" in previous patches. And given the ColdFusion Team have a habit of introducing new bugs with these monolithic updates they give us, this is not something that ought to be taken lightly.

To put things in perspective, here is a list of all the fixes shipped with this "quick fix engineering update", for ColdFusion 11:

Thursday, 27 August 2015

ColdFusion: another security hole has been patched (CF10 and CF11)

G'day:
Just so yer aware, another update for ColdFusion was released this afternoon (UK time). Apparently there's a security hole in ColdFusion's BlazeDS integration which has been fixed. I don't actually know what CF uses BlazeDS for, I have to admit. I don't even know what BlazeDS even is, now that I come to think of it. [quickly googles...]

BlazeDS is a server-based Java remoting and web messaging technology that allows you to connect to back-end distributed data and push data to Adobe Flex and Adobe Integrated Runtime (AIR) Rich Internet applications (RIA).

So no wonder I didn't know what it was.

Anyway, Anit said on the Slack channel that it will only affect you if yer using BlazeDS, so that's probably not most people.

Update:

Seems I've misinterpreted what Anit said, or something, as Rupesh - who is now on the CFML Slack Channel too - has just clarified with this:

Regarding the blazeds 0-day vulnerability that we patched a day back, It seems like there is an impression that the server is not impacted if you are not using blazeds. Your server is not impacted *only* if you have disabled flash remoting. By default it is enabled and hence your server is impacted.

Please make sure to apply this update

The Adobe blog article about it is here: "ColdFusion 11 Update 6 and ColdFusion 10 Update 17 now available". Make sure to subscribe to the comments on that thread to keep yourself up to date with anything "untoward" in the update process. I've not installed it myself yet. Obviously make sure to test the update in your test lab first. Don't just stick it straight on your live boxes. Also bear in mind that CF updates are cumulative, so as well as this particular fix, it'll include all the other bugfixes too, so there's a lot of moving parts that could cause you grief. Regression test thoroughly.

I guess if you're using CF9 or older you're SooL, I'm afraid.

Update re ColdFusion 9:

Piyush has indicated Adobe do have instructions as to how to patch ColdFusion 9 servers, but instead of just posting them like a responsible vendor would do, one has to email him to get them. Groan. However Dave Epler has documented his steps to patch CF9 on his blog: "Manually Patching ColdFusion 9 with APSB15-21 (CVE-2015-3269)". Dave knows what he's doing, so you'll be safe in his hands. Safer than in Adobe's, it would seem.

That's it.

--
Adam

Tuesday, 14 April 2015

ColdFusion 10 & 11: new updaters released

G'day:
This just came to my attention courtesy of Ron Stewart on Twitter:


Tuesday, 9 December 2014

ColdFusion 11 update 3 and ColdFusion 10 update 15 are out

G'day:
Adobe have finalised ColdFusion 11's update 3, and ColdFusion 10's update 15. Official word is on their blog "ColdFusion 11 Update 3 and ColdFusion 10 Update 15 are available now".

I'm in the process of running them now...

ColdFusion 11 updates to version 11,0,03,292480. It claims to fix 195 issues, btw. That's pretty impressive. Although, equally, not before time.

The update installation process went smoothly (I am just running the Express install).

ColdFusion 10 updates to version 10,0,15,292549. It just mentions a security update.

Note: both updates require reconfiguring the web server connectors. As I'm just running the internal web server on both of these, I've not needed to bother with that.

I'll probably go ahead and install Java 8 now, and reconfigure these CF instances to run atop of that.

Adobe have done a good job with their fixes for ColdFusion 10 and 11 recently. However they need to reduce their cycle duration down to 2-3 monthly minimum. Once a month would be better. They don't need to fix 195 bugs every month, just the most recent ones, and a few of the longer standing ones each time. Here's hoping they can achieve this.

But: good work, Adobe. Nice one.

--
Adam

Wednesday, 15 October 2014

Warning: people have been having issues with ColdFusion 10 update 14

G'day:
I've nothing much to say other than what it says in the headline: people have reported issues with the ColdFusion 10 update 14 that was released yesterday ("ColdFusion: new security patches for 9.0, 9.0.1, 9.0.2, 10.x, 11.x"):

As is my advice with anything the Adobe ColdFusion Team produces: it does not pay to be an early adopter. Let other people find the issues first, and let the resolutions bubble up before you run the risk of experiencing them yourselves.

And if you feel you must install it immediately, as I said yesterday: install it in a test environment and fully regression test your applications first.

Don't just install it on production servers without first testing it. This obviously applies to any change you're thinking of making to the system.

Oh... the ColdFusion Team have also got around to mentioning these new updates on their blog: "Updates for ColdFusion 11, ColdFusion 10 and ColdFusion 9 released". I recommend you go and read the comments and subscribe to the thread so as to stay on top of people's findings, and Adobe's responses.

--
Adam

Tuesday, 14 October 2014

ColdFusion: new security patches for 9.0, 9.0.1, 9.0.2, 10.x, 11.x

G'day:
Patches just came out for all versions of ColdFusion from 9.0 upwards. Details in their security document: "ColdFusion Help / ColdFusion Security hot fix APSB14-23".

I've not checked the content of it, but I will say that if at this late stage of ColdFusion 9's life (it's EOL on Dec 31 this year) they're releasing individual patches for all of 9.0, 9.0.1, 9.0.2, then I am guessing it's fairly serious. So get your test machines updated as soon as possible and regression-test your apps, then look to move it to live as soon as it seems stable.

And in the mean time, we're still waiting for a more useful bug-patch for both CF10 and CF11. Wonder when to expect that? It's been promised as coming out "soon" since about August, I think..?

I've just noticed that the ColdFusion 10 one is actually a fairly substantial patch, fixing 60-odd issues! So that's quite good. Details in "ColdFusion Help / Bugs fixed in ColdFusion 10 Update 14".


Anyway, there you go.

--
Adam

Thursday, 17 July 2014

Warning: don't de-install patches from ColdFusion 10

G'day:
Here's a warning... it's a bit of an edge-case, but worth knowing. I just tried to de-install some patches from two of my ColdFusion 10 servers, and in both cases it has rendered CF Administrator inaccessible due to a ColdFusion error.

Where are the ColdFusion 10 & 11 updates, Adobe?

G'day:
Here's a quick thought that's been bugging me for a month or two now. What's happened with the ColdFusion updater?

Checking Wikipedia, the update history for ColdFusion 10 is as follows:
2012-May-15: Adobe ColdFusion 10 (build 10,0,0,282462)
2012-August-31: Adobe ColdFusion 10 Update 1 (build 10,0,0,282462)
2012-September-11: Adobe ColdFusion 10 Update 2 (build 10,0,0,283111)
2012-October-16: Adobe ColdFusion 10 Update 3 (build 10,0,3,283145)
2012-November-02: Adobe ColdFusion 10 Update 4 (build 10,0,4,283281)
2012-November-19: Adobe ColdFusion 10 Update 5 (build 10,0,5,283319)
2012-December-11: Adobe ColdFusion 10 Update 6 (build 10,0,6,283435)
2013-January-15: Adobe ColdFusion 10 Update 7 (build 10,0,7,283649)
2013-February-27: Adobe ColdFusion 10 Update 8 (build 10,0,8,284032)
2013-Apr-10: Adobe ColdFusion 10 Update 9 (build 10,0,9,284568)
2013-May-14: Adobe ColdFusion 10 Update 10 (build 10,0,10,284825)
2013-July-09: Adobe ColdFusion 10 Update 11 (build 10,0,11,285437)
2013-November-12: Adobe ColdFusion 10 Update 12 (build 10,0,12,286680)
2014-January-10: Adobe ColdFusion 10 Update 13 (build 10,0,13,287689)

So there's a steady stream of updates and hotfixes there, up until Jan this year. Then nothing for over six months now. And it's not as if there's no bugs to fix in ColdFusion 10. I posted some analysis of "significant" ColdFusion 10 bugs a while back: "What should Adobe be retro-fitting into ColdFusion 10? Here's a potential list", and there's a reasonable case that Adobe should be dripping out fixes from that list (or similar) pretty much constantly. But nothing.

Some will leap to Adobe's defence saying "but they were busy working on ColdFusion 11". Sorry, but we oughtn't give a shit. Life goes on, and we've already paid for ColdFusion 10, so they should be making good on the bill of goods they've already sold us before prioritising the next thing they expect us to buy.

I also think by now there ought to have been a few hotfixes for ColdFusion 11... it's not short in the bug / half-finished department either.

So what's going on, Adobe?

--
Adam

Friday, 13 June 2014

What should Adobe be retro-fitting into ColdFusion 10? Here's a potential list

G'day:
Adobe fixed a helluva lot of bugs during development of ColdFusion 11 (as per "Adobe ColdFusion Splendor (codename) & Adobe ColdFusion Thunder (codename)" (PDF)).

However there's been no patch for ColdFusion 10 for a while, and an awful lot of those bugs were raised against ColdFusion 10. So by rights they should be fixed in ColdFusion 10 too.

But fair's fair... not every bug is important. So I've distilled that list down to just the ColdFusion 10 bugs, and the ones that were listed as "High".

Here they are:

Tuesday, 29 April 2014

ColdFusion 10: be prepared, Adobe is removing the downloads

G'day:
Amongst the (fairly muted) hubbub around ColdFusion 11 shipping today ("Announcing the launch of ColdFusion 11 and ColdFusion Builder 3"), Adobe slipped some bad news into the mix as well. In a few weeks they will be removing the ColdFusion 10 downloads from their site:
Availability of installers for CF10 and CFB 2.0.1
ColdFusion 10 installers and ColdFusion Builder 2.0.1 installers will only be available for download on adobe.com for a limited time – till the 14th of May, 2014. If you need these installers for later use, then please download them before the 14th of May, 2014.

Wednesday, 19 March 2014

ColdFusion 11: bug triage (and fixing?) seems to have stalled

G'day:
Ages back I wrote an article "212 untriaged ColdFusion 10 bugs", and indicated my horror at how many bugs in the current version of ColdFusion that Adobe had seen fit to simply ignore. I don't mean "not fix", I meant "just completely ignore; ie: not even acknowledge the bug had been raised".

I followed this up a coupla months later with "Bug watch: 206 untriaged ColdFusion 10 bugs"; in that two months they had managed to triage a net of six tickets that had been raised.

Just a week later we were down to 165 untriaged bugs: "Good work Adobe ColdFusion Team!", and they had made good progress from there, getting it well below 100 untriaged bugs, and got it down to a low of 40 on Jan 22 this year. Again: good work!

Thursday, 30 January 2014

Underlying Java methods of CFML objects

G'day:
A week or so ago, I wrote an article 'Using "undocumented" methods'. This got mention on CFHour last week: "Show #206 - Mucho Happy Box", and one observation I think Scott made was that it'd be useful to know what methods were available, even if one might not necessarily want to use 'em (see the earlier article and its comments as to why one might not want to use 'em).

Anyway, ages ago I came across a handy Java class, ClassViewer, which enables one to inspect the underlying methods of CFML objects using Java reflection. I wrote an article about it, "ClassViewer.java", and posted the source code. I hasten to add it is not my own work, but it is jolly handy code. I also knocked together a CFML version of it: "ClassViewer.cfc" (Gist). I've gone through and pumped a bunch of CFML objects through this, and saved the output on my CFMLDeveloper account. Here's links to 'em all:


Friday, 10 January 2014

ColdFusion 10 Update 13: "This update introduces support for OS X 10.9 Mavericks"

G'day:
Just a heads-up for you Mac users out there who have been caught out by issue 3653076 "Bad apache / tomcat connector for Mac OSX Mavericks 10.9".

Adobe just posted this: "ColdFusion 10 Update 13 released", and this includes the fix for the Mavericks thing.

I have not attempted to install the updater yet. Let us know how you get on with it.

Update:

I have now. Please note that the fix for 3653076 is the only fix in this update. Which is pretty bloody disappointing, actually!

--
Adam

Tuesday, 31 December 2013

(1/4): it's not all about ColdFusion 10 bugs. CF 9.x has outstanding bugs too...

G'day:
First the "1/4" thing. Matt Bourke has just challenged me to release another four blog articles today. Let's see if I can do it. I make no apologies for the quality (or length) of the writing today. I'm not in the pub for one thing ;-)

This one is really short, but was underway before Matt challenged me.

Friday, 20 December 2013

Bouquet for Adobe: Frank Jennings is a star

G'day:
Myself along with a coupla others gave the poor quality of the ColdFusion docs a bit of a battering on Twitter last night:



And it continues...

Monday, 18 November 2013

Request for clarification on some stuff from Adobe

G'day:
I've encountered some questions regarding the recent update, and have questions of my own... and I don't know the answers. So I'm gonna raise 'em here and bring 'em to Adobe's attention and see if we can get some answers. It's nothing major, and for once not a gripe (well... not on the scale that I often gripe, anyhow...).

Thursday, 14 November 2013

Weirdness with installing ColdFusion 10 update 12

G'day:
A coupla days back update 12 came out for ColdFusion 10: "ColdFusion Help / ColdFusion 10 Update 12". I had some installation "challenges" with it, and have now heard of two other people with the same experience.

Tuesday, 29 October 2013