portal entry

This is great to see, Saurav. Thanks. (Folks have been left to dig through forum posts and bug tracker tickets to find this info and these links, formally shared from someone at Adobe.) Could we now get a post for that other hotfix jar that Adobe is sharing, addressing the few other issues introduced in the most recent update? That (including info on how to apply it) would be VERY helpful.

Comment by Charlie Arehart

<p>This is regarding CF 2016 Update 12.</p><p>There are two (at least) versions of the updated isapi_redirect.dll available. I’m using the bug tracker (<a href="https://tracker.adobe.com/#/view/CF-4205361" rel="nofollow">CF-4205361</a>) for reference, though I have seen the links shared elsewhere.</p><p>In one comment, Charlie <a href="https://www.dropbox.com/sh/q2hv32vuw25oiho/AADpPdNBKC82IXXIxBM60m-ya?dl=0" rel="nofollow">shared a link (ISAPI_Redirect_Patch)</a> that had two folders (Binaries and CF2016 Binaries) and the DLL. I download the DLL and it resolved the the 404 error reported by the connector. Interestingly, this DLL is the exact same size (515,584 bytes, 504k) as the buggy connector file that came with update 12, though they are different.</p><p>In another comment, Kailash <a href="https://www.dropbox.com/sh/zqfn58y3k81nwoj/AAAj1JWbqxr6vcSRacKx9af5a?dl=0" rel="nofollow">shared a link (CF2016 Binaries)</a> that has four folders for various operating systems. I assume that CF2016 Binaries folder is the same as the one that’s in Charlie’s link, though you can’t tell by the URLs, and you can’t navigate up the tree. I downloaded the DLL in Windows/IIS/64bit, and noticed that it’s smaller (488,448 bytes, 477k) than the other one, as well as the one that came with the update. The previous connector used on the server from (I think) updates 8/9, is 486,400 bytes.</p><p>This post links to a zip file that contains basically the contents of the CF2016 Binaries folder shared on Dropbox, though the 32-bit version is missing for IIS. The DLL in this file is identical to the one found in the link shared by Kailash.</p><p>So which of these is correct? The first one is the same size as the connector that came with the update (which seems reasonable since it’s a fix). The second is only slightly larger than the previous connector, which would make sense if a bunch of code was removed.</p><p>Thanks.</p>

Comment by sthompson

ST, a couple of things: I didn't share any link to files. Instead, I quoted Kailash who shared the link. And that was on the 7th (in a comment on that ticket you point to). then it was on the 8th that Kailash made another comment, sharing yet another link. Why they differ, I can't say, but it was a day later. It could be that the second was newer. More important, you don't seem to discuss comparing things to what Saurav has shared here in THIS post, which is yet a day later? Really, these files he has shared here would seem to take precedence over even the two sets shared Kailash so far. Make sense?

Comment by Charlie Arehart

Thanks a lot Charlie. Let me check with the team.

Comment by SauravGhosh

Charlie, Both sets contain the same dll and so files. That only change is in the locations specified to host the files. Earlier, we'd shared via Dropbox, but now we've changed it to Document cloud. Thanks.  

Comment by SauravGhosh

I've tried to access the links for both 2016 and 2018, but neither one is working now.  Did they pull these patches?

Comment by Scott15205

Scott, The links are working for us. Could you re-try or post the error message, if any? Thanks

Comment by SauravGhosh

While this is great creating a post for folks to download update jar/dll connector, it would be better for everyone to issue a separate HF to address all patch fixes. What do you think?

Comment by Chris Reese

Thanks Chris. As far as a separate HF is concerned, we are looking into the possibilities. We'll announce accordingly.

Comment by SauravGhosh

Considering that both CFOUTPUT and the ISAPI connector are broken in Updated 5, has Adobe given any thought to pulling the update?  I mean - why do you continue to distribute what you know to be a problematic update? Also, what is going on with the QA for ColdFusion?   I have not been able to deploy CF2018 to production yet because every single updater has broken a major feature.  The ternary operator was broken up until Update 5, and then update 5 broke CFOUTPUT and the ISAPI connector.  The team is cranking out tons of new features, but that doesn't mean squat if we literally can't use the product because core features are being broken in the process. What gives?  This team has to do better.

Comment by roland.collins

Did the JQuery UI update from 1.8.16  to 1.12.1 in Cold Fusion 2016 update 12?   If not release 12 then what release?  How come the JQuery UI update is not noted in the release notes?

Comment by CRAIG PENROSE_39

I am not in a position to quickly report if/when it updated, but I will say that since it's there for the sake of the CF features that use it, Adobe wouldn't necessarily be compelled to point it out.  It's not really meant for others to leverage in their own code, though of course some do. I just mean to say that they don't make a commitment about expectations regarding it beyond whether it works for the CF features that leverage it. For what it's worth, I can confirm for you that there is no mention of jquery regarding any of the previous 11 CF2016 updates, either at the release notes page covering all of them at <a href="https://helpx.adobe.com/coldfusion/release-note/coldfusion-2016-updates-release-notes.html" rel="nofollow">https://helpx.adobe.com/coldfusion/release-note/coldfusion-2016-updates-release-notes.html</a>, nor in any of the individual technotes, per this google search: site:helpx.adobe.com inurl:coldfusion-2016-update "jquery" (To be clear, that search WILL find even the latest update 12 technote, if you search for "jdk 12" instead.) Maybe someone at Adobe will confirm for you if/when it may have changed versions over the life of CF2016, or perhaps someone will do a close analysis of the lib folder and the jquery files to detect if/when it may have changed versions. HTH

Comment by Charlie Arehart

Thanks for the feedback. I asked about it because I received vulnerability notices from our internal Cyber division about using an out of compliance JQUERY UI version (1.8.16).   Thankfully it was updated to 1.12.1 in Cold Fusion update 12 (as far as I can tell).    I am received a vulnerability notice about Cold fusion having JQUERY version 3.3.1 and am being directed to upgrade to JQUERY 3.4.0 per CVE 2019-11358. I do think Cold Fusion should notify when they upgrade or plan to upgrade their embedded  components - especially when those components are subject of vulnerability notices (e.g. CVEs).

Comment by CRAIG PENROSE_39

That's a fair point. I will leave it for them to respond to.

Comment by Charlie Arehart

CVE-2019-8074 CentOS7 Apache CF2016 (HTTP response 403) /CFIDE/... (HTTP response 403) /not-CFIDE/ (HTTP response 403) /not-CFIDE/index.cfm (HTTP response 400) /index.cfm/..;/CFIDE/... (HTTP response 400) /index.cfm/..;/not-CFIDE/ (HTTP response 200) /index.cfm/..;/not-CFIDE/index.cfm

Comment by kazu98296633

The links don't work for me, either. All I get is a Document Cloud header and the message: <blockquote>Something went wrong. Please try again later.</blockquote>

Comment by AKAndy

thank u

Comment by semihakartuna