displaying top 100 results
Portal Topic More info on the CF Security Update included in the March 1 CF updates for CF11, 2016, and 2018
Portal Comment Comment on More info on the CF Security Update included in the March 1 CF updates for CF11, 2016, and 2018 by jeffh65754959
Portal Comment Comment on More info on the CF Security Update included in the March 1 CF updates for CF11, 2016, and 2018 by Charlie Arehart
ColdFusion Security updates for ColdFusion 2016 and ColdFusion 11
Portal Topic Updating due to security bulletin
Tracker Comment Comment on Java Script Security Exception CFGrid by External U.
2596805 CF-3705406 External U. This grid is used to edit my client's clients' accounts and is key for the use of his business. I believe it is because of the Java security update.
Portal Topic ColdFusion (2018 release) Update 1, ColdFusion (2016 release) Update 7, and ColdFusion 11 Update 15 Released
SauravGhosh ColdFusion (2018 release) Update 1, ColdFusion (2016 release) Update 7, and ColdFusion 11 Update 15 Released We are pleased to announce the updates for ColdFusion (2018 release), ColdFusion (2016 release), and ColdFusion 11. These updates address a few security issues, which
Tracker Comment Comment on coldfusion.runtime.Cast._double(J)D after Security Hotfix APSB13-03 by External U.
2596900 CF-3488663 External U. After the security update we experience thousands of errors while calling templates containing DateAdd() and/or DateDiff(). Please FIX THIS URGENTLY. It has nothing to do with client configurations it is a server bug after the security hotfix mentioned above.
Portal Comment Comment on ColdFusion (2018 release) Update 8 and ColdFusion (2016 release) Update 14 released by Priyank Shrivastava
Priyank Shrivastava Hi James, This is purely a security update and we did not include any other bug fix.
few security bugs and some other bugs, which are mentioned in the tech notes. For more information, see the tech notes below: ColdFusion (2018 release) Update 10 ColdFusion (2016 release) Update 16 These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB20
Security Analyzer (Update 2) - Misidentifying "Encrypted" files
Tracker Comment Comment on CFENCODE for OS X on CF2016 by Vamseekrishna N.
3133483 CF-4198786 Vamseekrishna N. Since this was a security update, non-security bug fixes were pushed out to the next update. We can evaluate how this fix can be shared once it is fixed.
2672570 CF-4187127 Vamseekrishna N. This fix will be made available in the next bug-fix update release. Note that a security release is not counted as a bug-fix release and the recently released updates were security updates.
Please update the Developer Security Guide for CF2018 (not updated since CF11)
fixing the security vulnerabilities, we’ve also added SameSite cookie support for cfcookie. For more information, see the tech notes below: ColdFusion (2018 release) Update 9 ColdFusion (2016 release) Update 15 These updates fix security vulnerabilities that are mentioned in the security bulletin
Tracker Issue Security Analyzer - case sensitivity for <cfqueryparam>
2673451 CF-4126536 Security Analyzer David Epler Security Analyzer - case sensitivity for <cfqueryparam>. Testing sample source code that had the following:
update comments set
subscribe = 0,
followup = 0
where commentid =
The security analyzer flagged it SQLi, Error, High. There is no SQLi.
Portal Topic ColdFusion (2018 release) Update 7 released
SauravGhosh ColdFusion (2018 release) Update 7 released We are pleased to announce that we have released Update 7 of the 2018 release of ColdFusion. ColdFusion (2018 release) Update 7 addresses vulnerabilities that are mentioned in the security bulletin, APSB19-58. The update includes a fix
coldfusion.runtime.Cast._double(J)D after Security Hotfix APSB13-03
Tracker Comment Comment on Post ColdFusion Security Hotfix APSB13-10 - error on JSON returned with debug on by External U.
2596863 CF-3544895 External U. Any word yet Adobe? This issue needs to be resolved so we can properly patch our servers. What good is a security update if it breaks things instead of fixing them?
to the tech notes for each update: ColdFusion (2018 release) Update 8 ColdFusion (2016 release) Update 14 These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB20-16. The Docker images for these updates are also available. Please update your ColdFusion versions today
Tracker Comment Comment on Additional CF Administrator users unable to view Settings Summary by Anit K.
2609006 CF-3948798 Anit K. This will be fixed in CF11. It was supposed to go in the current update, but it was a security update. The fix will be there in the next update of CF11.
Portal Comment Comment on Preview builds of ColdFusion (2018 release) Update 6 and ColdFusion (2016 release) Update 13 released by Charlie Arehart
in the admin), so that you'll know about and can obtain future updates.
Here's hoping this update does resolve all the problems introduced in the Sept updates.
Speaking of that, I'll make one more plea for my proposal that Adobe offer an option for folks to get only security updates initially (if
Portal Topic ColdFusion (2018 release) Update 4, ColdFusion (2016 release) Update 11, and ColdFusion 11 Update 19 released
Fusion 11 Update 19 The following are links to the tech notes for each update: ColdFusion (2018 release) Update 4 ColdFusion (2016 release) Update 11 ColdFusion 11 Update 19 The releases address security vulnerabilities, which are documented in the bulletin APSB19-27. We have made the following updates
Tracker Issue Update esapi.jar to 2.2
6082444 CF-4205004 General Server,Security Update esapi.jar to 2.2 Problem Description:
Converting strings between HTML-encoding and JavaScript-encoding does not work even if canonicalize parameter is set to true.
ColdFusion currently comes with esapi-2.1.0.jar
According to my tests
Tracker Comment Comment on CFPOP doesn't create the query given by name="" with updater 7 installed by External U.
2608462 CF-4088896 External U. What other tags are impacted by this change in behaviour? I'm very wary of updating at this point, which should not be the case with a security update!
Tracker Comment Comment on CFMAIL fails with IDN domains and German Umlauts and maybe other special chars by ALEXANDER H.
2671777 CF-4198082 ALEXANDER H. No. The last two updaters (CF2016 Updater 6 and 7) seem to be security updates only.
Tracker Comment Comment on Adobe should consider following the Java model for handling CF security fixes by Charlie A.
6271442 CF-4205334 Charlie A. Suresh (or anyone at Adobe), might you have any news on the broader issue brought up here? I do realize that the bugs that prompted it were fixed in the Nov update.
But what about the idea to offer a way to split off the security updates from the rest, in the way I
(Update 2) charts are not displayed in Security Analyzer Report (Japanese Ver.)
Portal Topic ColdFusion (2018 release) Update 3, ColdFusion (2016 release) Update 10, and ColdFusion 11 Update 18 released
Fusion 11 Update 18 The following are links to the tech notes for each update: ColdFusion (2018 release) Update 3 ColdFusion (2016 release) Update 10 ColdFusion 11 Update 18 The releases address security vulnerabilities, which are documented in the bulletin APSB19-14. In these updates, we have also
on this here or in the technote for its update 19. Of course, it's appreciated, especially given the security update included (and some bug fixes).
But can anyone from Adobe clarify things, about this update 19 and going forward about CF11?
Portal Topic ColdFusion (2018 release) Update 2, ColdFusion (2016 release) Update 8, and ColdFusion 11 Update 16 released
Portal Comment Comment on ColdFusion (2018 release) Update 10 and ColdFusion (2016 release) Update 16 released by SauravGhosh
SauravGhosh Brian,
The add-ons contain the same security fixes that are present in the update jars for both versions.
Thanks.
Tracker Issue [ANeff] Bug for: [Regression] Enabling Secure Profile during install breaks Allowed SQL after Update 3
Portal Comment Comment on ColdFusion (2018 release) Update 5 and ColdFusion (2016 release) Update 12 released by TigheLory
TigheLory Will Update 12 update the JDK to resolve the security issues or do I need to download it from Oracle and install separately to patch the vulnerability?
Portal Comment Comment on Oracle’s Java policy change by Peter Freitag
Peter Freitag FYI Oracle has released Java Security patches... So Java 10 is now EOL and presumably vulnerable to security issues. This is really the worst for CF2018 customers because it ships with Java 10 and there is no security update for Java 10.
We have heard that there is a CF update
Portal Topic OSGi Support is Needed to Assure Secure Code
faster (on compile) and more secure. Is there any forward looking plans to support OSGi (and Maven).
Portal Comment Comment on ColdFusion (2018 release) Update 6 and ColdFusion (2016 release) Update 13 released by Charlie Arehart
Charlie Arehart Can you clarify this "confirmation" you refer to? And by "this update", do you mean the one mentioned in this post? It is not offering any security issues. It only fixes problems in the previous update (from September).
But maybe you are referring to a situation where you had
Tracker Issue FCKeditor version is out of date
2673526 CF-4126448 AJAX : UI Components Peter Freitag FCKeditor version is out of date Problem Description: The version of FCKeditor included with Raijin is 2.6.4.1, the current version of FCKeditor is 2.6.10 which includes several security updates.
FCKeditor should be updated to 2
More on today’s CF update, and the importance of securing CAR files
Charlie Arehart Miguel, I realize you are asking Adobe, but since it's been a day, I'll say that the answer seems "yes and no".
First, the tool does offer to update CF to the latest available update, so from that perspective, yes the tool is "updated to include" the new security features
Portal Comment Comment on ColdFusion (2018 release) Update 6 and ColdFusion (2016 release) Update 13 released by Charlie Arehart
Charlie Arehart Thanks for that, Saurav.
Readers should note that the reason you are encouraged to get THIS update in place is so that (by applying it) you get the earlier September update which this one "fixes". That update had important security protections, but these bugs (now corrected) had
2682265 CFB-4130102 CFwatson U. Added By: bukkittu Note Added: I am sorry. My bad. On saving an edited file, Eclipse can give me the latest positions of the markers. I can use these new positions in the security view and update it. Thus, there would be no overhead introduced that I thought initially
Tracker Comment Comment on (Update 2) charts are not displayed in Security Analyzer Report (Japanese Ver.) by Arpit G.
3498609 CF-4199667 Security : General Timothy Niswander Update 4 and 5 break Update 3 fix for CFCOOKIE Null values Problem Description: Latest updates break prior updates built into 2016 Installer Refresh Update 3
Steps to Reproduce: Install latest CF 2016 Enterprise installer, then install
ColdFusion 11 - Editing an existing Sandbox box security location does not update the path in the list under Security> Sandbox Security
Comment on cfquery sandbox security issue after CF2016 update 4 by Chris D.
Tracker Comment Comment on CFFTP to S-FTP server raises error "Algorithm negotiation fail" by Vamseekrishna N.
2608735 CF-4014234 Vamseekrishna N. Given that CF11 Update 13 and CF2016 Update 5 were both security updates, this fix will now be made available in the next bug-fix update release cycle for 11.0 and 2016.
Portal Comment Comment on ColdFusion (2018 release) Update 5 and ColdFusion (2016 release) Update 12 released by Michael Charbonneau
Michael Charbonneau Please place the updated DLL file on actual Adobe servers. It's a security problem to have the hotfix sitting on a 3rd-party site like Dropbox!
6708143 CF-4206898 Security : Sandbox Intermittent issues with random templates, appears related to Sandbox Security We've been experiencing Intermittent but very similar errors since right after applying Update 5/Update 12 to each of our servers. When the problem arises, the application
Portal Comment Comment on ColdFusion (2018 release) Update 5 and ColdFusion (2016 release) Update 12 released by Charlie Arehart
Charlie Arehart I realize you will want to hear from Adobe, but until then let me offer these thoughts if they may be helpful to anyone.
First, as for your question about Java and that APSB, I suspect you're referring to this: "The security updates referenced in the above Tech Notes require JDK 8u
Tracker Comment Comment on (Update 2) charts are not displayed in Security Analyzer Report (Japanese Ver.) by Adobe D.
Miguel Fernandez SauravGhosh – when you guys add security features like this in an update are you also updating the Server Auto-Lockdown installer to include them? (I realize this only applies to ColdFusion 2018)
Tracker Comment Comment on Security scanner SQLi odd guidance by CFwatson U.
Tracker Comment Comment on SpreadSheetSetColumnWidth stops working after updating to ColdFusion 10 Update 11 by External U.
2611496 CF-3616845 External U. Client demands narrow columns in the app's xls feature. Forced to downgrade to update 10. Concerned about the security risks of this.
Tracker Issue Server Update > Updates > Settings - Submit Changes doesn't return to the settings tab
the RDS section of Security.
Steps to Reproduce: Make a change to Server Updates > Updates > Settings, submit your changes.
Actual Result: You get redirected to the Security > RDS.
Expected Result: You should be redirected to the Server Updates > Updates > Settings
Any Workarounds:
Tracker Comment Comment on Security Analyzer - Incorrect SQLi by CFwatson U.
Tracker Comment Comment on Security scanner: incorrect analysis by CFwatson U.
Portal Comment Comment on ColdFusion (2018 release) Update 5 and ColdFusion (2016 release) Update 12 released by SauravGhosh
Comment on ColdFusion 11 - Editing an existing Sandbox box security location does not update the path in the list under Security> Sandbox Security by S V.
Bug 78754:[JFERNANDES] Server admin AIR app should have a feed to list all available hotfixes (by version) and security bulletins updates as well
Tracker Comment Comment on coldfusion.runtime.Cast._double(J)D after Security Hotfix APSB13-03 by External U.
Tracker Issue Bug 86494:We had severe problems with sessions after applying the Security HotFix APSB11-04
://shilpikm.blogspot.com/2011/02/security-hot-fix-update-for-coldfusion.html for details. We changed to domain/path cookies as advised on that blog post (although that was not mentioned in the official Adobe pages), but many of our users were still unable to maintain sessions: they would log in successfully and then be logged
Portal Comment Comment on ColdFusion (2018 release) Update 9 and ColdFusion (2016 release) Update 15 released by Charlie Arehart
Charlie Arehart
Great to see the new updates, both addressing security issues and the samesite cookie issue.
That said, it’s quite unfortunate to see that the Tomcat version (underlying CF server) is STILL not updated. (To be clear, I applied update 9 for CF2016 and can confirm that the CF
6774822 CF-4206998 Security Apache Commons Beanutils needs updating to address CVE-2019-10086 Problem Description:
Security vulnerability with commons-beanutils
Per CVE- In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker
Comment on cfquery sandbox security issue after CF2016 update 4 by S P.
Comment on Bug 78754:[JFERNANDES] Server admin AIR app should have a feed to list all available hotfixes (by version) and security bulletins updates as well by External U.
Tracker Comment Comment on (Update 2) security analyzer does not detect xss and csrf (Japanese Ver.) by Arpit G.
ColdFusion Request Throttling For Better Security / Performance
Portal Comment Comment on Oracle’s Java policy change by Peter Freitag
Peter Freitag Gary - Oracle is probably selling extended support for Java 8, so they will probably continue to provide security updates to Java 8 customers that purchase Oracle Java Extended Support. They have done that for Java 7 and 6 when they ended core support.
Tracker Comment Comment on [ANeff] Bug for: [Regression] Enabling Secure Profile during install breaks Allowed SQL after Update 3 by S P.
Charlie Arehart
Good news, Christopher (and all): Adobe has now added at least update 8u212 to the downloads page, though curiously still not 11.0.3. Also curious, they offer only u212 and not u211, for those only wanting the latest security updates and not bug fixes/changes.
Once I see
Tracker Comment Comment on Scheduler ERROR by External U.
2609447 CF-3846716 External U. The error occurs when updating ColdFusion 11 to patch 2,
and this update causes a ColdFusion internal error.
I fixed it by uninstalling ColdFusion 11 and reinstalling without security patch 2.
Tracker Issue CF 2016 Update 12 on Windows Server returns nesting errors in cases where CF 2016 Update 11 and lower does not
to avoid it but we have a huge and very old code base and tracking down all the instances of this type of code will take a long time which is not good when we need to install a security update like this one.
Any Workarounds:
Use CFLOOP
Portal Comment Comment on ColdFusion (2018 release) Update 5 and ColdFusion (2016 release) Update 12 released by SauravGhosh
Portal Comment Comment on ColdFusion (2016 release) Update 9 and ColdFusion 11 Update 17 released by CFDaddio2
CFDaddio2 Is anyone else experiencing an issue after installing CF11 Update 17 where an individual CFAdmin security user can no longer access the ‘Settings Summary’ page? Before I ran the update, my individual login could view the CFAdmin ‘Settings Summary’ page. Immediately after the CF11 Update
PiyushN Charlie,
The update primarily fixes a security issue, that affects only a windows based CF installation. It also contains a fix for the scrollbar issue (that is not platform dependent, of course). You can choose to ignore this update if you're not on Windows. You can always get the fix
Portal Topic ColdFusion 2016 API Manager Update 1 released
Tracker Issue Unable to initialise Security service, Client Storage service, and WatchService service
3022904 CF-4198542 Installation/Config ANDREW LORIEN Unable to initialise Security service, Client Storage service, and WatchService service Problem Description:
When testing Java update (Java SE Development Kit 8u131) on our CF 10 server, I was not able to load CF admin and had the following
Tracker Comment Comment on CFPOP doesn't create the query given by name="" with updater 7 installed by External U.
their codebase because of a cock-up you've introduced in an updater. You need to own it, and you need to *fix it*. And given this was a security update, you need to fix it *ASAP*.
Tracker Comment Comment on Nest CFOUTPUT error in hotfix 5 (hf-2018-00005-315699) by Vamseekrishna N.
.5 and 2016.12 were not pulled back, there were a couple of reasons - a) It was a security update with important fixes and b) A patch with fixes was made available within a couple of days of the release to unblock users.
Tracker Comment Comment on Nested CFLAYOUT/CFLAYOUTAREA tags with source attributes throw javascript error by Michael C.
5847488 CF-4204514 Michael C. Hi Mukesh/anyone at Adobe,
Please could you let me know if there is anything else you need from me to proceed with this issue? We would desperately like to move forward from CF2016 Update 7 ASAP, to apply both current security updates, and to move onto Java 11, which
Tracker Comment Comment on Automatic updates improvements by External U.
2612134 CF-3554978 External U. If Adobe wants to help ensure systems around the world running their software really are secure, then the update process needs to be as simple and foolproof as possible.
Portal Comment Comment on ColdFusion (2018 release) Update 5 and ColdFusion (2016 release) Update 12 released by Vamseekrishna Nanneboina
Vamseekrishna Nanneboina @TigheLory, Java 12 support isn't necessary for the security fixes to take effect. As a general recommendation, we always encourage our users to be on the latest JDK/update level. We will be adding support for JDK 13 soon, FYI.
Portal Comment Comment on ColdFusion (2018 release) Update 8 and ColdFusion (2016 release) Update 14 released by James Moberg
James Moberg I understand that the SameSite cookie issue would be fixed in this update, but there don't appear to be any release notes. What else has been fixed apart from "security vulnerabilities that were reported in APSB20-16"?
(Update 2) security analyzer does not detect xss and csrf (Japanese Ver.)
Portal Comment Comment on ColdFusion (2018 release) Update 5 and ColdFusion (2016 release) Update 12 released by Charlie Arehart
some to think that it does not apply to them, but it is the only connector update I've seen offered so far for the Sept CF updates, so it's worth giving it a shot to see if it solves your problems. (Of course, getting to the Sept. updates is important for the security fixes they offer
Tracker Comment Comment on cfstoredproc - Last OUTPUT parameter - ColdFusion 11 Update 5 by Nimit S.
2608884 CF-3971083 Nimit S. Hi Byron,
Sorry for the inconvenience.
This fix is not included in ColdFusion 11 Update 6, because it was only a security hotfix.
However, this issue is fixed in ColdFusion 11 Update 7 which is available on pre-release.
For more details, please refer to the article
Tracker Issue Null pointer exception thrown while running Security Analyzer repeatedly over same files
:
java.lang.NullPointerException
at java.util.HashMap.putMapEntries(HashMap.java:500)
at java.util.HashMap.putAll(HashMap.java:784)
at com.adobe.ide.coldfusion.securityanalyzer.jobs.SecurityAnalyzerJob.updateIgnoreList(SecurityAnalyzerJob.java:261)
at com.adobe.ide.coldfusion.securityanalyzer.jobs.SecurityAnalyzerJob.run(Security
Comment on Security Analyzer - Incorrect flagging SQLi (BlogCFC - blog.cfc) by S P.
Tracker Comment Comment on Error connecting to Oracle servers using Oracle Advanced Security by CFwatson U.
Comment on Security Analyzer - Show full path & filename by Mukesh K.
Comment on Security Analyzer - CSRF Attack detection does not work by CFwatson U.
Tracker Comment Comment on Security Analyzer - incorrect flagging of method="post" on <form> by CFwatson U.