search : security update

displaying top 100 results

cfquery sandbox security issue after CF2016 update 4
Comment on cfquery sandbox security issue after CF2016 update 4 by Chris D.
Comment on cfquery sandbox security issue after CF2016 update 4 by S P.
Comment on cfquery sandbox security issue after CF2016 update 4 by Chris D.
Comment on cfquery sandbox security issue after CF2016 update 4 by S P.
Updating due to security bulletin
ColdFusion 11 - Editing an existing Sandbox box security location does not update the path in the list under Security> Sandbox Security
Comment on ColdFusion 11 - Editing an existing Sandbox box security location does not update the path in the list under Security> Sandbox Security by S V.
More info on the CF Security Update included in the March 1 CF updates for CF11, 2016, and 2018
6271442 CF-4205334 Charlie A. Suresh (or anyone at Adobe), might you have any news on the broader issue brought up here? I do realize that the bugs that prompted it were fixed in the Nov update. But what about the idea to offer a way to split off the security updates from the rest, in the way I
cfhtmltopdf with sandbox security throwing "coldfusion.document.webkit.PDFgRequestUtil"
(Update 2) security analyzer does not detect xss and csrf (Japanese Ver.)
6271442 CF-4205334 Installation/Config Adobe should consider following the Java model for handling CF security fixes I would like to publicly propose a new model that Adobe should consider following for handling CF updates, specifically allowing for one to implement security fixes as soon
Comment on (Update 2) security analyzer does not detect xss and csrf (Japanese Ver.) by Arpit G.
Bug 78754:[JFERNANDES] Server admin AIR app should have a feed to list all available hotfixes (by version) and security bulletins updates as well
Comment on (Update 2) security analyzer does not detect xss and csrf (Japanese Ver.) by Arpit G.
Comment on Bug 78754:[JFERNANDES] Server admin AIR app should have a feed to list all available hotfixes (by version) and security bulletins updates as well by External U.
Comment on Bug 78754:[JFERNANDES] Server admin AIR app should have a feed to list all available hotfixes (by version) and security bulletins updates as well by External U.
Comment on Bug 78754:[JFERNANDES] Server admin AIR app should have a feed to list all available hotfixes (by version) and security bulletins updates as well by External U.
3133483 CF-4198786 Vamseekrishna N. Since this was a security update, non-security bug fixes were pushed out to the next update. We can evaluate how this fix can be shared once it is fixed.
Comment on More info on the CF Security Update included in the March 1 CF updates for CF11, 2016, and 2018 by jeffh65754959
2672570 CF-4187127 Vamseekrishna N. This fix will be made available in the next bug-fix update release. Note that a security release is not counted as a bug-fix release and the recently released updates were security updates.
Please update the Developer Security Guide for CF2018 (not updated since CF11)
2596805 CF-3705406 External U. This grid is used to edit my clients, clients accounts and is key for the use of his business. I believe it is because of the Java security update.
2609006 CF-3948798 Anit K. This will be fixed in CF11. It was supposed to go in the current update, but it was a Security update. The fix will be there in the next update of CF11.
ColdFusion Security updates for ColdFusion 2016 and ColdFusion 11
Priyank Shrivastava Hi James, This is purely a security update and we did not include any other bug fix.
2608462 CF-4088896 External U. What other tags are impacted by this change in behaviour ? I'm very wary of updating at this point, which should not be the case with a security update !
2671777 CF-4198082 ALEXANDER H. No. Last two updaters (CF2016 Updater 6 and 7) seem to be security updates only.
Comment on deserializeJSON() invokes java.lang.System.getProperty() which is slow with sandbox security enabled by Nimit S.
6271442 CF-4205334 Charlie A. Just a minor grammatical revision to the above. The first bullet item should have read (slight change in wording in parentheses): - one would have JUST the latest security fixes (AND it would have any bug fixes/new features from the PREVIOUS update)....
SauravGhosh ColdFusion (2018 release) Update 1, ColdFusion (2016 release) Update 7, and ColdFusion 11 Update 15 Released We are pleased to announce the updates for ColdFusion (2018 release), ColdFusion (2016 release), and ColdFusion 11. These updates address a few security issues, which
few security bugs and some other bugs, which are mentioned in the tech notes. For more information, see the tech notes below: ColdFusion (2018 release) Update 10 ColdFusion (2016 release) Update 16 These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB20
Peter Freitag FYI Oracle has released Java Security patches... So Java 10 is now EOL and presumably vulnerable to security issues. This is really the worst for CF2018 customers because it ships with Java 10 and there is no security update for Java 10. We have heard that there is a CF update
faster (on compile) and more secure. Is there any forward looking plans to support OSGi (and Maven). The post OSGi Support is Needed to Assure Secure Code appeared first on ColdFusion. Discussion,Updates,ColdFusion,discussion,security,updates
2673526 CF-4126448 AJAX : UI Components Peter Freitag FCKeditor version is out of date Problem Description: The version of FCKeditor included with Raijin is 2.6.4.1, the current version of FCKeditor is 2.6.10 which includes several security updates. FCKeditor should be updated to 2
2596900 CF-3488663 External U. After the security update we experience thousands of errors while calling templates containing DateAdd() and/or DateDiff(). Please FIX THIS URGENTLY. It has nothing to do with client configurations it is a server bug after the security hotfix mentioned above.
More on today’s CF update, and the importance of securing CAR files
Comment on HTML security header "X-Content-Type-Options: nosniff" breaks various '.gif' icons in CF admin w/ IE11 by Chris D.
Comment on Adobe should consider following the Java model for handling CF security fixes by Suresh J.
Comment on Adobe should consider following the Java model for handling CF security fixes by Charlie A.
2608735 CF-4014234 Vamseekrishna N. Given that CF11 Update 13 and CF2016 Update 5 were both security updates, this fix will now be made available in the next bug-fix update release cycle for 11.0 and 2016.
2596863 CF-3544895 External U. Any word yet Adobe? This issue needs to be resolved so we can properly patch our servers. What good is a security update if it breaks things instead of fixing them?
fixing the security vulnerabilities, we’ve also added SameSite cookie support for cfcookie. For more information, see the tech notes below: ColdFusion (2018 release) Update 9 ColdFusion (2016 release) Update 15 These updates fix security vulnerabilities that are mentioned in the security bulletin
Security Analyzer (Update 2) - Misidentifying "Encrypted" files
6774822 CF-4206998 Security Apache Commons Beanutils needs updating to address CVE-2019-10086 Problem Description: Security vulnerability with common-beanutils Per CVE- In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker
(Update 2) charts are not displayed in Security Analyzer Report (Japanese Ver.)
2596840 CF-3587181 Administrator Jerome Lepage Try to update DSN but got an error Problem Description: From a fresh new install on a CF9.0.2 with cumulative hotfix 1 and Security hotfix APSB13-13; I create an Oracle DSN with a wrong password (bad typing). Then I try to correct it, but I got an error
Fusion Builder items and click Next. 6. Accept the license agreement and click Finish. 7. If you see a Security Warning message, click OK to continue installing the update. 8. To restart ColdFusion Builder, click Yes. Thanks, Mukesh
in the admin), so that you'll know about and can obtain future updates. Here's hoping this update does resolve all the problems introduced in the Sept updates. Speaking of that, I'll make one more plea for my proposal that Adobe offer an option for folks to get only security updates initially (if
should be installed within 30 days of release because it is priority 2. https://helpx.adobe.com/security/products/coldfusion/apsb15-29.html https://helpx.adobe.com/security/severity-ratings.html This needs to be resolved so we can install this update by Dec 17-18, 2015. Thanks, Boris.
Peter Freitag Gary - Oracle is probably selling extended support for Java 8, so they will probably continue to provide security updates to Java 8 customers that purchase Oracle Java Extended Support. They have done that for Java 7 and 6 when they ended core support.
to the tech notes for each update: ColdFusion (2018 release) Update 8 ColdFusion (2016 release) Update 14 These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB20-16. The Docker images for these updates are also available. Please update your ColdFusion versions today
SauravGhosh ColdFusion (2018 release) Update 7 released We are pleased to announce that we have released Update 7 of the 2018 release of ColdFusion. ColdFusion (2018 release) Update 7 addresses vulnerabilities that are mentioned in the security bulletin, APSB19-58. The update includes a fix
Charlie Arehart

Good news, Christopher (and all): Adobe has now added at least update 8u212 to the downloads page, though curiously still not 11.0.3. Also curious, they offer only u212 and not u211, for those only wanting the latest security updates and not bug fixes/changes.

Once I see

2609447 CF-3846716 External U. The error occurs when updating ColdFusion 11 patch 2, and this update causes a ColdFusion internal error. I fixed it by uninstalling ColdFusion 11 and reinstalling without updating security patch 2.
their codebase because of a cock-up you've introduced in an updater. You need to own it, and you need to *fix it*. And given this was a security update, you need to fix it *ASAP*.
.5 and 2016.12 were not pulled back, there were a couple of reasons - a) It was a security update with important fixes and b) A patch with fixes was made available within a couple of days of the release to unblock users.
5847488 CF-4204514 Michael C. Hi Mukesh/anyone at Adobe, Please could you let me know if there is anything else you need from me to proceed with this issue? We would desperately like to move forward from CF2016 Update 7 ASAP, to apply both current security updates, and to move onto Java 11, which
2612134 CF-3554978 External U. If Adobe wants to help ensure systems around the world running their software really are secure then the update process needs to be as simple and fool proof as possible.
[ANeff] Bug for: [Regression] Enabling Secure Profile during install breaks Allowed SQL after Update 3
Comment on More info on the CF Security Update included in the March 1 CF updates for CF11, 2016, and 2018 by jeffh65754959
the RDS section of Security. Steps to Reproduce: Make a change to Server Updates > Updates > Settings, submit your changes. Actual Result: You get redirected to the Security > RDS. Expected Result: You should be redirected to the Server Updates > Updates > Settings Any Workarounds:
on this here or in the technote for its update 19. Of course, it's appreciated, especially given the security update included (and some bug fixes).

But can anyone from Adobe clarify things, about this update 19 and going forward about CF11?

Comment on Coldfusion 11 update 8 breaks left and right sql sever functions by External U.
Comment on coldfusion 10 update 14. failed to load pdf document by External U.
Comment on Issue with the XMLParse() function after update to Java 8.241 (possibly introduced in 8.231) by Miguel F.
notes for each […] The post ColdFusion (2018 release) Update 5 and ColdFusion (2016 release) Update 12 released appeared first on ColdFusion. Adobe ColdFusion 2016,Adobe ColdFusion 2018,Blog,coldfusiom language updates,coldfusion 2016 update 12,coldfusion 2018 update 5,ColdFusion security updates
Charlie Arehart Can you clarify this "confirmation" you refer to? And by "this update", do you mean the one mentioned in this post? It is not offering any security issues. It only fixes problems in the previous update (from September). But maybe you are referring to a situation where you had
2611496 CF-3616845 External U. Client demands narrow columns in apps xls feature. Forced to downgrade to update 10. Concerned about security risks of this.
Comment on (Update 2) charts are not displayed in Security Analyzer Report (Japanese Ver.) by Arpit G.
2609493 CF-3842815 Piyush K. wittsiepe, The cfgrid binding related bugs are not fixed in Update 2. They are due in the next update, to be made available very soon. Update 2 fixed security related issues only (for details on update 2 please ref. http://helpx.adobe.com/coldfusion/kb/coldfusion-11
Charlie Arehart Thanks for that, Saurav. Readers should note that the reason you are encouraged to get THIS update in place is so that (by applying it) you get the earlier September update which this one "fixes". That update had important security protections, but these bugs (now corrected) had
TigheLory Will Update 12 update the JDK to resolve the security issues or do I need to download it from Oracle and install separately to patch the vulnerability?
6308989 CF-4205374 Administrator : Administrator Console Unable to update Maximum size of post data and other settings Problem Description: In CF 2018 Standard Edition, Update 4, Production+Secure Profile, I'm unable to change the value for "Maximum size of post data" in the console. I had
SauravGhosh Brian, The add-ons contain the same security fix that are present in the update jars for both the versions. Thanks.
frequent CFSchedule crashes - failing to update neo-cron.xml
Charlie Arehart Miguel, I realize you are asking Adobe, but since it's been a day, I'll say that the answer seems "yes and no". First, the tool does offer to update CF to the latest available update, so from that perspective, yes the tool is "updated to include" the new security features
Comment on [ANeff] Bug for: [Regression] Enabling Secure Profile during install breaks Allowed SQL after Update 3 by S P.
than update 4, making the server potentially at risk to the undisclosed security vulnerabilities that these updates address. (And because they're undisclosed, there's no way for us to take other precautions to address the issues!) ----------------------------- Additional Watson Details
Fusion 11 Update 19 The following are links to the tech notes for each update: ColdFusion (2018 release) Update 4 ColdFusion (2016 release) Update 11 ColdFusion 11 Update 19 The releases address security vulnerabilities, which are documented in the bulletin APSB19-27. We have made the following updates
2596875 CF-3520423 Akhila K. This requires certificate to be imported to jdk. So try to import the certificate to jdk keystore and make corresponding system property change in jvm.config file. System property to be updated: -Djavax.net.ssl.trustStore=C:\\Java\\jdk1.6.0_21\\jre\\lib\\security
Fusion 11 Update 18 The following are links to the tech notes for each update: ColdFusion (2018 release) Update 3 ColdFusion (2016 release) Update 10 ColdFusion 11 Update 18 The releases address security vulnerabilities, which are documented in the bulletin APSB19-14. In these updates, we have also
Modernization of Adobe ColdFusion Helped Improving Security, Deployment and Other Important Aspects appeared first on ColdFusion. CF2018 Updates,ColdFusion 2018,Question,2018,cf2018 updates,coldfusion 2018,question
6439313 CF-4205821 Ken W. We've been seeing this issue Since Update 5/Update12. The jar file fix did not resolve it nor did Update 6. Turning off Sandbox Security was our only recourse which is unacceptable. Emails to Adobe support were met with total silence.
3498609 CF-4199667 Security : General Timothy Niswander Update 4 and 5 break Update 3 fix for CFCOOKIE Null values Problem Description: Latest Updates breaks prior updates built into 2016 Installer Refresh Update 3 Steps to Reproduce: Install latest CF 2016 Enterprise installer, then install
Michael Charbonneau Please place the updated DLL file on actual Adobe servers. It's a security problem to have the hotfix sitting on a 3rd party site like Dropbox!
Comment on (Update 2) charts are not displayed in Security Analyzer Report (Japanese Ver.) by Adobe D.
2673451 CF-4126536 Security Analyzer David Epler Security Analyzer - case sensitivity for Testing sample source code that had the following: update comments set subscribe = 0, followup = 0 where commentid = The security analyzer flagged it SQLi, Error, High. There is not SQLi
Comment on Fix available for CF11 update 18 query caching bug by R.Stewart
5153136 CF-4203664 Security : Authentication cflogin authentication issue Problem Description: I have recently installed CF2018 (all available updates installed) on windows 2016 server. Users behind the login page on the app are getting authentication failed error messages. Steps to Reproduce
3712128 CF-4200155 S P. Hi Charles, We do see the issue happening on update 3, but do not see the exception on the latest update, that being 14. Also, we strongly recommend you to update your server to the latest hotfix, considering all the important security fixes that have gone in them
Comment on Issue with the XMLParse() function after update to Java 8.241 (possibly introduced in 8.231) by Justin H.
Gary Fenton Does this only apply to Java 11 though? So Java 8, as used by CF2016, can continue to be downloaded for free in commercial use to support future updates of CF 2016, particularly security patches in Java?
,Performance Monitoring Toolset,ColdFusion (2016 release) Update 8,ColdFusion (2018 release) Update 2,ColdFusion 11 Update 16,ColdFusion 11 updates,ColdFusion 2016 updates,ColdFusion 2018 updates,coldfusion builder updates,ColdFusion security updates,ColdFusion updates,Performance Monitoring Toolset updates,Server Auto
on the server - no windows updates, no java updates, no antivirus/security updates, no cold fusion updates - nothing. See this thread for entire troubleshooting steps thus far: https://forums.adobe.com/thread/1484729?start=0&tstart=0 Log files have been sent to Anit Kumar Panda Steps to Reproduce: Actual
Very slow startup time CF2018 update 6 and above - compiler issue?
Miguel Fernandez SauravGhosh – when you guys add security features like this in an update are you also updating the Server Auto-Lockdown installer to include them? (I realize this only applies to ColdFusion 2018)
https://www.carehart.org/blog/client/index.cfm/2014/10/30/finding_coldfusion_installers_and_updates As for "should you", well, beware that CF10 stopped being updated in 2017. There have been several updates since then (to CF11, CF2016, and CF2018), some of which are very important security updates. Those have NOT been backported to CF10. (And