TLDR; Now through Sep 30, 2024 those running CF9, 10, 11, 2016 or 2018 can upgrade to CF2023 for 25% off its full price. (Those running CF2021 can already/always could upgrade at 50% off the full price.)
For more, read on.
In this case, it's about if you use CF encryption-related functions, the default encryption algorithm is changing--and that means that those who encrypt/decrypt (or hash or randomize) data in their apps MUST take steps before applying this updates. For more, read on.
Some folks, using it with CF2021 or 2023 found CF was somehow heavily impacting their Redis instance. The good news is that I've found an easy fix/workaround (until Adobe fixes it formally).
For more (including why you may or may NOT be impacted by the issue), read on.
And it seems easily solved: they should just list the installed version on its own line on the page, above the dropdown.
If you agree that this should be addressed, please do add a vote at the tracker ticket I just posted:
https://tracker.adobe.com/#/view/CF-4221716
Sometimes Adobe only implements changes if many ask for it (though sadly, as in this case, some just grumble at an annoyance they may hit only rarely and they move on without ever reporting it. I didn't find anyone else having reported this there, before I created my ticket.)
If you need more info to understand the problem, I'll save you going to look at the ticket by repeating here what I wrote there:
TLDR: The new updates are 1.8.0_411 (aka 8u411), 11.0.23, 17.0.11, 21.0.3, and 22.0.1 respectively). Crazy that there are now 5 current Java releases, I realize. More below, including more on each of them including what changed and the security fixes they each contain (including their CVE scores regarding urgency of concerns), offered in Oracle resources I list below. Oracle calls these updates "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so that "critical" nomenclature may sometimes be a bit overstated. And as is generally the case with these Java updates, most of them have the same changes and fixes across the four JVM versions, though not always.
For some folks, that's all they need to hear. For others, read on.
And the recordings are all available online, and here's how to find them.
As one of the premier conferences for both Adobe ColdFusion and Lucee, I highly recommend you attend the event if you can. Plus, if you don't live in Europe it's a great excuse to vacation on the continent and be tax-deductible at the same time! :-)
My talk this year (my 8th straight appearance at the event) will be a new one for me. Here are the details:
It's very important that people read the technote before "just applying this update". There is a very important (and fundamental) change in how CFML processes variables, with regard to searching for scopes when no scope is indicated on a variable name. It's NOT that you "must scope all your variables", as some are asserting. But it's still almost certainly a BREAKING change in many CF apps, if they use unscoped variables under certain conditions (that I discuss below). The change is for the sake of security, but it's just one aspect of the security fixes in this update.
Anyway, there are 3 things you can consider doing to rectify/work-around this breaking change, as I discuss below (or see the update technote, for this and more). And you may reasonably wonder what the implications would be of using the workarounds. You may also wonder if this scope matter relates to the CVE listed in the APSB (linked to below). That's currently unclear. It does not. As well, note that the Adobe security bulletin (link below) shows the security fix to be only a P3 (priority 3, the lowest severity), not a P1 (priority 1, the highest), though it IS regarded as "critical".1
But then there are still other aspects of the update beyond this scope matter, and you should be aware of those also.
For more, read on.
But some people seem to notice when news is shared of a recording being made available, so here you go.:-) These are 4 sessions I've done in Jan 2024 and Dec 2023.
So I'll be presenting a talk on this topic, online this Thursday, at noon US Eastern, on the CFMeetup youtube livestream (which will be recorded). Folks who are members of the Online ColdFusion Meetup will have already gotten email notification about this, including the meeting URL, but for those who are not members here are the details:
Managed Hosting Services provided by
