
Solving failure in applying Oct 2023 CF updates, or avoiding that failure

If you try to apply ColdFusion updates (including the latest released Oct 6) via the CF admin or command line and find that the update fails, the problem may be due to the JVM you're using (within CF or at the command line). There's a simple solution, which I discuss in this post.

TLDR: If you've configured either CF2021's java home to use Java 11.0.20 or later, or CF2023's java home to use 17.0.8 or later, you may find that applying CF updates via the Admin will fail. You can apply the update via the command line, adding a needed new JVM arg:
-Djdk.util.zip.disableZip64ExtraFieldValidation=true
(to be placed BEFORE the -jar arg) in the java -jar ... command, as I discuss more in the 5th bullet point below. (If I've lost you with that simple suggestion, read the rest here. And all may benefit from reading what precedes that suggestion, for context. I also offer other suggestions and info.)


My meta resource page about updating CF, the Java underlying it, the wsconfig, and more

With all the recent updates to CF (and the ongoing need to keep it and related things up-to-date), I wanted to share some news: I've long had on my site a meta resource page regarding keeping ColdFusion updated, where I offer both links and tips related to updating CF as well as the JVM underlying CF, the web server connector (wsconfig), the CF PMT, FusionReactor, CF Builder (old Eclipse and new VSCode versions) and even Lucee.

It's been on my site as my "CFUpdate" page (linked to from my old-school top-level nav bar), and I've kept the page updated. [Hey, updating my meta resource on updates. That's SO meta!]

But I suspect a lot of people may never find it for one reason or another, so I wanted to offer a link to it here.

Check it out, and I welcome comments or feedback here.

Beware you can't for now install CF updates via the CF Admin after applying Jul 2023 JVM update

Be aware: if you update ColdFusion to run using the latest JVM updates (released July 18, 2023), you will encounter challenges, which have solutions as I describe here.

You will find that you can no longer INSTALL CF updates via the CF admin, if CF is using this new Java version. And even if the CF update is run from the command line, it will also fail if using this newer Java version. In either case, there is a new JVM argument that solves the problem, as I discuss below.

This is happening in CF2023, 2021, and 2018. (And this may continue to happen with future JVM updates, until Adobe otherwise addresses the problem.)

As an update, this issue was finally fixed with the Oct 2023 CF update, CF2021 u11 and CF2023 u5--as long as it was applied before applying any later ones, it seems. Still, some may want to read on for context, or read a subsequent post I did on this matter in October 2023, and another in my discussion of the Nov 2023 CF update.

As another update, when I first created this post on July 21st, another problem was that you could no longer use the CF Administrator to download CF updates, if CF was running this new Java version. You would get an error reporting, "Failed Signature verification"--or in some cases you may see only "error failed". But within a couple of weeks, I found that the CF Admin COULD now download updates (including the August 2023 CF update) but the CF update STILL fails to install correctly, as discussed in this post, unless the workaround offered is used.

FWIW, Adobe has also updated the technotes for CF2021 update 10 and CF2023 update 4 with a text box at the top that acknowledges this issue and points to this post for more detail.

In this post, I explain a) what this is all about, then b) how you can fix the problem of INSTALLING the update using the CF Admin, where I'll explain how it seems we HAVE to work around that problem (for now). I also offer a link to a bug report I've filed. I even offer a thought on how this new JVM update may prove over time to affect MORE than just this, and even MORE than just CF (and Lucee) but many Java apps. Read on for more.


Announcing Java updates of Jul 2023 for 8, 11, 17, and 20: resources and thoughts

It's that time again: there are new JVM updates released today (Jul 18, 2023) for the current long-term support (LTS) releases of Oracle Java, 8, 11, and 17, as well as the current interim update 20.

TLDR: The new updates are 1.8.0_381 (aka 8u381), 11.0.20, 17.0.8, and 20.0.2 respectively. For more on each of them, including what changed and the security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so that "critical" nomenclature may sometimes be a bit overstated. And as is generally the case with these Java updates, most of them have the same changes and fixes across the 4 JVM versions, though not always.

For some folks, that's all they need to hear. For others, read on.


Announcing Java Updates of Apr 2023 for 8, 11, 17, and 20: resources and thoughts

It's that time again: there are new JVM updates released today (Apr 18, 2023) for the current long-term support (LTS) releases of Oracle Java, 8, 11, and 17, as well as the current interim update 20.

TLDR: The new updates are 1.8.0_371 (aka 8u371), 11.0.19, 17.0.7, and 20.0.1 respectively. For more on each of them, including what changed and the security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so that "critical" nomenclature may sometimes be a bit overstated. And as is generally the case with these Java updates, most of them have the same changes and fixes across the versions, though not always.

Note: If you use the JDK installer and may be coming to this update of Java 11 or 17 having skipped the last update, 11.0.18 or 17.0.6 respectively, please note there is an important change to the installer (for all OSs) which you should consider before proceeding. For more, see my discussion below.

For some folks, that's all they need to hear. For others, read on for topics like:

  • Finding more info on these Apr 2023 Java updates
  • What about other JVM distributions besides Oracle?
  • News for my CF audience (getting the Java updates from Adobe or Oracle, how to update, why you should NOT for now use Java 17 with CF, etc)
  • Should you apply the update? how soon?
  • Beware a change in the January 2023 JVM update regarding the JDK installer
  • Beware a change in the October 2022 JVM update regarding Java no longer trusting jars signed with SHA-1
  • Beware a change in the April 2021 JVM update, if you may be skipping over it
  • Wrapping up, getting more help


Thrilled to be presenting at Devnexus 2023

I'm thrilled to announce that I've been selected as a speaker at Devnexus 2023, the long-running professional developer conference held in Atlanta. If you may not be familiar with it, I'll talk about the event a bit more below, as well as offer a discount code to attend.

As for my session, it will be "Transitioning to Java 17 from 11 or 8 for Admins":


Beware that latest Oracle JDK installers will REMOVE older JDK installs of that version

Here's something new to beware: a change in the most recent Oracle JDK installers for Java 11 or 17 (since Jan 2023) which could break your apps which rely on Java, whether on Windows, macOS, or via RPM. The new Oracle JDK installer WILL REMOVE any previous updates of that JVM version that were created by previous JDK installers of that same major version. And it will do so pretty much without warning, which may be a confusing shock for those caught unaware. Let me explain.


Announcing Java updates of Jan 2023 for 8, 11, 17, and 19: resources and thoughts

Here's a heads-up that some will want to hear about: there are new JVM updates released today (Jan 17, 2023) for the current long-term support (LTS) releases of Oracle Java, 8, 11, and 17, as well as the current interim update 19. (Note that prior to Java 9, releases of Java were known technically as 1.x, so 8 is referred to in resources below as 1.8.)

TLDR: The new updates are 1.8.0_361 (aka 8u361), 11.0.18, 17.0.6, and 19.0.2 respectively. For more on each of them, including what changed and the security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so that "critical" nomenclature may be a bit overstated. And as is generally the case with these Java updates, most of them have the same changes and fixes as each other, though not always.

Update: After posting this, I learned of some rather surprising implications of a new feature of the new JDK installer, as of 11.0.18 or 17.0.6 and later. For more, see another post I created.

For some folks, that's all they need to hear. For others, read on for topics like:

  • Finding more info on these Jan 2023 Java updates
  • What about other JVM distributions besides Oracle?
  • News for my CF audience (getting the Java updates from Adobe or Oracle, how to update, why you should NOT for now use Java 17 with CF, etc)
  • Should you apply the update? how soon?
  • Beware a change in the Oct 22 JVM update regarding Java no longer trusting jars signed with SHA-1
  • Beware a change in the April 2021 JVM update, if you may be skipping over it
  • Wrapping up, getting more help


Announcing Java updates of Oct 2022 for Java 8, 11, 17, and 19: resources and thoughts

Here's a heads-up that some will want to hear about: there are new JVM updates released today (Oct 18, 2022) for the current long-term support (LTS) releases of Oracle Java, 8, 11, and 17, as well as the new interim update 19. (Note that prior to Java 9, releases of Java were known technically as 1.x, so 8 is referred to in resources below as 1.8.)

TLDR: The new updates are 1.8.0_351 (aka 8u351), 11.0.17, 17.0.5, and 19.0.1 respectively. And as is generally the case with these Java updates, most of them have the same changes and fixes as each other (though not always).

Update: After posting this, I learned of some rather surprising implications of a new feature of the new JDK installer. For more, see a new section on this below.

Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so take that "critical" nomenclature for what it is. For more on each of them, including what changed and the several security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. I also share a bit more info if you may be skipping to this from a JVM update from before Apr 2021, as well as info for users of Adobe ColdFusion (including where to find the updated Java versions from Adobe, what JVM versions Adobe CF supports, and more).

For some folks, that's all they need to hear. For others, read on for topics like:

  • Finding more info on these Oct 2022 Java updates
  • News for my CF audience (getting the Java updates from Adobe or Oracle, how to update, why you should NOT for now use Java 17 with CF, etc)
  • Should you apply the update? how soon?
  • Beware a change in the Oct 22 JVM update regarding Java no longer trusting jars signed with SHA-1
  • Beware a change in the April 2021 JVM update, if you may be skipping over it
  • Wrapping up, getting more help


Announcing Java updates of Jul 2022 for Java 8, 11, 17, and 18: resources and thoughts

Here's a heads-up that some will want to hear about: there are new JVM updates released today (Jul 19, 2022) for the current long-term support (LTS) releases of Oracle Java, 8, 11, and 17, as well as the new interim update 18. (Note that prior to Java 9, releases of Java were known technically as 1.x, so 8 is referred to in resources below as 1.8.)

TLDR: The new updates are 1.8.0_341 (aka 8u341), 11.0.16, 17.0.4, and 18.0.1 respectively. And as is generally the case with these Java updates, most of them have the same changes and fixes as each other (though not always).

Oracle calls them "critical patch updates" (yep, CPU), but they are scheduled quarterly updates, so take that "critical" nomenclature for what it is. For more on each of them, including what changed and the several security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. I also share a bit more if you may be skipping to this from a JVM update from before Apr 2021, as well as info for Adobe ColdFusion users on where to find the updated Java versions, what JVM versions Adobe CF supports, and more.

For some folks, that's all they need to hear. For others, read on for topics like:

  • Finding more info on these Jul 2022 Java updates
  • News for my CF audience (getting the Java updates from Adobe or Oracle, how to update, why you should NOT for now use Java 17, etc)
  • Should you apply the update? how soon?
  • Beware a change in the April 2021 JVM update, if you may be skipping over it
  • Wrapping up, getting more help



Copyright ©2025 Charlie Arehart