In this case, it's about if you use CF encryption-related functions, the default encryption algorithm is changing--and that means that those who encrypt/decrypt (or hash or randomize) data in their apps MUST take steps before applying this updates. For more, read on.

[....Continue Reading....]

And it seems easily solved: they should just list the installed version on its own line on the page, above the dropdown.

If you agree that this should be addressed, please do add a vote at the tracker ticket I just posted:

https://tracker.adobe.com/#/view/CF-4221716

Sometimes Adobe only implements changes if many ask for it (though sadly, as in this case, some just grumble at an annoyance they may hit only rarely and they move on without ever reporting it. I didn't find anyone else having reported this there, before I created my ticket.)

If you need more info to understand the problem, I'll save you going to look at the ticket by repeating here what I wrote there:

[....Continue Reading....]

TLDR: The new updates are 1.8.0_411 (aka 8u411), 11.0.23, 17.0.11, 21.0.3, and 22.0.1 respectively). Crazy that there are now 5 current Java releases, I realize. More below, including more on each of them including what changed and the security fixes they each contain (including their CVE scores regarding urgency of concerns), offered in Oracle resources I list below. Oracle calls these updates "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so that "critical" nomenclature may sometimes be a bit overstated. And as is generally the case with these Java updates, most of them have the same changes and fixes across the four JVM versions, though not always.

For some folks, that's all they need to hear. For others, read on.

[....Continue Reading....]

It's very important that people read the technote before "just applying this update". There is a very important (and fundamental) change in how CFML processes variables, with regard to searching for scopes when no scope is indicated on a variable name. It's NOT that you "must scope all your variables", as some are asserting. But it's still almost certainly a BREAKING change in many CF apps, if they use unscoped variables under certain conditions (that I discuss below). The change is for the sake of security, but it's just one aspect of the security fixes in this update.

Anyway, there are 3 things you can consider doing to rectify/work-around this breaking change, as I discuss below (or see the update technote, for this and more). And you may reasonably wonder what the implications would be of using the workarounds. You may also wonder if this scope matter relates to the CVE listed in the APSB (linked to below). That's currently unclear. It does not. As well, note that the Adobe security bulletin (link below) shows the security fix to be only a P3 (priority 3, the lowest severity), not a P1 (priority 1, the highest), though it IS regarded as "critical".¹

But then there are still other aspects of the update beyond this scope matter, and you should be aware of those also.

For more, read on.

[....Continue Reading....]

[....Continue Reading....]

But some people seem to notice when news is shared of a recording being made available, so here you go.:-) These are 4 sessions I've done in Jan 2024 and Dec 2023.

[....Continue Reading....]

So I'll be presenting a talk on this topic, online this Thursday, at noon US Eastern, on the CFMeetup youtube livestream (which will be recorded). Folks who are members of the Online ColdFusion Meetup will have already gotten email notification about this, including the meeting URL, but for those who are not members here are the details:

[....Continue Reading....]

So I will be presenting presented a talk on this topic, online this Thursday, at noon US Eastern, on the CFMeetup youtube livestream (which will be was recorded). Folks who are members of the Online ColdFusion Meetup will already have gotten notification about this, but for those who are not, here are the details:

[....Continue Reading....]

And as important, if you may have skipped some Java updates before this one, there are some additional points to consider regarding some potentially important changes in updates you may be skipping.

In this post, I cover several topics in both those areas.

[....Continue Reading....]

TLDR: The new updates are 1.8.0_401 (aka 8u401), 11.0.22, 17.0.10, and 21.0.2 respectively). For more on each of them, including what changed and the security fixes they each contain (including their CVE scores regarding urgency of concerns), see the Oracle resources I list below. Oracle calls them "critical patch updates" (yep, CPU), but they are in fact scheduled quarterly updates, so that "critical" nomenclature may sometimes be a bit overstated. Again, more details below. And as is generally the case with these Java updates, most of them have the same changes and fixes across the four JVM versions, though not always.

For some folks, that's all they need to hear. For others, read on.

[....Continue Reading....]