portal entry

select a category, or use search below
(searches all categories and all time range)

ColdFusion (2018 release) Update 9 and ColdFusion (2016 release) Update 15 released

| View in Portal
April 14, 2020 03:50:39 PM GMT
1 Comment
<p>We are pleased to announce that we have released the updates for the following ColdFusion versions: ColdFusion (2018 release) Update 9 ColdFusion (2016 release) Update 15 In this update, apart from fixing the security vulnerabilities, we’ve also added SameSite cookie support for cfcookie. For more information, see the tech notes below: ColdFusion (2018 release) Update 9 ColdFusion (2016 release) Update 15 These updates fix security vulnerabilities that are mentioned in the security bulletin,  APSB20-18. Please update your ColdFusion versions today. Let […]</p>
<p>The post <a rel="nofollow" href="https://coldfusion.adobe.com/2020/04/coldfusion-2018-release-update-9-coldfusion-2016-release-update-15-released/">ColdFusion (2018 release) Update 9 and ColdFusion (2016 release) Update 15 released</a> appeared first on <a rel="nofollow" href="https://coldfusion.adobe.com">ColdFusion</a>.</p>
Labels: Blog, CF2018 Updates, coldfusion 2016 update 14, coldfusion 2018 update 9, coldfusion samesite attribute, ColdFusion security updates, samesite attribute support


<p>Great to see the new updates, both addressing security issues and the samesite cookie issue.</p><p>That said, it’s quite unfortunate to see that the Tomcat version (underlying CF server) is STILL not updated. (To be clear, I applied update 9 for CF2016 and can confirm that the CF Admin “settings summary” page still shows the Tomcat version as 9.0.21, which is from June 2019! I’m sure the same is true for CF2016 and its use of Tomcat 8.)</p><p>There have been over a dozen tomcat updates since then (to 8 and 9), including an important security one in Tomcat 9.0.31 (from Feb 11) that Pete Freitag’s awesome “HackMyCF” tool keeps pointing out that we are missing–but we can’t update Tomcat ourselves. We need Adobe to do it.  What’s the holdup? (I am pretty sure there’s an equivalent concern regarding Tomcat 8 on CF2016, but I don’t have ready access to the version number he would highlight.)</p><p>(I will point out that the previous update, in March, DID at least address ONE of the main Tomcat security concerns, in its updating of the Tomcat web server connector. That was great to see, but as I <a href="https://www.carehart.org/blog/client/index.cfm/2020/3/20/how_and_why_sites_may_break_after_Mar_2020_CF_updates/" rel="nofollow">blogged about</a> at the time, it did indeed ONLY address that one issue, without actually implementing an update of Tomcat or the Tomcat version itself.)</p>
Comment by Charlie Arehart
4731 | April 14, 2020 05:07:03 PM GMT