ColdFusion (2018 release) Update 10 and ColdFusion (2016 release) Update 16 released

July 14, 2020 02:10:33 PM GMT
<p>We are pleased to announce that we have released the updates for the following ColdFusion versions: ColdFusion (2018 release) Update 10; ColdFusion (2016 release) Update 16. In this update, we’ve fixed a few security bugs and some other bugs, which are mentioned in the tech notes. For more information, see the tech notes below: ColdFusion (2018 release) Update 10; ColdFusion (2016 release) Update 16. These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB20-43. Please update your ColdFusion […]</p>
<p>The post <a rel="nofollow" href="https://coldfusion.adobe.com/2020/07/coldfusion-2018-release-update-10-and-coldfusion-2016-release-update-16-released/">ColdFusion (2018 release) Update 10 and ColdFusion (2016 release) Update 16 released</a> appeared first on <a rel="nofollow" href="https://coldfusion.adobe.com">ColdFusion</a>.</p>
Labels: Announcements, Blog, CF2018 Updates, Updates, bug fix update, coldfusion 2016 update 16, coldfusion 2018 update 10, ColdFusion security updates, security update


<p>I’d like to add two points of clarification here:</p><p>First, it’s worth mentioning also that the Adobe CF Docker images for CF2018 and 2016 were updated today as well (<a href="https://bintray.com/eaps/coldfusion/cf%3Acoldfusion" rel="nofollow">https://bintray.com/eaps/coldfusion/cf%3Acoldfusion</a>).</p><p>Second, if you read <a href="https://helpx.adobe.com/coldfusion/kb/coldfusion-2018-update-10.html" rel="nofollow">the technote for the update</a> (not <a href="https://helpx.adobe.com/security/products/coldfusion/apsb20-43.html" rel="nofollow">the security bulletin</a>), you will see a new admonition to delete any "CAR files" once used (this CAR mechanism is a feature to export admin settings from one CF instance to another).  I can offer some clarification on that new admonition.</p><p>And in fact, I started to write it here but it became too lengthy and I will create a blog post instead. That may also help some become aware of the issue who would not see this comment. When I have created it, I will add a link to it here.</p>
Comment by Charlie Arehart
4786 | July 14, 2020 04:17:32 PM GMT
<p>Problem with the 32-bit add-on installer download for CF 2016:</p><p>ColdFusion_2016_Addon_win.exe does not have a digital signature.</p>
Comment by Legorol San
4787 | July 14, 2020 04:23:47 PM GMT
Hi, Let me verify this. -Priyank
4788 | July 14, 2020 05:48:49 PM GMT
I'd be curious to hear, Legorol (and/or Priyank), how one would use such a signature if there was one. Of course, I realize that the CF updates download mechanism in the CF Admin DOES use a signature verification (which is NOT used if one just downloads the update jar files manually). But since the add-on installer files would by their nature be run outside of the CF Admin (meant as they are to add functionality on a server that might not even HAVE CF installed), I am just curious how you would have used such a digital signature if there was one. Is there perhaps some tool to help with that? I see none mentioned on <a href="https://www.adobe.com/support/coldfusion/downloads.html#cf2016builderdevtools" rel="nofollow">the page where one would download that installer</a>. My question is sincere. No snarkiness intended. :-)
Comment by Charlie Arehart
4789 | July 14, 2020 06:27:28 PM GMT
<p>Charlie, very good question and I'll be happy to elaborate, especially because the answer is not specific to ColdFusion and it's good to be generally aware of it. Please excuse me if anything in this answer is obvious to you, I'm addressing it to a general audience in case someone else reads this.</p>
<p>In Windows, an executable (.exe) file can have a digital signature, or more precisely a code signing certificate, embedded as part of the file itself. This allows the operating system and other applications to automatically verify the authenticity and integrity of the file. Users can also manually verify the digital signature using Windows features, without using any additional tools. When a user tries to run an executable that does not have a signature, especially for setup/installer files, they get a warning prompt in Windows.</p>
<p>To see if an executable file has a digital signature and to verify it manually, navigate to the executable in File Explorer, and open its Properties (e.g. with right-click > Properties). If it has a digital signature, then a Digital Signatures tab is present with various useful information. Select an entry in the Signature list, and click the Details button. This gives additional information about the specific signature, verifies it and shows a message "This digital signature is OK", if it is the case. This is at least as strong a verification as checking a hash of the file (e.g. SHA-256) against a known value.</p>
<p>It is common practice (and indeed very much recommended) that software developers attach a digital signature to executables that are shipped to end-users, especially for setup/installer files. This has many advantages in addition to being able to manually verify a downloaded file. For example, anti-virus software is typically much more strict with executables that don't have a signature.</p>
<p>The signature, or more precisely the code signing certificate, uses standard Public Key Infrastructure. The certificate is counter-signed by a certificate authority in the same way as an SSL certificate. The operating system verifies the authenticity of the certificate using a certificate chain up to the trusted root certificates installed on the system, in the same way as it does for an SSL certificate.</p>
<p>ColdFusion installers have included a digital signature at least as far back as CF 10 (which is the oldest one I have access to). This applies to all additional downloads as well, e.g. API manager and add-on services installers.</p>
Comment by Legorol San
4790 | July 15, 2020 12:05:37 AM GMT
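The manual Properties-dialog check described in the comment above can also be scripted for a batch of downloaded installers. The PowerShell below is an added example, not part of the original thread or of Adobe's tooling; the function name `Test-InstallerSignature` is hypothetical and the publisher value is a placeholder to be replaced with the name you expect in the signer certificate.

```powershell
# Added example. Test-InstallerSignature is a hypothetical helper name.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # Common name expected in the signer certificate (assumption: supplied by the caller).
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    foreach ($file in $Path) {
        # Verifies the embedded Authenticode signature and the chain to a trusted root.
        # Status is Valid, NotSigned, HashMismatch, NotTrusted, and so on.
        $sig    = Get-AuthenticodeSignature -FilePath $file
        $signer = $sig.SignerCertificate
        $cn     = if ($signer) { $signer.GetNameInfo($simpleName, $false) } else { $null }

        [pscustomobject]@{
            File        = Split-Path -Leaf $file
            Status      = $sig.Status
            SignerCN    = $cn
            Thumbprint  = if ($signer) { $signer.Thumbprint } else { $null }
            # A timestamp countersignature keeps the signature verifiable after the cert expires.
            Timestamped = [bool]$sig.TimeStamperCertificate
            # Hash is reported as well, for comparison against a published value if one exists.
            SHA256      = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            # Trusted only if the signature is valid AND the signer is the expected publisher.
            Trusted     = ($sig.Status -eq 'Valid') -and ($cn -eq $ExpectedPublisher)
        }
    }
}

# Placeholder publisher value; the file name is the one reported earlier in this thread.
$results = Test-InstallerSignature -Path .\ColdFusion_2016_Addon_win.exe `
                                   -ExpectedPublisher '<expected publisher CN>'
$results | Format-List
if ($results.Trusted -contains $false) {
    Write-Warning 'At least one installer is unsigned, invalid, or signed by an unexpected publisher.'
}
```

An unsigned file such as the one reported above would show `Status : NotSigned` with empty signer fields, so `Trusted` is false.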
Thanks for all that. I was clearly not aware. :) I guess since the cf installers have always had them, I'd never come across this. As for other software, I suppose this may explain why I've seen those "don't run" errors in some installers. Since I always trusted where I've gotten them, I didn't press to find that this was perhaps the explanation. Again, Thanks for informing me and for pressing Adobe to resolve this.
Comment by Charlie Arehart
4791 | July 15, 2020 01:26:38 AM GMT
Are there any details on what was changed in the add-on installers? I don't see that in the tech notes — only that the PMT components of the CF server were updated.
Comment by brian.klaas
4802 | July 17, 2020 06:04:44 PM GMT
Brian, the add-ons contain the same security fixes that are present in the update jars for both the versions. Thanks.
Comment by SauravGhosh
4803 | July 19, 2020 07:11:56 AM GMT
Just a note that the Java 8.261 JDK files are not linked properly (file not found) on your website <a href="https://www.adobe.com/support/coldfusion/downloads.html?1#additionalThirdPartyInstallers" rel="nofollow">https://www.adobe.com/support/coldfusion/downloads.html?1#additionalThirdPartyInstallers</a> in particular Java 8.261 windows64 exe file and also the others as well <a href="http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u261/jdk-8u261%20-windows-x64.exe" rel="nofollow">http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u261/jdk-8u261%20-windows-x64.exe</a> MRC  
4806 | July 22, 2020 11:20:35 PM GMT
I am working with team to get the links to work. Please stand by.
4807 | July 23, 2020 01:56:49 AM GMT
Still not working: "The requested URL /pub/coldfusion/java/java8/JDK8u261/jdk-8u261-windows-x64.exe was not found on this server."
4809 | July 24, 2020 05:43:40 PM GMT
Michael, I can confirm what you're reporting. All the downloads for the Java 8 update 261 (jdk's and jre's) do fail with "not found" (not just that Windows 64-bit one). And FWIW, the links for Java 11 update 8 (which was also new last week) DO work. And I have compared the URLs to the 251 update links (which do work) and it seems the URLs for 261 are "right", so it must simply be that the files are not there. (There's a problem with the first two jdk links for 261, and it's true for 251 as well. I will create a new note, so that it stands out from this simple "confirmation" and so that Adobe might attend to it.)
Comment by Charlie Arehart
4810 | July 24, 2020 09:59:15 PM GMT
Adobe folks, there are some additional problems on the Java downloads page (beyond those mentioned by Michael and others in other comments here). Please note that the first two jdk links for updates 261 and 251 mistakenly refer to "241" in their links:
http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u241/jdk-8u261-linux-i586.rpm
http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u241/jdk-8u261-linux-i586.tar.gz
and
http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u241/jdk-8u251-linux-i586.rpm
http://download.macromedia.com/pub/coldfusion/java/java8/JDK8u241/jdk-8u251-linux-i586.tar.gz
Comment by Charlie Arehart
4811 | July 24, 2020 10:03:55 PM GMT