Raymond Camden's Blog Rss

Cumulative Hot Fix 4 for 8.0.1

12

Posted in ColdFusion | Posted on 12-03-2009 | 2,583 views

A new cumulative hot fix for ColdFusion 8.0.1 has been released. This is number four. Details and download may be found here: http://kb2.adobe.com/cps/529/cpsid_52915.html

You may remember that the last CHF fix did not include security fixes. Oddly, this one includes two fixes. However, I have to ask (and will post back if I hear an answer) what the official word on is this. I was told last time that it was not policy to include security fixes in CHF. So was that policy changed? Are all the security fixes in this one or only some? Is a user "safe" if they install a virgin CF8 and then apply this CHF?

Comments

[Add Comment] [Subscribe to Comments]

Daniel Budde said on 12-03-2009 at 9:32 AM #
I sure hope they are doing one or the other and not some odd mix. Makes keeping the security updates applied correctly that much harder.
Jedt S. said on 12-03-2009 at 11:32 AM #
yeah. agree.
keeping update CF is not clear enough.

if i've CHF 2, should i use 4 without insthall CHF 3? or if I have a clean CF8, should i install CHF from 1-4 or just skip to 4?

not clear from Adobe doc
Rob W said on 12-03-2009 at 2:37 PM #
Would it be safe to assume these fixes are present in CF9?
Raymond Camden said on 12-03-2009 at 3:44 PM #
No. You should double check.
Brad Wood said on 12-03-2009 at 4:26 PM #
Man, I'm still waiting for the day when I log into CF Administrator and it automatically checks and tells me when I am out-of-date. Heck even blogCFC does that nowadays. :)
Marc said on 12-03-2009 at 5:42 PM #
It seems Bug ID 78646 "Fix for the security vulnerability with ColdFusion accepting the CFID/CFTOKEN provided by the user to create a new session." is a new security fix not available as a standalone download (http://www.adobe.com/support/security/#coldfusion)

Also how can you find the correspond KB article (such as http://kb2.adobe.com/cps/403/kb403411.html) for a Bug Id?
Asha said on 12-04-2009 at 3:39 AM #
In order to clear the confusion around ColdFusion 8.0.1 CHF4 -

1)You need to remove all the previous cumulative hotfixes released for ColdFusion8.0.1 and only apply Cumulative hotfix 4.CHF4 includes all the fixes included in previous cumulative hot fixes.
2)There is no new security fix included in CHF4 which has not been released publicly.
3)We will update the technote http://kb2.adobe.com/cps/529/cpsid_52915.html to clear the confusion regarding security fixes soon we are in the process.
4)If any of the fixes are not present in ColdFusion9 we will release cumulative hotfix for ColdFusion9 soon with those fixes.

Please let us know if you have any other queries.


Thanks,
Asha
Adobe ColdFusion Team.
Derek said on 12-04-2009 at 11:20 AM #
So, we applied this fix after we had installed FusionReactor and now the CF stops responding to requests. Any ideas?
Derek said on 12-04-2009 at 11:21 AM #
I should add, not right away, it works for an hour or so, then stops.
Raymond Camden said on 12-04-2009 at 11:31 AM #
Not from me - all my boxes (except one) are CF9 now. You may want to call Adobe Support.
dasfx said on 12-04-2009 at 1:28 PM #
Someday Adobe will get this right. *sigh*

@Asha: Ok, so where is the download for the session fixation vuln? Would that be APSB07-19? And the FCKEditor issue (isn't that missing a 'u'?) would that be APSB09-09? Does Adobe see that there is a problem here? That maybe the CHF docs need to have links to the individual hotfixes/security hotfixes so that people have an idea of what they are installing? Perhaps links to the KB/Technote articles on the bugs being fixed? Added bonus: as I am writing this, the 8.0.1 CHF 4 link is not on the ColdFusion Hot Fixes page (http://kb2.adobe.com/cps/402/kb402604.html).
Swathi Chitteddi said on 12-07-2009 at 1:11 PM #
Hi,
We have added changed to the Cumulative hotfix 4 technote explaining security fixes added to the cumulative hotfix.
http://kb2.adobe.com/cps/529/cpsid_52915.html
Thanks,
Swathi.

[Add Comment] [Subscribe to Comments]