Cumulative Hot Fix 4 for 8.0.1

A new cumulative hot fix for ColdFusion 8.0.1 has been released. This is number four. Details and download may be found here:

You may remember that the last CHF fix did not include security fixes. Oddly, this one includes two fixes. However, I have to ask (and will post back if I hear an answer) what the official word on this is. I was told last time that it was not policy to include security fixes in CHF. So was that policy changed? Are all the security fixes in this one or only some? Is a user "safe" if they install a virgin CF8 and then apply this CHF?

About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos.

Archived Comments

Comment 1 by Daniel Budde posted on 12/3/2009 at 8:32 PM

I sure hope they are doing one or the other and not some odd mix. Makes keeping the security updates applied correctly that much harder.

Comment 2 by Jedt S. posted on 12/3/2009 at 10:32 PM

Yeah. Agree.
Keeping CF updated is not clear enough.

If I have CHF 2, should I use 4 without installing CHF 3? Or if I have a clean CF8, should I install CHF from 1-4 or just skip to 4?

Not clear from the Adobe doc.

Comment 3 by Rob W posted on 12/4/2009 at 1:37 AM

Would it be safe to assume these fixes are present in CF9?

Comment 4 by Raymond Camden posted on 12/4/2009 at 2:44 AM

No. You should double check.

Comment 5 by Brad Wood posted on 12/4/2009 at 3:26 AM

Man, I'm still waiting for the day when I log into CF Administrator and it automatically checks and tells me when I am out-of-date. Heck even blogCFC does that nowadays. :)

Comment 6 by Marc posted on 12/4/2009 at 4:42 AM

It seems Bug ID 78646 "Fix for the security vulnerability with ColdFusion accepting the CFID/CFTOKEN provided by the user to create a new session." is a new security fix not available as a standalone download (

Also, how can you find the corresponding KB article (such as for a Bug Id?

Comment 7 by Asha posted on 12/4/2009 at 2:39 PM

In order to clear the confusion around ColdFusion 8.0.1 CHF4 -

1) You need to remove all the previous cumulative hotfixes released for ColdFusion 8.0.1 and only apply Cumulative hotfix 4. CHF4 includes all the fixes included in previous cumulative hot fixes.
2) There is no new security fix included in CHF4 which has not been released publicly.
3) We will update the technote to clear the confusion regarding security fixes soon; we are in the process.
4) If any of the fixes are not present in ColdFusion 9, we will release a cumulative hotfix for ColdFusion 9 soon with those fixes.

Please let us know if you have any other queries.

Adobe ColdFusion Team.

Comment 8 by Derek posted on 12/4/2009 at 10:20 PM

So, we applied this fix after we had installed FusionReactor and now the CF stops responding to requests. Any ideas?

Comment 9 by Derek posted on 12/4/2009 at 10:21 PM

I should add, not right away, it works for an hour or so, then stops.

Comment 10 by Raymond Camden posted on 12/4/2009 at 10:31 PM

Not from me - all my boxes (except one) are CF9 now. You may want to call Adobe Support.

Comment 11 by dasfx posted on 12/5/2009 at 12:28 AM

Someday Adobe will get this right. *sigh*

@Asha: Ok, so where is the download for the session fixation vuln? Would that be APSB07-19? And the FCKEditor issue (isn't that missing a 'u'?) would that be APSB09-09? Does Adobe see that there is a problem here? That maybe the CHF docs need to have links to the individual hotfixes/security hotfixes so that people have an idea of what they are installing? Perhaps links to the KB/Technote articles on the bugs being fixed? Added bonus: as I am writing this, the 8.0.1 CHF 4 link is not on the ColdFusion Hot Fixes page (

Comment 12 by Swathi Chitteddi posted on 12/8/2009 at 12:11 AM

We have added changes to the Cumulative hotfix 4 technote explaining security fixes added to the cumulative hotfix.