A new cumulative hot fix for ColdFusion 8.0.1 has been released. This is number four. Details and download may be found here: http://kb2.adobe.com/cps/529/cpsid_52915.html
You may remember that the last CHF did not include security fixes. Oddly, this one includes two fixes. However, I have to ask (and will post back if I hear an answer) what the official word on this is. I was told last time that it was not policy to include security fixes in a CHF. So was that policy changed? Are all the security fixes in this one or only some? Is a user "safe" if they install a virgin CF8 and then apply this CHF?
Archived Comments
I sure hope they are doing one or the other and not some odd mix. Makes keeping the security updates applied correctly that much harder.
Yeah. Agree.
Keeping CF updated is not clear enough.
If I've CHF 2, should I use 4 without installing CHF 3? Or if I have a clean CF8, should I install CHF from 1-4 or just skip to 4?
Not clear from the Adobe doc.
Would it be safe to assume these fixes are present in CF9?
No. You should double check.
Man, I'm still waiting for the day when I log into CF Administrator and it automatically checks and tells me when I am out-of-date. Heck even blogCFC does that nowadays. :)
It seems Bug ID 78646 "Fix for the security vulnerability with ColdFusion accepting the CFID/CFTOKEN provided by the user to create a new session." is a new security fix not available as a standalone download (http://www.adobe.com/suppor...
Also, how can you find the corresponding KB article (such as http://kb2.adobe.com/cps/40... for a Bug ID?
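The CFID/CFTOKEN behaviour named in Bug ID 78646 above, modelled as an added example (not Adobe's or ColdFusion's code): a toy session store that either adopts an unknown client-supplied pair as a new session or ignores it and issues its own, plus a check a defender can run to see whether a pre-chosen pair ends up shared. The class and function names, and the cookie values, are assumptions constructed for illustration.

```python
import secrets


class SessionStore:
    """Toy server-side session table keyed by a (CFID, CFTOKEN) pair.
    Constructed for illustration; this is not ColdFusion's implementation."""

    def __init__(self, accept_client_ids):
        self.accept_client_ids = accept_client_ids  # True = vulnerable mode
        self.sessions = {}  # (cfid, cftoken) -> dict of session data

    def _new_pair(self):
        # Server-chosen identifiers the client cannot predict.
        return str(secrets.randbelow(10**6)), secrets.token_hex(16)

    def resolve(self, cookie_cfid, cookie_cftoken):
        """Return the (cfid, cftoken) pair this request runs under."""
        key = (cookie_cfid, cookie_cftoken)
        if key in self.sessions:
            return key  # known, server-issued session
        if self.accept_client_ids and None not in key:
            # Behaviour described in Bug ID 78646: an unknown pair supplied
            # by the client is adopted as a brand-new session.
            self.sessions[key] = {}
            return key
        # Hardened behaviour: unknown client-supplied identifiers are
        # ignored and a fresh server-chosen pair is issued instead.
        key = self._new_pair()
        self.sessions[key] = {}
        return key


def resists_fixation(store):
    """Check: a pre-chosen pair is presented by a first client, who then
    authenticates; a second client presents the same pair. Returns True
    when the second client does NOT land in the first client's session."""
    planted = ("1234", "deadbeefdeadbeef")  # constructed sample cookie values
    first_key = store.resolve(*planted)
    store.sessions[first_key]["user"] = "alice"
    second_key = store.resolve(*planted)
    return store.sessions[second_key].get("user") != "alice"


if __name__ == "__main__":
    print("vulnerable store resists fixation:", resists_fixation(SessionStore(True)))
    print("hardened store resists fixation:", resists_fixation(SessionStore(False)))
```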
In order to clear the confusion around ColdFusion 8.0.1 CHF4 -
1) You need to remove all the previous cumulative hotfixes released for ColdFusion 8.0.1 and only apply Cumulative hotfix 4. CHF4 includes all the fixes included in previous cumulative hot fixes.
2) There is no new security fix included in CHF4 which has not been released publicly.
3) We will update the technote http://kb2.adobe.com/cps/52... soon to clear the confusion regarding security fixes; we are in the process.
4) If any of the fixes are not present in ColdFusion 9, we will release a cumulative hotfix for ColdFusion 9 soon with those fixes.
Please let us know if you have any other queries.
Thanks,
Asha
Adobe ColdFusion Team.
So, we applied this fix after we had installed FusionReactor and now the CF stops responding to requests. Any ideas?
I should add, not right away, it works for an hour or so, then stops.
Not from me - all my boxes (except one) are CF9 now. You may want to call Adobe Support.
Someday Adobe will get this right. *sigh*
@Asha: Ok, so where is the download for the session fixation vuln? Would that be APSB07-19? And the FCKEditor issue (isn't that missing a 'u'?) would that be APSB09-09? Does Adobe see that there is a problem here? That maybe the CHF docs need to have links to the individual hotfixes/security hotfixes so that people have an idea of what they are installing? Perhaps links to the KB/Technote articles on the bugs being fixed? Added bonus: as I am writing this, the 8.0.1 CHF 4 link is not on the ColdFusion Hot Fixes page (http://kb2.adobe.com/cps/40....
Hi,
We have added changes to the Cumulative hotfix 4 technote explaining the security fixes added to the cumulative hotfix.
http://kb2.adobe.com/cps/52...
Thanks,
Swathi.