Participating Frequently
July 21, 2011
Question

Understanding Hot Fixes & Security Updates

  • 2 replies
  • 625 views

Can someone help me understand the relationship between Cumulative Hot Fixes and the hot fixes identified by "Security bulletins and advisories"?

I am reviewing the documentation associated with Cumulative Hot Fix 4 | ColdFusion 8.0.1 (http://kb2.adobe.com/cps/529/cpsid_52915.html).

It is noted under the Solution section that the jars associated with the hot fix do not include all of the security fixes, and it refers to the Additional Security Fixes section for more information. The Additional Security Fixes Information section provides instructions for applying hot fixes related to "Security", "CFIDE" and "JRun", which I assume are considered part of the cumulative hot fix but must be applied individually.

It also states: "Please see http://www.adobe.com/support/security/#coldfusion to make sure that you have installed any security updates that were released since this document was last updated."  This "Security bulletins and advisories" page lists a number of bulletins and advisories associated with ColdFusion 8.  These bulletins and advisories link to "Security updates: Hotfix..." that link to additional hot fixes.

Are these "Security update: Hotfixes..." included in the Cumulative Hot Fix 4 or do they need to be installed in addition to the Cumulative Hot Fix 4?

Do all of the "Security update: Hotfixes..." identified by the "Security bulletins and advisories" need to be installed for a particular version of ColdFusion (13 in the case of ColdFusion 8)?

As stated previously, can someone help me understand the relationship between Cumulative Hot Fixes and the hot fixes identified by "Security bulletins and advisories"?

    This topic has been closed for replies.

    2 replies

    Legend
    July 21, 2011

    Greetings,

    Patching and security fixes are indeed a vexing area. I would like to add to the thread and mention that an "up to date CF environment" would also need to include the Java that CF runs on. Refer to:

    http://kb2.adobe.com/cps/894/cpsid_89440.html

    All the best with that, Carl.

    Charlie Arehart
    Community Expert
    July 21, 2011

    Generally they are not connected, and the CHFs may or may not point out related security hotfixes. As it says, you need to keep on top of them yourself.

    Adobe is very well aware of the discontent many of us feel about this confusion, and there is talk that they are working on improvements for releases going forward. Not clear if that will ever fall back to benefit those using older releases.

    I will note that there are tools and services to help you with all this:

    http://www.hackmycf.com/ (a service, and their paid version offers management of CF security hotfixes)

    http://www.merlinmanager.com/ and the related

    http://www.codfusion.com/blog/page.cfm/projects/cfUpdater

    Hope that's helpful.

    /charlie arehart

    charlie@carehart.org

    Providing fast, remote, on-demand troubleshooting services for CF (and CFBuilder)

    More at http://www.carehart.org/consulting

    /Charlie (troubleshooter, carehart. org)