CFForm controls signature expires in 2 days on 5-20-2010

Report · May 17, 2010

I have submitted this issue multiple times to Adobe via report a security problem and wishlist for the past 6 months and nothing has been done yet. On 5-20-2010 the CFForm controls certificate expires 2010-05-20 per article b9c2d61c

Steps to reproduce bug:

1. Open a ColdFusion webpage that contains a cfform control using a browser and JVM that does not have a local copy of cfapplets.jar

2. Computer date is set to or after May 20, 2010

3. User is warned that certificate is expired or invalid and should/must decline installation.

Results: Users will be warned and potentially blocked from using any cfform applets without accepting expired certificate, users will not trust website.

Expected results: Adobe should provide updated jar file per http://go.adobe.com/kb/ts_b9c2d61c_en-us with certificate expiration well after end of extended support (2012-02-07). I recommend a certificate expiration date of 2016-12-31, the end of extended support for ColdFusion 9.x.

PS Adobe should fix the bug http://cfbugs.adobe.com/cfbugreport/flexbugui/cfbugtracker/main.html#bugId=79876 that exists in the CFGrid control too affecting versions 7.0.2 - 9!

Report · May 19, 2010

We've just published a tech note with an updated cfapplets.jar at the following location:

http://kb2.adobe.com/cps/845/cpsid_84585.html

Report · May 19, 2010

Thank you for getting this issue fixed before the deadline, and signing the new jar without an expiration date. I hope Adobe will perform a code review to find other similiar issues and issue fixes more than 24 hours before they expire.

CFForm controls signature expires in 2 days on 5-20-2010

1 Correct answer