Update 7/15/2020: The Docker images for both these versions are up.
We are pleased to announce that we have released the updates for the following ColdFusion versions:
In this update, we’ve fixed a few security bugs and some other bugs, which are mentioned in the tech notes.
Charlie Arehart has written an excellent blog on the importance of securing the CAR files. Read it here.
For more information, see the tech notes below:
These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB20-43.
Please update your ColdFusion versions today. Let us know if you face any issues while installing the updates. Your feedback is essential to further enhancing the product.
Note: We’ve also updated the add-on installers.
We thank you for your continuing support.
I applied this update today, and I see here https://helpx.adobe.com/coldfusion/kb/coldfusion-2016-update-16.html that there is a note to delete a CAR file once I have updated, but I'm unclear as to what and where that is. Could you please clarify? Thanks.
Edited 7/16/2020: Thank you, Charlie, for your suggestions!
Here are some resources:
Thanks,
Saurav
So is it saying that if I ever made any CAR files to save all of my settings before this update, I should discard them and create new ones, as the old CAR files contain data that either won't work or is at risk?
ACS_LLC, I offered a blog post last night anticipating and addressing your very questions. 🙂 See:
https://www.carehart.org/blog/client/index.cfm/2020/7/14/why_secure_car_files/
It was posted just a few hours before your question here, and before Saurav's reply kindly pointing to other resources with more general info on the CAR file mechanism. But I knew that some would see that brief admonition in the update tech notes and wonder what it was about. I have a TL;DR at the top, and then a fuller explanation follows.
Also, since I know not everyone would see a post on my own blog, I offered that TL;DR-level info in a post on the Adobe CF Portal (pointing to my fuller post for more):
https://coldfusion.adobe.com/2020/07/importance-of-securing-car-files/
Hi, Saurav. About that list of resources you kindly offered, I would point out that the second one is merely a pointer to someone's copy of an older version of the CF docs. It's really no more helpful than the first link (the docs). BTW, about that first link (to the current docs), it's unfortunate that there's not more detail on how the CAR mechanism works, including screenshots. Those who read closely will see that it points to the CF Admin help (which most never realize even exists).
FWIW, you would do well to replace that second link with a better resource that really does show more info, including screenshots (and which is recent):
https://www.cfguide.io/coldfusion-administrator/packaging-deployment-coldfusion-archives/
I might even argue it would be better to list that first here. But please do consider removing the asanet.org link. And while you're at it, you might want to add a link to my post from last night (which more directly addresses ASC's question); again, it's:
https://www.carehart.org/blog/client/index.cfm/2020/7/14/why_secure_car_files/
Finally, if you are going to keep the (current first) link to the docs, you could help folks by at least pointing more directly to the section in the docs on the CAR mechanism, which is:
Hope that's helpful.
Thanks for the blog post, Charlie, much appreciated.
OK, I get it now: it was not so much related to files created by that particular upgrade, but about the usage of CAR files in general and how they can be easily exploited.
I like to keep a copy should I ever have to reinstall the server; it's good to have all of the settings saved and easily re-imported. I have mine in a secure ZIP file on a BitLocker-encrypted drive, so I think I'm in good shape. Good point on the transfer, though, making sure that SFTP is used to avoid any interception.
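The thread's practical advice boils down to two things: a CAR file holds CF Administrator settings, so treat it as sensitive, and the update tech note says to delete it once the settings are re-imported. The script below is an added example, not code from the thread, Adobe, or the linked blog posts. It walks a directory for leftover `.car` files and reports the two exposures a defender cares about most: sitting inside a web root (where it can be fetched over HTTP) and being readable by other local accounts. The search directory and the list of web roots are assumed inputs supplied by the caller; the demo tree it builds contains constructed placeholder files, not real archives.

```python
import shutil
import stat
import tempfile
from pathlib import Path

# Added example (not from the thread, Adobe, or the linked blog posts): audit
# leftover ColdFusion Archive (.car) files, which carry CF Administrator
# settings and are therefore sensitive. Assumed inputs: a directory to search
# and the list of web roots that the server exposes over HTTP.

ISSUE_WEB_ROOT = "inside-web-root"      # downloadable by anyone who guesses the URL
ISSUE_WORLD_READ = "world-readable"     # any local account can read it
ISSUE_GROUP_READ = "group-readable"     # accounts sharing the group can read it


def _under(path, roots):
    """True if path equals, or is nested below, any of the given directories."""
    return any(path == root or root in path.parents for root in roots)


def audit_car_files(search_root, web_roots):
    """Walk search_root for *.car files and report where each one is exposed.

    Returns a list of dicts with name, path, issues (ISSUE_* codes) and a
    severity: 'high' (web-accessible), 'medium' (readable by other local
    users) or 'ok' (no finding; still delete it once the settings are
    re-imported, as the update tech note advises).
    """
    roots = [Path(r).resolve() for r in web_roots]
    findings = []
    for car in sorted(Path(search_root).rglob("*.car")):
        path = car.resolve()
        mode = path.stat().st_mode
        issues = []
        if _under(path, roots):
            issues.append(ISSUE_WEB_ROOT)
        if mode & stat.S_IROTH:
            issues.append(ISSUE_WORLD_READ)
        if mode & stat.S_IRGRP:
            issues.append(ISSUE_GROUP_READ)
        if ISSUE_WEB_ROOT in issues:
            severity = "high"
        elif issues:
            severity = "medium"
        else:
            severity = "ok"
        findings.append({"name": path.name, "path": str(path),
                         "issues": issues, "severity": severity})
    return findings


def build_demo_tree():
    """Create a throwaway layout with constructed sample files (not real archives)."""
    root = Path(tempfile.mkdtemp(prefix="car_audit_"))
    webroot = root / "wwwroot"
    backups = root / "backups"
    webroot.mkdir()
    backups.mkdir()
    exposed = webroot / "settings.car"          # forgotten in the web root, 0644
    exposed.write_bytes(b"constructed sample, not a real CAR archive")
    exposed.chmod(0o644)
    locked = backups / "settings-2020-07.car"   # owner-only, outside the web root
    locked.write_bytes(b"constructed sample, not a real CAR archive")
    locked.chmod(0o600)
    return root, webroot


def run_demo():
    """Build the sample tree, audit it, clean up, and return the findings."""
    root, webroot = build_demo_tree()
    try:
        return audit_car_files(root, [webroot])
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['severity']:6} {f['path']}  {', '.join(f['issues']) or '-'}")
```

On a real server you would call `audit_car_files` with the ColdFusion install directory and the web root(s) the server publishes; anything flagged `high` should be moved out of the web root immediately, and every hit, flagged or not, is a candidate for the deletion the tech note calls for once its settings have been re-imported. Permission checks use POSIX mode bits, so on Windows the location check is the meaningful one and folder ACLs (or the encrypted-volume approach described above) do the rest.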