
ColdFusion (2018 release) Update 10 and ColdFusion (2016 release) Update 16 released

Adobe Employee, Jul 14, 2020

Update 7/15/2020: The Docker images for both these versions are up.

We are pleased to announce that we have released the updates for the following ColdFusion versions:

In this update, we’ve fixed a few security bugs and some other bugs, which are mentioned in the tech notes.

Charlie Arehart has written an excellent blog on the importance of securing the CAR files. Read it here.

For more information, see the tech notes below:

These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB20-43.

Please update your ColdFusion versions today. Let us know if you face any issues while installing the updates. Your feedback is essential to further enhancing the product.

Note: We’ve also updated the add-on installers.

We thank you for your continuing support.

Enthusiast, Jul 15, 2020

I applied this update today, and I see on here https://helpx.adobe.com/coldfusion/kb/coldfusion-2016-update-16.html that there is a note to delete a CAR file once I have updated, but I'm unclear as to what and where that is. Could you please clarify? Thanks.

Adobe Employee, Jul 15, 2020

Enthusiast, Jul 15, 2020

So is it saying if I ever made any CAR files to save all of my settings before this update I should discard them and create new ones, as the old CAR files contain data that either won't work or is at risk?

Community Expert, Jul 15, 2020

ACS_LLC, I offered a blog post last night anticipating and addressing your very questions. 🙂 See:

https://www.carehart.org/blog/client/index.cfm/2020/7/14/why_secure_car_files/

It was posted just a few hours before your question here, and Saurav's reply kindly pointing to other resources with more general info on the CAR file mechanism. But I knew that some would see that brief admonition in the update technotes and wonder what it was about. I have a TLDR at the top, but then fuller explanation to follow.

Also, since I know not everyone would see a post on my own blog, I offered that TLDR-level info in a post on the Adobe CF Portal (pointing to my fuller post for more):

https://coldfusion.adobe.com/2020/07/importance-of-securing-car-files/

/Charlie (troubleshooter, carehart.org)

Community Expert, Jul 15, 2020

Hi, Saurav. About that list of resources you kindly offered, I would point out that the 2nd one is merely a pointer to someone's copy of an older version of the CF docs. It's really no more helpful than the first link (the docs). BTW, about that first link (to the current docs), it's unfortunate that there's not more detail on how the CAR mechanism works, including screenshots. Those who read closely will see that it points to the CF Admin help (which most never realize even exists).

FWIW, you would do well to replace that second link with a better resource that really does show more info, including screenshots (and which is recent):

https://www.cfguide.io/coldfusion-administrator/packaging-deployment-coldfusion-archives/

I might even argue it would be better to list that first here. But please do consider removing the asanet.org link. And, while you're at it, you might want to add a link to my post from last night (which more directly addresses ASC's question); again, it's:

https://www.carehart.org/blog/client/index.cfm/2020/7/14/why_secure_car_files/

Finally, if you are going to keep the (current first) link to the docs, you could help folks by at least pointing more directly to the section in the docs on the CAR mechanism, which is:

https://helpx.adobe.com/coldfusion/configuring-administering/deploying-coldfusion-applications.html#...

Hope that's helpful.

/Charlie (troubleshooter, carehart.org)

Enthusiast, Jul 16, 2020

Thanks for the blog post Charlie, much appreciated.

OK, I get it now: it was not so much related to files created by that particular upgrade, but just about the usage of CAR files and how they can be easily exploited.

I like to keep a copy should I ever have to reinstall the server; it's good to have all of the settings saved and easily reimported. I have mine in a secure ZIP file on a BitLocker-encrypted drive, so I think I'm in good shape. Good point on the transfer though, making sure that SFTP is used to avoid any interception.