We are pleased to announce that we have released the updates for the following ColdFusion versions:
Note: The ColdFusion (2021 release) installers have also been refreshed with this update. The new server installers bundle Update 2 and JDK 11.0.11. The ColdFusion Add-Ons and other installers are bundled with JDK 11.0.11. The refreshed installers are available at ColdFusion downloads.
In these updates, we’ve fixed a few security bugs and some other bugs, which are mentioned in the tech notes.
These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB21-75.
In addition, Update 2 of ColdFusion 2021 features the following:
For more information, see the tech notes for ColdFusion 2021 Update 2.
The Docker images will be hosted shortly on Amazon ECR and Docker Hub.
Please update your ColdFusion versions and provide us your valuable feedback.
For those experiencing the qofq bug discussed here, see the hotfix available for it at https://tracker.adobe.com/#/view/CF-4212383. It's needed for cf2021 updates 2-4, and cf2018 updates 12-14.
The bug started with the first of those updates and was fixed within a month of it with the provided hotfix jar, but sadly none of the next two updates included ANY hotfixes. Worse, they REMOVE any you may have put in.
As for applying such special fixes, you may find value in a blog post I've done in the past, "How to implement a special hotfix that Adobe may give you".
A further update on the QOQ problem in ColdFusion even with the patch applied.
In the order by statement, if you use the numeric value of the field, it fails.
If you use the field name, it works.
I.e.: if you have order by set to ‘5 DESC,fieldb, fieldc’ - it fails
If you have order by set to ‘fielda DESC, fieldb, fieldc’ - it works
So QoQ appears to be allergic to using field numbers in the ORDER BY clause.
It used to work to use the field numbers before these recent versions.
I.e.: if you have order by set to ‘5 DESC,fieldb, fieldc’ - it fails
If you have order by set to ‘fielda DESC, fieldb, fieldc’ - it works
So QoQ appears to be allergic to using field numbers in the ORDER BY clause.
It used to work to use the field numbers before these recent versions.
By @petera43968492
If so, file a bug report, requesting backward-compatibility.
I submitted this to the Adobe Bug database as Bug Id: CF-4214807.
Does anyone remember which updater eventually fixed the issue in ColdFusion 2018?
Good question, @Bardnet. I have had a look in Tracker.
There I can see that the issue has become quite complicated. CF-4214807 is a duplicate of CF-4212510, which is itself a duplicate of CF-4212383.
I would suggest that you request the hot-fix JAR file from ColdFusion Support. You can reach them at cfsup[at]adobe.com. When you do, remember to state your ColdFusion version and edition (that is, Standard or Enterprise).
The tracker # 4212383 has the jars attached for CF2018 and CF2021: https://tracker.adobe.com/#/view/CF-4212383 if it turns out you need them. Best of luck.
Apparently not anymore. I would not think I would need it on a fully patched and up-to-date version of 2021, but I still get this issue. So I guess I need the hotfix, but https://tracker.adobe.com/#/view/CF-4212383 seems to be not found now.
Doug, two very important points, one temporary and the other long-standing.
1) As for you not finding that tracker ticket, I can confirm that currently NO tracker tickets are appearing. That's a bug that I've never seen but surely it will be sorted out soon.
2) As for your other point, sadly it's no longer true that a fully updated cf2021 (or 2018) should be expected to include all known hotfixes released in the past couple of years.
a) This started becoming an issue with updates in late 2021, specifically cf2021 update 2 (and cf2018 update 12). There were many bugs introduced, some fixed within weeks, that one would at first have to find in tracker, of course.
b) But then the next 2 updates had security fixes only. Sadly, people had to know to carry their hotfixes forward each time.
I and others (and Adobe) started explaining this need and how to do it--including the option to recover the hotfix jars from the backup/lib/updates folder created with each update, within the hf-updates folder for the last update applied.
I could see this was going to be trouble, and I started expressing concern publicly in various venues.
c) Then the updates in late 2022 (cf2021 update 5 and cf2018 update 15) had a mix of sec and bug fixes--yet some old ones like this remained inexplicably left out.
d) And so it has continued for other updates since; indeed, all the updates in 2023 have to this point again been security fixes only. And I understand security fixes are important.
What I don't understand is the failure to incorporate known bug fixes from now 2 years ago. I've made loud public and private complaints at various points and in different places about this matter, for nearly 18 months, but sadly here we are.
Very unfortunate state of affairs. Not clear why someone at Adobe hasn't taken the bull by the horns and resolved this.
While it may affect only a subset of users (those affected specifically by these lingering bugs, long-since fixed), it affects them significantly and is negligent.
While I'll more often be found deflecting unfounded criticism against Adobe or the CF team, this is one of a very few things that I find totally mystifying and unjustifiable.