
ColdFusion Updates: Hotfix/Packages Repository versus ColdFusion Update Files

Explorer, Feb 10, 2025

I’m relatively new to ColdFusion 2023 as we are in the process of migrating from ColdFusion 2018.

 

Before I continue, I understand that we should have already completed the migration and the reasons why it is necessary. Unfortunately, I didn't have any control over the timeline, but I’m doing the best I can, and we are making progress.

 

That said, I’m a bit confused about how updates are supposed to be applied to the server. From what I’ve gathered, the ColdFusion (2023 release) Update XX file updates the core application server, applying immediate fixes, adding new features, and so on. This update is cumulative. However, it appears that this update does not include any updates for ColdFusion packages.

 

On the other hand, the Hotfix and Packages repository seems to contain fixes for specific issues and updates for packages.

 

My question is: Which is the preferred approach? Should I apply the Update File, the Hotfix/Packages repository, or both?

 

From what I understand, I can execute the main update file, unzip the Hotfix/Packages repository into the default bundles folder, and then run update all at the cfpm prompt. Is that the right approach?

 

I’d appreciate any guidance or clarification from those more familiar with the process.

Community Expert, Feb 10, 2025

A couple of things.

 

1) While it is true that some cf updates don't incorporate any changes to packages, you don't want to conclude that applying a cf core update does not itself update any packages.

 

If a cf core update you're applying indicates that it includes package updates--or if you're skipping over one or more prior cf core updates that included package updates, that core update WILL attempt to download and implement that/those package updates.

 

2) As for the info you see in the update technotes (or elsewhere) about manipulating/using the packages repository, that is generally related to MANUAL updating of cf--especially on a server which is offline or where the core update process CANNOT successfully download the update (core and/or package updates.)

 

The cfpm is also used to help with post update package management, and more (especially for those preferring to script updates-- though the core installer also supports scripted/silent installation, for those interested). 

 

Hope that helps. 


/Charlie (troubleshooter, carehart. org)

Explorer, Feb 10, 2025

It is germane for me to note that the server does not have internet access for security reasons.

So, I'm wondering if I want to potentially do both.  Update using the main file, then unzip the package repository to the bundles folder and update those packages we still have installed?

Community Expert, Feb 10, 2025

Being offline is indeed germane, and so I'm glad I mentioned how the manual steps which are needed in that case are covered in each update's technotes.

 

1) That said, note they do NOT say you should "unzip the package repository to the bundles folder and update those packages we still have installed".

 

Instead, they tell you to extract the zip somewhere and point cf at that, using the cf admin updates page, in its package url field--which accepts a filename.

 

And this path is then used when cf starts up (after an update), which is when the package updates actually take place.

 

As such, you really should need only do the one step of running the update--which the technote shows doing with the Java jar command (or the cfpm command). 

 

2) It's never been clear to me why Adobe make us put the extracted zip in a separate location and have us have to point to that in the admin, versus just extracting that zip into the bundles folder. I can say I've done a comparison and there are what seem important differences among the files.

 

One negative consequence of this approach (they have us do) is that on a next update, if we extract to yet another folder, we have to change the pointer (in the cf admin) to that new folder. 

 

I'd love to see more clarity if not improvement to this manual update process. Thankfully most folks are able to do the normal in-admin update, such that vagaries with the manual process (and debates about the pros/cons of following Adobe's proscribed steps) are infrequent.

 

I welcome hearing from others who may feel they can offer clarity. 


/Charlie (troubleshooter, carehart. org)

Explorer, Feb 13, 2025

Thanks for the response. Creating the files and then updating the pointer gives me a little bit of the ick because you're leaving the old files lying around.

 

One of the reasons is that the STIGs I need to follow specifically mandate that you delete all of the files under the /cfusion/hf-updates folder after the patch is applied.  The rationale being that a bad actor could get onto your server and revert the changes made by the patch. 

 

Currently, however, there are no updated guidelines to the STIGs for ColdFusion, so I'm following Freitag's Lockdown guides and the ColdFusion 11 STIG.  

Community Expert, Feb 14, 2025

Fortunately, this is something you can test, on a separate test server. Note that you won't be able to effectively use the CF 11 STIG, as CF 11 reached end of life in 2019, and CF 2023 is fundamentally different in how it's managed.

 

Dave Watts, Eidolon LLC