Known Participant
February 10, 2025
Question

ColdFusion Updates: Hotfix/Packages Repository versus ColdFusion Update Files

I’m relatively new to ColdFusion 2023 as we are in the process of migrating from ColdFusion 2018.

Before I continue, I understand that we should have already completed the migration and the reasons why it is necessary. Unfortunately, I didn't have any control over the timeline, but I’m doing the best I can, and we are making progress.

That said, I’m a bit confused about how updates are supposed to be applied to the server. From what I’ve gathered, the ColdFusion (2023 release) Update XX file updates the core application server, applying immediate fixes, adding new features, and so on. This update is cumulative. However, it appears that this update does not include any updates for ColdFusion packages.

On the other hand, the Hotfix and Packages repository seems to contain fixes for specific issues and updates for packages.

My question is: Which is the preferred approach? Should I apply the Update File, the Hotfix/Packages repository, or both?

From what I understand, I can execute the main update file, unzip the Hotfix/Packages repository into the default bundles folder, and then run update all at the cfpm prompt. Is that the right approach?

I’d appreciate any guidance or clarification from those more familiar with the process.

    Charlie Arehart
    Community Expert
    February 10, 2025

    A couple of things.

    1) While it is true that some cf updates don't incorporate any changes to packages, you don't want to conclude that applying a cf core update does not itself update any packages.

    If a cf core update you're applying indicates that it includes package updates--or if you're skipping over one or more prior cf core updates that included package updates, that core update WILL attempt to download and implement that/those package updates.

    2) As for the info you see in the update technotes (or elsewhere) about manipulating/using the packages repository, that is generally related to MANUAL updating of cf--especially on a server which is offline or where the core update process CANNOT successfully download the update (core and/or package updates.)

    The cfpm is also used to help with post update package management, and more (especially for those preferring to script updates--though the core installer also supports scripted/silent installation, for those interested).

    Hope that helps.

    /Charlie (troubleshooter, carehart.org)
    Known Participant
    February 10, 2025

    It is germane for me to note that the server does not have internet access for security reasons.

    So, I'm wondering if I want to potentially do both.  Update using the main file, then unzip the package repository to the bundles folder and update those packages we still have installed?

    Community Expert
    February 14, 2025

    Thanks for the response. Creating the files and then updating the pointer gives me a little bit of the ick because you're leaving the old files lying around.

    One of the reasons is that the STIGs I need to follow specifically mandate that you delete all of the files under the /cfusion/hf-updates folder after the patch is applied. The rationale being that a bad actor could get onto your server and revert the changes made by the patch.

    Currently, however, there are no updated guidelines to the STIGs for ColdFusion, so I'm following Freitag's Lockdown guides and the ColdFusion 11 STIG.


    Fortunately, this is something you can test, on a separate test server. Note that you won't be able to effectively use the CF 11 STIG, as CF 11 reached end of life in 2019, and CF 2023 is fundamentally different in how it's managed.

    Dave Watts, Eidolon LLC
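
An audit-only check for the STIG requirement mentioned in the thread (no files left under /cfusion/hf-updates after a patch is applied), added here as an example; it is not code from any poster or from Adobe. The install root argument is an assumption you supply, and the script deletes nothing, so it can be run on a test server to see what an update leaves behind before deciding what to remove.

```shell
#!/bin/sh
# Audit-only check: reports what is still on disk under
# <cf_root>/cfusion/hf-updates after an update. It deletes nothing.
# Exit status: 0 = no files remain, 1 = files remain, 2 = folder not found.
# <cf_root> is an assumption: pass your own ColdFusion install root.

hf_updates_count() {
    # One dot per regular file or symlink at any depth, then count the dots,
    # so names containing spaces or newlines are still counted once each.
    find "$1" \( -type f -o -type l \) -exec printf '.' \; | wc -c | tr -d ' '
}

audit_hf_updates() {
    dir="$1/cfusion/hf-updates"
    if [ ! -d "$dir" ]; then
        echo "NOT FOUND: $dir (check the install root)" >&2
        return 2
    fi
    count=$(hf_updates_count "$dir")
    if [ "$count" -eq 0 ]; then
        echo "PASS: no files under $dir"   # empty subfolders are not counted
        return 0
    fi
    echo "FINDING: $count file(s) remain under $dir"
    # List each leftover with size and mtime for the review record.
    find "$dir" \( -type f -o -type l \) -exec ls -ld {} \;
    return 1
}

# Run the audit only when an install root is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_hf_updates "$1"
    exit $?
fi
```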