I can upgrade Tomcat myself, but that approach isn't documented and isn't likely to be supported by Adobe.
Tomcat is bundled as part of ColdFusion 11, so I would hope Adobe would either provide a hotfix or suggest a supported method to upgrade Tomcat.
Tomcat 7.0.59 fixes the following issues:
I am looking into this, Joe.
Regards,
Anit Kumar
Hi Anit. Any updates or thoughts on those security issues?
Hi Joe,
We are looking into this and evaluating the upgrade options. This will take some time.
Regards,
Anit Kumar
Hi Anit, thanks for the fast replies. Any idea on how long it will take before the team determines if the issue impacts ColdFusion 11 with hotfix 5? I presume it will take a while for the correct patch to be built. If the issues above do impact ColdFusion, is this forum an acceptable way to make that request, or should I file the request in Adobe's bug base?
I have raised it to the respective team. This will take some time, because we are referring to the change in internal architecture (Tomcat, in this case). This has to be tested and verified as well.
Regards,
Anit Kumar
Hi Anit. I don't want to be a pest, but what is a reasonable expectation for how long it will take to determine if ColdFusion is even impacted by this issue? If ColdFusion is impacted by that issue, then how long does it take for other similarly complex security issues to be tested and verified? I'm just trying to adjust my expectations for timelines on this issue.
Hi Joe,
As of now, I can only update you that we have decided to update Tomcat. The estimated time frame is not yet sure. It will definitely take time.
We appreciate your cooperation.
Regards,
Anit Kumar
Hi Anit! Hopefully, I'm not bothering you too often on this issue. Any thoughts on when the community could expect an Adobe approved updated version of Tomcat?
It will probably be in the next CF update.
Regards,
Anit Kumar
Next CF update meaning CF12 or CF11 hotfix 7?
For all supported versions of CF. But, it's still not finalized yet.
Regards,
Anit Kumar
Any progress on this hotfix? I'm sorry to be such a pest, but our vulnerability scans are still showing this as an issue.
I understand, Joe. But as mentioned earlier, it will be in the next CF update. It's too early to specify an exact date as of now.
Regards,
Anit Kumar
Hi Joe,
Tomcat is now upgraded to 7.0.64. The update is available in pre-release as of now and would be live soon. Please refer to the following blog articles.
http://blogs.coldfusion.com/post.cfm/coldfusion-11-update-7-is-available-for-early-access
ColdFusion 10 Update 18 is available for early access — Adobe ColdFusion Blog
Regards,
Anit Kumar