Updates for ColdFusion 2016, ColdFusion Builder 2016, ColdFusion 11 and ColdFusion 10 released

This article announces the release of updates for ColdFusion 2016, ColdFusion Builder 2016, ColdFusion 11 and ColdFusion 10.

These updates address a common vulnerability mentioned in security bulletin APSB16-22.

ColdFusion 2016 Update 2

ColdFusion 2016 Update 2 fixes an important security issue. It also includes some other important fixes related to Language, Security Analyzer, AJAX, document management, SharePoint, CLI, API Manager and a few other areas.

For details, refer this technote.

ColdFusion Builder 2016 Update 2

ColdFusion Builder 2016 Update 2 (standalone) has been upgraded from Kepler to Mars. It includes important updates to Security Analyzer, a few bug fixes related to performance and other bug fixes. PhoneGap has been upgraded to 5.2.

For details, refer this technote.

ColdFusion 11 Update 9

ColdFusion 11 Update 9 fixes an important vulnerability mentioned in the security bulletin APSB16-22. It also includes a few other fixes.

For details, refer this technote.

ColdFusion 10 Update 20

ColdFusion 10 Update 20 fixes an important vulnerability mentioned in the security bulletin APSB16-22. It also includes a few other fixes

For details, refer this technote.

 

ColdFusion 2016 and ColdFusion Builder 2016 Update 2 are available for early access

ColdFusion 2016 and ColdFusion Builder 2016 Update 2 early access builds are now available for your testing and feedback.


Note: The early access builds mentioned here have now been released in final form. So do not use the prerelease files or info below, but rather see the later blog post:

http://blogs.coldfusion.com/updates-for-coldfusion-2016-coldfusion-builder-2016-coldfusion-11-and-coldfusion-10-released


Note that this is a test build and should not be used in a production environment.

ColdFusion 2016 Server

Change the update URL in ColdFusion Administrator -> Server Updates -> Updates -> Settings to the following:

https://cfdownload.adobe.com/pub/adobe/coldfusion/2016/prerelease/updates.xml

Refer this document for issues fixed.

Here are the install instructions for Server.

The build number after applying this update for ColdFusion 2016 should be 2016.0.02.299076

ColdFusion Builder 2016

Refer this document for issues fixed.

Here are the install instructions for Builder

Standalone installation:

Change the update URL in ColdFusion Builder -> Help -> Install New Software -> Add -> Enter this URL in the location field:

For Windows/Linux – https://cfdownload.adobe.com/pub/adobe/coldfusion/2016/prerelease/cfb31standalonerepo/

For OS X – https://cfdownload.adobe.com/pub/adobe/coldfusion/2016/prerelease/cfb31standalonerepomac/

Plugin installation:

Change the update URL in Elicpse 4.5.2 or above -> Help -> Install New Software -> Add -> Enter this URL in the location field:

https://cfdownload.adobe.com/pub/adobe/coldfusion/2016/prerelease/cfb31pluginsrepo/

What’s new in this Update

ColdFusion 2016 Update 2 :

  • Struct Serialization and Array Serialization :

For a struct, there isn’t a way to derive the data type info correctly and hence even today we see serialization issue where a "lastname" is being serialized as Boolean Bug #3337394.

We are providing an API on the Struct class to add metadata information to that struct object. This function will take a struct object wherein the key will be the actual key of the struct and value will be the data type of the value corresponding to that key. For example,

mystruct = StructNew() ;

mystruct.setMetadata({"lastname": "String", "age": "number"}) ;

structsetmetadata(simple,{"value":"boolean","firstname":"string", "currency": { "type": "numeric","name": "usd"}});

writedump (#mystruct.getMetadata()#); //returns: {ordered="insertion|unordered", keys={lastname="string", age="number"}}

For Array also we can set the metadata using setmetadata & getmetadata methods. Array metadata should contain the key “items” in the metadata which specifies the type of the array members.

array.setmetadata({"items":"numeric"});

writedump (#myArray.getMetadata()#); //returns: {"type":"synchronized", items="string"}

Application level support

Other than passing the type info at struct level, you can also define the at application level, like

this.serialization.structmetadata = {zipcode="String"};

If defined as above, you don’t need to define the data type for zipcode for all the struct which contains this key. At run-time, if the metadata of the struct is not passed at struct level but is defined at application level then we will resolve the struct value appropriately as per application metadata info. But if defined at struct, then the defined type at struct level will take priority over the application one.

  • Configure SSL– Access API Manager portals over HTTPS for better encryption and security
  • CAR settings migration– After deploying a CAR file, some settings are not migrated. You can view the list in the Archive Summary page (under the section Settings Never Migrated) while creating CAR as well as during deploying the CAR.
  • New member functions – ArrayDeleteNoCase, YesNoFormat, and BooleanFormat
  • CKEditor – FCK Editor has been deprecated. You can now customize and design text areas in a form using CK Editor in the cftextarea tag.
  • NTLM changes – The ntlmDomain attribute is required if a user is part of a domain. When the user is not part of a domain, the ntlmDomain attribute is optional.
  • Other bug fixes – API Manager, PDF, language, etc.

 

ColdFusion Builder 2016 Update 2

• Security Analyzer – You can view partial scan results after canceling a scan. Search for a file using the filename in Unscanned Files.

• PhoneGap – PhoneGap is upgraded to version 5.2.

• Other bug fixes – Performance, editor, Security Analyzer, etc.

We will look forward to your valuable feedback and suggestions.

Deeper insights into ColdFusion logging mechanisms

In ColdFusion, you can use ColdFusion Administrator for changing your logging properties under Debugging & Logging > Logging Settings :

  1. Log location
  2. Maximum file size
  3. Maximum number of archives
  4. Requests taking longer time
  5. CORBA calls
  6. Logging for scheduled tasks