ColdFusion 2016 Update 5 and ColdFusion 11 Update 13 released

This post is to announce the release of updates for ColdFusion 2016 and ColdFusion 11. These updates address a common vulnerability mentioned in security bulletin APSB 17-30.

ColdFusion 2016 Update 5

In addition to addressing the vulnerabilities in the security bulletin APSB17-30 this update includes 13 bug fixes in language, database and AJAX some other areas. For the installation instructions and details on the bugs fixed, refer this technote.

ColdFusion 11 Update 13

In addition to addressing the vulnerabilities in the security bulletin APSB17-30 this update includes 8 bug fixes in charting, AJAX and some other areas. For the installation instructions and details on the bugs fixed, refer this technote,

For the security fixes in these updates to be effective, ColdFusion 2016 should be on JDK 8 u121 or a higher version, and ColdFusion 11 should be on JDK 8 u121 or JDK 7 u131 or a higher version of JDK. The use of latest JDK update is recommended.

On a standalone installation of ColdFusion, you can upgrade Java by editing the jvm.config file at <cf_root>/cfusion/bin. For a JEE installation of ColdFusion, refer the documentation for the host application server.

ColdFusion 2016 API Manager Update 1 released

Update 1 for ColdFusion 2016 API Manager was released on 9th June 2017.

It introduces new features such as a JavaScript connector for configuring User Store, a new Token-based authentication support and packages enhancements like additional Swagger import options and logging for API request and response.

It also fixes several bugs in security, publisher portal and server core and workflows related to SOAP proxy, Swagger and SOAP to REST. For further details on the new features, the installation instructions and the manual download link refer this technote. For the list of bugs fixed with this update refer this webpage.

To be able to apply this update, ensure that you are using an API Manager installation from the latest API Manager installer. The installer was refreshed on Dec 13, 2016. An API Manager installation that has been installed with the new installer would be on build no. 301768.

Post update installation, the build for the API Manager should change to ColdFusion API Manager 2016,0,1,302960. You can validate this by using the apimanagerinfo (.sh/.bat) utility in <CFAPIM_root>/bin directory.

Update 4 for ColdFusion Builder 2016 released

ColdFusion Builder 2016 Update 4 is now available for download.

The update adds support for ColdFusion Builder plugin installation on Eclipse Neon and fixes 22 other bugs.  
The bugs fixed are in areas such as Editor (Dictionary, Code Colorization, Code Folding), Security Code Analyzer and  RDS support. 

For instructions on how to download and install the update, refer this technote.
For the list of bugs fixed with this update, refer this technote.

To access the update directly from the ColdFusion Builder GUI, ensure that it it configured with one of the following URLs depending on the CF Builder variant in use :

Stand-alone installation of ColdFusion BuilderClick here!

Plug-in installation of ColdFusion Builder: Click here!

If you need to download the update and apply it manually, you can access the update at:
Stand-alone Update:
Click here! 
Plugin Update:
Click here! 

ColdFusion 2016 : Support for Windows Server 2016

We have updated the Windows 64-bit installer for ColdFusion 2016, to support Microsoft Windows Server 2016. The Add-on services installer and the .NET service installer for ColdFusion 2016 have also been refreshed.
You can access the server installer by clicking on the "free trial" or the "buy now" link in the ColdFusion product page at Adobe.com. You may download the aforementioned additional installers at the ColdFusion support page

The ColdFusion 2016 support matrix would be updated soon to reflect the support for the new platform.

The refreshed installer comes with the Update 3 baked-in. After installing the server, you may bring it up to the current update level, by installing Update 4. You can follow the instructions at this technote to download and install Update 4. If you need any help with installing ColdFusion server you may refer the installation instructions at this technote.

The installers for ColdFusion Builder 2016 and ColdFusion API Manager would soon be refreshed to support Windows Server 2016.

ColdFusion 2016 Update 4, ColdFusion 11 Update 12 and ColdFusion 10 Update 23 released

This post is to announce the release of the following ColdFusion updates:

ColdFusion 2016 Update 4

ColdFusion 2016 Update 4 upgrades Tomcat to version 8.5.11.0 and fixes 115 bugs (including 52 external bugs) in areas such as Security, Language, Charting and Performance. This update also addresses vulnerabilities mentioned in the security bulletin APSB17-14.  For details and instructions on how to apply this update refer this technote.

ColdFusion 11 Update 12

ColdFusion 11 Update 12 upgrades Tomcat to version 7.0.75. It also addresses vulnerabilities mentioned in the security bulletin APSB17-14 and fixes 59 bugs (including 28 external bugs) related to areas such as AJAX, Charting and Language. For details and instructions on how to apply this update refer this technote.

ColdFusion 10 Update 23

ColdFusion 10 Update 23 upgrades Tomcat version to 7.0.75. This update addresses vulnerabilities mentioned in the security bulletin APSB17-14 and includes a total of 17 bug fixes (including 7 external bugs) related to Language, Charting, Scheduler, Document Management and certain other areas. For details and instructions on how to apply this update refer this technote.

The build number after applying thse updates should be:

2106,0,4,302561 for ColdFusion 2016;
11,0,12,302575 for ColdFusion 11.
10,0,23,302580 for ColdFusion 10.

Note:

  • Support for Windows Server 2016 will be introduced with the refreshed full ColdFusion 2016 server installer which will be made available shortly. Update: The new installer is now available, as of Apr 28.
  • The core support for ColdFusion 10 effectively ends on May 16, 2017. It will, therefore, receive no further updates. For detailed support timelines, see this EOL matrix.

 

 

ColdFusion 11 Update 11 and ColdFusion 10 Update 22 released

This post is to announce the release of ColdFusion 11 Update 11 and ColdFusion 10 Update 22.
Update 11 and Update 22 fix approximately 164 and 45 bugs respectively. For the list of bugs fixed in these updates, refer the following documents:
Bugs fixed with Update 11
Bugs fixed with Update 22

Follow the steps below to apply the updates:

  1. Navigate to ColdFusion Administrator -> Server Updates -> Updates.
  2. Switch to the "Settings" tab.
  3. Ensure that the update site URL is set to the right value by clicking on the "Restore Default URL" button.
  4. Click on "Submit changes" to save your changes.
  5. Switch to "Available Updates" tab. Click on "Check for Updates".
  6. "ColdFusion 11 Update 11" or "ColdFusion 10 Update 22" should be listed under the "Available updates" tab. 
  7. Click on the "Download and Install" button to install the update.

Refer the following technotes for instructions and other details related to the updates:

ColdFusion 11 Update 11 technote 
ColdFusoin 10 Update 22 technote

To apply these updates manually, download the required update by clicking on one of the applicable links below:

ColdFusion 11 Update 11 jar
ColdFusoin 10 Update 22 jar
 
To run the downloaded jar, execute the following command:
java -jar <jar-file-dir>/hotfix_0xx.jar
You should use the JRE used by ColdFusion for running the update jar (for standalone CF, it should be <cf_root>/jre/bin)
For further details on the manual application of the updater follow this help article.
 
The build number after applying this update should be:
11,0,11,301867 for ColdFusion 11;
10,0,22,301868 for ColdFusion 10.

Security fix for ColdFusion Builder 3 released

An important security fix for ColdFusion Builder 3 is now available for download. For more information on the vulnerability refer APSB16-44.

You can download the patch from here (md5 checksum : b67914e27ca4fb8e0fc5ecd354e9a330). Apply this patch to secure your ColdFusion Server and Builder installation. Follow the installation instructions detailed at this technote

ColdFusion 2016 installer refreshed.

The server and express installers for Adobe ColdFusion (release 2016) have been refreshed. The installers are available for download at the ColdFusion product page at www.adobe.com. The new installer includes the following changes:

  • The API Manager installer is decoupled from the ColdFusion Server installer.
  • The new API Manager installer incorporates certain new features such as multi-tenancy, enhanced security, configurable policies, a dedicated update mechanism and support for Redis cluster and request/response compression. For a detailed description of these new features follow the links embedded in this technote. The API Manager installer would be made available very soon. We will update this post to share the location where the installer would be hosted.
  • The ColdFusion installer incorporates ColdFusion 2016 Update 3 and updates JDK to version 1.8.0_112. For details on the changes that went out with Update 3 refer the Update 3 Release Notes document. The build number for this installation should be 2016,00,03,301771.
  • The features listed below have been retired from the product and no longer ship with ColdFusion. For a detailed overview of the affected areas, refer the "Portlets" and "YUI and Spry" sections of the coldfusion-deprecated-features technote. In case you need to use any of these libraries you can download them from locations mentioned below.
    • Portlets. download (md5 checksum : 93273a7b4ab8c650e5fa9cece518e099);
    • YUI. download (md5 checksum : 827e0f8395d176ac28f46ed5e78004fd);
    • Spry. download (md5 checksum : 750c275c20b291f00c1ba92c855a09d7).

 To integrate the downloaded library, follow the instructions below:

  1. Stop ColdFusion sever.
  2. Download the libraries from the links mentioned above.
  3. Extract the downloaded files to the following locations:
    • Extract portlets.zip file to <cf_root>/cfusion directory. Update the web.xml file at <CF_HOME>/cfusion/wwwroot/WEB-INF to re-introduce the mappings mentioned in the "Portlets" section of this technote.
    • Extract yui.zip and spry.zip to ColdFusion's webroot at <cf_root>/cfusion. If your scripts directory is mapped to a non-default location (setting at CF admin > Settings > Default ScriptSrc Directory), unpack the zipped package manually and place it in the custom location following the structure in the package.
  4. Restart ColdFusion server.

If you are restoring just the YUI or Spry libraries, restarting the ColdFusion server is not required.

Revisions

20 Dec, 2016 –  added the web.xml mappings step in restoring portlets instruction. added reference to coldfusion-deprecated-features article.

 

 

ColdFusion 11 Update 11 and ColdFusion 10 Update 22 PreRelease build available for download

NOTE: THIS POST has been made obsolete with the final release of these updates in Dec 2016. Please see the post announcing that.

The information below, this post and its comments, is left for history sake.

ColdFusion 11 Update 11 and ColdFusion Update 22 early access builds are now available for your testing and feedback. Please note that these are test builds and should not be used in a production environment.

For the list of bugs fixed with these updates, refer the following documents:

Follow the steps below to apply the update.

  1. Navigate to ColdFusion Administrator -> Server Updates -> Updates.
  2. Under Settings tab, check "Automatically Check for Updates" check box
  3. Change the Site URL to https://cfdownload.adobe.com/pub/adobe/coldfusion/PR/updates.xml. 
  4. Click Submit to save your changes.
  5. Under the "Available Updates" tab, click on the “Check for Updates” button.
  6. "ColdFusion 11 Update 11" or "ColdFusion 10 Update 22" should be listed under the "Available updates" tab. 
  7. Click on the "Download and Install" button to install the update.
To apply this update manually, download the required update by clicking on one of the applicable links below:
 
To run the downloaded jar, execute the following command:
java -jar <jar-file-dir>/hotfix_0xx.jar
You should use the JRE used by CF for running the update jar (for standalone CF, it should be <cf_root>/jre/bin)
For further details on the manual application of the updater follow this help article.
 
The build number after applying this update should be
11,0,11,300779 (Pre-Release) for ColdFusion 11;
10,0,22,300783 (Pre-Release) for ColdFusion 10.
 

In case, you have configured local site for receiving the update notifications, then please take back up of the URL before changing it to the prerelease URL.

We will look forward to your valuable feedback and suggestions.

Prerelease build of Nginx connector for ColdFusion 2016 now available

Nginx is a high-performance and open-source web server that is widely used in the web communityIt can now be configured with ColdFusion 2016. With this post we are making available the prerelease build of the web-server connector for testing purposes. 

The prerelese build is in the form of an Linux 64-bit installer that packages the following 2 components:

– The Nginx web server installer. This installer is a variant of the standard Nginx installer that packages the AJP modules that enbable the communication between the webserver and ColdFusion.

– WSconfig.jar. This is a modified version of the library present in ColdFusion's <cf_root>/cfusion/lib directory, that is required by the WSConfig tool when configuring a web server connector. 

For detailed instructions on installing the webserver and configuring the connector, refer this document.  

We will look forward to your suggestions and feedback.

Click on this link to download the source for the Ngnix Connector.

Revision (09 Jan 2017): The download link for Ngnix Connector source added.