ANNOUNCEMENT: CF2021 & CF2018 Security Updates...
# adobe
Good to see cfclient getting a mention in there.
CFclienting it up in here
pina coladas in one thread, cfclient in this thread. If this doesn't say party, I don't know what does.
@Mark Takata (Adobe) do you know if it's possible to avoid having to apply this update if we simply add -Dcoldfusion.cfclient.enable=false to the JVM config?
Also, is there more information you can provide on what has changed? What if we're intentionally reading files within the system? Are there new sandbox limitations?
Gareth, I am unable to comment directly on this (security stuff, etc), but please email cfsup@adobe.com with this question and they will direct you to someone who can hopefully help you with your direct inquiry. Also, while he does not represent Adobe, I would also suggest you note Charlie's comment here: https://coldfusion.adobe.com/2023/03/released-coldfusion-2021-and-2018-march-2023-security-updates/ (scroll to the comments).
@priyank_adobe @sandip_halder is there a more direct email address for folks who have inquiries of this type that are security-related in this matter?
Does the CF2021u6 update work? Has anyone installed it without complications? I'm asking because I haven't yet and the only comment (beyond Charlie's) is that someone was surprised by a new requirement to install the administrator package via the CLI package manager (from 15 minutes ago).
UPDATE: We updated via web portal UI and updates went without incident. (Phew!)
@Mark Takata (Adobe) a call from our enterprise account manager might be nice…
@Gareth Unfortunately, we cannot share what has changed as it is a security update. You have to apply the update along with the JVM flags; we cannot skip that.
Do the steps/settings in the lockdown guide disallow the related attacks from being successful?