<https://twitter.com/bdw429s/status/16005654269073...
# box-products
b
d
Can you point me to details of what security fixes are included to JBoss Undertow (can’t see a version listed, or within a 30-second google, where Undertow release notes are...). If there are any specific updates to Lucee which you can identify as “security fixes” that would also be helpful, although at least for Lucee I can find the release notes associated with the listed version. Thanks
b
@danlance This ticket should also help. It has the output of a very comprehensive scan one of our government clients ran, and all the items in the table marked green were updated in Lucee 5.3.10: https://luceeserver.atlassian.net/browse/LDEV-4279
I don't know if any of them were actually exploitable in Lucee, but either way they are updated!
Undertow isn't great about release notes. I know Red Hat has security bulletins for specific vulns, but I'm not sure if they have an overview page of all of them
you'll have to sift through and identify the versions for each of those
Undertow was previously at version 2.2.19.Final and was bumped to 2.2.21.Final in this release
So that should help you narrow down the applicable CVEs
Also, don't forget about this cool site made by our own @foundeo! https://stack.watch/product/redhat/undertow/
Again, I'm not aware of any of the Undertow fixes being exploitable in CommandBox, but we've patched up nonetheless
d
Thanks @bdw429s - much appreciated. Another task to add to the list this week, just as I’d finished testing and applying critical security patches to most of our clients’ systems. Keeps me busy at any rate 😉
Also @bdw429s, should “This ticket” have a link?
b
which one?
d
first response:
This ticket should also help. It has the output of a very comprehensive scan one of our government clients ran and all the items in the table marked green were updated in Lucee 5.3.10
b
ahh yes, lol. It didn't paste!
d
lol