Release Candidate 1

RC1 is now available for testing!

This release candidate and bundled extensions use only Log4j 2.17.1. Lucee was never affected by the Log4J problems, but we have updated to the latest as it’s best practice and required by many orgs.

Due to a lot of plumbing changes/fixes/log4j, the recommended combinations of extensions are as follows

Some of the changes affect the Lucee loader. If you are using CommandBox, they will be automatically available. If you are using Tomcat, you will need to stop Lucee, replace the lucee- (or similar) in C:\lucee\lib with https://cdn.lucee.org/lucee- and then restart Lucee.

Java 17 is still not fully working, but Lucee will start instead of crashing on startup.

Users with M1 Macs should now be able to use a native ARM JVM.



LDEV-1136 - update to Log4j 2.17.1
LDEV-2516 - OSGI logging bundles added from this.javaSettings on every request to application.log
LDEV-3289 - deploy log level INFO for bundle downloading from the update provider
LDEV-3775 - SMTPClient incorrectly putting stack trace into the message of a MailException it raises
LDEV-3853 - the application mail listener logs NPE in remoteClient.log
LDEV-3839 - Mail.log missing the mail server info which is used for sent mails
LDEV-3810 - add trace logging for cfhttp calls

Query of Queries

LDEV-3615 - QoQ mishandles null and boolean column aliases
LDEV-3522 - QoQ cast()/convert() functions not fully implemented
LDEV-3640 - QoQ needs to preserve nulls internally regardless of full null support
LDEV-3734 - QoQ treats nulls differently than real DB’s in arithmetic expressions
LDEV-3735 - QoQ allows divide by zero
LDEV-3736 - QoQ doesn’t convert empty strings to 0 in arithmetic operations
LDEV-3801 - ArrayIndexOutOfBoundsException in QoQ with using ORDER BY
LDEV-3822 - SELECT DISTINCT with ORDER BY in QoQ incompatibility - ACF
LDEV-3830 - QoQ UNION can still return duplicates
LDEV-3823 - QoQ doesn’t support ordinal position syntax for ORDER BY

Numeric Precision

LDEV-3661 - deserializeJSON() converts large decimals to string
LDEV-3662 - Large decimal number strings lose precision when converted to a number format


LDEV-3686 - Axis Extension - Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created (webservice / axis)
LDEV-3695 - admin application - Uninstall the extension ESAPI/Compress Tags doesn’t available in not installed
LDEV-3688 - do not install extension that are already installed


LDEV-3711 - Lucee discards exception cause from JDBC connection errors
LDEV-3712 - ojdbc7 bundle missing
LDEV-3793 - update postgres to 42.2.20

Whitespace / Output

LDEV-3760 - NPE with lucee.runtime.writer.DevNullBodyContent in flush
LDEV-3777 - cfsavecontent ignores whitespace management setting
LDEV-3784 - Lucee request fails when Accept-Encoding is not passed and gzip compression is enabled


LDEV-3752 - duplicate() incompatible with java.util.List (return of List.subList)
LDEV-3804 - ClassUtil.loadInstance() has code path that returns exception instead of throwing it
LDEV-3846 - catch block cannot be serialized
LDEV-3687 - cfmail crashes on email addresses with trailing commas
LDEV-3658 - Cannot duplicate Environment map in Lucee
LDEV-3526 - Update Felix to 6.0.5 to support Java >= 16
LDEV-3536 - update jna library to support Apple M1 architecture

Bug fixes

LDEV-3842 - breadcrumbs missing styling for tags with local docs
LDEV-3851 - build process should use an older loader jar to expose problems
LDEV-3545 - Multipart http response doesn’t handle quoted boundary
LDEV-3621 - Encrypting large data strings times out when using HEX encoding
LDEV-3716 - _internalRequest() losses the form scope with sameFormFieldsAsArray=true

LDEV-3685 - Scheduled Tasks (Daily) NOT running
LDEV-3732 - Incorrect argument count requirements in error message on method call
LDEV-3742 - cfcontent delivers wrong content-type
LDEV-3829 - typo in argon2 code with handling of memory argument
LDEV-2982 - cfexecute terminateontimeout isn’t supported
LDEV-3166 - CFFTP (secure) resets connections (ssh-dss)
LDEV-3222 - cfml2js don’t return the correct type for the values like SerializeJSON does
LDEV-3338 - whitespace in component attribute “implements” cause incorrect return when using getMetaData/getComponentMetaData
LDEV-3465 - Regression: inherited static variables no longer accessible in child components
LDEV-3520 - Slow performance on arguments scope due to casting strings to Double

New features

LDEV-3778 - Web.cfc in webroot
LDEV-3790 - add function ConfigImport
LDEV-2331 - allow specifying a file extension for getTempFile


LDEV-2060 - Lucee Admin → Security Access → File Access must allow adding multiple directories in one request
LDEV-3363 - Admin debugging - Disable template option throws an error in debugging logs page
LDEV-3660 - Without Network admin application page shows error
LDEV-3355 - internal calls to the update provider need (shorter) timeouts


WooHoo! Great work and I’m so glad to see this hitting RC. I have been testing and I will continue to test.

Awesome work Lucee Team! A great RC with lots of improvements. Also, the decision to update log4j asap in the latest RC despite not being affected by the log4shell is a great sign of commitment! Wonderful work!!!


The bleeding edge builds of CommandBox 5.5.0-alpha are now using the Lucee RC and are 100% FREE of Log4j1!


I’m wrapping up this CommandBox release so it can go gold as soon as Lucee 5.3.9 does. In the meantime, it seems pretty stable in case anyone needs it ASAP for production to get a security team off their back :slight_smile:


Lots of thanks also to you @bdw429s for the long list of contributions, particularly your work regarding QoQ! :clap:


PS: Anyone who offered to sponsor the Log4j migration, thanks. We funded the work out of existing donations; please just make a donation to the whole project.

A big thanks to everyone who already supports the project!

As Adam wrote recently


just a FYI, any SNAPSHOTS after RC1 can be more or less considered RCs

So if you find a problem with, please try the latest 5.3.9.xx-SNAPSHOT (currently

Can you remind me (and others maybe) how to see what’s changed between .80 and .88?

@rd444 The easiest way to find this is probably to do a JIRA search based on ticket fix version greater than a certain number. Let me know if that doesn’t work and I can see if I can find the right query to use.

This search should do it

Also note, you can add “fix version” as a column in the results to see at a glance which exact snapshot each ticket was fixed in.

  • LDEV-3866 zip action=list filter UDF is a passed a completely invalid entryPath
  • LDEV-2660 CFZIP action=“unzip” overwrite=“true” deletes existing directories.
  • LDEV-3535 update google maps api to v4
  • LDEV-3425 ajax extension is slow to start
  • LDEV-3372 update jquery-1.8.3.js in ajax extension
  • LDEV-3863 queryExecute with “?” in SQL and params set to empty fails
  • LDEV-3812 cfoutput encodefor attribute won’t accept htmlattribute or xmlattribute
  • LDEV-2491 Error isValid(“email”, “error@domain.com ??”) with UTF-8 encoding pages
  • LDEV-3818 Add new argument precise for toBinary() & binaryDecode() to match ACF behaviour

or just tweak the github compare link from the first post

mostly testcases (always good to see!), some bug fixes and some extension updates (ESAPI, Compress, AJAX and Image)



is there any planning when Lucee 5.3.9.x will be released as stable?

RC2 is coming out today