Hello Lovers of Lucee! Time for another of our regularly scheduled sprint retrospectives. The May sprint produced the latest Release Candidate: 5.2.8.50-RC, which went live on June 8.
I was especially pleased with this release, because it tested our ability to have the dev team stick to a strict schedule (the monthly sprints), while also being flexible enough to adjust our development focus as needed. The first test was responding to a potential security vulnerability related to ZIP archives, and the second was the need to put in some time working on closures functionality in 5.3. Both problems arose near the end of the May sprint, and while a few tickets did get pushed to the July sprint, this was mostly not due to the time constraints imposed by reacting to these two unplanned outside-the-sprint development efforts.
Regarding the security vulnerability, it’s been discussed ever so briefly here:
In addition, we had extensive discussion in the private security forum, and of course internally on the dev team and amongst the LAS members. It’s not an especially severe vulnerability, but we nonetheless patched it immediately, as per our security protocol. We will have a formal public post about the patch in the next couple of weeks. If anyone has any questions/concerns in the meantime, please don’t hesitate to let us know.
Here’s the final list of fixes for 5.2.8.50-RC:
| Issue key | Summary |
|---|---|
| LDEV-1876 | Server.Coldfusion.SupportedLocales not supporting Welsh locale |
| LDEV-1854 | javascript error in admin with heap/non heap graphs |
| LDEV-1838 | cannot serialise CGI Scope |
| LDEV-1837 | cannot serialze server.os.macAddress |
| LDEV-1834 | ERR_TOO_MANY_REDIRECTS |
| LDEV-1830 | cannot ObjectLoad a closure |
| LDEV-1810 | ListFirst count invalid |
| LDEV-1803 | toBase64 behaves differently with strings and numbers |
| LDEV-1797 | Cannot run thread tags in member functions |
| LDEV-1787 | trim long string in argument validation errors |
| LDEV-1715 | abstract functions missing from component meta data |
| LDEV-1682 | REFind - scope is missing |
| LDEV-1592 | Possible DeserializeJSON problem |
| LDEV-1578 | NPE at lucee.runtime.spooler.SpoolerEngineImpl.getFile() |
| LDEV-1565 | Search in the Lucee Admin does not work anymore |
| LDEV-1497 | Session variable not set after sessionrotate() within same request |
| LDEV-1494 | cfajaxproxy throw error while try to access the component |
| LDEV-1467 | Regression? REMatch() bug LDEV-90 fixed in 4.5, still present in 5.2.3.31-RC |
| LDEV-1293 | query.map mishandles the “template” query |
| LDEV-1281 | cfinput validate=“email” client-side JS should be case insensitive |
| LDEV-1207 | this.sessioncluster=true breaks sessions |
| LDEV-1143 | Confusing Error Message with Partial Null Support and Debug Enabled |
| LDEV-1119 | GetHttpRequestData().content sometimes empty when body content posted |
| LDEV-1092 | STARTTLS command not executed for SMTP mail. |
| LDEV-1021 | cfmail subject doesn’t sanitise new lines |
| LDEV-974 | Support Adobe’s settings for JSON serialization |
| LDEV-630 | CF setting, this.smtpServerSettings, is missing from Lucee |
| LDEV-398 | SerializeJSON difference between ACF and Lucee |
| LDEV-215 | Creating a datasource storage table does not create an index |
| LDEV-98 | Saving an edit to a mapping does not return the user to the mappings list page |
| LDEV-95 | CFHTTP doesn’t send username and password attributes as Basic Authentication header over SSL |
(@thefalken - This text-based ticket list is for you! 
)
Please head over to the download site and give 5.2.8.50-RC a spin. It will be finalized in early July, as per the regular schedule. We’re now working on finalizing 5.2.8, and prepping the final ticket list for the July sprint, which will produce Lucee 5.2.9-RC. As always, please let us know which tickets you’d really like to see done in July.
Thanks for listening!