Announcing Lucee 5.3.1.102 (final)

Greetings Lucites!

(This is short for Lucee-ites. Kudos to @Hugh_Rainey, the de facto winner of the nicknaming contest!)

Today, we are really happy to announce Lucee 5.3.1.102.

Next to the heavy lift of the original Lucee 5 (following the fork at Railo 4.5), this release represents the biggest development push to date. For the first time ever, we’ve surpassed a triple-digit number of revisions for a Lucee release (the 4th part of our versioning scheme). Whew! Is it Friday yet? Felt more like a “month of Sundays,” as the old saying goes (cue the Don Henley song), but We Love Lucee, so it was a labor of love. I’ll do my best to summarize it all here. All credit goes to the incredible development team and developer community. All mistakes are mine. Please chime in here with any and all questions/comments.

As I’ve written previously, the 5.3 release cycle has been loaded with activity, from the original alpha release, through to beta, and then continuing with the two Release Candidates we’ve put out. When we shipped the second RC, a lot of things happened all at once. First, the community responded with a considerably more active testing/feedback effort, and this resulted in the discovery of a handful of additional regressions, which we fixed over the past month during RC-2. In addition, right after we posted the RC-2 build, a security vulnerability came to our attention, so we naturally had to drop everything and address that. CFML scion Charlie Arehart has shared some detailed information (as always!) about this with regard to Adobe ColdFusion, which you can read about here. As for Lucee, we had this patched on March 3, 2019 (5.2.9.35-snapshot), and, in addition, the patch actually made it into a 5.3 final build (5.3.1.95), but, we weren’t yet done with the RC-2 period for 5.3.1, which is why we never made an announcement about 5.3.1.95. (It is not a final release for 5.3.1; please read on…)

In summary, the final release of 5.3.1 is build 5.3.1.102, and it’s available on the downloads site now. It includes the security fix, and, in addition to that, here are the tickets addressed during the RC-2 period:

If you’re a glutton for punishment, here’s the full list of tickets addressed from the first alpha of 5.3 all the way through to today’s 5.3.1.102 final release.

Given all the work done in recent months, we’ve got lots of kudos to hand out. First, thanks to @isapir on the Lucee development team for his fast work in patching the file upload vulnerability. Next, special thanks to these community members for helping us with testing during the RC-2 period:

(FYI–if I’ve missed anyone, please let me know, and we’ll make sure everyone is recognized here.)

Grab a copy of 5.3.1.102 today. Or, there are already 66 builds of 5.3.2, so you can grab a snapshot of that. The March sprint will wrap up in the next week or so, and we’ll announce 5.3.2-RC ASAP after that. As always, we’ll respond as quickly as possible to any tickets not covered by today’s 5.3.1.102 final release (believe it or not, there are some, though it covered a seemingly endless list!), or to regressions with 5.3.2-RC. After the 5.3.2 Release Candidate period in April, we’ll make that final at the end of April/beginning of May, and then we’ll immediately move to the next monthly sprint in May.

Thanks for listening!

Best,
Patrick, Lucee Product Manager

11 Likes

Sounds good!

Where can I find the roadmap for future releases of Lucee? I am longing for LDEV-1989 for a couple of clients of mine and see that it has been fixed and deployed to 5.3.2.x - so when is the next stable release coming, including this fix?

Thnx so far!


LDEV-1989: CFZIP: add support for password and encryptionalgorithm attributes

Have you tried out the new support for CFZIP password and encryptionAlgorithm?

Hi Sebastiaan. First, some of the most recent roadmap info came in the form of our keynote at CFCamp last year. Here’s a summary:

https://lucee.daemonite.io/t/announcing-lucee-6-swansea-jack/4813

Next, 5.3.2 goes into Release Candidate status this week, and should be shipped as a final release in about a month, at the beginning of May.

1 Like

Hi @Zackster, no, alas to say, haven’t had time to upgrade to a non-stable release to do some specific testing. Not my usual area, non-stables etc. Maybe I’ll get to it B4 end of May when the fix is released in the stable release. Otherwise you will hear from me then, 'cause I have customers waiting for this functionality. What other options are there to test this except an install of the non-stable?

Please don’t be scared of trying out a SNAPSHOT, it’s the only option and it’s super easy to upgrade/downgrade via the server admin.

If you don’t test it and only find a bug once it’s released, it won’t get fixed until the next stable release, which means your customers might be waiting a lot longer.

1 Like

OK, I’ll give it a shot, not on the top of my list, but somewhere in the middle :wink:

I just tried it and it works

It would be nice if these two other zip enhancements made it into the 5.3.2 RC

[LDEV-930] - Lucee cfzip compression level support
Added 7z format compress/extract by cfmitrah · Pull Request #613 · lucee/Lucee · GitHub cfzip 7z support

I just did some more testing and found a bug: if the zip password is wrong, the file is left locked and can’t be deleted until you restart Tomcat.

https://luceeserver.atlassian.net/browse/LDEV-1989?focusedCommentId=41330&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-41330

Hey Zac. I see your latest comment on 1989, so we’ll see if that’s a regression, or a new/different problem. Along with that, we’ll take a look at those other two enhancements you mentioned, too. We’re closing out the March sprint today, so none of this will be in the 5.3.2-RC, but the next sprint in May is wide open. @cfmitrah @micstriit @isapir

Do you think this bug warrants a 5.3.1.103?

Clicking debugging templates in the admin throws a syntax error
https://luceeserver.atlassian.net/browse/LDEV-2208

I see the installer hasn’t been released yet…

@Zackster @IamSigmund I didn’t create an issue for it, but could the scoping of the debug styles be reviewed sometime?

Hi Zac. I just confirmed that those fixes will be addressed in the 5.3.2 final release. We won’t be issuing a hotfix for 5.3.1.102. Holler w/ questions/comments.

1 Like

Hi Josh. Looks like you submitted a pull request, yes? If so, we do track those formally, so that should get pulled in soon. That said, it would be helpful to have a ticket, even if it’s just a suggestion ticket.

.103 is now the latest ‘release’ version.

Are the fixes in this? Is there a changelog for this?

1 Like

I note that the installer hasn’t been released yet. I’m sure @bdw429s would happily release an update for CommandBox too.

Just exactly how much effort is required to release a hotfix stable release?

Hey @jedihomer. Oops, that was a goof on the downloads page. I think we may have inadvertently run a build. Fixed now. The final release is still 102, not 103.

The effort depends entirely on the fix, of course. In this case, I don’t think it’s so much a case of the effort (although it’s not a 15-minute fix), but more so just needing to keep to our development schedule. If we continually fix regressions as part of hotfixes that get released immediately, our development schedule would fall apart, so we have to make judgement calls.

It’s also quite a few frustrating minutes for each and every stable user. Lucee has a lot of users, and some are only allowed to deploy and test stable releases.

I read the backend infrastructure for releases was recently updated to handle both stable and snapshots.

So, how long would it take to commit the patch (it’s already been committed) and release a stable version?