Lucee 5.2.7.63

Hi, may we see the changelog between 5.2.7.62 and 5.2.7.63? Is there anything important that got fixed?

(there’s a changelog between 5.2.6.59 and 5.2.6.60 before)

Thank you very much!

Allen

As I can see from: Download Lucee
One of these got fixed:
LDEV-1592 Possible DeserializeJSON problem
LDEV-1119 GetHttpRequestData().content sometimes empty when body content posted

Is it true that this is the changelog between 5.2.7.62/63 and 5.2.8.0? (since LDEV-1119 and LDEV-1592 are fixed in 5.2.8.0)

Thanks

Allen

Hi Lucee devs, is this a safe issue to upgrade to? As there are no release notes or changelog, neither here nor in Lucee admin… Love to hear!

This is a security hotfix addressing an issue with zip files. More info to come.


Any update on getting the official changelog out here please?

Was there a reason behind it not getting published?

Any plans to back port the security fix to 4.5 ?

I expect you are updating the ZIP library, because it could expand files with … (stupid Discourse web site keep rewriting my double stops to triple. No idea why) or / in them - this was discovered recently to still be an issue?

Given that Lucee 4.5 is EOL, is there any reason you haven’t upgraded to the latest stable release?

If you are worried about being vulnerable, all you need to do is list the files in the zip and check for any directories containing “…” before unzipping.

4.5 is EOL?

This is news!
Why is it still on the download page then?

Last I heard was “we’ll tell you later about EOL plans” : https://lucee.daemonite.io/t/is-lucee-4-5-5-006-the-last-one-for-version-4/3122/3?u=thefalken

you left out the next bit “by around mid year” which is pretty much now…

any reason (i.e blockers) why you haven’t upgraded?

Many.

But that’s not the question here. Clearly if Lucee are going to stop porting security updates to 4.5 then it’s EOL in practice, if not definition.

Maybe someone from @Lucee would like to make a definitive statement.

Still no news on the release-notes front! Neither on the website nor in Lucee Admin. Wazzup?

I guess some information can be found @ https://lucee.daemonite.io/t/announcing-lucee-5-2-8-50-rc/4052

Hi guys, @IamSigmund is going to get some more information out on this release but he’s on vacation ATM so it will probably be a week or so. The long and short of it is that the 63 build only has a single fix in it for the Zip Slip exploit that has affected a lot of Java apps around the open source world, as Tom linked. The ticket for it was an internal private ticket, which is standard for security fixes, so that’s why it isn’t getting pulled into the release notes. (Something that is an automatic process from JIRA.)

Regarding Lucee 4.x, you guys are correct that it has not officially been EOL’d even though it hasn’t seen an update in quite a while. We’ve been discussing whether this fix deserves to be backported internally. My personal take is that we should backport this security fix and then officially EOL 4.5 at this point. I don’t know when we’ll make a final decision on that. In the meantime, if anyone is using 4.5 and wants this fix very badly, I’m sure Rasia would be open to doing a priority patch as a paid project. cc/ @Gert LAS is not wanting to put much effort at all into the 4.x line at this point, so if it happens, it may not be right away.
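The Zip Slip class of bug mentioned above (and the "check for .. before unzipping" advice earlier in the thread) comes down to one rule: never write an archive entry to a path that resolves outside the extraction directory. The following is an added example, not Lucee's code or the fix shipped in 5.2.7.63; it shows the entry-name validation a defender can run over an archive before extracting anything. It treats a `..` path component, not merely the substring `..`, as the traversal marker (so a name like `data..backup` is not a false positive), rejects absolute and drive-letter paths, and then confirms the resolved target still sits under the destination directory. The archive contents and the `/tmp/extract` destination are constructed for the example.

```python
import io
import os
import zipfile


def is_safe_entry_name(name: str, dest_dir: str = "/tmp/extract") -> bool:
    """Return True only if extracting `name` under dest_dir stays inside dest_dir.

    Mirrors the usual Zip Slip mitigation: canonicalize the would-be target path
    and check its prefix, instead of relying on a substring search for '..'.
    dest_dir is a constructed placeholder for the example.
    """
    # Archives built on Windows may carry backslashes; treat them as separators.
    normalized = name.replace("\\", "/")

    # Absolute paths and drive letters (C:...) can never be legitimate entries.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return False

    # A '..' *component* walks out of the directory; 'foo..bar' does not.
    if any(part == ".." for part in normalized.split("/")):
        return False

    # Belt and braces: resolve the target and confirm it is still under dest_dir.
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, normalized))
    return target == base or target.startswith(base + os.sep)


def find_unsafe_entries(zip_bytes: bytes) -> list:
    """List every entry name in the archive that fails the safety check.

    Callers should refuse the whole archive if this list is non-empty, and run
    it before writing a single file, since a traversal entry may be listed last.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_entry_name(n)]


def build_sample_zip() -> bytes:
    """Constructed test archive: two harmless entries and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/index.cfm", "<cfoutput>hello</cfoutput>")
        zf.writestr("app/data..backup/notes.txt", "dots inside a name are fine")
        zf.writestr("../../etc/evil.txt", "would land outside the target dir")
    return buf.getvalue()


if __name__ == "__main__":
    bad = find_unsafe_entries(build_sample_zip())
    print("unsafe entries:", bad)  # prints the single traversal entry
```

The same two-step check (reject `..` components and absolute paths, then verify the canonical target prefix) is what the widely published Zip Slip fixes for Java do with `File.getCanonicalPath()`; it applies unchanged to tar, jar and any other archive format that stores relative file names.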


Perhaps a quick table that says: Hey folks, here are the end-of-life dates for each version number.


An update for 4.5 will follow ASAP.