Hello,
I see that Lucee 5.2.9.31 is the final version for 5.2. Will security vulnerabilities be back ported from later versions of Lucee? Also, does being the “final version” mean that it is officially end of life?
Thank you,
Kellen Reason
Realistically, probably not. If there is something found that is very very serious, then I’m sure the dev team would consider it. But generally speaking, there have been 5 stable releases since 5.2 (5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4) and there are already two future releases cooking as we speak (5.3.5, 5.3.6) so 5.2 is pretty long in the tooth now.
Is there a particular fix you’re interested in?
No, not a particular fix. Our current environment runs on RHEL 7. We were having issues with Lucee closing its socket connections inexplicably on version 5.3.2. As a result, we went back to 5.2 and now we are evaluating the associated risk of remaining on 5.2 for some time.
We’ve decided to try a later stable version of 5.3. We will see if we experience the same issue as before.
Thank you,
Kellen Reason
@reasonke Assuming you’re referring to the incoming HTTP listener, Lucee does not make those connections. Tomcat does. I would suspect the change in behavior is likely due to the default version of Tomcat that happened to be bundled in the installer that ships with Lucee 5.3. I would pinpoint the issue and possibly deploy Lucee on another version of Tomcat if you need.
1 Like