Lucee 5.3.11-3-RC is out

This is a maintenance / security release: the Lucee team considers XML XXE mitigations important, so they are now on by default.

But what’s an XML XXE, you ask?

The 5.3 branch is only getting important security updates, as per our roadmap.

We recommend updating to 5.4, as that has all the underlying Java libraries updated, something which we cannot do with 5.3 due to various older extensions.

Docker images are up after solving a Python regression with PyYAML

https://hub.docker.com/r/lucee/lucee/tags?page=1&name=5.3.11.3-RC

box server start cfengine=lucee@5.3.11-RC+3

But if you can’t upgrade just yet for any reason from 5.3.10 to 5.4.2, here’s a 5.3.11-RC

Tickets Addressed in 5.3.11

(all these changes are in 5.4.2 RC as well)

LDEV-3451 - Disable XML entities by default against XXE in Lucee 6.0 & 5.4
LDEV-4644 - only show admin updates notifications for the same major version
LDEV-4631 - Admin 5.4 is showing false update banner notifications for extensions

Tickets Addressed between 5.3.10.120 and 5.3.10.143

(all these tickets are already in 5.4 as well)

LDEV-3889 - show changelog on admin update page
LDEV-4219 - add charset, failto, replyto details to Mail listener arguments
LDEV-4229 - QueryParam missing exception should include the SQL
LDEV-4237 - Regression - this.blockedextforfileupload doesn’t works for the file upload
LDEV-4306 - SetLocale("English (UK)") does not set United Kingdom locale.
LDEV-4315 - NPE at lucee.runtime.config.ConfigWebFactory._loadCache(ConfigWebFactory.java:2343)
LDEV-4342 - Lucee 6 Admin Services - update the default cache connection didn’t work
LDEV-4385 - update to log4j 2.20.0
LDEV-4390 - Admin: editing a cache throws exception instead of showing error
LDEV-4394 - avoid parsing queryparams in commented out sql
LDEV-4401 - Cfpop ignores port attribute
LDEV-4405 - Regression? Log42j locks causing long running requests
LDEV-4416 - NPE on CallStackGet() with 5.3
LDEV-4422 - Admin → Services Cache → Edit Memcached cache throws error
LDEV-4443 - felix 6.0.5 causing problem with s3 ext
LDEV-4452 - migrate build to use Maven Artifact Resolver Ant Tasks instead of Maven Ant Tasks
LDEV-4470 - update postgres jdbc to 42.6.0
LDEV-4471 - update mysql to 8.0.33
LDEV-4485 - configImport needs to understand datasource allowedselect etc
LDEV-4492 - After using the admin it can happen, that the language resource is not properly loaded
LDEV-4497 - update bundled cacerts to jdk-11.0.19.7

Code Changes

5.3.11.5 STABLE is out, just waiting on a problem with forgebox, then I’ll post the announcement