Lucee 5.4.0.65 Release Candidate

Zackster · June 2, 2023, 9:21am

The Lucee team is proud to present our next release candidate for the 5.x series.

The 5.4 series bumps the minor version (from 5.3), as we had to update some of the underlying java libraries and extensions as the older versions have CVEs or are no longer maintained.

All of the java libraries which have been updated in 6 have also been updated in 5.4, with the exception of hsqldb which in this RC is still 2.7.0

This includes an important performance logging / log4j fix with logging since 5.3.10.120 (fixed in 5.3.10.125)

Available as usual via

your Lucee Admin,
download.lucee.org
Commandbox cfengine=lucee@5.4.0-RC+65
Docker (including native ARM)
Maven

Java 17 is not fully supported yet

Installers

Java 11.0.19 and Tomcat 9.0.75

Both installers can be used to install any version of Lucee by selecting a different lucee.jar to install

The Windows installer also now supports side by side installs with custom service names

Roadmap

Lucee 6 beta 2 is coming out very soon, if you’d like to help, please test the latest 6 SNAPSHOT

Changelog

Java

LDEV-4280 - update metadata-extractor in image extension to 2.18.0 due to CVE
LDEV-4281 - update httpclient to 4.5.13 due to CVE
LDEV-4299 - switch to jsch fork (mwiede/jsch)
LDEV-4477 - remove xmpcore from lucee core
LDEV-4497 - update bundled cacerts to jdk-11.0.19.7
LDEV-4120 - remove old stax and css2 jars
LDEV-1526 - update HyperSQL 2.7.2 (HSQLDB) for QoQ (CVE)
LDEV-4279 - Many vulnerable libs in Lucee preventing use in Government shops

Extensions

LDEV-4470 - update postgres jdbc to 42.6.0
LDEV-4471 - update mysql to 8.0.33
LDEV-4291 - Bundle hibernate 5.4 with Lucee 5.4
LDEV-4293 - Update image extension to v2 for Lucee 5.4
LDEV-4294 - Update s3 to v2 for Lucee 5.4

Config Import

LDEV-4368 - Improve placeholder handling for config
LDEV-4485 - configImport needs to understand datasource allowedselect etc
LDEV-4307 - ConfigImport extremely slow

Admin

LDEV-4492 - After using the admin it can happen, that the language resource is not properly loaded
LDEV-4422 - Admin → Services Cache → Edit Memcached cache throws error
LDEV-4381 - admin: "column name [otherVersions] already exist;lucee.runtime.exp.DatabaseException: column name [otherVersions] already exist
LDEV-4390 - Admin: editing a cache throws exception instead of showing error
LDEV-4338 - Admin - (Services - Cache) creating cache throws the error
LDEV-2871 - When there aren’t any debugging logs, show debugging status

Enhancements

LDEV-3720 - Log trace of cflocation and allow option to Abort
LDEV-4219 - add charset, failto, replyto details to Mail listener arguments
LDEV-4229 - QueryParam missing exception should include the SQL
LDEV-4502 - add jsonLayout log appender

Bug fixes

LDEV-2900 - adding to cookie scope doesn’t inherit application cfcookie tag defaults
LDEV-3765 - Replace via a struct inserts gibberish when struct keys not found in text
LDEV-4192 - NPE in FTPService with connection timeout when stoponerror is false
LDEV-4237 - Regression - this.blockedextforfileupload doesn’t works for the file upload
LDEV-4297 - NPE lucee.runtime.config.ConfigWebUtil.loadAddionalConfig(ConfigWebUtil.java:783)
LDEV-4306 - SetLocale(“English (UK)") does not set United Kingdom locale.
LDEV-4315 - NPE at lucee.runtime.config.ConfigWebFactory._loadCache(ConfigWebFactory.java:2343)
LDEV-4394 - avoid parsing queryparams in commented out sql
LDEV-4401 - Cfpop ignores port attribute
LDEV-4405 - Regression? Log42j locks causing long running requests
LDEV-4448 - Cannot cast String [352.] to a value of type [numeric]

Build

LDEV-4452 - migrate build to use Maven Artifact Resolver Ant Tasks instead of Maven Ant Tasks
LDEV-4261 - build must always display Caused by: sections of java stacktraces

Code Changes

Extensions Bundled

AXIS and Search are no longer bundled due to CVEs, but can still be manually installed

github.com

lucee/Lucee/blob/5.4/core/src/main/java/META-INF/MANIFEST.MF#L358


      
          org.objectweb.asm.all;bundle-version=4.2,
          org.lucee.xml.resolver;bundle-version=1.2.0,
          slf4j.api;bundle-version=1.7.36,
          org.lucee.commons-email-all;bundle-version=1.6.0,
          tagsoup;bundle-version=1.2.1.0002L,
          w3c.dom;bundle-version=1.1.0,
          org.lucee.jsch;bundle-version=0.1.55,
          org.lucee.jzlib;bundle-version=1.1.3,
          org.lucee.argon2;bundle-version=2.7.0,
          com.sun.jna;bundle-version=5.10.0 
          Require-Extension: 7E673D15-D87C-41A6-8B5F1956528C605F;name=MySQL;label=MySQL;version=8.0.33,
          99A4EF8D-F2FD-40C8-8FB8C2E67A4EEEB6;name=MSSQL;label=MS SQL Server;version=12.2.0.jre8,
          671B01B8-B3B3-42B9-AC055A356BED5281;name=PostgreSQL;label=PostgreSQL;version=42.6.0,
          2BCD080F-4E1E-48F5-BEFE794232A21AF6;name=JDTsSQL;label=jTDS (MSSQL);version=1.3.1,
          CED6227E-0F49-6367-A68D21AACA6B07E8;name=Admin;label=Lucee Administrator;version=1.0.0.5,
          D46D49C3-EB85-8D97-30BEC2F38561E985;name=Doc;label=Lucee Documentation;version=1.0.0.4,
          17AB52DE-B300-A94B-E058BD978511E39E;name=S3;label=S3;version=2.0.1.25,
          87FE44E5-179C-43A3-A87B3D38BEF4652E;name=EHCache;label=EHCache;version=2.10.0.36,
          D46B46A9-A0E3-44E1-D972A04AC3A8DC10;name=Chart;label=CFChart;version=1.0.19.25,
          66E312DD-D083-27C0-64189D16753FD6F0;name=PDF;label=PDF;version=1.2.0.10-SNAPSHOT,
          FAD67145-E3AE-30F8-1C11A6CCF544F0B7;name=Form;label=Form tags;version=1.0.0.10;since=5.1.0.21,

Support the ongoing development of Lucee

If you are building your career and/or business on Lucee, please support the developers working on the project. With your support, we can make Lucee even better and quicker, both in terms of performance and release cycles!

Zackster · June 2, 2023, 11:09am

We have found a few problems with extensions and osgi

mssql [LDEV-4513] - Lucee
memcached [LDEV-4512] - Lucee
redis [LDEV-4516] - Lucee

all the 5.4 regressions are here https://luceeserver.atlassian.net/issues/?jql=labels%20%3D%20"reg54"

5.4.0.66-SNAPSHOT has hsqldb 2.7.2

Zackster · June 3, 2023, 7:02am

Lucee Debug has been updated to work with this release

Zackster · June 6, 2023, 7:43am

5.4.0 regressions are being tracked in this epic

Lucee 5.4.0 RC1 Regressions

Currently the only outstanding regression is mssql can’t connect with the bundled driver

I’ve also updated the build to fail on such errors

Build: fail when a configured service is not available (service / java )

Zackster · June 7, 2023, 5:11pm

ok, all the 5.4-RC 1 regressions found so far have been resolved

please test the 5.4.0.74-SNAPSHOT

When it’s coming, well the more testing the quicker the release cycle

A lot of people say, I can only use stable releases

That is exactly why you need to test during the RC phase

I’ve tested 5.4.0.74-SNAPSHOT without finding problems
I can’t (stuck on older version)
Found some regression(s)
No
Just show me the result

0 voters

Phillyun · June 7, 2023, 8:45pm

Normally when we hit something like this, we revert without investigating further assuming others are also seeing an issue like this. Thank you for the extra nudge for “re-testing” and more info.

What other info would you like provided when we hit these (other than this is on Windows / 5.4.0.74-Snapshot?

This is from the Application.log and failure is from an attempt to use a SQL Server DSN.

Source code:

local.queryObj = new Query(
	datasource="myDsn",
	sql = "SELECT 1"
).execute();

“Error” … “Unable to resolve org.lucee.mssql [46](R 46.0): missing requirement [org.lucee.mssql [46](R 46.0)] osgi.wiring.package; (osgi.wiring.package=org.bouncycastle.jce.provider) Unresolved requirements: [[org.lucee.mssql [46](R 46.0)] osgi.wiring.package; (osgi.wiring.package=org.bouncycastle.jce.provider)] Detail: The specific sequence of files included or processed is /org/lucee/cfml/Query.cfc:227 /org/lucee/cfml/Query.cfc:37 …”

Phillyun · June 7, 2023, 9:08pm

Okay, I setup a new datasource and copied that from the server administrator config.
The solution (in our case) was updating our config file:

"bundleVersion": "12.2.0.jre8"

Zackster · June 9, 2023, 6:56pm

5.4.0.77-RC is out, I’ll post release notes on monday, here are all the bug fixes since the first RC