Lucee Release Candidate

The Lucee team is proud to present our next release candidate for the 5.x series.

The 5.4 series bumps the minor version (from 5.3), as we had to update some of the underlying java libraries and extensions as the older versions have CVEs or are no longer maintained.

All of the java libraries which have been updated in 6 have also been updated in 5.4, with the exception of hsqldb which in this RC is still 2.7.0

This includes an important performance logging / log4j fix with logging since (fixed in

Available as usual via

Java 17 is not fully supported yet


Java 11.0.19 and Tomcat 9.0.75

Both installers can be used to install any version of Lucee by selecting a different lucee.jar to install

The Windows installer also now supports side by side installs with custom service names


Lucee 6 beta 2 is coming out very soon, if you’d like to help, please test the latest 6 SNAPSHOT



LDEV-4280 - update metadata-extractor in image extension to 2.18.0 due to CVE
LDEV-4281 - update httpclient to 4.5.13 due to CVE
LDEV-4299 - switch to jsch fork (mwiede/jsch)
LDEV-4477 - remove xmpcore from lucee core
LDEV-4497 - update bundled cacerts to jdk-
LDEV-4120 - remove old stax and css2 jars
LDEV-1526 - update HyperSQL 2.7.2 (HSQLDB) for QoQ (CVE)
LDEV-4279 - Many vulnerable libs in Lucee preventing use in Government shops


LDEV-4470 - update postgres jdbc to 42.6.0
LDEV-4471 - update mysql to 8.0.33
LDEV-4291 - Bundle hibernate 5.4 with Lucee 5.4
LDEV-4293 - Update image extension to v2 for Lucee 5.4
LDEV-4294 - Update s3 to v2 for Lucee 5.4

Config Import

LDEV-4368 - Improve placeholder handling for config
LDEV-4485 - configImport needs to understand datasource allowedselect etc
LDEV-4307 - ConfigImport extremely slow


LDEV-4492 - After using the admin it can happen, that the language resource is not properly loaded
LDEV-4422 - Admin → Services Cache → Edit Memcached cache throws error
LDEV-4381 - admin: "column name [otherVersions] already exist;lucee.runtime.exp.DatabaseException: column name [otherVersions] already exist
LDEV-4390 - Admin: editing a cache throws exception instead of showing error
LDEV-4338 - Admin - (Services - Cache) creating cache throws the error
LDEV-2871 - When there aren’t any debugging logs, show debugging status


LDEV-3720 - Log trace of cflocation and allow option to Abort
LDEV-4219 - add charset, failto, replyto details to Mail listener arguments
LDEV-4229 - QueryParam missing exception should include the SQL
LDEV-4502 - add jsonLayout log appender

Bug fixes

LDEV-2900 - adding to cookie scope doesn’t inherit application cfcookie tag defaults
LDEV-3765 - Replace via a struct inserts gibberish when struct keys not found in text
LDEV-4192 - NPE in FTPService with connection timeout when stoponerror is false
LDEV-4237 - Regression - this.blockedextforfileupload doesn’t works for the file upload
LDEV-4297 - NPE lucee.runtime.config.ConfigWebUtil.loadAddionalConfig(
LDEV-4306 - SetLocale(“English (UK)") does not set United Kingdom locale.
LDEV-4315 - NPE at lucee.runtime.config.ConfigWebFactory._loadCache(
LDEV-4394 - avoid parsing queryparams in commented out sql
LDEV-4401 - Cfpop ignores port attribute
LDEV-4405 - Regression? Log42j locks causing long running requests
LDEV-4448 - Cannot cast String [352.] to a value of type [numeric]


LDEV-4452 - migrate build to use Maven Artifact Resolver Ant Tasks instead of Maven Ant Tasks
LDEV-4261 - build must always display Caused by: sections of java stacktraces

Code Changes

Extensions Bundled

AXIS and Search are no longer bundled due to CVEs, but can still be manually installed

Support the ongoing development of Lucee

If you are building your career and/or business on Lucee, please support the developers working on the project. With your support, we can make Lucee even better and quicker, both in terms of performance and release cycles!


We have found a few problems with extensions and osgi :frowning:

mssql [LDEV-4513] - Lucee
memcached [LDEV-4512] - Lucee
redis [LDEV-4516] - Lucee

all the 5.4 regressions are here"reg54" has hsqldb 2.7.2

Lucee Debug has been updated to work with this release

1 Like

5.4.0 regressions are being tracked in this epic

Lucee 5.4.0 RC1 Regressions

Currently the only outstanding regression is mssql can’t connect with the bundled driver

I’ve also updated the build to fail on such errors

Build: fail when a configured service is not available (service / java )

ok, all the 5.4-RC 1 regressions found so far have been resolved

please test the

When it’s coming, well the more testing the quicker the release cycle

A lot of people say, I can only use stable releases

That is exactly why you need to test during the RC phase

  • I’ve tested without finding problems
  • I can’t (stuck on older version)
  • Found some regression(s)
  • No
  • Just show me the result

0 voters

Normally when we hit something like this, we revert without investigating further assuming others are also seeing an issue like this. Thank you for the extra nudge for “re-testing” and more info.

What other info would you like provided when we hit these (other than this is on Windows /

This is from the Application.log and failure is from an attempt to use a SQL Server DSN.

Source code:

local.queryObj = new Query(
	sql = "SELECT 1"

“Error” … “Unable to resolve org.lucee.mssql [46](R 46.0): missing requirement [org.lucee.mssql [46](R 46.0)] osgi.wiring.package; (osgi.wiring.package=org.bouncycastle.jce.provider) Unresolved requirements: [[org.lucee.mssql [46](R 46.0)] osgi.wiring.package; (osgi.wiring.package=org.bouncycastle.jce.provider)] Detail: The specific sequence of files included or processed is /org/lucee/cfml/Query.cfc:227 /org/lucee/cfml/Query.cfc:37 …”

Okay, I setup a new datasource and copied that from the server administrator config.
The solution (in our case) was updating our config file:

"bundleVersion": "12.2.0.jre8" is out, I’ll post release notes on monday, here are all the bug fixes since the first RC