Lucee 5.4.0.80 Stable Release

Zackster · June 21, 2023, 9:43am

Just in time for CFCamp 2023, the Lucee team presents the first stable release in the 5.4 series.

The main focus of this release was updating all the underlying java libraries to be CVE free.

The one exception in Hibernate 3.5.5 which hasn’t been (and can’t be upgraded) we’ll have more to announce about this soon.

5.4 also bundles two major updates to extensions

s3 v3, which switches to awslib
image v2, a complete rewrite, which is much more stable and supports WEBP

if you would like to see HEIC image support in Lucee, please donate to the upstream Twelve Monkeys library donating to open source projects is really

Available as usual via

your Lucee Admin,
download.lucee.org
Commandbox cfengine=lucee@5.4.0+80
Docker (including native ARM)
Maven

Java Versions supported

Java 8
Java 11 (Lucee Installer bundles 11.0.19)
Java 17 isn’t supported yet, (Lucee 6 will be supporting it this year)

Release notes 5.4

Changelog since last RC

LDEV-4358 - Resource leak in DatasourceConnectionPool 5.3.10
LDEV-4550 - Upgrading to v5.4.0.65 failed due to Felix installation

Code Changes

Extensions Bundled

AXIS and Search are no longer bundled due to CVEs, but can still be manually installed

github.com

lucee/Lucee/blob/5.4/core/src/main/java/META-INF/MANIFEST.MF#L358


      
          org.objectweb.asm.all;bundle-version=4.2,
          org.lucee.xml.resolver;bundle-version=1.2.0,
          slf4j.api;bundle-version=1.7.36,
          org.lucee.commons-email-all;bundle-version=1.6.0,
          tagsoup;bundle-version=1.2.1.0002L,
          w3c.dom;bundle-version=1.1.0,
          org.lucee.jsch;bundle-version=0.1.55,
          org.lucee.jzlib;bundle-version=1.1.3,
          org.lucee.argon2;bundle-version=2.7.0,
          com.sun.jna;bundle-version=5.10.0 
          Require-Extension: 7E673D15-D87C-41A6-8B5F1956528C605F;name=MySQL;label=MySQL;version=8.0.33,
          99A4EF8D-F2FD-40C8-8FB8C2E67A4EEEB6;name=MSSQL;label=MS SQL Server;version=12.2.0.jre8,
          671B01B8-B3B3-42B9-AC055A356BED5281;name=PostgreSQL;label=PostgreSQL;version=42.6.0,
          2BCD080F-4E1E-48F5-BEFE794232A21AF6;name=JDTsSQL;label=jTDS (MSSQL);version=1.3.1,
          CED6227E-0F49-6367-A68D21AACA6B07E8;name=Admin;label=Lucee Administrator;version=1.0.0.5,
          D46D49C3-EB85-8D97-30BEC2F38561E985;name=Doc;label=Lucee Documentation;version=1.0.0.4,
          17AB52DE-B300-A94B-E058BD978511E39E;name=S3;label=S3;version=2.0.1.25,
          87FE44E5-179C-43A3-A87B3D38BEF4652E;name=EHCache;label=EHCache;version=2.10.0.36,
          D46B46A9-A0E3-44E1-D972A04AC3A8DC10;name=Chart;label=CFChart;version=1.0.19.25,
          66E312DD-D083-27C0-64189D16753FD6F0;name=PDF;label=PDF;version=1.2.0.10-SNAPSHOT,
          FAD67145-E3AE-30F8-1C11A6CCF544F0B7;name=Form;label=Form tags;version=1.0.0.10;since=5.1.0.21,

Lucee needs financial Support

If you are building your career and/or business on Lucee, please support the developers working on the project. With your support, we can make Lucee even better and quicker, both in terms of performance and release cycles!

Release Roadmap

TL;DR due to CVE in java libraries used in 5.3, 5.3 is EOL aside from security fixes

The one caveat is we haven’t upgraded Hibernate from 3.5.5 to 5.4 yet in Lucee 5.4

Charlesr · June 22, 2023, 9:40pm

I don’t understand why 5x is still being developed, if 6x is just around the corner?

andreas · June 23, 2023, 5:03am

Please read this very informative post by @bdw429s

Finally I’ve met him in person here at cfcamp!!!

Michele_Scaletta · June 23, 2023, 7:39am

Yesterday I upgraded the production server with no issues. All applications seem to work fine.
CentOS Linux 7.9.2009 (Core)
Tomcat 9.0.31 and Java 11
Lucee run under Plesk Obsidian 18.0.53 update 1.
Well done to the development team.
Thanks

Zackster · June 29, 2023, 8:50am

There was a regression with QoQ relating to $ in column names, due to the hsqldb 2.7.2 upgrade

https://luceeserver.atlassian.net/browse/LDEV-4593

it has been addressed in the 5.4.1.2 and 6.0.0.487 SNAPSHOTS

The old version of HSQLDB was 1.8.0, from 2009, so there maybe some changes in behaviour we can’t change. HSQLDB is used for any QoQ with multiple tables, native QoQ only works on a single table

Phillyun · June 29, 2023, 11:10pm

Maybe related… ? We have some complex/very old QoQ joins failing in 5.4 (works in 5.3). Feel free to split to a separate thread.

My attempts to create an easy repro case has been unsuccessful.
I have updated details below to include the accurate query and the error.

Short version:
We have two queries via MSSQL.

QoQ does this:

SELECT qry1.stateCode, qry1.description, qry2.exempt
FROM qry1, qry2
WHERE cast(qry1.stateCode as varchar) = qry2.stateCode

Error Message:
length must be specified in type definition: VARCHAR
ErrorCode: 0
NativeErrorCode: -5599
SQLState: 42599
Stack:

lucee.runtime.exp.DatabaseException: length must be specified in type definition: VARCHAR at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source) at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source) at org.hsqldb.jdbc.JDBCStatement.fetchResult(Unknown Source) at org.hsqldb.jdbc.JDBCStatement.execute(Unknown Source) at lucee.runtime.type.util.QueryUtil.execute(QueryUtil.java:320) at lucee.runtime.type.QueryImpl.execute(QueryImpl.java:287) at lucee.runtime.type.QueryImpl.<init>(QueryImpl.java:235) at lucee.runtime.db.HSQLDBHandler.__execute(HSQLDBHandler.java:345) at lucee.runtime.db.HSQLDBHandler._execute(HSQLDBHandler.java:310) at lucee.runtime.db.HSQLDBHandler.execute(HSQLDBHandler.java:294) at lucee.runtime.tag.Query.executeQoQ(Query.java:1111) at lucee.runtime.tag.Query._doEndTag(Query.java:681) at lucee.runtime.tag.Query.doEndTag(Query.java:566) at ...

Removing the CAST causes this error:
Message: incompatible data types in combination
ErrorCode: 0
NativeErrorCode: -5562
SQLState: 42562
Stack:

lucee.runtime.exp.DatabaseException: incompatible data types in combination at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source) at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source) at org.hsqldb.jdbc.JDBCStatement.fetchResult(Unknown Source) at org.hsqldb.jdbc.JDBCStatement.execute(Unknown Source) at lucee.runtime.type.util.QueryUtil.execute(QueryUtil.java:320) at lucee.runtime.type.QueryImpl.execute(QueryImpl.java:287) at lucee.runtime.type.QueryImpl.<init>(QueryImpl.java:235) at lucee.runtime.db.HSQLDBHandler.__execute(HSQLDBHandler.java:345) at lucee.runtime.db.HSQLDBHandler._execute(HSQLDBHandler.java:310) at lucee.runtime.db.HSQLDBHandler.execute(HSQLDBHandler.java:294) at lucee.runtime.tag.Query.executeQoQ(Query.java:1111) at lucee.runtime.tag.Query._doEndTag(Query.java:681) at lucee.runtime.tag.Query.doEndTag(Query.java:566) at ...

Environment:
~~Lucee 5.4.1.2-SNAPSHOT~~
Lucee 5.4.1.4-SNAPSHOT
Windows 64-bit
Tomcat/9.0.64
11.0.7 (AdoptOpenJDK) 64bit

Zackster · June 30, 2023, 8:55am

please always include the top of the stack trace!!!

I’m working on the QoQ regressions, basically the problem is it used to be a lot slacker in terms of what is allowed and HSQLDB has become stricter since 2009

Zackster · July 5, 2023, 7:06pm

The following QoQ regressions are fixed in 5.4.1.4 and 6.0.0.498

[LDEV-4592] - Lucee & [LDEV-4613] - Lucee

thefalken · July 6, 2023, 8:14am

just fixing a S3 ACL issue and they will also be on forge box

What’s the issue for that ? I was just updating our dev Docker images from 5.3 to 5.4 to start testing, and if I’m just gonna have to do it again I may as well hold off a day or two.

Zackster · July 6, 2023, 8:30am

Just with Lucee build / publish infrastructure, nothing to worry about, already resolved

thefalken · July 6, 2023, 8:46am

Ah, cool.

I still need to wait for 5.4.1.4 to hit Docker Hub so it’s not a rush anyway

thefalken · July 7, 2023, 9:07am

I see 5.4.1.4 was just a SNAPSHOT and there’s now a 5.4.1.5 SNAPSHOT too, so are some more regressions being fixed somewhere ?

https://hub.docker.com/r/lucee/lucee/tags?page=1&name=5.4.1

( please don’t direct me to Jira, it’s impossible to use even if I guess where the login button is and moans at me about dark mode every time I open it )

Zackster · July 7, 2023, 9:26am

look, if you are going to be messing around with snapshots, then you need to look at jira, end of story

everyone else seems to manage

here is our sprint plan Log in with Atlassian account

thefalken · July 7, 2023, 10:26am

I don’t want to be messing with snapshot at all

I want the latest released 5.4.1. Above it was stated “QoQ regressions” are fixed in 5.4.1.4 so I thought that that would be a non-snapshot.

It seems like instead I need to watch the 5.4.1 Backlog list at the link you kindly gave (stands at 4 at present, including the QoQ fixes) and when that hits 0 there’ll be a 5.4.1.something RC and then a release ? E.g. 5.4.1.4 will never be a release, only ever snapshot ?

Sorry if this seems like silly questions, I really don’t follow how Lucee releases relate to Jira “fix versions” and then on to Docker tags.

Zackster · July 7, 2023, 11:46am

5.4.1 isn’t released, you know I publish release notes for all stable releases???

kabutotx · July 7, 2023, 5:26pm

Question: Will the update process erase old jars with CVEs? I would assume it will just use the newest if an older is also there? What is the “preferred” method. My Tomcat and JDK are updated to latest already.

Zackster · July 7, 2023, 7:02pm

fresh install they won’t be used, but that’s the only way