Lucee 5.4.2.14-RC is out

The Lucee team is proud to release our latest RC; we are moving towards smaller and faster updates.

This release focusses on bug fixes and making Lucee more secure by default. The big change here is that XML XXE mitigations are now on by default.

But what’s an XML XXE, you ask?

Docker images are up after solving a Python regression with PyYAML.

https://hub.docker.com/r/lucee/lucee/tags?page=1&name=5.4.2.14-RC

box server start cfengine=lucee@5.4.2-RC+14

Tickets

LDEV-3451 - Disable XML entities by default against XXE in Lucee 6.0 & 5.4
LDEV-3889 - show changelog on admin update page
LDEV-4087 - debug templates are changing the debug log entries
LDEV-4178 - Support passthru of storage locations for Directory* functions / CFDIRECTORY
LDEV-4348 - add xmlFeatures to getApplicationSettings
LDEV-4597 - NPE in pageSourcePool.clearUnused()
LDEV-4610 - Add requestExclusive param to administrator.updateDatasource()
LDEV-4627 - Native QoQ exception when column case differs
LDEV-4628 - update to zip4j 2.11.5
LDEV-4631 - Admin 5.4 is showing false update banner notifications for extensions
LDEV-4635 - s3 ext setStorage() does nothing for directoryCreate
LDEV-4640 - Lucee server config: errors in logs when server xml missing “update” element
LDEV-4644 - only show admin updates notifications for the same major version
LDEV-4645 - CHAR type in cfprocparam passes empty string as NULL

Code Changes

5.4.2.17 STABLE is out, just waiting on a problem with ForgeBox, then I’ll post the announcement.