Lucee 5.4.7.2 LTS Release

While Lucee is not affected by the recent Tomcat CVE (CVE-2025-24813), we have made a 5.4.7 LTS release with the latest versions of Tomcat (9.0.102) and Java (11.0.26-4), plus an update to the bundled cacerts (root certificates for TLS/SSL etc.) just to keep your infosec team happy!

https://download.lucee.org/changelog/?version=5.4

https://luceeserver.atlassian.net/browse/LDEV-5409

Lucee 6 uses the JVM’s bundled cacerts by default, so it doesn’t need cacerts to be updated.

Huh? If you are seeing some cfhttp calls failing with 5.x, this will solve your problem.

As per our Roadmap, 5.4 is in LTS mode and is no longer being maintained, except for security updates like this. It’s time to start planning your upgrade to 6.2.

The upgrade is worth it. Lucee 6.2 is way faster than 5.4.

5 Likes

Is there a guide or tutorial or collection of forum posts somewhere about how to update from 5.4 to 6? My memory of the occasional forum posts is that there are many gotchas and things that are good to know before updating.

The official documentation is quite outdated:

2 Likes

I wrote up some detailed notes

4 Likes

For those of you still on Lucee 5.4, it appears that a change in Tomcat after v9.0.98 may have broken the regional settings in Lucee.

While we have all of our Lucee configurations set to US/EN, we noticed our production servers were showing timezone as GMT-04:00/GMT-05:00 instead of EST/EDT as expected. In looking into things, we noticed that our production servers were set to en_GB, whereas all of our testing environment was set to en_US.

So even though Lucee’s regional settings were set to en_US, it was still picking up the OS locale.
To resolve this issue, we ended up adding the following JVM arguments to force the server to the expected locale:

-Duser.country=US -Duser.language=en

So if you’re seeing weird timezone issues in your applications using a new version of Tomcat, this might be the cause.

4 Likes
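The mismatch described in the post above (production hosts on en_GB, test hosts on en_US) can be caught per host by checking the JVM's effective locale. This is an added example, not part of the original thread or Lucee's tooling; the function names `jvm_prop` and `locale_drift` and both sample settings texts are constructed for illustration.

```shell
#!/bin/sh
# Input: text printed by `java -XshowSettings:properties -version` (on stderr).

# jvm_prop NAME: print one property value from settings text on stdin.
jvm_prop() {
    awk -v key="$1" '
        # Property lines look like "    user.country = GB"
        $1 == key && $2 == "=" { print $3; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# locale_drift LANG COUNTRY: read settings text on stdin, report whether the
# JVM's effective locale matches. Returns 0 only on a match.
locale_drift() {
    want_lang=$1
    want_country=$2
    settings=$(cat)
    got_lang=$(printf '%s\n' "$settings" | jvm_prop user.language) || got_lang="(unset)"
    got_country=$(printf '%s\n' "$settings" | jvm_prop user.country) || got_country="(unset)"
    if [ "$got_lang" = "$want_lang" ] && [ "$got_country" = "$want_country" ]; then
        echo "ok ${got_lang}_${got_country}"
        return 0
    fi
    echo "drift: JVM locale ${got_lang}_${got_country}, expected ${want_lang}_${want_country}"
    return 1
}

# Constructed sample: JVM inheriting an en_GB OS locale (no -D overrides).
SAMPLE_GB='Property settings:
    file.encoding = UTF-8
    user.country = GB
    user.language = en
    user.timezone = '

# Constructed sample: same JVM started with -Duser.country=US -Duser.language=en.
SAMPLE_US='Property settings:
    file.encoding = UTF-8
    user.country = US
    user.language = en
    user.timezone = '

printf '%s\n' "$SAMPLE_GB" | locale_drift en US || true
printf '%s\n' "$SAMPLE_US" | locale_drift en US

# On a real host (assumes `java` on PATH is the JVM Tomcat runs):
#   java -XshowSettings:properties -version 2>&1 | locale_drift en US
```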

I’m working on it, and so can you.