This is a maintenance / security release: the Lucee team considers XML XXE mitigations important, so they are now enabled by default.
There is also a fix for an important logging performance regression in the changes since 5.3.10.120, which is another reason you should be upgrading.
No other changes since, apart from a small admin update notification change which doesn't affect this release.
But what's an XML XXE, you ask?
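As an added illustration (not Lucee's own code), here is what "disabling XML entities by default" amounts to in a general-purpose parser, using only Python's standard library: the hardened path refuses any DOCTYPE before anything is expanded, while the permissive path shows the pre-hardening behaviour on a constructed sample document.

```python
"""Refuse XML that carries a DOCTYPE (and so any entity declarations).

Illustrates the class of mitigation this release turns on by default:
entity declarations are rejected up front instead of being expanded.
Standard library only; this is not Lucee's implementation.
"""
import xml.parsers.expat
from xml.etree import ElementTree as ET

# Constructed samples: a harmless document and one that declares an entity.
BENIGN = b"<x><y>1</y></x>"
PROBE = b'<!DOCTYPE x [<!ENTITY e "expanded">]><x>&e;</x>'


class DoctypeRejected(ValueError):
    """Raised when the document declares a DOCTYPE / entities."""


def assert_no_doctype(xml_bytes: bytes) -> None:
    """Scan with expat and abort as soon as a DOCTYPE declaration appears.

    Expat reports the declaration before expanding anything, so no entity
    (internal or external) is ever resolved for a rejected document.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    # Belt and braces: never follow an external entity reference either.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(xml_bytes, True)


def parse_hardened(xml_bytes: bytes) -> ET.Element:
    """Parse only documents without a DOCTYPE; raise DoctypeRejected otherwise."""
    assert_no_doctype(xml_bytes)
    return ET.fromstring(xml_bytes)


def parse_permissive(xml_bytes: bytes) -> ET.Element:
    """Pre-hardening behaviour: declared entities are expanded silently."""
    return ET.fromstring(xml_bytes)


def is_rejected(xml_bytes: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_hardened(xml_bytes)
    except DoctypeRejected:
        return True
    return False
```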
The 5.3 branch is only getting important security updates, as per our roadmap
We recommend updating to 5.4, as it has all the underlying Java libraries updated, something we cannot do with 5.3 due to various older extensions.
Distributions
- Via your Lucee Administrator
- https://download.lucee.org/
- Docker images are up, including update based images with no major CVEs https://hub.docker.com/r/lucee/lucee/tags?page=1&name=5.3.11.5
- Commandbox
box server start cfengine=lucee@5.3.11+5
But if you can't upgrade just yet for any reason from 5.3.10 to 5.4.2, here's a 5.3.11-RC.
No installers will be published for this older release.
Tickets Addressed in 5.3.11
(all these changes are in 5.4.2 RC as well)
LDEV-3451 - Disable XML entities by default against XXE in Lucee 6.0 & 5.4
LDEV-4644 - only show admin updates notifications for the same major version
LDEV-4631 - Admin 5.4 is showing false update banner notifications for extensions
Tickets Addressed between 5.3.10.120 and 5.3.10.143
(all these tickets are already in 5.4 as well)
LDEV-3889 - show changelog on admin update page
LDEV-4219 - add charset, failto, replyto details to Mail listener arguments
LDEV-4229 - QueryParam missing exception should include the SQL
LDEV-4237 - Regression - this.blockedextforfileupload doesn’t works for the file upload
LDEV-4306 - SetLocale("English (UK)") does not set United Kingdom locale.
LDEV-4315 - NPE at lucee.runtime.config.ConfigWebFactory._loadCache(ConfigWebFactory.java:2343)
LDEV-4342 - Lucee 6 Admin Services - update the default cache connection didn’t work
LDEV-4385 - update to log4j 2.20.0
LDEV-4390 - Admin: editing a cache throws exception instead of showing error
LDEV-4394 - avoid parsing queryparams in commented out sql
LDEV-4401 - Cfpop ignores port attribute
LDEV-4405 - Regression? Log42j locks causing long running requests
LDEV-4416 - NPE on CallStackGet() with 5.3
LDEV-4422 - Admin → Services Cache → Edit Memcached cache throws error
LDEV-4443 - felix 6.0.5 causing problem with s3 ext
LDEV-4452 - migrate build to use Maven Artifact Resolver Ant Tasks instead of Maven Ant Tasks
LDEV-4470 - update postgres jdbc to 42.6.0
LDEV-4471 - update mysql to 8.0.33
LDEV-4485 - configImport needs to understand datasource allowedselect etc
LDEV-4492 - After using the admin it can happen, that the language resource is not properly loaded
LDEV-4497 - update bundled cacerts to jdk-11.0.19.7