The Lucee team is proud to release our latest Stable Release. This release focuses on bug fixes and on making Lucee more secure by default; the big change is that XML XXE mitigations are now on by default. This release also fixes a native QoQ bug.
Note: I mistyped the version number in the original post title; it's not 5.2.4.17, it's 5.4.2.17.
We have also backported this XXE change to some older releases (5.3.7, 5.3.8 and 5.3.9); see the above post for details. Anyone running older releases should upgrade to 5.4.2, as the 5.4 series includes updates for many underlying Java libraries with CVEs.
Java: unchanged, 11 is recommended, 8 still works, 17 is not supported.
Tickets since RC
LDEV-2692 - scheduled tasks list in admin doesn’t show the start time for daily, weekly or monthly tasks
Tickets
LDEV-3451 - Disable XML entities by default against XXE in Lucee 6.0 & 5.4
LDEV-3889 - show changelog on admin update page
LDEV-4087 - debug templates are changing the debug log entries
LDEV-4178 - Support passthru of storage locations for Directory* functions / CFDIRECTORY
LDEV-4348 - add xmlFeatures to getApplicationSettings
LDEV-4597 - NPE in pageSourcePool.clearUnused()
LDEV-4610 - Add requestExclusive param to administrator.updateDatasource()
LDEV-4627 - Native QoQ exception when column case differs
LDEV-4628 - update to zip4j 2.11.5
LDEV-4631 - Admin 5.4 is showing false update banner notifications for extensions
LDEV-4635 - s3 ext setStorage() does nothing for directoryCreate
LDEV-4640 - Lucee server config: errors in logs when server xml missing "update" element
LDEV-4644 - only show admin updates notifications for the same major version
LDEV-4645 - CHAR type in cfprocparam passes empty string as NULL
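To see what "XXE mitigations on by default" (LDEV-3451) and the new xmlFeatures entry in getApplicationSettings() (LDEV-4348) mean in practice, here is an added example that is not part of the release post or of Lucee's own code. It feeds a constructed XML document with a DOCTYPE declaring an external entity to xmlParse() and reports whether the parser rejected the DOCTYPE, parsed it without expanding the entity, or expanded it. The feature names externalGeneralEntities, secure and disallowDoctypeDecl are assumed from the Lucee documentation for this.xmlFeatures; the file path in the payload is only an illustration.

```cfml
<cfscript>
// Added example (not from the Lucee release post). Checks how this Lucee
// instance treats an XML document that declares an external entity.
// Assumed from the Lucee docs: the xmlFeatures keys externalGeneralEntities,
// secure and disallowDoctypeDecl. To pin the safe behaviour per application
// regardless of the server default, put this in Application.cfc:
//   this.xmlFeatures = { externalGeneralEntities: false, secure: true, disallowDoctypeDecl: true };

// Constructed XXE probe: a DOCTYPE with an external general entity that
// points at a local file. An unmitigated parser would inline the file.
payload = '<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY leak SYSTEM "file:///etc/hostname">
]>
<order><note>&leak;</note></order>';

// 1. Report the effective settings (LDEV-4348 added xmlFeatures here).
settings = getApplicationSettings();
if (structKeyExists(settings, "xmlFeatures")) {
    writeDump(var=settings.xmlFeatures, label="effective xmlFeatures");
} else {
    writeOutput("getApplicationSettings() does not report xmlFeatures on this version<br>");
}

// 2. Parse the probe and classify the outcome.
try {
    doc = xmlParse(payload);
    noteText = doc.order.note.xmlText;
    if (len(trim(noteText))) {
        // The entity was resolved and its content inlined: XXE is possible.
        writeOutput("UNSAFE: external entity expanded to " & len(noteText) & " characters");
    } else {
        // DOCTYPE accepted but external entities not resolved
        // (externalGeneralEntities=false without disallowDoctypeDecl).
        writeOutput("Parsed, but the external entity was not expanded");
    }
} catch (any e) {
    // disallowDoctypeDecl=true (the 5.4.2 default) makes the parser refuse
    // the DOCTYPE outright, which is the outcome to expect after upgrading.
    writeOutput("SAFE: parser rejected the document: " & encodeForHTML(e.message));
}
</cfscript>
```

The three outcomes matter for the upgrade: any application that relied on DOCTYPE declarations in inbound XML (for example, a partner's SOAP or RSS feed that ships a DTD) will now hit the catch branch, and the right fix is to relax only the specific feature that document needs in this.xmlFeatures for that application, not to switch the server default back.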
Regression
There's a silly regression: you'll see an update notification for the current version. It's already fixed in the latest snapshots; it only showed up after we published, and it's just cosmetic.
Any chance we can get these updated for maven/gradle users? We deploy lucee as a dependency of a jetty project, so we can currently only get up to 5.4.1.8
Regression
There's a silly regression: you'll see an update notification for the current version. It's already fixed in the latest snapshots; it only showed up after we published, and it's just cosmetic.
Weren’t there any regression tests? If there were, how did they fail to catch this?
I think that such an error, even if cosmetic, should disqualify 5.4.2.17 from being a Stable release. As things stand, the Stable release (“ready for production”) has the error. Yet the Snapshot (“NOT recommended for production environments”) is free of the error. Awkward.
You wouldn’t want that to happen often in Lucee. As that would convey a negative image of quality…
Updated my Lucee installation to 5.4.2.17: now I get a Fatal Error when consuming a web service with cfinvoke:
lucee.runtime.exp.NativeException: Fatal Error: URI=http://dev.moby.ch/webservices/mailenable/v1-4-1/mailenable.cfc?wsdl Line=2: The markup in the document following the root element must be well-formed. at org.apache.axis.utils.XMLUtils$ParserErrorHandler.fatalError(XMLUtils.java:723)
Depending on how your Lucee is deployed, the output of something like wget http://dev.moby.ch/webservices/mailenable/v1-4-1/mailenable.cfc?wsdl from the same machine/Docker image would be helpful, and would also rule out any networking issues.