Lucee Stable Release - Security update included

Hi All,

There is a new stable release of Lucee available today via the update
provider which includes a security update. More details here:

Kind regards,

Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Association Member http://lucee.org

structKeyExists(server, “railo”) changes with the patch. False after.

Is this intentional ? In which case a lot of frameworks, not just Taffy,
could need to be updated ?

Tom

OK, so the release notes (would be an idea to link them from the blog btw)
mention
https://bitbucket.org/lucee/lucee/issue/147
which seems related, but this link is dead.

I assume frameworks just need to update.

Hang on… does this update include more than just the security fix?On Friday, 3 July 2015 15:24:19 UTC+1, Tom Chiverton wrote:


Adam

This update breaks Taffy v3.0.2 :
/taffy/core/resource.cfc: line 50 :

  • local.Columns = arguments.q.getMetaData().getColumnLabels();*

The error is “method is not implemented”.

I’m trying to see what changed, but I wouldn’t update if you need Taffy…

TomOn Friday, July 3, 2015 at 2:52:19 PM UTC+1, Andrew Dixon wrote:

Hi All,

There is a new stable release of Lucee available today via the update
provider which includes a security update. More details here:

http://lucee.org/blog/lucee-stable-release-security-update-included.html

The change to structKeyExists() also effects JSONUtil though it’s not as
critical, looking at it, and I can’t trigger an error with the way our apps
use it.

ColdSpring appears clear.

Off to grep some of our other web roots now,
Tom

Is there a full version number? I have scripts that update our version
by updating the correct .lco files.

Regards

Mark Drew> Andrew Dixon mailto:Andrew_Dixon

3 July 2015 14:52
Hi All,

There is a new stable release of Lucee available today via the update
provider which includes a security update. More details here:

http://lucee.org/blog/lucee-stable-release-security-update-included.html

Kind regards,

Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net -
Lucee Association Member http://lucee.org

You received this message because you are subscribed to the Google
Groups “Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to lucee+unsubscribe@googlegroups.com
mailto:lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com
mailto:lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAG1WijWH5pk_Of434S4jt-H5D8zfJ5zNfmoz7PD4m1k4q8cmzQ%40mail.gmail.com
https://groups.google.com/d/msgid/lucee/CAG1WijWH5pk_Of434S4jt-H5D8zfJ5zNfmoz7PD4m1k4q8cmzQ%40mail.gmail.com?utm_medium=email&utm_source=footer.
For more options, visit https://groups.google.com/d/optout.

OK, so the release notes (would be an idea to link them from the blog btw)
mention
https://bitbucket.org/lucee/lucee/issue/147
which seems related, but this link is dead.

I assume frameworks just need to update.

Tom

How far behind the update provider does the downloads page
http://lucee.org/downloads.html lag? (All of the 4.5 links are still for
4.5.1.000.)

I have a Vagrant environment in which I’d prefer to install Lucee fresh
(instead of working out patch provisioning).

Thanks,
JamieOn Fri, Jul 3, 2015 at 9:52 AM, Andrew Dixon <@Andrew_Dixon> wrote:

Hi All,

There is a new stable release of Lucee available today via the update
provider which includes a security update. More details here:

http://lucee.org/blog/lucee-stable-release-security-update-included.html

Kind regards,

Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Association Member http://lucee.org


You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAG1WijWH5pk_Of434S4jt-H5D8zfJ5zNfmoz7PD4m1k4q8cmzQ%40mail.gmail.com
https://groups.google.com/d/msgid/lucee/CAG1WijWH5pk_Of434S4jt-H5D8zfJ5zNfmoz7PD4m1k4q8cmzQ%40mail.gmail.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

Fyi, with Lucee 5 we move the build process to maven and it gets
automatically published to the central maven repo as well. The first
snapshot of this kind should follow this week.

MichaAm Montag, 6. Juli 2015 schrieb Chris Blackwell :

… and it’s still not on the maven repo.

I know it’s not managed by LAS, but maybe you need to fix that, it’s just
daft that builds don’t get published, especially stable ones that include
security patches.

On Mon, 6 Jul 2015 17:20 Michael Offner <@Michael_Offner <javascript:_e(%7B%7D,‘cvml’,’@Michael_Offner’);>> wrote:

Every stable release we do was at least one week on the preview update
channel without any report of an issue reported specific to that release
before we consider to move it to stable. Most of the fixes in this release
are available for weeks for testing, some for months.
I can understand that people prefer to stay on an old version and only
add the security updates, but we are simply not able to maintain multiple
versions of the same major versions.
If someone is interested in this, our professional service providers are
more than willing to help out with building specual releases like this:
http://lucee.org/support.html

Micha

On Fri, Jul 3, 2015 at 4:49 PM, Adam Cameron <@Adam_Cameron <javascript:_e(%7B%7D,‘cvml’,’@Adam_Cameron’);>> wrote:

On Friday, 3 July 2015 15:38:29 UTC+1, Tom Chiverton wrote:

Here’s the release notes: http://pastebin.com/pcdp8viW

So glad I have a testing box, but to be fair they do say “update
including important zero-day super secure OMG patch now or else” so there’s
no suggestion it’s not a bunch of stuff ?

Yeh, that’s fine, I wasn’t suggesting that there being lots of stuff in
there wouldn’t come as a surprise to ppl, if it’s documented.

But you can’t really release a critical security patch along with
another 50-odd fixes. The security patch has to just fix the security
issue
, and impact as few moving parts as possible so it’s safe to deploy
with a minimum of testing (and, as has been demonstrated by you… the
minimum chance of it accidentally breaking stuff, thus preventing the patch
from being applied).


Adam


You received this message because you are subscribed to the Google
Groups “Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to lucee+unsubscribe@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee%2Bunsubscribe@googlegroups.com’);>.
To post to this group, send email to lucee@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee@googlegroups.com’);>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/88d49147-7d85-431b-8259-8dc946a3085c%40googlegroups.com
https://groups.google.com/d/msgid/lucee/88d49147-7d85-431b-8259-8dc946a3085c%40googlegroups.com?utm_medium=email&utm_source=footer
.

For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee%2Bunsubscribe@googlegroups.com’);>.
To post to this group, send email to lucee@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee@googlegroups.com’);>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAG%2BEEBz6E6uxeAP0qBgSDMuOV5B1ZLRCq_GHWkWsjGh8BfjnYA%40mail.gmail.com
https://groups.google.com/d/msgid/lucee/CAG%2BEEBz6E6uxeAP0qBgSDMuOV5B1ZLRCq_GHWkWsjGh8BfjnYA%40mail.gmail.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee%2Bunsubscribe@googlegroups.com’);>.
To post to this group, send email to lucee@googlegroups.com
<javascript:_e(%7B%7D,‘cvml’,‘lucee@googlegroups.com’);>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAB%3DtfTqtcGamZgKugCs_EPfq-_FfUN03hBEvp7B6ZyyjvwpmdQ%40mail.gmail.com
https://groups.google.com/d/msgid/lucee/CAB%3DtfTqtcGamZgKugCs_EPfq-_FfUN03hBEvp7B6ZyyjvwpmdQ%40mail.gmail.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

Hi Jamie,

Express, JARs and WAR are now done. Micha is trying to sort out the
installer at the moment, but it might be a couple of days (or possibly
more).

Kind regards,

Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Association Member http://lucee.orgOn 6 July 2015 at 20:31, Jamie Jackson <@Jamie_Jackson> wrote:

How far behind the update provider does the downloads page
http://lucee.org/downloads.html lag? (All of the 4.5 links are still
for 4.5.1.000.)

I have a Vagrant environment in which I’d prefer to install Lucee fresh
(instead of working out patch provisioning).

Thanks,
Jamie

On Fri, Jul 3, 2015 at 9:52 AM, Andrew Dixon <@Andrew_Dixon> wrote:

Hi All,

There is a new stable release of Lucee available today via the update
provider which includes a security update. More details here:

http://lucee.org/blog/lucee-stable-release-security-update-included.html

Kind regards,

Andrew
about.me http://about.me/andrew_dixon - mso http://www.mso.net - Lucee
Association Member http://lucee.org


You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CAG1WijWH5pk_Of434S4jt-H5D8zfJ5zNfmoz7PD4m1k4q8cmzQ%40mail.gmail.com
https://groups.google.com/d/msgid/lucee/CAG1WijWH5pk_Of434S4jt-H5D8zfJ5zNfmoz7PD4m1k4q8cmzQ%40mail.gmail.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+unsubscribe@googlegroups.com.
To post to this group, send email to lucee@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/CA%2BonWPfAJ5yUoZcUc_bHd7a-GK4oVcgE%2BHVO_ji7jKBtHhnAjg%40mail.gmail.com
https://groups.google.com/d/msgid/lucee/CA%2BonWPfAJ5yUoZcUc_bHd7a-GK4oVcgE%2BHVO_ji7jKBtHhnAjg%40mail.gmail.com?utm_medium=email&utm_source=footer
.

For more options, visit https://groups.google.com/d/optout.