There is a new security fix available for Lucee 4.5 on the stable and dev
update provider, which you can install now. As is normal in this type of
situation, we will not disclose the issue being addressed, so as to protect
our current user base, but it is recommended to update as soon as possible.
This security fix is available for our current stable release (4.5.1.023)
on the stable release channel and for our BER release (4.5.2.005) on the
develop release channel.
Can you not give us even the general area it might affect? E.g. if you are
not accepting a particular sort of request then you are safe.
What about impact - is this remote unauthenticated command execution as
root? I’m guessing not, so how much less bad is it?
Without this how is anyone meant to make an informed choice about whether
and when to apply the update?
Tom
On Thursday, August 6, 2015 at 1:45:35 PM UTC+1, Information Lucee wrote:
@Phil
4.5.1.023 is now on the bitbucket download page, for some reason the
previous attempt to upload it failed.
We have also published 4.5.1.023 on the preview channel now.
@Adam
Yes this also affects Railo.
@Tom
This time we did a special release (4.5.1.023) that only addresses the
security issue for the current stable release (4.5.1.022), so you don’t
have to install anything else to get this fix.
The fix addresses an XSS issue in the Lucee admin. The issue gives you
no access to the system.
Micha
On Thu, Aug 6, 2015 at 3:36 PM, Tom Chiverton <@Tom_Chiverton> wrote:
Sure, we can improve our communication on this; luckily we do not have that
many security fixes.
I’m happy that this time we had a security fix for the stable release, so
you don’t have to update to the latest BER release to get the fix.
Yeah, got that change of numbering scheme in just in time
As long as things get better with time I’ll not moan too much!
Tom
On 6 August 2015 at 15:10, Michael Offner <@Michael_Offner> wrote:
Build 4.5.1.023 is not available at the bitbucket downloads page
The preview channel currently doesn’t have 4.5.1.023 either (but the
stable channel does)
Thanks.
On Thursday, August 6, 2015 at 10:45:35 PM UTC+10, Information Lucee wrote:
We completely forgot to thank Pete Freitag from Foundeo (https://foundeo.com/) for bringing this security issue to
our attention.
Thanks a lot!
The Lucee Team
On Thu, Aug 6, 2015 at 2:45 PM, Information Lucee <@Information_Lucee> wrote:
Cheers.
This means for most people there is no rush to patch. Certainly Pete’s
HackMyCf service will moan if you haven’t restricted its access
Yes it certainly will, and as of a few minutes ago it will also look for
the absence of this patch as well.
On Thu, Aug 6, 2015 at 10:03 AM, Tom Chiverton <@Tom_Chiverton> wrote:
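Pete’s remark that HackMyCF now checks for the absence of this patch comes down to a version gate. The following is an added example, not Lucee’s or HackMyCF’s code: it classifies a reported Lucee or Railo version string against the fixed builds named in this thread (4.5.1.023 on stable, 4.5.2.005 on the develop/BER channel), comparing the two branches separately so that a BER build that sorts above 4.5.1.023 but predates 4.5.2.005 is not mistaken for a fixed one. The sample inventory, its hostnames and the assumption that branches newer than 4.5.2 carry the fix are all constructed for this example.

```python
# Added example (not Lucee's or HackMyCF's code): gate a reported Lucee/Railo
# version against the fixed builds named in this thread.
import re

# First build carrying the fix, keyed by release branch (first three parts),
# as announced in the thread: 4.5.1.023 on stable, 4.5.2.005 on develop/BER.
FIXED_BUILDS = {
    (4, 5, 1): (4, 5, 1, 23),
    (4, 5, 2): (4, 5, 2, 5),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a 'major.minor.patch.build' tuple (e.g. '4.5.1.023') from a
    version string such as the value Lucee reports; None if none is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version):
    """Classify a version string as 'fixed', 'vulnerable' or 'unknown'.

    Each fixed branch is compared on its own: a BER build such as 4.5.2.004
    sorts above 4.5.1.023 yet still predates its own fix. Anything older
    than 4.5.1 (including Railo, which the thread says is affected) counts
    as vulnerable. Branches newer than 4.5.2 are assumed to carry the fix;
    that is an assumption of this example, not a statement from the thread.
    """
    v = parse_version(version)
    if v is None:
        return "unknown"
    branch = v[:3]
    if branch in FIXED_BUILDS:
        return "fixed" if v >= FIXED_BUILDS[branch] else "vulnerable"
    return "fixed" if branch > (4, 5, 2) else "vulnerable"


def hosts_needing_update(inventory):
    """Return hostnames whose reported version is not known to be fixed."""
    return sorted(h for h, ver in inventory.items() if assess(ver) != "fixed")


# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "app1": "Lucee 4.5.1.022",     # stable, one build before the fix
    "app2": "4.5.1.023",           # stable build with the fix
    "dev1": "4.5.2.004",           # BER before its fix, though > 4.5.1.023
    "legacy": "Railo 4.2.1.008",   # Railo is affected and has no fixed build
}
```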
Micha
On Thu, Aug 6, 2015 at 4:03 PM, Tom Chiverton <@Tom_Chiverton> wrote:
On 6 August 2015 at 15:01, Michael Offner <@Michael_Offner> wrote:
if you have locked down “/lucee/” you are fine.
Cheers.
If Lucee had some sort of standard security announcement email template,
I’m sure one of the sections would be ‘mitigations’ and that nugget would
have been in it.
Tom
How is the XSS injected? Probably a log file entry?
If so, for instance, having /lucee/ and /lucee-server/ access locked down
by IP is no help?
On 6 August 2015 at 14:51, Michael Offner <@Michael_Offner> wrote: