Lucee Stable Release - Security update included


Andrew Dixon

Jul 3, 2015, 9:52:19 AM
to lu...@googlegroups.com, lucee-su...@googlegroups.com
Hi All,

There is a new stable release of Lucee available today via the update provider which includes a security update. More details here:


Kind regards,

Andrew

Tom Chiverton

Jul 3, 2015, 10:08:38 AM
to lu...@googlegroups.com, lucee-su...@googlegroups.com
On Friday, July 3, 2015 at 2:52:19 PM UTC+1, Andrew Dixon wrote:
Hi All,

There is a new stable release of Lucee available today via the update provider which includes a security update. More details here:
This update breaks Taffy v3.0.2 :
/taffy/core/resource.cfc: line 50 :
local.Columns = arguments.q.getMetaData().getColumnLabels();

The error is "method is not implemented".

I'm trying to see what changed, but I wouldn't update if you need Taffy...

Tom

Tom Chiverton

Jul 3, 2015, 10:16:27 AM
to lu...@googlegroups.com, lucee-su...@googlegroups.com
structKeyExists(server, "railo") changes with the patch. False after.

Is this intentional? In which case a lot of frameworks, not just Taffy, could need to be updated?

Tom

Tom Chiverton

Jul 3, 2015, 10:24:19 AM
to lu...@googlegroups.com, lucee-su...@googlegroups.com
OK, so the release notes (would be an idea to link them from the blog btw) mention
https://bitbucket.org/lucee/lucee/issue/147
which seems related, but this link is dead.

I assume frameworks just need to update.

Tom

Adam Cameron

Jul 3, 2015, 10:29:38 AM
to lu...@googlegroups.com, lucee-su...@googlegroups.com
Hang on... does this update include more than just the security fix?

-- 
Adam 

Tom Chiverton

Jul 3, 2015, 10:32:34 AM
to lu...@googlegroups.com, lucee-su...@googlegroups.com

On 3 July 2015 at 15:29, Adam Cameron <camero...@gmail.com> wrote:
Hang on... does this update include more than just the security fix?

Much more.
Check the list in the Lucee admin.


--
Tom

Adam Cameron

Jul 3, 2015, 10:35:45 AM
to lu...@googlegroups.com, lucee-su...@googlegroups.com
I can't access the Lucee download server from here, so cannot get the update until tomorrow. Is there a stand-alone "release notes" doc I can see?

If there's more than just the critical security fix, this is "a bit" of a cock-up.

I recommend LAS redo the release in two parts:
* security fix only
* all the rest


-- 
Adam


Tom Chiverton

Jul 3, 2015, 10:38:29 AM
to lu...@googlegroups.com, lucee-su...@googlegroups.com
Here's the release notes: http://pastebin.com/pcdp8viW

So glad I have a testing box, but to be fair they do say "update including important zero-day super secure OMG patch now or else", so there's no suggestion it's not a bunch of stuff?

Would be nice to have them separated though in future.

Tom

Adam Cameron

Jul 3, 2015, 10:49:56 AM
to lu...@googlegroups.com, lucee-su...@googlegroups.com


On Friday, 3 July 2015 15:38:29 UTC+1, Tom Chiverton wrote:
Here's the release notes: http://pastebin.com/pcdp8viW

So glad I have a testing box, but to be fair they do say "update including important zero-day super secure OMG patch now or else", so there's no suggestion it's not a bunch of stuff?


Yeah, that's fine, I wasn't suggesting that there being lots of stuff in there would come as a surprise to people, if it's documented.

But you can't really release a critical security patch along with another 50-odd fixes. The security patch has to *just fix the security issue*, and impact as few moving parts as possible so it's safe to deploy with a minimum of testing (and, as has been demonstrated by you... the minimum chance of it accidentally breaking stuff, thus preventing the patch from being applied).

-- 
Adam

Mark Drew

Jul 3, 2015, 10:52:21 AM
to lu...@googlegroups.com
Is there a full version number? I have scripts that update our version by updating the correct .lco files.

Regards

Mark Drew

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/CAG1WijWH5pk_Of434S4jt-H5D8zfJ5zNfmoz7PD4m1k4q8cmzQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Tom Chiverton

Jul 3, 2015, 10:55:12 AM
to lu...@googlegroups.com
On Friday, July 3, 2015 at 3:52:21 PM UTC+1, Mark Drew wrote:
Is there a full version number? I have scripts that update our version by updating the correct .lco files.
4.5.1.022

Why all this isn't on their site I have no idea,
Tom

Mark Drew

Jul 3, 2015, 10:59:32 AM
to lu...@googlegroups.com
Oh cool. Already on that. Cheers!

MD


Tom Chiverton

Jul 3, 2015, 11:03:44 AM
to lu...@googlegroups.com, lucee-su...@googlegroups.com
The change to structKeyExists() also affects JSONUtil, though it's not as critical, looking at it, and I can't trigger an error with the way our apps use it.

ColdSpring appears clear.

Off to grep some of our other web roots now,
Tom
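A pre-upgrade inventory check in the spirit of the grep Tom mentions, added here as an example (it is not from the thread, nor Lucee's or Taffy's own code): a POSIX shell function that scans a web root for CFML still keyed off the "railo" server key or calling getColumnLabels(), so those files can be exercised on a staging box before 4.5.1.022 reaches production. The regexes, function names and the sample files in the usage are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original thread. Scans .cfc/.cfm sources for
# the two constructs the thread reports breaking under the 4.5.1.022 update:
#   - engine detection via the "railo" server key
#       structKeyExists(server, "railo") / server.railo / server["railo"]
#   - query metadata access via getColumnLabels()
# CFML is case-insensitive, so grep runs with -i. Patterns are constructed.

RAILO_KEY_RE="structKeyExists[[:space:]]*\\([[:space:]]*server[[:space:]]*,[[:space:]]*[\"']railo[\"']|server\\.railo|server\\[[[:space:]]*[\"']railo[\"']"
COLUMN_LABELS_RE="getColumnLabels[[:space:]]*\\("

# Print "file:line:text" for every hit below the given root directory.
# Always exits 0 so it can sit in a pipeline; grep's "no match" status is not an error here.
find_railo_checks() {
    root="$1"
    find "$root" -type f \( -name '*.cfc' -o -name '*.cfm' \) \
        -exec grep -niHE "$RAILO_KEY_RE|$COLUMN_LABELS_RE" {} + 2>/dev/null || true
}

# Number of hits below the root; a non-zero count means the tree needs testing
# against the new release before the update provider is allowed to apply it.
railo_check_count() {
    find_railo_checks "$1" | wc -l | tr -d ' '
}

# Usage: ./railo_audit.sh /var/www   (prints hits, then the total)
if [ -n "$1" ]; then
    find_railo_checks "$1"
    echo "hits: $(railo_check_count "$1")"
fi
```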

Igal @ Lucee.org

Jul 3, 2015, 1:11:01 PM
to lu...@googlegroups.com
But you can't really release a critical security patch along with another 50-odd fixes. The security patch has to *just fix the security issue*
That's probably a good idea in closed-source software, but not so much in open-source software. I'm sure that you understand the reasoning behind that.

Igal Sapir
Lucee Core Developer
Lucee.org


Ryan Guill

Jul 3, 2015, 4:01:31 PM
to lu...@googlegroups.com
I don't understand the reasoning.  Are you suggesting that this way is more secure because you are mixing it in with other changes and obscuring which change is related to the security fix?

Michael Offner

Jul 6, 2015, 12:20:36 PM
to lucee
Every stable release we do has been at least one week on the preview update channel, without any report of an issue specific to that release, before we consider moving it to stable. Most of the fixes in this release have been available for weeks for testing, some for months.
I can understand that people prefer to stay on an old version and only add the security updates, but we are simply not able to maintain multiple versions of the same major version.
If someone is interested in this, our professional service providers are more than willing to help out with building special releases like this:
 
Micha




Chris Blackwell

Jul 6, 2015, 12:32:34 PM
to lucee

... and it's still not on the maven repo.

I know it's not managed by LAS, but maybe you need to fix that, it's just daft that builds don't get published, especially stable ones that include security patches.


Michael Offner

Jul 6, 2015, 2:38:41 PM
to lu...@googlegroups.com
FYI, with Lucee 5 we are moving the build process to Maven, and it will be published automatically to the central Maven repo as well. The first snapshot of this kind should follow this week.

Micha

Jamie Jackson

Jul 6, 2015, 3:32:01 PM
to lu...@googlegroups.com, lucee-su...@googlegroups.com
How far behind the update provider does the downloads page lag? (All of the 4.5 links are still for 4.5.1.000.)

I have a Vagrant environment in which I'd prefer to install Lucee fresh (instead of working out patch provisioning).

Thanks,
Jamie


Andrew Dixon

Jul 6, 2015, 5:32:44 PM
to lu...@googlegroups.com
Hi Jamie,

Express, JARs and WAR are now done. Micha is trying to sort out the installer at the moment, but it might be a couple of days (or possibly more).

Kind regards,

Andrew

Tom Chiverton

Jul 7, 2015, 4:14:19 AM
to lu...@googlegroups.com
On 6 July 2015 at 17:20, Michael Offner <mic...@lucee.org> wrote:
Every stable release we do was at least one week on the preview update channel without any report of an issue reported specific to that release before we consider to move it to stable. Most of the fixes in this release are available for weeks for testing, some for months.


Oh, I totally get that it's "our" fault Taffy and JSONUtil broke. Our dev environment was set to automatic stable, whereas live is manual stable, so at least we caught it :-)

We're looking at moving dev to the preview channel, but it probably won't happen because the less experienced devs could deploy code that works on dev Railo to the live Railo and break something. I'm thinking of the new for..in support for lists, for instance.
--
Tom

Michael Offner

Jul 7, 2015, 4:56:10 AM
to lucee
Sorry if this was already answered: did you raise a ticket about the issue you have with that release?
We will address it with high priority.

Micha


Tom Chiverton

Jul 7, 2015, 6:00:55 AM
to lu...@googlegroups.com