Entries Tagged as "Unofficial Updater 2"

More Updates to Unofficial Updater 2

It is nice that Adobe has moved to a regular release cycle of security hotfixes for ColdFusion 8.0.1 and 9.0.1. It is making my job of maintaining Unofficial Updater 2 easier. There have been quite a few changes besides just updating for the latest security hotfix. Below is a detailed change log since the last release.

Application of APSB12-15

On June 12th, Adobe released APSB12-15, which is a security hotfix for ColdFusion 9.0.1 and earlier. UU2 now applies the hotfix as specified in Section 2 of the documentation.

Process Termination and Automated Command Line Installs

While using AntInstaller has been a great way to package and distribute UU2, it does have a downside in that it is not actively maintained and still has quite a few bugs. One of them, which I never noticed, was that on Windows and some Linux installs, when running in text mode, it never properly terminated the process when it was finished. This has been fixed by patching the AntInstaller code and creating a custom build for UU2.

One of the nice features of AntInstaller is the ability to allow for automated installs, which is now available for UU2. The first time you run UU2 you must select Yes to Enable cmdline automation. By selecting Yes, UU2 will allow for an additional run type of text-auto, which tells UU2 to look for an ant.installer.properties file and use its values for the run.

It is recommended to run UU2 once with text to create the ant.installer.properties file that can be used on subsequent text-auto runs.

Logging and File Ownership

So logging of what happened when UU2 ran was never quite straightforward. It relied upon both the Output and Errors tabs in the GUI or output to console in text mode. While both of those are still there, UU2 will now write a log called uu2-{datetime-stamp}.log in the current directory where UU2 is run, which will log everything in a single place.

When running UU2 on Linux/Unix, I never provided any guidance on whether it should be run as root or as the user that ColdFusion runs as. This was intentional since the administrator would be the best one to know. There are trade-offs to both. Running as root requires going back and making sure ownership and permissions of new files are correct. Running as a non-root user, one might encounter a failure due to inadequate permissions.

UU2 now identifies the user it is running as. If it is running as root, it will now change ownership of files to the ColdFusion user. If it is running as a non-root user, it will display a warning that it might encounter problems. In either case you should verify that ownership and permissions of the files are correct.
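One way to do the ownership and permission check recommended above, as an added example (not part of UU2). The directory layout, file names and the `audit_tree` helper are constructed for illustration; point it at the ColdFusion install directory and the uid of the ColdFusion user.

```python
import os
import stat
import tempfile


def audit_tree(root, expected_uid):
    """Return sorted (relative_path, problem) pairs for entries under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect a symlink itself, never its target
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_uid != expected_uid:
                findings.append((rel, f"owned by uid {st.st_uid}"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
    return sorted(findings)


def demo():
    """Constructed tree standing in for a patched ColdFusion directory."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "lib"), 0o755)
        for rel, mode in (("lib/patched.jar", 0o644), ("lib/loose.jar", 0o666)):
            path = os.path.join(root, rel)
            open(path, "wb").close()
            os.chmod(path, mode)  # chmod is not filtered by the umask
        as_me = audit_tree(root, os.getuid())
        as_other = audit_tree(root, os.getuid() + 1)  # every entry has the "wrong" owner
        return as_me, as_other
```
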

ColdFusion 8.0.1 Build 196946

So I encountered this at work. We upgraded several ColdFusion 8.0.0 servers to 8.0.1 that were on RedHat and then went to run UU2 on them to patch them which promptly failed. Apparently Adobe created another build number, 196946, that was in the ColdFusion 8 Update 1 for Linux that didn't follow the official published build number 195765. Since UU2 (and I) didn't know about it, UU2 properly failed. UU2 now can identify this build and properly patch it. The fun thing is that when you run cfinfo in this configuration it reports 8,0,1,196946 but 8,0,1,195765 in the ColdFusion Administrator when fully patched. Just an insight into Adobe's code since one would think the version number would be a constant.

Wrap-up

I'd like to thank Steve Dean for the suggestion for automated installs and for working through test builds. I also need to thank Scott Stroz for suggestions on logging, the Linux/Unix install procedure, and a github pull request. This tool is really a combination of everyone that uses it and their feedback on how to make it better. I do ask that if you encounter problems with UU2, please email me or submit an issue on github.

Update to APSB12-06 and Unofficial Updater 2

 

So last Thursday (March 29th) Adobe published an update to APSB12-06 to address a defect introduced that prevented file uploads from working properly on ColdFusion 8.0.1, see the Adobe forum post for details. I have just updated Unofficial Updater 2 to apply the corrected files for ColdFusion 8.0.1.

So, good they fixed the issue, but my problem with Adobe lies with how they communicate the change. I didn't even know there was an update until I saw a post aggregated on ColdFusionBloggers.org from the Adobe ColdFusion Blog. I am signed up to Adobe's Security Notification Service, but I have never seen a notification come in regarding ColdFusion. And when you go to the updated ColdFusion Security Hotfix APSB12-06, where is the information that it has been updated? At the BOTTOM of the page. But at least it was updated, that counts for something, right?

The next fun thing is that Adobe is not consistently publishing the files associated with the technote. The original files and the non-updated files are linked from http://helpx.adobe.com/content/dam/kb/en/930/cpsid_93043/attachments/ whereas the updated ones for CF801 are at http://helpx.adobe.com/content/dam/help/attachments/. It is still possible to download the "broken" CF801 files. Seems to me the updated CF801 files should have been put at the original published URL and overwritten the "broken" CF801 files. Minor details.

And everyone is pointing to ColdFusion 10's server update (auto hotfix management) as the cure to all of this, but I don't think it will be the panacea everyone thinks it will be. Over the last four security hotfixes that Adobe has released, three of them have been updated at least once to fix bugs that were introduced by it: APSB11-04 once, APSB11-14 twice, APSB12-06 once. Just not feeling good about the Adobe QA process these days.

The only true fix for this mess is for Adobe to produce annual updates that are fully tested and packaged installers. I really doubt it will ever happen for ColdFusion 8.0.1 since it has been over 4 years since the last updater and ColdFusion 8 core support is ending on July 31, 2012.


 


Unofficial Updater 2 Updates (APSB12-06)

There have been several updates to Unofficial Updater 2 over the past few days.

  • Support for APSB12-06
    • Adobe truly seems to be getting on a quarterly release schedule for ColdFusion security updates since the last one, APSB11-29, was released on December 13, 2011
    • Given that the last few have been cumulative, UU2 now just applies the latest one following the Section 2 instructions
  • UU2 only needs to be run once with an Internet connection
    • This was a suggestion from Adrian Moreno and was something I had been thinking about doing for a bit
    • On the first run, UU2 will download all the hotfixes and security bulletins for both ColdFusion 8.0.1 and 9.0.1 from Adobe and then pack them into Unofficial-Updater2-with-downloads.jar which can be run later. This was done since UU2 cannot directly package the updates from Adobe
    • UU2 will also create unofficial-updater2.txt in <cfusion-home>/lib/updates which will contain the date that UU2 was run and the date the files were downloaded from Adobe
  • Updates for download URLs that Adobe changed
  • Wiki updates

The latest installer is available for download from github.


Awesomeness of github and Unofficial Updater 2

So originally I was going to post a note that Unofficial Updater 2 was broken since I got several emails saying that it was failing when trying to download files from Adobe. Instead, I'm going to rave about having the project on github.

So Adobe has changed some of the URLs to the hot fix downloads (really, no URL rewrites/redirects?) and I wasn't sure when I'd get them fixed exactly. It probably would have been by this weekend since I already need to update Unofficial Updater 2 with APSB12-06 that was released this past Tuesday.

But while I was sleeping, Dennis Clark had already updated the cf_hotfixes.properties that contains the URLs and sent a pull request. All I had to do in the morning was accept the pull request and repackage the installer. Luckily, Adobe only changed the URLs for the hot fix downloads and not the actual files (that would have shown up with SHA-512 hash failures). The only problem Dennis had was that he couldn't re-package Unofficial-Updater2.jar. To do that requires having Ant Installer and modifying create-installer.xml since it is set up with paths for my computer.

It is actually possible to slip-stream files into the Unofficial-Updater2.jar by using jar so you don't need Ant Installer or to wait for me.

jar uf Unofficial-Updater2.jar cf_hotfixes.properties

The fixed Unofficial-Updater2.jar is now available on github. As I said earlier, there will be another update to it to support the latest security hot fix shortly.

Again thanks to Dennis for getting the pull request to me and to github for making it just so damn easy.
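The SHA-512 check mentioned in this post is what makes a URL-only change safe to accept: a file served from a new location still has to match its pinned digest. The following is an added example, not UU2's code; the page does not show the layout of cf_hotfixes.properties, so the `filename=hex-digest` manifest format and the file names here are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha512_of(path, chunk_size=65536):
    """Stream the file so large hotfix archives are not read into memory at once."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse 'filename=hex-digest' lines (assumed layout); skip blanks and # comments."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, digest = line.partition("=")
            pinned[name.strip()] = digest.strip().lower()
    return pinned


def verify_downloads(manifest_text, download_dir):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every pinned file."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = Path(download_dir) / Path(name).name  # never follow ../ in a manifest name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha512_of(path) == expected else "mismatch"
    return results


def demo():
    """Constructed sample: one intact file, one altered after pinning, one absent."""
    with tempfile.TemporaryDirectory() as d:
        lines = ["# constructed manifest", "hf-c.zip=" + "0" * 128]
        for name in ("hf-a.zip", "hf-b.jar"):
            Path(d, name).write_bytes(name.encode())
            lines.append(f"{name}={sha512_of(Path(d, name))}")
        Path(d, "hf-b.jar").write_bytes(b"changed")  # simulate the served file changing
        return verify_downloads("\n".join(lines), d)
```

An updater should refuse to apply anything that is not reported as `ok`, whether the file is missing or its digest differs.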


New CF Security bulletin, update to Unofficial Updater 2

I just updated Unofficial Updater 2 to install the latest security bulletin APSB11-29 that Adobe released yesterday. This is pretty much the fastest turnaround I have done when Adobe has released a hot fix, due to the fact it was a single file change, and hopefully they won't update it like they have done to the last several. Also I have updated the wiki with instructions on how to run it from the command line and to force text only mode.

For those that have never heard of Unofficial Updater 2, please read this post for background.
