7 thoughts

  1. @Julian: No, the latest hotfix jar file is "hfxxx-00004.jar".
    I followed the instructions and deleted "hfxxx-00003.jar" and it seems to work correctly.
    (In my case it was CF 8.0.1, though.)

  2. I just recently applied hotfix 2 and have a file named chf9010002.jar. The instructions say I should delete a file named hf901-00002.jar — should I delete the file I have? I’m guessing so, but want to be sure before applying this hotfix on my client’s production server.

  3. Ben,
    One thing that has never been clear:
    Are all hotfixes cumulative? It seems that security "patches" are much different from "hotfixes". Should security patches only be applied on a case by case basis depending upon your server configuration? Should everyone always install any available security patches?

    Daniel Elmore

  4. Hi Daniel,
    It is "recommended" that a server is always updated with Security patches as and when one is available, as once the vulnerability is public the server is vulnerable and can be a victim.
    No, not all hot-fixes are cumulative. Security patches are different from "hotfixes".
    Security patches are conditionally cumulative of previous security patches for the ColdFusion version. Having said that, "Conditional Cumulative" here means that it might not contain some of the previous security patches, like the "Blaze DS patch". Another example would be the December Security patch, which is a cumulative Security patch, but it "Does not" contain files from "CFIDE/" or "WEB-INF/" as those files were not affected in this patch. (This is done generally to minimize the number of steps required to install a security patch.)
    Hence someone who has already installed previous Security patches can only take the update from the December patch. If not, one can take the complete Security hot-fix bundle. But the complete bundle will also not have fixes like "Blaze DS" patches etc.
    Hope this helps.
    Security Czar, ColdFusion Server Team
