
2021-12-14 Weekly News - Episode 128
Watch the video version on YouTube at https://youtu.be/_GrDec5PVwg
Hosts:
Gavin Pickin - Senior Developer for Ortus Solutions
Dan Card - Software Developer for Ortus Solutions
Thanks to our Sponsor - Ortus Solutions
The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there.
A few ways to say thanks back to Ortus Solutions:
Patreon Support
We have 37 patreons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.
News and Events
New Host - Dan Card
Dan introduces himself and gives a quick run down of his CFML experience.
Log4j Vulnerability Reported
There is a critical security vulnerability (CVE-2021-44228, aka Log4Shell) in the Java library Log4j, a popular logging library for Java applications. It is included in both Adobe ColdFusion and Lucee, for example.
Pete Freitag is putting together some info to help sort this issue out as it pertains to ColdFusion and Lucee users. In his words: "I'll update this entry as needed."
https://www.petefreitag.com/item/923.cfm
Adobe’s update on the matter (thanks Charlie for pointing this out)
Blog - https://coldfusion.adobe.com/2021/12/update-log4j-vulnerability/
Update - https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html
TLDR for Adobe
There is a critical security vulnerability (CVE-2021-44228) in Log4j, which is a popular logging library for Java-based applications. The vulnerability also impacts Adobe ColdFusion.
Adobe is investigating any potential impact and is taking action including updating affected systems to the latest versions of Apache Log4j recommended by the Apache Software Foundation.
ColdFusion plans to release a patch (for versions 2021 and 2018) for this Log4j vulnerability to customers on 12/17/2021. VERY FAST FOR ADOBE - THEY DON'T MOVE FAST USUALLY
In the meantime, Adobe recommends that ColdFusion users apply the workaround/mitigation steps in the KB article above until this patch is released.
Lucee is not affected https://dev.lucee.org/t/lucee-is-not-affected-by-the-log4j-jndi-exploit-cve-2021-44228/9331
Charlie’s Blog on the matter
https://www.carehart.org/blog/2021/12/14/about_the_log4jshell_pandemic
https://coldfusion.adobe.com/2021/12/dealing-recent-log4j-vulnerability-adobe-releases-update/
More news links about Log4j
https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/
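The notes above point at vendor guidance but do not show how to tell which Log4j copies on a server are in scope. The following is an added example, not code from the podcast, Ortus, Adobe or Lucee: a Python inventory script that walks a directory, reads each jar's recorded log4j-core version from its Maven pom.properties entry, and checks whether the JndiLookup class is still present. The version range it uses (2.0-beta9 through 2.14.1, with the fixed Java 6/7 backports 2.3.1 and 2.12.2 excluded) is the published range for CVE-2021-44228. The jars it scans are constructed in a temporary directory so it runs offline; the assumption is that real log4j-core builds carry that pom.properties entry, which standard Maven-built releases do.

```python
"""Offline inventory check for CVE-2021-44228 (Log4Shell) in log4j-core jars.

Added example; not code from the podcast, Ortus, Adobe or Lucee.
Assumption: each jar records its version in the Maven pom.properties entry
(the standard location for log4j-core builds). Sample jars are constructed
here so the script runs without touching a real server.
"""
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")


def version_in_cve_range(version):
    """True when a log4j-core version falls in the CVE-2021-44228 range
    (2.0-beta9 through 2.14.1), False when outside it, None when unparseable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None  # unparseable: caller reports it for manual review
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    qualifier, qnum = (m.group(4) or "").lower(), int(m.group(5) or 0)
    if major != 2:
        return False  # 1.x is end-of-life with other issues, but not this CVE
    if (minor, patch) > (14, 1):
        return False  # 2.15.0 and later carry the fix
    if (minor == 3 and patch >= 1) or (minor == 12 and patch >= 2):
        return False  # Java 6 / Java 7 backport releases with the fix
    if minor == 0 and patch == 0 and qualifier == "beta" and qnum < 9:
        return False  # the JNDI lookup first shipped in 2.0-beta9
    return True


def scan_jar(path):
    """Describe one jar: recorded version, JndiLookup presence, and a verdict."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names
    in_range = version_in_cve_range(version) if version else None
    if in_range is None:
        verdict = "UNKNOWN (no readable log4j-core version; inspect manually)"
    elif in_range and has_jndi:
        verdict = "VULNERABLE (upgrade)"
    elif in_range:
        verdict = "MITIGATED (JndiLookup removed; upgrade anyway)"
    else:
        verdict = "PATCHED OR NOT AFFECTED"
    return {"jar": os.path.basename(path), "version": version,
            "jndi_lookup_present": has_jndi, "verdict": verdict}


def scan_tree(root):
    """Scan every *.jar under root. Nested jars inside WAR/EAR archives are not
    opened; unpack those first."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                results.append(scan_jar(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["jar"])


def build_sample_jars(target_dir):
    """Constructed sample jars (not real Log4j builds) covering three verdicts."""
    samples = {
        "log4j-core-2.14.1.jar": ("2.14.1", True),            # vulnerable
        "log4j-core-2.14.1-stripped.jar": ("2.14.1", False),  # class removed
        "log4j-core-2.16.0.jar": ("2.16.0", True),            # fixed release
    }
    for filename, (version, with_jndi) in samples.items():
        with zipfile.ZipFile(os.path.join(target_dir, filename), "w") as jar:
            jar.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return target_dir


def demo():
    """Build the constructed jars in a temp dir, scan them, return {jar: result}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return {r["jar"]: r for r in scan_tree(tmp)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:34} {result['version'] or '?':8} {result['verdict']}")
```

To use it against a real install, call scan_tree() on the server's library directory instead of demo(); the MITIGATED verdict matches the interim "remove JndiLookup.class" workaround, and the script deliberately reports that as a reason to still apply the vendor patch rather than as a clean bill of health.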
New CommandBox Feature
Add the equivalent of the mod_cfml Tomcat valve into CommandBox as an Undertow handler to auto-create contexts based on the front-end server's virtual hosts.
Support the same request headers and behavior of mod_cfml
Ideally, this should have drop-in support behind BonCode IIS or Apache's mod_cfml module
Support max contexts setting
Make this new behavior off (opt-in) by default
Support and require a shared key for security (note: the current mod_cfml Tomcat valve does not require the shared key, but CommandBox will)
https://ortussolutions.atlassian.net/browse/COMMANDBOX-1411
CBSecurity V2.15.0 released
🚀 Added
Pass custom claims via the refreshToken( token, customClaims ) method when refreshing tokens
Pass the current JWT payload into getJWTCustomClaims( payload )
The auto refresh token features now will auto refresh not only on expired tokens, but on invalid and missing tokens as well. Thanks to @elpete
🐛 Fixed
Timeout in token storage is now the token timeout
https://www.forgebox.io/view/cbsecurity
TestBox v.4.5.0 released
Added
6 bug fixes as well
Also updates to VSCode extension
Luis has been updating the TestBox VSCode extension
Luis has rewritten it and added tons of new features
You can now run your tests inside of VSCode
The full harness, a bundle, or a single spec, depending on where your cursor is in the code
Basically this https://marketplace.visualstudio.com/items?itemName=CoachRichbart.better-jest but for TestBox
Luis has all of it working with CommandBox right now, but it’s dog slow
So Luis is building a native HTTP runner from within VSCode
https://testbox.ortusbooks.com/intro/release-history/whats-new-with-4.5.0
Vue Mastery - FREE Courses Dec 17-20th
Vue Mastery @VueMastery
We're unlocking ALL of our courses
On Dec. 17-20, you'll be able to watch any and all of our courses on our site for free.
Have you signed up yet? Reserve your spot so you get notified when we unlock our courses
https://twitter.com/vuemastery/status/1470524002829582339?
ICYMI - Advent of Code starts Dec 1st
Advent of Code is an Advent calendar of small programming puzzles for a variety of skill sets and skill levels that can be solved in any programming language you like. People use them as a speed contest, interview prep, company training, university coursework, practice problems, or to challenge each other.
You don't need a computer science background to participate - just a little programming knowledge and some problem solving skills will get you pretty far. Nor do you need a fancy computer; every problem has a solution that completes in at most 15 seconds on ten-year-old hardware.
https://adventofcode.com/
ICYMI - Ortus Redis Cache Extension V2.0.0
11 new features, 1 improvement and 3 bug fixes.
Major enhancements focus on Pub/Sub capabilities, Docker support, and cluster protocol support for Redis Cluster, Sentinel, AWS and DigitalOcean.
https://www.forgebox.io/view/5C558CC6-1E67-4776-96A60F9726D580F1/version/2.0.0-snapshot
CFCasts Content Updates
https://www.cfcasts.com
Just Released