important.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<title>README: Unofficial Updater 2</title>
	<style type="text/css">
/*
Copyright (c) 2010, Yahoo! Inc. All rights reserved.
Code licensed under the BSD License:
http://developer.yahoo.com/yui/license.html
version: 3.3.0
build: 3167
*/
h1{font-size:138.5%;}h2{font-size:123.1%;}h3{font-size:108%;}h1,h2,h3{margin:1em 0;}h1,h2,h3,h4,h5,h6,strong{font-weight:bold;}abbr,acronym{border-bottom:1px dotted #000;cursor:help;}em{font-style:italic;}blockquote,ul,ol,dl{margin:1em;}ol,ul,dl{margin-left:2em;}ol li{list-style:decimal outside;}ul li{list-style:disc outside;}dl dd{margin-left:1em;}th,td{border:1px solid #000;padding:.5em;}th{font-weight:bold;text-align:center;}caption{margin-bottom:.5em;text-align:center;}p,fieldset,table,pre{margin-bottom:1em;}input[type=text],input[type=password],textarea{width:12.25em;*width:11.9em;}		
	</style>
</head>

<body>
<h1>Unofficial Updater 2</h1>

<h2>Introduction</h2>

<p>Unofficial Updater 2 (UU2) is an outgrowth of the frustration that came from 
trying to manually patch Adobe ColdFusion 8.0.1 with the numerous hot fixes 
and security bulletins that have been published. It is a tool to provide 
an easy way of consistently applying applicable hot fixes and security 
bulletins to Adobe ColdFusion 8.0.1 and 9.0.x.</p>

<h3>Disclaimers</h3>

<ol>
<li>Use of Unofficial Updater 2 is <strong>at your own risk</strong>
<ul><li><strong>Do not</strong> run Unofficial Updater 2 for the first time on a production system</li></ul></li>
<li>Unofficial Updater 2 is <strong>not endorsed by or have any ties</strong> to Adobe</li>
<li>Reading Adobe TechNote <a href="http://helpx.adobe.com/coldfusion/kb/important-hotfix-related-notes.html">Important hotfix-related notes for ColdFusion 9 and ColdFusion 10</a> before running Unofficial Updater 2 is <strong>highly recommended</strong></li>
<li>ColdFusion Server/process <strong>should not be running</strong> when you use Unofficial Updater 2</li>
<li>Unofficial Updater 2 can <strong>only be run against</strong> Adobe ColdFusion <strong>8.0.1</strong>, <strong>9.0.0</strong>, <strong>9.0.1</strong>, or <strong>9.0.2</strong>
<ul><li>If you are running <strong>8.0.0</strong> you need to apply Update 1 from Adobe first
<ul><li><a href="http://kb2.adobe.com/cps/403/kb403277.html">Adobe ColdFusion 8 Update 1</a></li></ul></li></ul></li>
<li>Unofficial Updater 2 is <strong>updated</strong> whenever Adobe releases a new (or changes) a hot fix or security bulletin
<ul><li>Matrix of published hot fixes and security bulletins
<ul><li><a href="https://github.com/AboutWebLLC/unofficial-updater2/blob/master/cf801-hotfix-matrix.pdf?raw=true">Hot Fix Matrix: ColdFusion 8.0.1</a></li>
<li><a href="https://github.com/AboutWebLLC/unofficial-updater2/blob/master/cf900-hotfix-matrix.pdf?raw=true">Hot Fix Matrix: ColdFusion 9.0.0</a></li>
<li><a href="https://github.com/AboutWebLLC/unofficial-updater2/blob/master/cf901-hotfix-matrix.pdf?raw=true">Hot Fix Matrix: ColdFusion 9.0.1</a></li>
<li><a href="https://github.com/AboutWebLLC/unofficial-updater2/blob/master/cf902-hotfix-matrix.pdf?raw=true">Hot Fix Matrix: ColdFusion 9.0.2</a></li></ul></li></ul></li>
<li>Unofficial Updater 2 will <strong>need to be downloaded and run again</strong> when it is updated to apply all new (or changed) hot fix or security bulletin from Adobe</li>
<li>Unofficial Updater 2 works <strong>in most</strong> situations/installs, but if you have something non-standard it might not work
<ul><li>Consider contacting a <a href="http://www.cf411.com/cfconsult">CF-oriented Troubleshooting Consultant</a> to ensure you are properly patched</li></ul></li>
</ol>

<h2>What it does</h2>

<p>First time you run Unofficial Updater 2, it will download <strong>ALL</strong> hotfixes and 
security bulletins from Adobe for both ColdFusion 8.0.1 and 9.0.x. UU2 will 
create <strong>Unofficial-Updater2-with-downloads.jar</strong> which contains the 
downloaded hotfixes and security bulletins. This is done since UU2 
can not directly package the updates and will make it easier to patch 
additional servers without the need of an Internet connection.</p>

<p>Once the downloading is complete, UU2 will asks specific questions about how 
Adobe ColdFusion is installed. It will then produce backups of any directories 
it will modify. Finally, it will apply the hotfixes and security bulletins 
according to the published instructions. If you are running Multi-Server JRun 
or J2EE installs you will need to run UU2 against each instance.</p>

<p>UU2 only updates files, it <strong>does not modify</strong> any settings in ColdFusion 
such as <em>neo-</em><em>*.xml</em> or <em>jvm.config</em>. The security hotfixes have introduced 
new jvm flags in <em>jvm.config</em> and changes to <em>neo-</em><em>*.xml</em> which are documented 
in the Adobe TechNote <a href="http://helpx.adobe.com/coldfusion/kb/important-hotfix-related-notes.html">Important hotfix-related notes for ColdFusion 9 and ColdFusion 10</a> 
and may need to be manually applied after running UU2 depending upon specific 
configuration needs.</p>

<p>A list of files that Unofficial Updater 2 updates as compared to a clean 
install of Adobe ColdFusion 8.0.1, 9.0.0, 9.0.1, and 9.0.2 are listed below:</p>

<ul>
<li><a href="https://raw.github.com/AboutWebLLC/unofficial-updater2/master/uu2-cf801-standalone-filechanges.txt">File Changes: ColdFusion 8.0.1 Standalone</a></li>
<li><a href="https://raw.github.com/AboutWebLLC/unofficial-updater2/master/uu2-cf801-jrun-filechanges.txt">File Changes: ColdFusion 8.0.1 Multi-Server JRun4</a></li>
<li><a href="https://raw.github.com/AboutWebLLC/unofficial-updater2/master/uu2-cf801-j2ee-filechanges.txt">File Changes: ColdFusion 8.0.1 J2EE</a></li>
<li><a href="https://raw.github.com/AboutWebLLC/unofficial-updater2/master/uu2-cf900-standalone-filechanges.txt">File Changes: ColdFusion 9.0.0 Standalone</a></li>
<li><a href="https://raw.github.com/AboutWebLLC/unofficial-updater2/master/uu2-cf900-jrun-filechanges.txt">File Changes: ColdFusion 9.0.0 Multi-Server JRun4</a></li>
<li><a href="https://raw.github.com/AboutWebLLC/unofficial-updater2/master/uu2-cf900-j2ee-filechanges.txt">File Changes: ColdFusion 9.0.0 J2EE</a></li>
<li><a href="https://raw.github.com/AboutWebLLC/unofficial-updater2/master/uu2-cf901-standalone-filechanges.txt">File Changes: ColdFusion 9.0.1 Standalone</a></li>
<li><a href="https://raw.github.com/AboutWebLLC/unofficial-updater2/master/uu2-cf901-jrun-filechanges.txt">File Changes: ColdFusion 9.0.1 Multi-Server JRun4</a></li>
<li><a href="https://raw.github.com/AboutWebLLC/unofficial-updater2/master/uu2-cf901-j2ee-filechanges.txt">File Changes: ColdFusion 9.0.1 J2EE</a></li>
<li><a href="https://raw.github.com/AboutWebLLC/unofficial-updater2/master/uu2-cf902-standalone-filechanges.txt">File Changes: ColdFusion 9.0.2 Standalone</a></li>
<li><a href="https://raw.github.com/AboutWebLLC/unofficial-updater2/master/uu2-cf902-jrun-filechanges.txt">File Changes: ColdFusion 9.0.2 Multi-Server JRun4</a></li>
<li><a href="https://raw.github.com/AboutWebLLC/unofficial-updater2/master/uu2-cf902-j2ee-filechanges.txt">File Changes: ColdFusion 9.0.2 J2EE</a></li>
</ul>

<p>If you have modified files in <strong>CFIDE</strong> and/or <strong>WEB-INF</strong> they could be changed due to files contained in the updates from Adobe.</p>

<h2>How to use</h2>

<ol>
<li>Download the packaged JAR installer</li>
<li>Stop the ColdFusion Server/process you are going to update</li>
<li>Depending upon your system you might be able to double-click <strong>Unofficial-Updater2.jar</strong> to run it, otherwise it will need to be run from command line
<ul><li>On Windows might need to <strong>Run as Administrator</strong> for GUI or opening command prompt</li>
<li><strong>Installer</strong> (auto-detect GUI or text)
<ul><li><code>java -jar Unofficial-Updater2.jar</code></li></ul></li>
<li><strong>Force GUI Installer</strong> 
<ul><li><code>java -jar Unofficial-Updater2.jar swing</code></li></ul></li>
<li><strong>Force Text Installer</strong> 
<ul><li><code>java -jar Unofficial-Updater2.jar text</code></li></ul></li>
<li><strong>Text Installer run as cfusion user on Linux/UNIX</strong>
<ul><li><code>su -s /bin/sh "cfusion" -c "java -jar Unofficial-Updater2.jar text"</code></li></ul></li>
<li><strong>Text Installer run as root on Linux/UNIX</strong>
<ul><li><code>sudo java -jar Unofficial-Updater2.jar text</code></li></ul></li>
<li>Once <em>Unofficial-Updater2-with-downloads.jar</em> is created, you can use that instead of <em>Unofficial-Updater2.jar</em></li></ul></li>
<li>Walk through the screens putting the appropriate information
<ul><li><strong>Be sure to fill the directory locations correctly</strong>, Unofficial Updater 2 will try to validate they are correct before letting you proceed to the next step</li></ul></li>
<li>Finish updater by pressing <strong>Apply Updates</strong></li>
<li>On OS X/Linux/UNIX verify (and possibly correct) ownership and permission of the files updated</li>
<li>Repeat process for all instances for Multi-Server JRun or J2EE deployments, starting with step 2</li>
</ol>

<p>Please see the <a href="https://github.com/AboutWebLLC/unofficial-updater2/wiki/Using-Unofficial-Updater-2">Wiki: Using Updater 2</a> for screenshots and walkthrough.</p>

<h2>Details</h2>

<p>At the core, Unofficial Updater 2 is just an <a href="http://ant.apache.org/">Apache Ant</a> script. Ant was chosen 
since it could provide cross platform support. The ant script was 
wrapped with <a href="http://antinstaller.sourceforge.net/">Ant Installer</a> to create a GUI and text based interface which
only require Java 1.5+ to be installed.  </p>

<h3>Backups</h3>

<p>Unofficial Updater 2 creates backups of the directories that are modified, but it is <strong>HIGHLY</strong> recommended that you
create your own backups of your ColdFusion installation to restore from in case of a problem. The backups created by UU2
are stored in the directory specified when running UU2 and are named <strong>{directory-name}-uu2-{datetime-stamp}.zip</strong></p>

<h3>ColdFusion 8.0.1</h3>

<p><strong><em>APSB12-21 was the LAST security hotfix Adobe released for ColdFusion 8.0.1</em></strong></p>

<p>All hot fixes and security bulletins published as of September 11, 2012 for 
ColdFusion 8.0.1 are applied except if they were superseded by a newer 
patch and the following:</p>

<ul>
<li><a href="http://kb2.adobe.com/cps/404/kb404026.html">kb404026 - Patch for Performance Monitor with ColdFusion 8.0.1</a></li>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb09-12.html">CVE-2009-1876 - wsconfig.jar update for Apache</a></li>
<li><a href="http://kb2.adobe.com/cps/403/kb403750.html">kb403750 - Using the flexgateway to instantiate multiple instances of CFCs causes objects to be populated as nulls (hf801-71643)</a></li>
</ul>

<p>Both <strong>kb404026</strong> and <strong>CVE-2009-1876</strong> require modifications to be done to the 
system configuration. <strong>kb404026</strong> requires ability to modify the Windows 
registry and <strong>CVE-2009-1876</strong> will modify the connector configuration. 
<strong>kb403750</strong> is not installed since it does not seem to resolve all the issues
and <a href="http://www.mischefamily.com/nathan/index.cfm/2009/10/1/hf80171643-Breaks-Application-Specific-Custom-Tag-Paths">breaks other things</a>.</p>

<h3>ColdFusion 9.0.0</h3>

<p>All hot fixes and security bulletins published as of October 14, 2014 for 
ColdFusion 9.0.0 are applied except if they were superseded by a newer 
patch and the following:</p>

<ul>
<li><a href="http://kb2.adobe.com/cps/807/cpsid_80719.html">cpsid_80719 - ColdFusion 9: Limit access to the Solr collections</a></li>
</ul>

<p><strong>cpsid_80719</strong> requires modifying jetty.xml which is a system configuration change.</p>

<h3>ColdFusion 9.0.1</h3>

<p>All hot fixes and security bulletins published as of October 14, 2014 for 
ColdFusion 9.0.1 are applied except if they were superseded by a newer 
patch.</p>

<h3>ColdFusion 9.0.2</h3>

<p>All hot fixes and security bulletins published as of October 14, 2014 for 
ColdFusion 9.0.2 are applied except if they were superseded by a newer 
patch.</p>

<h3>Additional Notes</h3>

<p>Please refer to the various technotes about changes to configuration options 
since Unofficial Updater 2 only updates files, it <strong>does not modify</strong> any 
settings in ColdFusion such as <em>neo-</em><em>*.xml</em> or <em>jvm.config</em>.</p>

<h4>Cumulative Hotfixes for ColdFusion 9.0.x</h4>

<ul>
<li><a href="http://helpx.adobe.com/coldfusion/kb/cumulative-hotfix-3-coldfusion-900.html">Cumulative Hotfix 3 for ColdFusion 9.0.0</a></li>
<li><a href="http://helpx.adobe.com/coldfusion/kb/cumulative-hotfix-4-coldfusion-901.html">Cumulative Hotfix 4 for ColdFusion 9.0.1</a></li>
<li><a href="http://helpx.adobe.com/coldfusion/kb/cumulative-hotfix-1-coldfusion-902.html">Cumulative Hotfix 1 for ColdFusion 9.0.2</a></li>
</ul>

<h4>Security Bulletins</h4>

<ul>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb11-04.html">APSB11-04 - Security update: Hotfix available for ColdFusion</a></li>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb11-14.html">APSB11-14 - Security update: Hotfix available for ColdFusion</a></li>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb11-29.html">APSB11-29 - Security update: Hotfix available for ColdFusion</a></li>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb12-06.html">APSB12-06 - Security update: Hotfix available for ColdFusion</a></li>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb12-15.html">APSB12-15 - Security update: Hotfix available for ColdFusion 9.0.1 and earlier</a></li>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb12-21.html">APSB12-21 - Security update: Hotfix available for ColdFusion 10 and earlier</a></li>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb12-26.html">APSB12-26 - Security update: Hotfix available for ColdFusion 10 and earlier</a></li>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb13-03.html">APSB13-03 - Security update: Hotfix available for ColdFusion</a></li>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb13-10.html">APSB13-10 - Security update: Hotfix available for ColdFusion</a></li>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb13-13.html">APSB13-13 - Security update: Hotfix available for ColdFusion</a></li>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb13-19.html">APSB13-19 - Security update: Hotfix available for ColdFusion</a></li>
<li><a href="http://www.adobe.com/support/security/bulletins/apsb13-27.html">APSB13-27 - Security update: Hotfix available for ColdFusion</a></li>
<li><a href="http://helpx.adobe.com/security/products/coldfusion/apsb14-23.html">APSB14-23 - Security update: Hotfix available for ColdFusion</a></li>
<li>Additional Information
<ul><li><a href="http://www.cutterscrossing.com/index.cfm/2012/3/27/ColdFusion-Security-Hotfix-and-Big-Forms">ColdFusion Security Hotfix APSB12-06 and Big Forms</a></li></ul></li>
</ul>

<h4>Java Support</h4>

<p>It is highly recommended to update the underlying JVM that ColdFusion 
uses to the latest available Java 6 (1.6.0) version that is available (Update 45) on ColdFusion 8.0.1 or ColdFusion 9.0.x on Mac OS X.
Java 7 (1.7.0) is supported for ColdFusion 9.0.x on Windows (32 and 64 bit), Linux (32 and 64 bit), and Solaris (64 bit) after the CHFs released in March 2013 are applied. Again updating to the latest Java 7 (Update 71/72) is highly recommended.</p>

<ul>
<li><a href="http://helpx.adobe.com/coldfusion/kb/upgrading-java-coldfusion.html">Upgrade Java for ColdFusion</a></li>
<li><a href="http://helpx.adobe.com/coldfusion/kb/change-coldfusion-jvm.html">How to use ColdFusion with an external JVM</a></li>
<li>Additional Information
<ul><li><a href="http://blogs.coldfusion.com/post.cfm/new-updates-for-coldfusion-9-9-0-1-9-0-2-and-10-java-7-now-supported#comment-869ED317-0670-4D3C-6CADD847164930CE">ColdFusion 9.0.x, Mac OS X, and Java 7</a></li>
<li><a href="http://www.carehart.org/blog/client/index.cfm/2011/10/28/CF911-Have-you-updated-your-ColdFusion-JVM-to-24-yet-Important-security-fix-for-CF-89">CF911: Have you updated your #ColdFusion JVM to _24 yet? Important security fix for CF 8/9</a></li>
<li><a href="http://blog.kdecherf.com/2012/04/12/oracle-i-download-your-jdk-by-eating-magic-cookies/">Oracle, I download your JDK by eating magic cookies</a></li></ul></li>
</ul>

</body>
</html>