Modernize or Die® - CFML News for December 14th, 2021 - Episode 128

2021-12-14 Weekly News - Episode 128Watch the video version on YouTube at https://youtu.be/_GrDec5PVwg Hosts: Gavin Pickin - Senior Developer for Ortus SolutionsDan Card  - Software Developer for Ortus SolutionsThanks to our Sponsor - Ortus SolutionsThe makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. A few ways  to say thanks back to Ortus Solutions:Like and subscribe to our videos on YouTube. Subscribe to our Podcast on your Podcast Apps and leave us a reviewSign up for a free or paid account on CFCasts, which is releasing new content every weekBuy Ortus’s new Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)Patreon SupportWe have 37 patreons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions. News and EventsNew Host - Dan CardDan introduces himself and gives a quick run down of his CFML experience.Log4j Vulnerability ReportedThere is a critical security vulnerability (CVE-2021-44228 aka Log4Shell) in the java library log4j which is a popular logging library for java applications. It is included in both Adobe ColdFusion and Lucee for example.Putting together some info to help sort this issue out as it pertains to ColdFusion and Lucee users. I'll update this entry as needed.https://www.petefreitag.com/item/923.cfm Adobe’s update on the matter (thanks charlie for pointing this out)Blog - https://coldfusion.adobe.com/2021/12/update-log4j-vulnerability/ Update - https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html TLDR for AdobeThere is a critical security vulnerability (CVE-2021-44228) in the Log4j, which is a popular logging library for Java-based applications. The vulnerability also impacts Adobe ColdFusion.Adobe is investigating any potential impact and is taking action including updating affected systems to the latest versions of Apache Log4j recommended by the Apache Software Foundation.ColdFusion plans to release a patch (version(s) 2021, 2018) for this log4j vulnerability to customers on 12/17/2021. VERY FAST FOR ADOBE - THEY DONT MOVE FAST USUALLYIn the meantime, we recommend that ColdFusion users apply the following workarounds/mitigations steps, until this patch is released.Lucee is not affected https://dev.lucee.org/t/lucee-is-not-affected-by-the-log4j-jndi-exploit-cve-2021-44228/9331 Charlie’s Blog on the matter https://www.carehart.org/blog/2021/12/14/about_the_log4jshell_pandemic https://coldfusion.adobe.com/2021/12/dealing-recent-log4j-vulnerability-adobe-releases-update/ More news links about Log4j https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/New CommandBox FeatureAdd the equivalent of the mod_cfml tomcat valve into CommandBox as an Undertow handler to auto-create contexts based on the front-end servers's virtual hosts.Support the same request headers and behavior of mod_cfmlIdeally, this should have drop-in support behind BonCode IIS or Apache's mod_cfml moduleSupport max contexts settingMake this new behavior off (opt-in) by default Support and require shared key for security (Note, the current mod_cfml Tomcat valve does not require the shared key, but we will)https://ortussolutions.atlassian.net/browse/COMMANDBOX-1411 CBSecurity V2.15.0 released🚀 AddedPass custom claims from refreshToken( token, customClaims) method when refreshing tokensPass in the current jwt payload in to getJWTCustomClaims( payload )The auto refresh token features now will auto refresh not only on expired tokens, but on invalid and missing tokens as well. Thanks to @elpete🐛 FixedTimeout in token storage is now the token timeouthttps://www.forgebox.io/view/cbsecurity TestBox v.4.5.0 releasedAddedMigration to github actionsTESTBOX-332 toBe{Type} is incompleteTESTBOX-329 Full Null support6 Bug fixes as wellAlso updates to VSCode extensionLuis been updating the TestBox VSCode extensionLuis has rewritten it and added tons of new featuresYou can now run your tests inside of vscodeThe full harness, a bundle, or a single spec depending on your cursor in the codeBasically this https://marketplace.visualstudio.com/items?itemName=CoachRichbart.better-jest  but for TestBoxLuis has all of it working with CommandBox right now but it’s dog slowSo Luis is building a native http runner from within vscodehttps://testbox.ortusbooks.com/intro/release-history/whats-new-with-4.5.0 Vue Mastery - FREE Courses Dec 17-20thVue Mastery @VueMasteryWe're unlocking ALL of our courses On Dec. 17-20, you'll be able to watch any and all of our courses on our site for free.Have you signed up yet? Reserve your spot so you get notified when we unlock our courseshttps://twitter.com/vuemastery/status/1470524002829582339?ICYMI - Advent of Code starts Dec 1stAdvent of Code is an Advent calendar of small programming puzzles for a variety of skill sets and skill levels that can be solved in any programming language you like. People use them as a speed contest, interview prep, company training, university coursework, practice problems, or to challenge each other.You don't need a computer science background to participate - just a little programming knowledge and some problem solving skills will get you pretty far. Nor do you need a fancy computer; every problem has a solution that completes in at most 15 seconds on ten-year-old hardware.https://adventofcode.com/ ICYMI - Ortus Redis Cache Extension V2.0.011 new features, 1 improvement and 3 bug fixes.Major enhancements focus on Pub Sub capabilities, Docker support, and Cluster Protocol support for RedisCluster, Sentinel, AWS and DigitalOcean.https://www.forgebox.io/view/5C558CC6-1E67-4776-96A60F9726D580F1/version/2.0.0-snapshot CFCasts Content Updateshttps://www.cfcasts.com Just ReleasedYouth Traini...