EPISODE · Dec 31, 2024 · 1H 1M
Modernize or Die® - CFML News Podcast for December 31st, 2024 - Episode 226
from Modernize or Die ® Podcast · host Ortus Solutions
2024-12-31 Weekly News — Episode 226Watch the video version on YouTube at https://youtube.com/live/BUIfVQV0bhs?feature=share Hosts: Gavin Pickin - Senior Developer at Ortus SolutionsDaniel Garcia - Senior Developer at Ortus SolutionsBig Thanks to our Sponsor - Ortus SolutionsThe makers of ColdBox, CommandBox, ForgeBox, TestBox and all your favorite box-es out there including BoxLang.A few ways to say thanks back to Ortus Solutions:Buy Tickets to Into the Box 2025 in Washington DC https://t.co/cFLDUJZEyMApril 30, 2025 - May 2, 2025 - Washington, DCLike and subscribe to our videos on YouTube. Help ORTUS reach for the Stars - Star and Fork our ReposStar all of your Github Box Dependencies from CommandBox with https://www.forgebox.io/view/commandbox-github Subscribe to our Podcast on your Podcast Apps and leave us a reviewSign up for a free or paid account on CFCasts, which is releasing new content regularlyBOXLife store: https://www.ortussolutions.com/about-us/shopBuy Ortus’s Books102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)Now on Amazon! In hardcover too!!!https://www.amazon.com/dp/B0CJHB712MLearn Modern ColdFusion (CFML) in 100+ Minutes - Free online https://modern-cfml.ortusbooks.com/ or buy an EBook or Paper copy https://www.ortussolutions.com/learn/books/coldfusion-in-100-minutes Patreon Support (holly)We have 61 patreons: https://www.patreon.com/ortussolutions. News and AnnouncementsTomcat VulnerabilityTime-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.https://www.cve.org/CVERecord?id=CVE-2024-56337 How to resolve with Lucee: https://dev.lucee.org/t/cvs-exploit-of-tomcat-9-10-11/14590 End of 2024 - what did it bring itWhat is 2025 bringing? New Releases and UpdatesAdobe Security Updates released December 23rd, 2024 - ColdFusion 2023 Update 12 and 2021 Update 18We have released critical security updates for ColdFusion (2023 release) and ColdFusion (2021 release).Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read.View the security bulletin, APSB24-107, and the tech notes for more information.https://coldfusion.adobe.com/2024/12/released-coldfusion-2023-and-2021-december-23rd-2024-security-updates/An Initial Analysis of Adobe ColdFusion CVE-2024-53961 - from HoyahaxaAdobe released APSB24-107 today, which addresses one vulnerability in ColdFusion tracked as CVE-2024-53961 and described as a path traversal that could lead to file retrieval. Based on a quick review of the corresponding patches, it appears to be a security enhancement that improves protection (and possibly remediates bypasses) against the attack vectors first addressed in APSB24-14 / CVE-2024-20767 back in March. https://www.hoyahaxa.com/2024/12/an-initial-analysis-of-cve-2024-53961.html Blog from Charlie on the updates: https://www.carehart.org/blog/2024/12/23/ColdFusion_updates_released_Dec_23_2024 Webinars, Meetups and WorkshopsICYMI - Sac Interactive Meetup: All I Want for Christmas is AI with Luke KilpatrickWed, Dec 18 · 6:00 PM PSThttps://www.meetup.com/sacinteractive/events/303708503/?eventOrigin=home_page_upcoming_events$all Sac Interactive Meetup: January with Kai KoenigCFCasts Content Updateshttps://www.cfcasts.comMerry Xmas - All of the Into the Box 2024 videos are now available for paid subscriptionshttps://www.cfcasts.com/series/into-the-box-2024 Conferences and TrainingITB 2025Location: Washington, DCDates: April 30, 2025 - May 2, 2025 - Washington, DCTickets and more info: https://t.co/cFLDUJZEyM50% off blind tickets$249.50 for the Conference$349.50 for the Conference + Workshop!!!Call for Speakers CLOSEDCFCamp 2025May 22, 23rd - 2025Atomis Hotel Munich Airporthttps://www.cfcamp.org/ Call for Speakers open - https://www.papercall.io/cfcamp2025 Closes February 28, 2025 ( 4am PST )More conferencesNeed more conferences, this site has a huge list of conferences for almost any language/community.https://confs.tech/Blogs, Posts, and Videos of the Week12/29/24 - Blog - Ben Nadel - My Internal InVision Feature Demo VideosAlthough InVision is shutting its doors, it's been an amazing journey; and, I've done a lot of work that I'm incredibly proud of. In particular, I feel great about the way in which I embraced experimentation with both arms; and, that I tried throwing as many features against the wall to see which would stick. Some of my experiments ended up being a "nothing burger". But, some of them went on to become highly valuable parts of the application and the user experience (UX). The whole process made me somewhat fearless in the face of opposition; and, taught me to love my failures just as much as my successes.
What this episode covers
2024-12-31 Weekly News — Episode 226Watch the video version on YouTube at https://youtube.com/live/BUIfVQV0bhs?feature=share Hosts: Gavin Pickin - Senior Developer at Ortus SolutionsDaniel Garcia - Senior Developer at Ortus SolutionsBig Thanks to our Sponsor - Ortus SolutionsThe makers of ColdBox, CommandBox, ForgeBox, TestBox and all your favorite box-es out there including BoxLang.A few ways to say thanks back to Ortus Solutions:Buy Tickets to Into the Box 2025 in Washington DC https://t.co/cFLDUJZEyMApril 30, 2025 - May 2, 2025 - Washington, DCLike and subscribe to our videos on YouTube. Help ORTUS reach for the Stars - Star and Fork our ReposStar all of your Github Box Dependencies from CommandBox with https://www.forgebox.io/view/commandbox-github Subscribe to our Podcast on your Podcast Apps and leave us a reviewSign up for a free or paid account on CFCasts, which is releasing new content regularlyBOXLife store: https://www.ortussolutions.com/about-us/shopBuy Ortus’s Books102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)Now on Amazon! In hardcover too!!!https://www.amazon.com/dp/B0CJHB712MLearn Modern ColdFusion (CFML) in 100+ Minutes - Free online https://modern-cfml.ortusbooks.com/ or buy an EBook or Paper copy https://www.ortussolutions.com/learn/books/coldfusion-in-100-minutes Patreon Support (holly)We have 61 patreons: https://www.patreon.com/ortussolutions. News and AnnouncementsTomcat VulnerabilityTime-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat: - running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true) - running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false) - running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.https://www.cve.org/CVERecord?id=CVE-2024-56337 How to resolve with Lucee: https://dev.lucee.org/t/cvs-exploit-of-tomcat-9-10-11/14590 End of 2024 - what did it bring itWhat is 2025 bringing? New Releases and UpdatesAdobe Security Updates released December 23rd, 2024 - ColdFusion 2023 Update 12 and 2021 Update 18We have released critical security updates for ColdFusion (2023 release) and ColdFusion (2021 release).Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read.View the security bulletin, APSB24-107, and the tech notes for more information.https://coldfusion.adobe.com/2024/12/released-coldfusion-2023-and-2021-december-23rd-2024-security-updates/An Initial Analysis of Adobe ColdFusion CVE-2024-53961 - from HoyahaxaAdobe released APSB24-107 today, which addresses one vulnerability in ColdFusion tracked as CVE-2024-53961 and described as a path traversal that could lead to file retrieval. Based on a quick review of the corresponding patches, it appears to be a security enhancement that improves protection (and possibly remediates bypasses) against the attack vectors first addressed in APSB24-14 / CVE-2024-20767 back in March. https://www.hoyahaxa.com/2024/12/an-initial-analysis-of-cve-2024-53961.html Blog from Charlie on the updates: https://www.carehart.org/blog/2024/12/23/ColdFusion_updates_released_Dec_23_2024 Webinars, Meetups and WorkshopsICYMI - Sac Interactive Meetup: All I Want for Christmas is AI with Luke KilpatrickWed, Dec 18 · 6:00 PM PSThttps://www.meetup.com/sacinteractive/events/303708503/?eventOrigin=home_page_upcoming_events$all Sac Interactive Meetup: January with Kai KoenigCFCasts Content Updateshttps://www.cfcasts.comMerry Xmas - All of the Into the Box 2024 videos are now available for paid subscriptionshttps://www.cfcasts.com/series/into-the-box-2024 Conferences and TrainingITB 2025Location: Washington, DCDates: April 30, 2025 - May 2, 2025 - Washington, DCTickets and more info: https://t.co/cFLDUJZEyM50% off blind tickets$249.50 for the Conference$349.50 for the Conference + Workshop!!!Call for Speakers CLOSEDCFCamp 2025May 22, 23rd - 2025Atomis Hotel Munich Airporthttps://www.cfcamp.org/ Call for Speakers open - https://www.papercall.io/cfcamp2025 Closes February 28, 2025 ( 4am PST )More conferencesNeed more conferences, this site has a huge list of conferences for almost any language/community.https://confs.tech/Blogs, Posts, and Videos of the Week12/29/24 - Blog - Ben Nadel - My Internal InVision Feature Demo VideosAlthough InVision is shutting its doors, it's been an amazing journey; and, I've done a lot of work that I'm incredibly proud of. In particular, I feel great about the way in which I embraced experimentation with both arms; and, that I tried throwing as many features against the wall to see which would stick. Some of my experiments ended up being a "nothing burger". But, some of them went on to become highly valuable parts of the application and the user experience (UX). The whole process made me somewhat fearless in the face of opposition; and, taught me to love my failures just as much as my successes.
NOW PLAYING
Modernize or Die® - CFML News Podcast for December 31st, 2024 - Episode 226
No transcript for this episode yet
Similar Episodes
Mar 26, 2026 ·1m
Jan 2, 2026 ·47m
Dec 21, 2025 ·46m