Steve, this is a point I just made in one of my replies this week to Ajas,
but to reiterate, any security hotfixes created by Adobe are created for
9.0, 9.0.1, and 9.0.2. So no, you are not in any danger, as long as you
always apply the latest HFs.

As for not updating to Java 7, yes, technically you are "in danger", in that
Oracle has EOLed Java 6 and is NOT offering new updates for Java 6. So if
there are new vulnerabilities identified, they will only update Java 7, not
6 (just as if Adobe fixes CF now, they only do it for CF 10 and 9, not 8 or
earlier). The EOL of Java 6 was only in the past couple of months, so at
least you can update to a *relatively recent* JVM update, just not THE
latest one.

Finally, as for your observation about the wording of the Adobe mention
about "supported jdks", I assume you are referring to the first sentence of
step 1 in this doc:
http://helpx.adobe.com/coldfusion/kb/change-coldfusion-jvm.html

"Download and install a supported version of JDK."

I suppose that's just a CYA statement. (And if this doc may have existed for
CF9 before the update that allowed 1.7, it was referring to them supporting
only Java 1.6. Indeed, until about mid-last year, they only supported up to
1.6.0_24.) But I agree with you it would be better if they'd show or point
to some table to clarify what JVMs are supported by what versions of CF.
(Seems a good blog opportunity!)

/charlie

 

From: [email protected] [mailto:[email protected]] On Behalf Of Steven
Sent: Friday, April 12, 2013 8:35 AM
To: [email protected]
Subject: [ACFUG Discuss] 9.01 vs 9.02

 

All,

while we're on the subject of patching & upgrades..

last night I patched our 9.01 box with the latest hotfix4 from
http://helpx.adobe.com/coldfusion/kb/hot-fixes-coldfusion-9.html

and I followed the steps there.

 

But I'm still fuzzy on a couple things..

 

I didn't want to go through the hassle of doing a complete
uninstall/reinstall to get the box over to the 9.02 series. Am I still in
danger of having security holes that aren't addressed by the 9.01 series
hotfixes?

 

And, also within this hotfix4 I applied -- an "optional" step is to upgrade
the jvm by getting the latest jdk from oracle, modifying the jvm.config to
call the new, etc.  I elected not to touch the jvm and we are still using
native (out of the box ver). Am I again in danger of new security issues? (I
have another Adobe rant. They mention in this step to use only the JDKs
which are compatible with cf9 -- but don't bother within the instructions to
tell you which are compatible!).

 

How did you guys approach your cf9 patching?

Happy Friday.

 

Thx,

Steve

 



