I'm fairly certain that's the only thing. John H. should still have the documentation I wrote for locking down instances (although it's geared toward multi-server).
On Fri, Apr 19, 2013 at 1:20 PM, Teddy R Payne <[email protected]> wrote:

> If I recall, there is more than one xml file or child node that has
> interface set to asterisk.
>
> Sent from my iPhone
>
> On Apr 19, 2013, at 9:38 AM, Dawn Hoagland <[email protected]> wrote:
>
> Assuming a single server, development instance install.....
>
> {installLocation}\runtime\servers\coldfusion\SERVER-INF\jrun.xml
>
> Update the "interface" attribute in the following service class
>
>   <service class="jrun.servlet.http.WebService" name="WebService">
>     <attribute name="port">8500</attribute>
>     <attribute name="interface">127.0.0.1</attribute>
>     <attribute name="deactivated">false</attribute>
>     <attribute name="activeHandlerThreads">50</attribute>
>     <attribute name="minHandlerThreads">1</attribute>
>     <attribute name="maxHandlerThreads">1000</attribute>
>     <attribute name="mapCheck">0</attribute>
>     <attribute name="threadWaitTimeout">300</attribute>
>     <attribute name="backlog">500</attribute>
>     <attribute name="timeout">300</attribute>
>   </service>
>
> On Fri, Apr 19, 2013 at 9:16 AM, Wilson, Brooks <[email protected]> wrote:
>
>> Greetings:
>>
>> I’ve lost my notes on how to secure the IP address when setting up a CF 9
>> server for local development. I had instructions on how to make the CF
>> built in server accessible only from the local host. Please post them if
>> you have them.
>>
>> TIA, Brooks
>> ------------------------------
>>
>> Brooks Wilson | Senior Web Developer Programmer/Analyst
>> Technology Solutions Services | Application Delivery Services
>>
>> Federal Reserve Bank of Atlanta | 1000 Peachtree Street, Atlanta, GA
>> 30309-4470
>>
>> Phone: 404.498.8178 | Fax: 404.498.8239 | Mobile: 404.985.9270
>>
>> Email: [email protected]
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Charlie
>> Arehart
>> Sent: Friday, April 12, 2013 6:18 PM
>> To: [email protected]
>> Subject: RE: [ACFUG Discuss] 9.01 vs 9.02
>>
>> Steve, this is a point I just made in one of my replies this week to
>> Ajas, but to reiterate, any security hotfixes created by Adobe are created
>> for 9.0, 9.0.1, and 9.0.2. So no, you are not in any danger, as long as you
>> always apply the latest HFs.
>>
>> As for not updating to Java 7, yes, technically you are “in danger”, in
>> that Oracle has EOLed java 6 and are NOT offering new updates for Java 6.
>> So if there are new vulnerabilities identified, they will only update Java
>> 7, not 6 (just as if Adobe fixes CF now, they only do it for CF 10 and 9,
>> not 8 or earlier). The EOL of java 6 was only in the past couple of months,
>> so at least you can update to a *relatively recent* JVM update, just not
>> THE latest one.
>>
>> Finally, as for your observation about the wording of the Adobe mention
>> about “supported jdks”, I assume you are referring to the first sentence of
>> step 1 in this doc:
>> http://helpx.adobe.com/coldfusion/kb/change-coldfusion-jvm.html
>>
>> “Download and install a supported version of JDK.”
>>
>> I suppose that’s just a CYA statement. (And if this doc may have existed
>> for CF9 before the update that allowed 1.7, it was referring to them
>> supporting only Java 1.6. Indeed, until about mid-last year, they only
>> supported up to 1.6.0_24.) But I agree with you it would be better if
>> they’d show or point to some table to clarify what JVMs are supported by
>> what versions of CF. (Seems a good blog opportunity!)
>>
>> /charlie
>>
>> From: [email protected] [mailto:[email protected] <[email protected]>] On
>> Behalf Of Steven
>> Sent: Friday, April 12, 2013 8:35 AM
>> To: [email protected]
>> Subject: [ACFUG Discuss] 9.01 vs 9.02
>>
>> All,
>>
>> while we're on the subject of patching & upgrades..
>>
>> last night I patched our 9.01 box with the latest hotfix4 from
>> http://helpx.adobe.com/coldfusion/kb/hot-fixes-coldfusion-9.html
>>
>> and I followed the steps there.
>>
>> But I'm still fuzzy on a couple things..
>>
>> I didn't want to go through the hassle of doing a complete
>> uninstall/reinstall to get the box over to the 9.02 series. Am I still in
>> danger of having security holes that aren't addressed by the 9.01 series
>> hotfixes?
>>
>> And, also within this hotfix4 I applied -- an "optional" step is to
>> upgrade the jvm by getting the latest jdk from oracle, modifying the
>> jvm.config to call the new, etc. I elected not to touch the jvm and we are
>> still using native (out of the box ver). Am I again in danger of new
>> security issues? (I have another Adobe rant. They mention in this step to
>> use only the JDKs which are compatible with cf9 -- but don't bother within
>> the instructions to tell you which are compatible!).
>>
>> How did you guys approach your cf9 patching?
>>
>> Happy Friday.
>>
>> Thx,
>>
>> Steve
>>
>> -------------------------------------------------------------
>> To unsubscribe from this list, manage your profile @
>> http://www.acfug.org?fa=login.edituserform
>>
>> For more info, see http://www.acfug.org/mailinglists
>> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
>> List hosted by FusionLink <http://www.fusionlink.com>
>> -------------------------------------------------------------
>
> --
> Dawn

--
Dawn
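
Added example, not part of the thread: since more than one node may carry an "interface" value, this sketch lists every `<service>` in a jrun.xml-style file that has a port or interface and reports whether it is bound to loopback. The sample XML is constructed (only the WebService entry mirrors the thread; `OtherService` and `LoggerService` are hypothetical), and treating `deactivated` = true as "not listening" and a missing interface as not loopback are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not a real jrun.xml: the WebService entry mirrors the
# thread; OtherService and LoggerService are hypothetical.
SAMPLE = """<jrun-server>
  <service class="jrun.servlet.http.WebService" name="WebService">
    <attribute name="port">8500</attribute>
    <attribute name="interface">127.0.0.1</attribute>
    <attribute name="deactivated">false</attribute>
  </service>
  <service class="example.OtherService" name="OtherService">
    <attribute name="port">51011</attribute>
    <attribute name="interface">*</attribute>
    <attribute name="deactivated">false</attribute>
  </service>
  <service class="example.LoggerService" name="LoggerService"/>
</jrun-server>"""


def is_loopback(value):
    """True only for a literal loopback address or the name 'localhost'."""
    if value.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:  # "*", other hostnames, empty string
        return False


def audit_interfaces(xml_text):
    """Return (name, port, interface, verdict) for each service with a port or interface."""
    findings = []
    for svc in ET.fromstring(xml_text).iter("service"):
        attrs = {a.get("name"): (a.text or "").strip() for a in svc.findall("attribute")}
        if "interface" not in attrs and "port" not in attrs:
            continue  # no listener settings on this service
        iface = attrs.get("interface", "")
        if attrs.get("deactivated", "false").lower() == "true":
            verdict = "deactivated"    # assumption: a deactivated service does not listen
        elif is_loopback(iface):
            verdict = "loopback-only"
        else:
            verdict = "not-loopback"   # "*", a routable address, or no interface set
        findings.append((svc.get("name"), attrs.get("port"), iface, verdict))
    return findings


if __name__ == "__main__":
    for row in audit_interfaces(SAMPLE):
        print("%-14s port=%-6s interface=%-10s %s" % row)
```

To check a real install, pass the contents of each candidate XML file to `audit_interfaces` and review every row that is not `loopback-only`.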
