Issues
- older lucee versions can't download extensions from refactored update provider due to redirects (i.e. 5.2)LDEV-4949Resolved issue: LDEV-4949
- Replace via a struct inserts gibberish when struct keys not found in textLDEV-3765Resolved issue: LDEV-3765Pothys - MitrahSoft
- sessionRotate() doesn't copy CSRF tokens to new sessionLDEV-3324Resolved issue: LDEV-3324Pothys - MitrahSoft
- older lucee versions can't download extensions due to redirectsLDEV-3237Resolved issue: LDEV-3237Pothys - MitrahSoft
- Failed to download the bundle: [javax.mail.activation:1.6.2.0000L] from ...LDEV-3229
- java.lang.NoClassDefFoundError : org/apache/axis/types/URI in cfinvokeLDEV-3227Resolved issue: LDEV-3227Michael Offner
- CFFTP (secure) resets connections (ssh-dss)LDEV-3166Resolved issue: LDEV-3166Zac Spitzer
7 of 7
older lucee versions can't download extensions from refactored update provider due to redirects (i.e. 5.2)
Won't Fix
Description
Environment
None
relates to
Details
Assignee
UnassignedUnassignedReporter
Zac SpitzerZac SpitzerPriority
NewNew Issue warning screen
Before you create a new Issue, please post to the mailing list first https://dev.lucee.org
Once the issue has been verified, one of the Lucee team will ask you to file an issue
Details
Details
Assignee
Unassigned
UnassignedReporter
Zac Spitzer
Zac SpitzerPriority
NewNew Issue warning screen
Before you create a new Issue, please post to the mailing list first https://dev.lucee.org
Once the issue has been verified, one of the Lucee team will ask you to file an issue
Created 26 June 2024 at 08:15
Updated 26 June 2024 at 16:18
Resolved 26 June 2024 at 16:18
Activity
Show:
Zac Spitzer26 June 2024 at 12:37Edited
would require port 80 to be open, then it will default to serving content directly, otherwise allowRedirect=boolean, default is true
PSA: Only supported versions of Lucee are 5.4 and 6+
5.2 has multiple CVEs and uses very old java libraries with their own additional CVEs
https://github.com/lucee/Lucee/blob/6.1/SECURITY.md
they also only download over http, which is another redirect from http to https to the extension cdn
WORKAROUND: copy extensions manually to /deploy folder
Due to security reasons, we will no longer be supporting insecure update providers (i.e https only, no http support)
You can also create a reverse proxy to serve content from https://update.lucee.org/ and https://extension.lucee.org/ via http and then edit your
lucee-server.xmlto use that custom update provider host insteadAnyone running these old versions in production are advised to upgrade immediately, 5.4 is our LTS release, supported until 2026
These are just some of the problematic libraries in core 5.2, not including extensions (or lucee rebundled jars)