2021-12-14 Weekly News - Episode 128

Watch the video version on YouTube at https://youtu.be/_GrDec5PVwg

Hosts:
 
Gavin Pickin - Senior Developer for Ortus Solutions
Dan Card - Software Developer for Ortus Solutions


Thanks to our Sponsor - Ortus Solutions

The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. 
A few ways to say thanks back to Ortus Solutions:

Like and subscribe to our videos on YouTube.
Subscribe to our Podcast on your Podcast Apps and leave us a review.
Sign up for a free or paid account on CFCasts, which is releasing new content every week.
Buy Ortus’s new Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)


Patreon Support

We have 37 patrons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.

News and Events

New Host - Dan Card

Dan introduces himself and gives a quick run down of his CFML experience.

Log4j Vulnerability Reported

There is a critical security vulnerability (CVE-2021-44228 aka Log4Shell) in the java library log4j which is a popular logging library for java applications. It is included in both Adobe ColdFusion and Lucee for example.
Putting together some info to help sort this issue out as it pertains to ColdFusion and Lucee users. I'll update this entry as needed.
https://www.petefreitag.com/item/923.cfm

Adobe’s update on the matter (thanks Charlie for pointing this out)
Blog - https://coldfusion.adobe.com/2021/12/update-log4j-vulnerability/
Update - https://helpx.adobe.com/coldfusion/kb/log4j-vulnerability-coldfusion.html

TLDR for Adobe
There is a critical security vulnerability (CVE-2021-44228) in the Log4j, which is a popular logging library for Java-based applications. The vulnerability also impacts Adobe ColdFusion.
Adobe is investigating any potential impact and is taking action including updating affected systems to the latest versions of Apache Log4j recommended by the Apache Software Foundation.
ColdFusion plans to release a patch (version(s) 2021, 2018) for this log4j vulnerability to customers on 12/17/2021. VERY FAST FOR ADOBE - THEY DON'T MOVE FAST USUALLY
In the meantime, we recommend that ColdFusion users apply the following workarounds/mitigations steps, until this patch is released.

Lucee is not affected https://dev.lucee.org/t/lucee-is-not-affected-by-the-log4j-jndi-exploit-cve-2021-44228/9331
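Before any of the Adobe workarounds can be applied, an administrator has to know which log4j-core JARs a ColdFusion (or any Java) install actually carries and which of them fall inside the CVE-2021-44228 range. The script below is an added example written for these notes; it is not code from Adobe, Ortus, Pete Freitag or Charlie Arehart. It assumes Maven-built log4j-core JARs carry a `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties` entry with a `version=` line, falls back to the `log4j-core-<version>.jar` file name when that entry is missing, and treats every log4j 2.x release below 2.15.0 (the first fixed release) as affected. The sample JARs built by `demo()` are constructed test data, not real artifacts.

```python
"""Inventory log4j-core JARs under a directory and flag CVE-2021-44228 exposure.

Added example, not from the show notes or from Adobe/Ortus. Assumptions:
Maven-built log4j-core JARs carry META-INF/maven/org.apache.logging.log4j/
log4j-core/pom.properties with a `version=` line; when that entry is absent
the file name log4j-core-<version>.jar is used instead.
"""
import os
import re
import sys
import tempfile
import zipfile
from typing import Iterator, List, Optional, Tuple

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FILENAME_RE = re.compile(r"log4j-core-(\d[\w.\-]*)\.jar$", re.IGNORECASE)


def log4j_core_version(jar_path: str) -> Optional[str]:
    """Return the log4j-core version of a JAR, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPERTIES in jar.namelist():
                text = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
                for raw in text.splitlines():
                    key, sep, value = raw.partition("=")
                    if sep and key.strip() == "version":
                        return value.strip()
    except zipfile.BadZipFile:
        return None
    # Fallback: trust the conventional file name when pom.properties is missing.
    m = FILENAME_RE.search(os.path.basename(jar_path))
    return m.group(1) if m else None


def _numeric(version: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' or '2.0-beta9' into a padded (major, minor, patch) tuple."""
    core = version.split("-", 1)[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    return (parts + (0, 0, 0))[:3]


def is_affected(version: str) -> bool:
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; 2.15.0 was the first fix.

    Simplifying assumption: every 2.x below 2.15.0 is flagged, which over-flags
    the pre-beta9 2.0 builds. 1.x is a separate code base outside this CVE.
    """
    nums = _numeric(version)
    return nums[0] == 2 and nums < (2, 15, 0)


def scan_tree(root: str) -> Iterator[Tuple[str, str, bool]]:
    """Yield (path, version, affected) for every log4j-core JAR found under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path)
            if version is not None:
                yield path, version, is_affected(version)


def make_sample_jar(path: str, version: Optional[str]) -> None:
    """Write a constructed sample JAR (test data only) with or without pom.properties."""
    with zipfile.ZipFile(path, "w") as jar:
        if version is None:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        else:
            jar.writestr(POM_PROPERTIES, f"groupId=org.apache.logging.log4j\nversion={version}\n")


def demo() -> List[Tuple[str, str, bool]]:
    """Scan three constructed JARs in a temp dir; returns (file name, version, affected)."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "lib")
        os.makedirs(lib)
        make_sample_jar(os.path.join(lib, "log4j-core-2.13.3.jar"), "2.13.3")  # affected
        make_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), None)      # name fallback
        make_sample_jar(os.path.join(lib, "log4j-core-2.17.0.jar"), "2.17.0")  # fixed
        make_sample_jar(os.path.join(lib, "other-1.0.jar"), None)              # not log4j-core
        return sorted((os.path.basename(p), v, a) for p, v, a in scan_tree(lib))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, version, affected in scan_tree(sys.argv[1]):
            print(f"{'AFFECTED' if affected else 'ok      '} {version:<12} {path}")
    else:
        for row in demo():
            print(row)
```

Run it as `python inventory_log4j.py /path/to/cfusion` to list the JARs it finds; with no argument it scans the constructed samples. It only sees standalone log4j-core JARs, so log4j classes repackaged into another JAR or exploded onto a classpath are missed, and a clean report is a starting point for applying Adobe's update, not a substitute for it.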

Charlie’s Blog on the matter
https://www.carehart.org/blog/2021/12/14/about_the_log4jshell_pandemic
https://coldfusion.adobe.com/2021/12/dealing-recent-log4j-vulnerability-adobe-releases-update/

More news links about Log4j
https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/


New CommandBox Feature

Add the equivalent of the mod_cfml Tomcat valve into CommandBox as an Undertow handler to auto-create contexts based on the front-end server's virtual hosts.
Support the same request headers and behavior of mod_cfml
Ideally, this should have drop-in support behind BonCode IIS or Apache's mod_cfml module
Support max contexts setting
Make this new behavior off (opt-in) by default
Support and require shared key for security (Note, the current mod_cfml Tomcat valve does not require the shared key, but we will)
https://ortussolutions.atlassian.net/browse/COMMANDBOX-1411


CBSecurity V2.15.0 released

🚀 Added
Pass custom claims from refreshToken( token, customClaims) method when refreshing tokens
Pass in the current jwt payload in to getJWTCustomClaims( payload )
The auto refresh token features now will auto refresh not only on expired tokens, but on invalid and missing tokens as well. Thanks to @elpete
🐛 Fixed
Timeout in token storage is now the token timeout
https://www.forgebox.io/view/cbsecurity


TestBox v.4.5.0 released

Added

Migration to GitHub Actions
TESTBOX-332 toBe{Type} is incomplete
TESTBOX-329 Full Null support

6 Bug fixes as well

Also updates to VSCode extension

Luis has been updating the TestBox VSCode extension
Luis has rewritten it and added tons of new features
You can now run your tests inside of vscode
The full harness, a bundle, or a single spec depending on your cursor in the code
Basically this https://marketplace.visualstudio.com/items?itemName=CoachRichbart.better-jest  but for TestBox
Luis has all of it working with CommandBox right now but it’s dog slow
So Luis is building a native http runner from within vscode
https://testbox.ortusbooks.com/intro/release-history/whats-new-with-4.5.0

Vue Mastery - FREE Courses Dec 17-20th

Vue Mastery @VueMastery
We're unlocking ALL of our courses
On Dec. 17-20, you'll be able to watch any and all of our courses on our site for free.
Have you signed up yet? Reserve your spot so you get notified when we unlock our courses
https://twitter.com/vuemastery/status/1470524002829582339?


ICYMI - Advent of Code starts Dec 1st

Advent of Code is an Advent calendar of small programming puzzles for a variety of skill sets and skill levels that can be solved in any programming language you like. People use them as a speed contest, interview prep, company training, university coursework, practice problems, or to challenge each other.
You don't need a computer science background to participate - just a little programming knowledge and some problem solving skills will get you pretty far. Nor do you need a fancy computer; every problem has a solution that completes in at most 15 seconds on ten-year-old hardware.
https://adventofcode.com/


ICYMI - Ortus Redis Cache Extension V2.0.0

11 new features, 1 improvement and 3 bug fixes.
Major enhancements focus on Pub Sub capabilities, Docker support, and Cluster Protocol support for RedisCluster, Sentinel, AWS and DigitalOcean.
https://www.forgebox.io/view/5C558CC6-1E67-4776-96A60F9726D580F1/version/2.0.0-snapshot

CFCasts Content Updates

https://www.cfcasts.com

Just Released

Youth Traini...

Twitter Mentions