That is somewhat alarming to read and puts the breaks on a CF9-->CF10 project we have. Being a payment gateway we are very sensitive to reported vulnerabilities and getting them patched or plugged ASAP -- for both PCI and the fact that we have a lot on the line. If Adobe's JRUN patching timeframes are any indication of Adobe's Tomcat patching timeframes, this will be a non-starter for us with CF10 and above. With CF9 it was (is) easy to upgrade the JAVA runtime to the latest that Oracle has to offer. Ugh!
↧