ColdFusion 9.0.1, ColdFusion 9, ColdFusion 8.0.1, and ColdFusion 8 are affected with the issue mentioned in the security bulletin APSB11-04. This TechNote provides fixes for the security issues along with the installation instructions.
Updated on March 7th 2011 : Adobe has received a few issues with the Security Hotfix released in Feb 2011. A list of issues are as follows:
1.Session is lost for an application accessed within same domain *.
2.Formatting problem for ResponseTime table on debug template.
3.A minor fix for CFIDE/wizards/common/_logintowizard.cfm
* A JVM property was added in case you want to completely switch off the fix for the Session Fixation issue ( Bug 86378) which prior to this security release changed Session behavior in some environments. Add the following JVM property -Dcoldfusion.session.protectfixation=false in the JVM Arguments for the Coldfusion Server.
Latest hotfixes containing the fixes for the above issues are updated in the technote. Instructions to apply the hotfix remain same. All the users should re-apply the hotfixes if they have applied it already.
Note: This hotfix contains security-specific hotfixes only.