That's very curious. The CVE that Adobe references in their release
(CVE-2012-0770) doesn't seem to be a valid CVE number, though it comes
up in some Google searches. But it isn't in the National Vulnerability
Database or at cvedetails.com.

The vulnerability they are describing seems to be the one described

Here: http://www.kb.cert.org/vuls/id/903934
And here: http://www.ocert.org/advisories/ocert-2011-003.html

However, that was a known vulnerability in a bunch of languages and
was fixed everywhere else last year. In the first link, it says Adobe
was notified in November 2011. If the release they put out today is
really regarding the issues I linked to (since the credited CVE entry
doesn't seem to exist) then that means they are a couple months behind
every other vendor. That is worrisome.

Cheers,
Judah

On Tue, Mar 13, 2012 at 9:05 AM, John M Bliss <bliss.j...@gmail.com> wrote:
>
> FYI: Adobe warns of hash collision in #ColdFusion | ZDNet
> http://zd.net/ymjDEy
>
> --
> John Bliss - http://about.me/jbliss
>

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350420