You should subscribe to the security bulletin email... -----Original Message----- From: Kola Oyedeji [mailto:[EMAIL PROTECTED]] Sent: 13 January 2003 09:25 To: [EMAIL PROTECTED] Subject: RE: [ cf-dev ] Fw: New Macromedia Security Zone Bulletins Posted
Lucas Thanks for the link. I wasn't aware so many patches had been released for CFMX. Are these included in any of the updaters or do these need to be applied along with the updaters? Thanks Kola >> -----Original Message----- >> From: Lucas Sherwood [mailto:[EMAIL PROTECTED]] >> Sent: 11 January 2003 09:52 >> To: [EMAIL PROTECTED] >> Subject: [ cf-dev ] Fw: New Macromedia Security Zone Bulletins Posted >> >> I don't know how many of you subscribe to the security zone mailing list >> >> if you are an ISP this one is of interest... >> >> L. >> ----- Original Message ----- >> From: "Macromedia Security Zone" <[EMAIL PROTECTED]> >> To: <[EMAIL PROTECTED]> >> Sent: Friday, January 10, 2003 4:56 PM >> Subject: New Macromedia Security Zone Bulletins Posted >> >> >> > >> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> > IMPORTANT: >> > >> > Several security issues that may affect Macromedia JRun >> > and ColdFusion customers have come to our attention >> > recently. >> > >> > To learn about these new issues and what actions you can >> > take to address them, please visit the Security Zone at >> > the Macromedia website: >> > >> > http://www.macromedia.com/security >> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> > >> > MSPB03-01 - Patch available for ColdFusion MX Enterprise >> > Edition sandbox security issue that allows templates to >> > include arbitrary files. >> > >> > Originally Posted: January 9, 2003 >> > ~~~~~~~ >> > SUMMARY >> > >> > The <cfinclude> tag and the <cfmodule> tag will accept >> > filenames with relative paths as arguments. CFMX does >> > not check the Sandbox Security Files/Dirs permissions >> > before including files with these tags. This could >> > allow a template to access unauthorized data using >> > these tags. >> > >> > This does not affect any prior versions of ColdFusion. >> > >> > ~~~~~~~ >> > WHAT CUSTOMERS SHOULD DO: >> > >> > >> > We strongly encourage customers to download and install >> > this patch immediately. >> > >> > >> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> > Reporting Security Issues >> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> > >> > Macromedia is committed to addressing security issues and >> > providing customers with the information on how they can >> > protect themselves. If you identify what you believe may >> > be a security issue with a Macromedia product, please >> > send an e-mail to [EMAIL PROTECTED] We will work to >> > appropriately address and communicate the issue. >> > >> > ~~~~~~~ >> > Receiving Security Bulletins: >> > >> > When Macromedia becomes aware of a security issue that we >> > believe significantly affects our products or customers, >> > we will notify customers when appropriate. Typically, this >> > notification will be in the form of a security bulletin >> > explaining the issue and the response. Macromedia customers >> > who would like to receive notification of new security >> > bulletins when they are released can sign up for our >> > security notification service. >> > >> > For additional information on security issues at Macromedia, >> > please visit the Security Zone at: >> > >> > http://www.macromedia.com/security >> > >> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> > THE INFORMATION PROVIDED BY MACROMEDIA IN THIS BULLETIN >> > IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. >> > MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, >> > WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE >> > WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A >> > PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF >> > NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) >> > SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED >> > WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. >> > >> > IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE >> > LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT >> > LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, >> > SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS >> > INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, >> > BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF >> > CONTRACT, BREACH OF WARRANTY, TORT(INCLUDING NEGLIGENCE), >> > PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. >> > OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN >> > ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) >> > SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF >> > LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE >> > ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND >> > YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE >> > TO STATE. >> > >> > Macromedia reserves the right to update the information in >> > this document with current information. >> > >> >> >> -- >> ** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/ >> >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> For human help, e-mail: [EMAIL PROTECTED] -- ** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] For human help, e-mail: [EMAIL PROTECTED] -- ** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] For human help, e-mail: [EMAIL PROTECTED]
