Re: hash collision
That's very curious. The CVE that Adobe references in their release (CVE-2012-0770) doesn't seem to be a valid CVE number, though it comes up in some Google searches. But it isn't in the National Vulnerability Database or at cvedetails.com. The vulnerability they are describing seems to be the one described here: http://www.kb.cert.org/vuls/id/903934 and here: http://www.ocert.org/advisories/ocert-2011-003.html

However, that was a known vulnerability in a bunch of languages and was fixed everywhere else last year. In the first link, it says Adobe was notified in November 2011. If the release they put out today is really regarding the issues I linked to (since the credited CVE entry doesn't seem to exist), then that means they are a couple months behind every other vendor. That is worrisome.

Cheers,
Judah

On Tue, Mar 13, 2012 at 9:05 AM, John M Bliss bliss.j...@gmail.com wrote:
> FYI: Adobe warns of hash collision in #ColdFusion | ZDNet http://zd.net/ymjDEy
> --
> John Bliss - http://about.me/jbliss

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350420
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
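As an added illustration (not code from this thread, from Adobe, or from the advisories linked above), the mechanism behind the hash-collision denial of service those advisories describe, shown with a toy unkeyed hash, beside the two mitigations vendors shipped for it: a keyed (seeded) hash and a cap on the number of form fields per request. The toy hash, the BLAKE2 keyed hash, the bucket count and the field cap value are my assumptions, not ColdFusion's implementation.

```python
import hashlib
import os
from collections import Counter

NBUCKETS = 1024          # bucket count of the toy hash table (assumed)
MAX_FORM_FIELDS = 500    # constructed per-request field cap (assumed value)

def weak_bucket(name: str) -> int:
    """Toy unkeyed hash: sum of character codes. Chosen only to make the
    failure mode visible; it is not the hash any real server uses."""
    return sum(ord(c) for c in name) % NBUCKETS

_SEED = os.urandom(16)   # per-process secret the client never learns

def keyed_bucket(name: str, seed: bytes = _SEED) -> int:
    """Keyed hash (BLAKE2b in keyed mode): without the seed a client cannot
    precompute which field names will share a bucket."""
    digest = hashlib.blake2b(name.encode(), digest_size=8, key=seed).digest()
    return int.from_bytes(digest, "big") % NBUCKETS

def colliding_names(count: int) -> list:
    """Constructed field names: three letter pairs that each sum to 219, so
    every name has code sum 657 and lands in the same weak_bucket.
    Distinct for count <= 17576; lowercase only, so no '&' or '='."""
    names = []
    for i in range(count):
        chars, n = [], i
        for _ in range(3):
            n, d = divmod(n, 26)
            chars += [chr(97 + d), chr(122 - d)]
        names.append("".join(chars))
    return names

def longest_chain(names, bucket_fn) -> int:
    """Size of the most crowded bucket: the number of string comparisons the
    table does to insert or look up one more name that maps there."""
    return max(Counter(bucket_fn(n) for n in names).values())

def check_field_count(body: str, limit: int = MAX_FORM_FIELDS) -> bool:
    """First line of defence: refuse a form body with more fields than the
    cap before any field is inserted into a table at all."""
    fields = [f for f in body.split("&") if f]
    return len(fields) <= limit

if __name__ == "__main__":
    names = colliding_names(2000)
    print("weak hash, longest chain:", longest_chain(names, weak_bucket))
    print("keyed hash, longest chain:", longest_chain(names, keyed_bucket))
    body = "&".join(f"{n}=1" for n in names)
    print("accepted by field cap:", check_field_count(body))
```

With the weak hash every one of the 2000 names sits in one chain, so each insertion walks the whole chain and the parse becomes quadratic; with the keyed hash the same names spread to a handful per bucket, and the field cap rejects the body before parsing starts.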
Re: hash collision
> The vulnerability they are describing seems to be the one described here

From the comment below, I think it is the same issue: http://forums.adobe.com/message/4264032#4264032

-Leigh

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350421
Re: hash collision
Thanks, Leigh, looks like that verifies that it is the same issue. Now I'm curious why it took Adobe til the middle of March to fix a vulnerability that everyone else fixed by early January at the latest. At least it is fixed.

Cheers,
Judah

On Tue, Mar 13, 2012 at 12:29 PM, Leigh cfsearch...@yahoo.com wrote:
> > The vulnerability they are describing seems to be the one described here
>
> From the comment below, I think it is the same issue: http://forums.adobe.com/message/4264032#4264032
>
> -Leigh

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350422
Re: hash collision
Judah - I was wondering the same thing. When it was first announced, I could not seem to find any CF-specific details. I just assumed it was applicable because Java was vulnerable.

-Leigh

From: Judah McAuley
Sent: Tuesday, March 13, 2012 3:36 PM
Subject: Re: hash collision

> Thanks, Leigh, looks like that verifies that it is the same issue. Now I'm curious why it took Adobe til the middle of March to fix a vulnerability that everyone else fixed by early January at the latest. At least it is fixed.
>
> Cheers,
> Judah

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350423
Re: hash collision
On Tue, Mar 13, 2012 at 8:36 PM, Judah McAuley wrote:
> Thanks, Leigh, looks like that verifies that it is the same issue. Now I'm curious why it took Adobe til the middle of March to fix a vulnerability that everyone else fixed by early January at the latest.

Just like with their other software, Adobe tries to stick to a 3-month release cycle for ColdFusion. The 2011Q4 update was December 13, the 2012Q1 update is March 13.

Jochem
--
Jochem van Dieten
http://jochem.vandieten.net/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350424
Re: hash collision
On Tue, Mar 13, 2012 at 1:06 PM, Jochem van Dieten joch...@gmail.com wrote:
> On Tue, Mar 13, 2012 at 8:36 PM, Judah McAuley wrote:
> > Thanks, Leigh, looks like that verifies that it is the same issue. Now I'm curious why it took Adobe til the middle of March to fix a vulnerability that everyone else fixed by early January at the latest.
>
> Just like with their other software, Adobe tries to stick to a 3-month release cycle for ColdFusion. The 2011Q4 update was December 13, the 2012Q1 update is March 13.

I knew that that was the release cycle for bug fixes but I didn't realize that that applied to security fixes as well. That surprises me.

Thanks,
Judah

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350425