New Macromedia Security Zone Bulletins Posted
daemon@ATHENA.MIT.EDU (Macromedia Security Alert)
Mon Dec 10 16:43:00 2001
Date: Thu, 6 Dec 2001 14:50:20 -0800 (PST)
Message-Id: <200112062250.fB6MoK726131@rsigate.macromedia.com>
Reply-To: <response.secure@allaire.com>
From: newsflash@macromedia.com (Macromedia Security Alert)
To: aleph1@underground.org
MIME-Version: 1.0
Content-Type: text/plain; Charset=us-ascii
Content-Transfer-Encoding: 7bit
Resent-From: aleph1@underground.org
Resent-To: bugtraq@securityfocus.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IMPORTANT:
Several security issues that may affect Macromedia JRun
customers have come to our attention recently.
To learn about these new issues and what actions you can
take to address them, please visit the Security Zone at the
Macromedia/Allaire Web site:
http://www.allaire.com/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dear Macromedia customer,
This week we posted the following new Macromedia
SECURITY BULLETINS:
* MBSB01-13: Workaround Addresses IIS 4/5 Web Server Root
Directory Browse Access
* MPSB01-14: Patch Available for Serving JSP
Pages out of the WEB-INF and META-INF Directories
* MBSB01-15: Patch Available for revealing Source
Code when Accessing a JSP as myjsp%00 or myjs%2570
via the JWS or IIS
* MPSB01-16: Patch Available for Retrieval of File
Content with an HTTP GET under Certain Conditions
* MPSB01-17: Patch Available for File System Traversal
Issue with JRun Web Server on Windows platforms
* MPSB01-18: Patch Available for Unnecessary Appending
of jsessionid in URL (URL Rewriting)
We have also updated the following existing Macromedia
SECURITY BULLETINS:
* MPSB01-09: JRun 3.1, JRun 3.0 ::$DATA Vulnerability
(a.k.a. JSP view source vulnerability)
* MPSB01-10: Patch Available for Duplicate Session IDs Issue
Please note: One patch applies to all of the above security
bulletins. When you download the patch from one bulletin, it
will contain fixes for the issues in all of the above listed
bulletins.
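Until the patch is applied, administrators can check their Web server access logs for requests matching the issue classes named in the bulletins above. The following script is an added example, not part of this notice or of any Macromedia product: it maps each request path to the bulletin it resembles (WEB-INF/META-INF access, a %00 or double-encoded JSP name, a traversal sequence, a ::$DATA suffix, or a jsessionid carried in the URL). The log lines it scans are constructed for the example, and the bulletin numbers in its messages are simply the ones listed in this notice.

```python
"""Scan access-log lines for request patterns matching the JRun
bulletins listed in this notice.  Example code, not a Macromedia tool."""
import re
from urllib.parse import unquote

# Constructed sample log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2001:14:50:20 -0800] "GET /index.jsp HTTP/1.0" 200 512
10.0.0.7 - - [06/Dec/2001:14:51:02 -0800] "GET /WEB-INF/web.xml HTTP/1.0" 200 1024
10.0.0.7 - - [06/Dec/2001:14:51:10 -0800] "GET /myjsp%00 HTTP/1.0" 200 2048
10.0.0.7 - - [06/Dec/2001:14:51:15 -0800] "GET /myjs%2570 HTTP/1.0" 200 2048
10.0.0.9 - - [06/Dec/2001:14:52:00 -0800] "GET /..%5c..%5cwinnt/win.ini HTTP/1.0" 404 0
10.0.0.9 - - [06/Dec/2001:14:52:30 -0800] "GET /index.jsp::$DATA HTTP/1.0" 200 2048
10.0.0.5 - - [06/Dec/2001:14:53:00 -0800] "GET /login.jsp;jsessionid=ABC123 HTTP/1.0" 200 512
"""

# Pulls the request line ("METHOD target HTTP/x.y") out of a log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target: str) -> list:
    """Return the bulletin-style findings for one request target (empty if clean)."""
    findings = []
    path = target.split('?', 1)[0]          # ignore the query string
    once = unquote(path)                    # normal single percent-decode
    twice = unquote(once)                   # second pass exposes double encoding

    if '\x00' in once or '\x00' in twice:
        findings.append('null byte in path (MPSB01-15)')
    if once != twice:
        # A second decode changed the path, e.g. myjs%2570 -> myjs%70 -> myjsp
        findings.append('double-encoded path (MPSB01-15)')

    lowered = twice.lower().replace('\\', '/')   # treat backslash as a separator
    if re.search(r'/(web-inf|meta-inf)(/|$)', lowered):
        findings.append('WEB-INF/META-INF access (MPSB01-14)')
    if '../' in lowered or lowered.endswith('..'):
        findings.append('directory traversal (MPSB01-17)')
    if '::$data' in lowered:
        findings.append('::$DATA suffix (MPSB01-09)')
    if ';jsessionid=' in lowered:
        findings.append('session id carried in URL (MPSB01-18)')
    return findings


def scan_log(text: str) -> list:
    """Return (client, target, findings) for every log line with at least one finding."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify_request(m.group('target'))
        if findings:
            hits.append((line.split()[0], m.group('target'), findings))
    return hits


if __name__ == '__main__':
    for client, target, findings in scan_log(SAMPLE_LOG):
        print(f'{client} {target}: ' + '; '.join(findings))
```

Decoding the path twice and comparing the results is what separates `myjs%2570` from an ordinary encoded name: a correctly encoded path is unchanged by the second pass. The backslash normalisation matters on the Windows JRun Web Server named in MPSB01-17, where `..%5c` is a path separator.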
As a Web application platform vendor, one of our highest
concerns is the security of the systems our customers
deploy. We understand how important security is to our
customers, and we're committed to providing the technology
and information customers need to build secure Web
applications.
~~~~~~~
Thank you for your time and consideration on this issue.
Security Response Team,
Macromedia, Inc.
~~~~
P.S. As a reminder, Macromedia has set up the following
e-mail address that customers can use to report security
issues associated with any Macromedia product:
[mailto:secure@allaire.com]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES
PROVIDED BY MACROMEDIA IN THIS BULLETIN IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS
DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR
OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO
WARRANTY OF NON-INFRINGEMENT, TITLE, OR QUIET ENJOYMENT.
(USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF
IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY
TO YOU. IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT
LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS
INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES,
BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF
CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE),
PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC.
OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES
DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION
OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE
OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.