New Macromedia Security Zone Bulletins Posted

From: Macromedia Security Alert (newsflash@macromedia.com)
Date: 12/06/01


Date: Thu, 6 Dec 2001 14:50:20 -0800 (PST)
From: newsflash@macromedia.com (Macromedia Security Alert)
To: aleph1@underground.org


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IMPORTANT:

Several security issues that may affect Macromedia JRun
customers have come to our attention recently.

To learn about these new issues and what actions you can
take to address them, Please visit the Security Zone at the
Macromedia/Allaire Web site:

http://www.allaire.com/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dear Macromedia customer,

This week we posted the following new Macromedia
SECURITY BULLETINS:

   * MBSB01-13: Workaround Addresses IIS 4/5 Web Server Root
        Directory Browse Access

   * MPSB01-14: Patch Available for Serving JSP
        Pages out of the WEB-INF and META-INF Directories.

   * MBSB01-15: Patch Available for revealing Source
        Code when Accessing a JSP as myjsp%00 or myjs%2570
        via the JWS or IIS

   * MPSB01-16: Patch Available for Retrieval of File
        Content with an HTTP GET under Certain Conditions

   * MPSB01-17: Patch Available for File System Traversal
        Issue with JRun Web Server on Windows platforms

   * MPSB01-18: Patch Available for Unnecessary Appending
        of jsessionid in URL (URL Rewriting)

We have also updated the following existing Macromedia
SECURITY BULLETINS:

   * MPSB01-09: JRun 3.1, JRun 3.0 ::$DATA Vulnerability
        (a.k.a. JSP view source vulnerability)

   * MPSB01-10: Patch Available for Duplicate Session IDs Issue

Please note: One patch applies to all of the above security
bulletins. When you download the patch from one bulletin, it
will contain fixes for the issues in all of the above listed
bulletins.

As a Web application platform vendor, one of our highest
concerns is the security of the systems our customers
deploy. We understand how important security is to our
customers, and we're committed to providing the technology
and information customers need to build secure Web
applications.

~~~~~~~
Thank you for your time and consideration on this issue.

Security Response Team,
Macromedia, Inc.

~~~~
P.S. As a reminder, Macromedia has set up the following
e-mail address that customers can use to report security
issues associated with any Macromedia product:

[mailto:secure@allaire.com]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES
PROVIDED BY MACROMEDIA IN THIS BULLETIN IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS
DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR
OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO
WARRANTY OF NON-INFRINGEMENT, TITLE, OR QUIET ENJOYMENT.
(USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF
IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY
TO YOU. IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT
LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS
INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES,
BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF
CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE),
PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC.
OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES
DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION
OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE
OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.



Relevant Pages