-
1. Re: MPSB05-13 Cumulative Security Updater broken link
Charlie Arehart Dec 18, 2011 5:00 PM (in response to Owain North)Are you sure you need the hotfix for CF? Often when a hotfix exists for JRun, it is referring to the standalone edition of JRun, and not the Multiserver form of deployment (which of course runs atop a deployment of JRun). I don’t know about this particular fix. The fact that the link can’t be found (even via a search on the Adobe site) suggests it may not be needed. I see that it’s from 2005 (on http://www.adobe.com/support/security/). What’s making you “need” it?
/charlie
-
2. Re: MPSB05-13 Cumulative Security Updater broken link
Owain North Dec 18, 2011 11:52 PM (in response to Charlie Arehart)One of our ColdFusion 8 boxes is required to be PCI compliant, and the company who do our scans have suddenly decided that JRun 4 has a vuln from back in the day, which means the test now fails. Details of the vuln here. What's stupid is it only lists ColdFusion 6 as affected, but as CF8 still uses JRun 4 they've decided it now fails too.
Has never been a problem before, and is a right pain to be honest. But isn't that just PCI scans all over...
-
3. Re: MPSB05-13 Cumulative Security Updater broken link
Adam Cameron. Dec 20, 2011 3:04 AM (in response to Owain North)To be fair to them, that doc was written in 2004, so when it lists 6.0 and 6.1 as affected, they are listing all versions to that date that run on JRun (so like not CF5 or before, because they were discrete apps). I would take from that - all things being equal - that the situation exists in all subsequent versions of CF, unless they are patched. Bear in mind that JRun hasn't seen significant revision since Adam was a boy. And trust me, that was a long time ago.
In better news, according to here: http://www.adobe.com/products/jrun/, the latest / last JRun updater includes all previous patches, so you should be fine if you install that. And that one is still available.
We did all this PCI compliance shenanigans recently, and I'll be having a beer with our techo bloke tonight. I'll ask if our PCI auditors raised anything like this, and what we needed to do. That said, around the same time we finally got around to upgrading from CF8 to CF9 (yay!), and perhaps that was not a coincidence..?
--
Adam
-
4. Re: MPSB05-13 Cumulative Security Updater broken link
Owain North Dec 20, 2011 3:49 AM (in response to Adam Cameron.)Hmm, okay that looks promising - will give that a try. To be honest, the PCI compliance is a complete sack of steaming pointlessness anyway. Insist you update OpenSSL to a version newer than that available via Yum, yet just take your word that you're not storing CV2 digits in plain text and emailing them to l33t h4x0rs.
Cheers for that Ad. Except I now have to actually do something about it.
Maybe.
-
5. Re: MPSB05-13 Cumulative Security Updater broken link
Owain North Dec 20, 2011 3:49 AM (in response to Owain North)Amusingly it seems I can award myself a Helpful Answer, so I have done.
-
6. Re: MPSB05-13 Cumulative Security Updater broken link
Adam Cameron. Dec 20, 2011 4:00 AM (in response to Owain North)To be honest, the PCI compliance is a complete sack of steaming pointlessness anyway.
It certainly is. Just like most other sorts of accreditation. Still: if a person can't make a living doing SEO, they're perhaps able to do PCI auditing instead ;-)
--
Adam
-
7. Re: MPSB05-13 Cumulative Security Updater broken link
Owain North Dec 20, 2011 4:04 AM (in response to Adam Cameron.)Now that is very much true.