Does ColdFusion : Security Bulletin APSB10-11 apply to MX 7.0.2

Similar Messages

• Subscribe to only coldfusion security bulletins

  How can I subscribe to *ONLY* coldfusion security bulletins.  Preferably CF9 only.
  thanks,
  jbee

  Is Microsoft is still releasing security bulletins for pre-SP1 Windows Server 2008 R2?  My guess is no.  The "service pack support end date" is listed as 4/9/2013.
  Which is exactly what that date means. No more updates for the previous SP level(s) of the product; no more
  support for systems running the previous SP level(s) of the product.
  But the admin thinks pre-SP1 is still eligible for security bulletins until the end of its Extended Support
  The 'admin' is incorrect, and this behavior is no different than it has been since the updates for Windows Server 2003 Service Pack 1 were cut off in April 2007. Following the cutoff date, updates are explicitly coded to ignore older SP level(s) of the product.
  This should be very easy to prove to your 'admin'. Show your 'admin' a WS2008R2 *RTM* machine in the WSUS console with one of those current updates released after April 2013 and observe very closely the
  Not Applicable status that is reported, and have the 'admin' contemplate why that is. Or, if no WSUS, just scan WU and try to find anything released after April 2013 in the list of available updates (assuming there are actually
  any available updates at all).
  Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
  SolarWinds Head Geek
  Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
  My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
  http://www.solarwinds.com/gotmicrosoft
  The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

• Security Hotfix APSB10-18 for MX7 ?

  I just read about the the APSB10-18 Vulnerability (http://www.adobe.com/support/security/bulletins/apsb10-18.html).
  Since it says it is "... identified in ColdFusion 9.0.1 and earlier versions for Windows..." does that mean version 7 has this vulerability as well?
  If so, is there a patch for MX7 or do I need to upgrade?
  If I need to upgrade, which would be the better choice - 8 or 9?
  Many thanks in advance,
  Richard

  Welll, to answer my own question, after some testing, this is all that is needed to re-enable the validation functionality.
  C:\Inetpub\wwwroot\CFIDE\scripts
  My concern however is whether deleting all other CFIDE subfolders will take care of this problem, or does the exploit sonehow access other core functionality of Coldfusion.
  I'm scared.

• Does coldfusion 8 support the implementation of WS-Security ?

  Does coldfusion support the implementation of WS-Security? We are  running Coldfusion 8 Enterprise Edition .We are trying to consume a web  service that is written in java on an IBM web sphere server. Can  coldfusion 8 consume this web service and pass in the required  WS-Security elements?
  Requirement : To consume a Webservice developed in java from coldfusion using WS-Secuirty mode .
  Environment used : Windows 2003, IIS 6, Coldfusion 8, SQl server  2005
  While trying to consume a public webservice through coldfusion , We received unable to read WSDL file and Unknown host exception error.
  Hence,  we are using <cfhttp to consume webservices.
  Can  you please advise how we can consume webservice using WS-Secuirty  (SHA-1)?

  swoodrich wrote:
  > Does coldfusion support the implementation of
  WS-Security? I am running
  > Coldfusion 8 Enterprise Edition as a stand alone server.
  I am trying to
  > consume a web service that is written in java on an IBM
  web sphere server. Can
  > coldfusion consume this web service and pass in the
  required WS-Security
  > elements?
  >
  > Also, is the reverse achievable... Can I create a web
  service that implements
  > WS-Security on a coldfusion server?
  As far as I know CF cannot consume or produce WS-Security.
  I've consumed
  a .net security enabled web service using raw XML. I think
  it's much
  harder to produce ws-security in CF (you're still going to do
  it raw
  just that it's harder).
  Mack

• HT6041 does anyone have information re: motion 5.1 ? the latest security bulletin describes the need for it but neither  " software update: or the "app store"  seems to have it.

  I have read and re read this security bulletin and I have checked software update and the " app store" and there is no mention of "motion" or "motion 5.1"

  FWIW, here is the Apple troubleshooting note for Motion updates that aren't being offered, and the Apple best practices for Motion and related.   Here are the Mac App Store troubleshooting tips.

• Security Bulletin for SharePoint 2013??

  Microsoft released the SharePoint 2013 version 5 Security bulletins.....in our enviorment do we need to apply all old bulletin or patching latest one will affect it.
  MS14-001  (Latest One) - 1/14/2014
  MS13-100 
  MS13-084
  MS13-067
  MS13-030  (4/9/2013)
   

  The bulletins will notate if they've superseded any patches. If not, you'll want to apply each one.
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Web service error: WS Security can only be applied on a SOAP document

  Hello,
  I am facing the problem that when calling a web service I got this error message:
  005056B855B2002A0000013B000032C70005105EF7348C38 : WS Security can only be applied on a SOAP document.
  Some information about the webservice:
  Transport Binding: HTTP SOAP with Attachments
  Authentication: Basic
  Netweaver version: 7.01.06
  The webservice is based on EJB. Basically I want to add two operations in the webservice: one to accept attachment as input. the other one returns a file as attachment.
  Does anyone knows why this happens and how to resolve it? Thanks in advance!
  Regards,
  Grant

  Grant,
  Please refer this SNote, it may help you...
  1319507 - Overview: Analysis of ABAP Web Service
  Configuration
  Warm Regards,
  Agustuss

• Does Crypto call admission control only apply to dynamic SAs?

  Hi,
  In my DMVPN phase 2 implementation, I have implemented crypto call admission control for IKE SAs on my spokes. This limit is set to 20 which is enough for my network.
  I have three hubs per region and site-to-site connectivity is only enabled on one of these routers.(hub 3). hub 1 & 2 only provide connectivity to other resources outside the DMVPN.
  If the IKE SA limit is reached on a spoke and there are other IKE requests which are being rejected - and let's say my hub1 goes down or the spoke just loses the tunnel.
  Before the tunnels to the hub1 is recovered, the spoke accepts the IKE requests which it was previously rejecting and again the IKE SA limit is reached. Now the hub1 are back on line – it will not be able to establish a tunnel ,right?
  If over a period of time the same thing happens with my hub2 then my spoke gets a bit isolated, right?
  The hubs have static IKE policy (unique PSKs) while the site-to-site tunnels are dynamic.
  In other words, does the crypto call admission limit apply only to dynamic crypto sessions or to all crypto sessions?
  I think the former. In that case, can a priority be configured for the static IKE SAs over the dynamic ones?
  Kind regards
  Nasir

  Nasir,
  There should not be a differentiator for CAC between static and dynamic. It counts overall IKE and IKE in-negotiations SAs. IKE doesn't necessarily need to know whether session is static or dynamic...
  http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c3.html#GUID-84CA3908-A3C5-43E5-B8B5-0DED44EAEEC4
  You're right this is midleading, I'm going to get in touch with documentation team to make this a bit more explicit.
  M.

• Parsing Microsoft Security Bulletin Web Pages

  I have been tasked with determining which bulletings are pertintent starting in 2013 to the present.  I am placing a link to the bulletin and other information on a spreadsheet.  I have a reference to the Internet Controls in my project.
  I need to determine which operating systems for each bulletin.
  I have been able to parse the security bulletins page by year (https://technet.microsoft.com/en-us/library/security/dn631924.aspx) to get the next level of the bulletin
  (https://technet.microsoft.com/library/security/ms13-106).
  My problem has come in parsing the affected software table.  Not all the bulletins have the same formatting from year to year or even within the same year. 
  I have been useing the DOM explorer in IE to help me find all the parts, but I have found many of the tags (table name) are empty so I am having to check each and every line and element to find the information I am looking for.
  My code is ending up with a number of if/elseif type of checks and is getting very complicated.  Does anyone have a solution for this already or am I missing something?
  Thanks in advance.

  Hi Shu Hu,
  I am able to parse the table and find all the tr tags.
  The problem I am having is the different layouts used on the web pages.
  The pages for the security bulletin's for 2013 (https://technet.microsoft.com/en-us/library/security/ms13-106.aspx)
  are a different format from the bulletin's for 2014 (https://technet.microsoft.com/library/security/ms14-085).
  Initally I thought I could find just tables but the table I am looking to parse is not the same index from page to page.  I thought I could use the table name attribute but that was not populated.  I started looking at each elelement on the HTML
  page until I found the text "Affected Software." Once I found the tag in the innerText field I looked for the next table to process the rows.
  I was hoping that the formatting would be the same from year to year but it is not so I was looking to see if there was a solution already but it does not look that way.
  I will take a closer look at the article you provided to see if that will help.

• Microsoft Security Bulletin Advance Notificati​on for April 2011

  Wow! Microsoft's April Patch is planning 17 Bulletins to Fix 64 Bugs. As always it includes some security updates.
  https://www.microsoft.com/technet/security/bulleti​n/ms11-apr.mspx
  ThinkPad: T530 / X1 Gen 2 / Helix - Yoga: Tablet 2 Pro (Win) / Yoga 3 Pro
  If you find a post helpful and it answers your question, please click the "Accept As Solution" button.
  Lenovo Advocate ~ I am not employed by Lenovo or Microsoft. I am a volunteer.
  Microsoft MVP - Consumer Security
  SpywareHammer

  Hi Shu Hu,
  I am able to parse the table and find all the tr tags.
  The problem I am having is the different layouts used on the web pages.
  The pages for the security bulletin's for 2013 (https://technet.microsoft.com/en-us/library/security/ms13-106.aspx)
  are a different format from the bulletin's for 2014 (https://technet.microsoft.com/library/security/ms14-085).
  Initally I thought I could find just tables but the table I am looking to parse is not the same index from page to page.  I thought I could use the table name attribute but that was not populated.  I started looking at each elelement on the HTML
  page until I found the text "Affected Software." Once I found the tag in the innerText field I looked for the next table to process the rows.
  I was hoping that the formatting would be the same from year to year but it is not so I was looking to see if there was a solution already but it does not look that way.
  I will take a closer look at the article you provided to see if that will help.

• Security Bulletins for a computer not having internet access

  Where do I download Adobe Security Bulletins from to install on a computer not having internet access?

  You cannot download anything on a computer that does not have Internet Access.
  You can view security bulletins on another computer with Internet Access: http://helpx.adobe.com/security.html
  If you need to download offline installers: http://get.adobe.com/reader/enterprise/

• Enabling ORM causes coldfusion.security.SecurityManager$UnauthenticatedCredentialsException

  I'm working on a Windows 2008 Enterprise server with ColdFusion 9 Standard datasourcing MySQL 5.1. When I enable ORM in my application.cfc I receive the following error:
  coldfusion.security.SecurityManager$UnauthenticatedCredentialsException
       at coldfusion.security.SecurityManager.authenticateAdmin(SecurityManager.java:1826)
       at coldfusion.featurerouter.handler.standard.StandardSecurityManager.authenticateAdmin(StandardSecurityManager.java:47)
       at coldfusion.sql.Executive.getDatasource(Executive.java:439)
       at coldfusion.orm.hibernate.HibernateConfiguration.initHibernateConfiguration(HibernateConfiguration.java:160)
       at coldfusion.orm.hibernate.HibernateConfiguration.<init>(HibernateConfiguration.java:141)
       at coldfusion.orm.hibernate.ConfigurationManager.initConfiguration(ConfigurationManager.java:69)
       at coldfusion.orm.hibernate.HibernateProvider.InitializeORMForApplication(HibernateProvider.java:182)
       at coldfusion.orm.hibernate.HibernateProvider.beforeApplicationStart(HibernateProvider.java:85)
       at coldfusion.filter.ApplicationFilter.fireBeforeAppStartEvent(ApplicationFilter.java:475)
       at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:221)
       at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
       at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
       at coldfusion.filter.PathFilter.invoke(PathFilter.java:87)
       at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
       at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
       at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
       at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
       at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
       at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
       at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:53)
       at coldfusion.CfmServlet.service(CfmServlet.java:200)
       at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
       at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
       at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
       at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
       at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
       at jrun.servlet.FilterChain.service(FilterChain.java:101)
       at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
       at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
       at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
       at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
       at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
       at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
       at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
       at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
       at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
  I have confirmed the following:
  CF 9 ORM does work on my development environment for this same application.
  This error only occurs when I enable ORM for the CF application on this server.
  I previously thought that the MySQL user for ColdFusion may not have valid permissions. However, giving that user all permissions still did not fix the error.
  ORM was working for this same application in the past. One conclusion may be an issue with the latest CF hotfix provided by Adobe (which I did install about a month ago). However, I can confirm that the application did work AFTER that install.
  Any suggestions on how to get ORM working would be much appreciated!

  The only way I could resolve this error was to reinstall ColdFusion. I've even updated CF9 with the latest hotfix and it's running fine. I'll wait and see how it goes.

• Adobe AIR 13 Runtime Security Bulletin for Windows or Mac

  According to 5/13/2014 - Release - AIR 13 Runtime and SDK, the update for Adobe AIR 13 on 5/13/2014 includes fixes and security updates "Security update details can be found here: Security Bulletin (APSB14-14)", we have two questions:
  1. Why the Adobe Air 13 runtime for Windows and Mac is not listed in the security bulletin APSB14-14, like APSB14-02?
  2. Was the version released before Adobe AIR 13.0.0.111 for Windows Adobe AIR 4.0.0.1390 or Adobe AIR 13.0.0.83?
  Thanks!
  -TeamOCD

  MacWorld did a comparative evaluation of the October 2008 MBA with 1.86 GHz processor and the Mid-2009 MBA with 2.13 GHz chip. Their conclusion was that that 1.86 CPU was actually FASTER than the 2.13 in most applications.
  http://www.macworld.com/article/141296/2009/06/macbookairmid09.html
  They speculated that the 2.13 chip was being throttled by Apple to control heat issues and that's why it tested SLOWER than the (supposedly) slower 1.86 part.
  Have to wait for testing of these new MBA units to know if the same thing occurs. But, for the Rev. B and C MBAs, the 1.86 part was actually faster in real world use!

• When you create your Game Center ID, it does a Security Question, for what reason? It never asks you it!

  When you create your Game Center ID, it does a security question, for what reason? It never asks you it!

  App store frequently asked questions
  http://support.apple.com/kb/HT2001
  http://support.apple.com/kb/HE37

• [Flex 4.5.1] How does Button's fontSize property gets applied to labelDisplay?

  How does Button's fontSize property gets applied to labelDisplay when lableDisplay's fontSize is not explicitly set. I just tested it it works but I don't know how. I looked through the ButtonBase class but I don't see any code applying the fontSize to the labelDisplay nor I see code in the Label to get parent's fontSize property if not set. Could someone explain to me how this works? I would be very grateful! Thanks !

  Ok I found it, thanks for the heads up. I pretty much get the idea of how things work now
  Could you please take a look at one more probably very simple to you question. I had to customize a button to be able to have 2 lables in it with different fontSize and topPadding in this case. I kinda copied some of the code from ButtonBase + added the styles and some code I needed to make it work.
  Here it is:
  package
      import flash.events.Event;
      import spark.components.Button;
      import spark.components.Label;
      [Style(name="numberFontSize", type="Number", format="Length", inherit="yes", minValue="1.0", maxValue="720.0")]
      [Style(name="numberPaddingTop", type="Number", format="Length", inherit="no", minValue="0.0", maxValue="1000.0")]
      public class DialPadButton extends Button
          public function DialPadButton()
              super();
          private var _numberContent:*;
          [SkinPart(required="false")]
          public var numberLabelDisplay:Label;
          [Bindable("numberContentChange")]
          public function get numberContent():Object
              return _numberContent;
          public function set numberContent(value:Object):void
              _numberContent = value;
              if (numberLabelDisplay)
                  numberLabelDisplay.text = label;
              dispatchEvent(new Event("numberContentChange"));
          public function set numberLabel(value:String):void
              numberContent = value;
          public function get numberLabel():String         
              return (numberContent != null) ? numberContent.toString() : "";
          override protected function partAdded(partName:String, instance:Object):void
              super.partAdded(partName, instance);
              if (instance == numberLabelDisplay)
                  if (_numberContent !== undefined)
                      numberLabelDisplay.text = numberLabel;
                  if(getStyle("numberFontSize"))
                      numberLabelDisplay.setStyle("fontSize", getStyle("numberFontSize"));
                  if(getStyle("numberPaddingTop") || getStyle("numberPaddingTop") == 0)
                      numberLabelDisplay.setStyle("paddingTop", getStyle("numberPaddingTop"));
          override public function styleChanged(styleProp:String):void
              if (!styleProp ||
                  styleProp == "styleName" ||
                  styleProp == "numberFontSize" ||
                  styleProp == "numberPaddingTop")
                  if (numberLabelDisplay){
                      if(getStyle("numberFontSize"))
                          numberLabelDisplay.setStyle("fontSize", getStyle("numberFontSize"));
                      if(getStyle("numberPaddingTop"))
                          numberLabelDisplay.setStyle("paddingTop", getStyle("numberPaddingTop"));
              super.styleChanged(styleProp);
  So here are the questions:
  1) If I am not going to use the styles in css then maybe I should better declare them as variables ?
  2) I don't really understand how does the button gets updated and redrawn when I set Styles or properties like that cause there is nowhere a call to invalidate the display list (at least I couldn't find in the Button and ButtonBase classes) as I read in the Flex docs: Overriding the styleChanged() method
  UPDATE: I forgot that setStyle calls invalidateDisplayList... and I just figured out that when the lable sets the text on the TextBase it calls the invalidates. I answered this one myself
  3) I don't understand why do I have this code (copied from the buttonBase):
  if (!styleProp ||
      styleProp == "styleName" ||
      styleProp == "numberFontSize" ||
      styleProp == "numberPaddingTop")
  instead of just the code below:
  if (styleProp == "numberFontSize" ||
     styleProp == "numberPaddingTop")
  5) I am also not sure why I had to use content and label (again copied from the ButtonBase) when they are basicly the same thing
  Currently with this Custom Component I've made, I am able to put 2 lables in the skin. One is the default. And the other one takes the default values I put on the label itself + uses the two styles numberFontSize and numberTopPadding to change that default values in case they need to be altered.
  Although this works, I am not sure if I did it the best way or why does it work as you can say from my 5 questions
  I hope you or someone who understands this have the time to answer them for me and anyone who reads this Thanks
  Message was edited by: FM_Flame