~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ IMPORTANT: Several security issues that may affect Macromedia JRun customers have come to our attention recently. To learn about these new issues and what actions you can take to address them, Please visit the Security Zone at the Macromedia/Allaire Web site: http://www.allaire.com/security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Dear Macromedia customer, This week we posted the following new Macromedia SECURITY BULLETINS: * MBSB01-13: Workaround Addresses IIS 4/5 Web Server Root Directory Browse Access * MPSB01-14: Patch Available for Serving JSP Pages out of the WEB-INF and META-INF Directories. * MBSB01-15: Patch Available for revealing Source Code when Accessing a JSP as myjsp%00 or myjs%2570 via the JWS or IIS * MPSB01-16: Patch Available for Retrieval of File Content with an HTTP GET under Certain Conditions * MPSB01-17: Patch Available for File System Traversal Issue with JRun Web Server on Windows platforms * MPSB01-18: Patch Available for Unnecessary Appending of jsessionid in URL (URL Rewriting) We have also updated the following existing Macromedia SECURITY BULLETINS: * MPSB01-09: JRun 3.1, JRun 3.0 ::$DATA Vulnerability (a.k.a. JSP view source vulnerability) * MPSB01-10: Patch Available for Duplicate Session IDs Issue Please note: One patch applies to all of the above security bulletins. When you download the patch from one bulletin, it will contain fixes for the issues in all of the above listed bulletins. As a Web application platform vendor, one of our highest concerns is the security of the systems our customers deploy. We understand how important security is to our customers, and we're committed to providing the technology and information customers need to build secure Web applications. ~~~~~~~ Thank you for your time and consideration on this issue. Security Response Team, Macromedia, Inc. ~~~~ P.S. As a reminder, Macromedia has set up the following e-mail address that customers can use to report security issues associated with any Macromedia product: [mailto:secure@allaire.com] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY MACROMEDIA IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE, OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.
