
MPSB05-13 Cumulative Security Updater broken link

Guide, Dec 16, 2011

I need to find the following hotfix for JRun in CF8:

MPSB05-13 Cumulative Security Updater for JRun 4.0 server

but the link doesn't work any more. Does anyone have an updated link?


http://www.adobe.com/devnet/security/security_zone/mpsb05-13.html

Community Expert, Dec 18, 2011

Are you sure you need the hotfix for CF? Often when a hotfix exists for JRun, it is referring to the standalone edition of JRun, and not the Multiserver form of deployment (which of course runs atop a deployment of JRun). I don’t know about this particular fix. The fact that the link can’t be found (even via a search on the Adobe site) suggests it may not be needed. I see that it’s from 2005 (on http://www.adobe.com/support/security/.) What’s making you “need” it?

/charlie


/Charlie (troubleshooter, carehart.org)
Guide, Dec 18, 2011

One of our ColdFusion 8 boxes is required to be PCI compliant, and the company who do our scans have suddenly decided that JRun 4 has a vuln from back in the day, which means the test now fails. Details of the vuln here. What's stupid is it only lists ColdFusion 6 as affected, but as CF8 still uses JRun 4 they've decided it now fails too.

Has never been a problem before, and is a right pain to be honest. But isn't that just PCI scans all over...

LEGEND, Dec 20, 2011

To be fair to them, that doc was written in 2004, so when it lists 6.0 and 6.1 as affected, they are listing all versions to that date that run on JRun (so like not CF5 or before, because they were discrete apps).  I would take from that - all things being equal - that the situation exists in all subsequent versions of CF, unless they are patched.  Bear in mind that JRun hasn't seen significant revision since Adam was a boy.  And trust me, that was a long time ago.

In better news, according to here: http://www.adobe.com/products/jrun/, the latest / last JRun updater includes all previous patches, so you should be fine if you install that.  And that one is still available.

We did all this PCI compliance shenanigans recently, and I'll be having a beer with our techo bloke tonight.  I'll ask if our PCI auditors raised anything like this, and what we needed to do.  That said, around the same time we finally got around to upgrading from CF8 to CF9 (yay!), and perhaps that was not a coincidence..?

--

Adam

Guide, Dec 20, 2011

Hmm, okay that looks promising - will give that a try. To be honest, the PCI compliance is a complete sack of steaming pointlessness anyway. Insist you update OpenSSL to a version newer than that available via Yum, yet just take your word that you're not storing CV2 digits in plain text and emailing them to l33t h4x0rs.

Cheers for that Ad. Except I now have to actually do something about it.

Maybe.

Guide, Dec 20, 2011

Amusingly it seems I can award myself a Helpful Answer, so I have done.

LEGEND, Dec 20, 2011

> To be honest, the PCI compliance is a complete sack of steaming pointlessness anyway.

It certainly is.  Just like most other sorts of accreditation.  Still: if a person can't make a living doing SEO, they're perhaps able to do PCI auditing instead 😉

--

Adam

Guide, Dec 20, 2011

Now that is very much true.
