Adobe eliminates vulnerabilities in several products
Adobe has released updates to close holes in several of its products. These include a flaw in ColdFusion through which users with restricted privileges could execute code with system rights. Adobe says the problem is caused by several "input validation errors", most likely resulting in buffer overflows, in a third-party client for the Verity Library that ships with the software. ColdFusion MX 7, ColdFusion MX 7.0.1 and ColdFusion MX 7.0.2 on Windows, Linux and Solaris are all affected. As an alternative to the patch, Adobe recommends simply deactivating the library.
Another update removes a vulnerability in Breeze 5.0 Licensed Server and Breeze 5.1 Licensed Server through which users could read arbitrary files on drives where Breeze is installed. Finally, a patch for the Contribute Publishing Server ensures that the administrator password no longer appears in the logs during installation and hence cannot be read from them.
- Patch available for ColdFusion MX 7 local privilege escalation, advisory from Adobe
- Patch available for Breeze 5 Licensed Server Information Disclosure, advisory from Adobe
- Workaround available for Contribute Publishing Server local information disclosure, advisory from Adobe