Bugtraq mailing list archives

New Cold Fusion vulnerability


From: "Jean-Francois Prieur" <jfp51 () ebeing com>
Date: Thu, 12 Jul 2001 04:39:29 -0400

Hello,

Like others I have seen the security advisory concerning Cold Fusion 
versions 2 to 4.5.1 SP2. What concerns me, and, evidently, others on 
the cold fusion boards, is the lack of details about this vulnerability.

Usually, you would see a serious vulnerability like this being 
discussed on some mailing lists a few hours before a bulletin being 
issued, yet in this case, nothing.

Maybe we are just paranoid, but since Allaire/Macromedia just released 
version 5 which is not vulnerable, is this just a ploy to get people to 
upgrade? This and the fact that there is a 3-8% performance degradation 
when you install the patch makes me want to know more about this. Also, 
if you are using NT4 and IIS, the patch breaks your server if you don't 
install MSVCRT 6.0 runtime files beforehand, so be careful.

Anyone have any further info?

Thanks,
JF Prieur


