Archived - About the security content of Xsan 2.2
This document describes the security content of Xsan 2.2.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 or later, Mac OS X Server v10.6 or later
Impact: When screen sharing via the Xsan Admin application, another person viewing the display may see the user's name and password
Description: Screensharing via the Xsan Admin application could present an error dialog containing the user's name and password. A person who can view the user's display could see the user's credentials in cleartext. The issue is addressed by not embedding credentials in the connection URL. This issue affects only Xsan Admin, and not Xsan Filesystem. Credit to Ben Greisler of Kadimac Corp Macintosh Integrators for reporting this issue.