About the security content of Xsan 2.2

This document describes the security content of Xsan 2.2.

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To find out more about other Security Updates, see "Apple Security Updates".

Xsan 2.2

  • Xsan

    CVE-ID: CVE-2009-2201

    Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 or later, Mac OS X Server v10.6 or later

    Impact: When screen sharing via the Xsan Admin application, another person viewing the display may see the user’s name and password

    Description: Screen sharing via the Xsan Admin application could present an error dialogue containing the user’s name and password. A person who can view the user’s display could see the user’s credentials in cleartext. The issue is addressed by not embedding credentials in the connection URL. This issue only affects Xsan Admin, and not Xsan Filesystem. Credit to Ben Greisler of Kadimac Corp Macintosh Integrators for reporting this issue.
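The fix described above, keeping credentials out of the connection URL, shown as an added example (not Apple's code or taken from Xsan Admin) with the pattern before and after, plus a redaction step for any URL that reaches an error message. The `vnc://` scheme, host names, port and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import quote, urlsplit, urlunsplit


@dataclass(frozen=True)
class Target:
    host: str          # constructed sample hosts are used in the demo below
    port: int = 5900   # assumed screen-sharing port, for illustration only


def vulnerable_url(t: Target, user: str, password: str) -> str:
    """'Before' pattern: credentials are embedded in the URL, so any dialog
    or log line that shows the URL also shows the user name and password."""
    return f"vnc://{quote(user, safe='')}:{quote(password, safe='')}@{t.host}:{t.port}"


def hardened_request(t: Target, user: str, password: str):
    """'After' pattern: the URL names only the endpoint; credentials are passed
    out of band (hypothetical dict) and never become part of a displayable string."""
    return f"vnc://{t.host}:{t.port}", {"user": user, "password": password}


def redact_userinfo(url: str) -> str:
    """Strip any user[:password]@ component before a URL is displayed or logged.
    rpartition() splits on the LAST '@', so an unescaped '@' in a password
    cannot leave part of the secret behind."""
    parts = urlsplit(url)
    hostport = parts.netloc.rpartition("@")[2]
    return urlunsplit(parts._replace(netloc=hostport))


def error_text(url: str, reason: str) -> str:
    """Build user-visible error text; the URL is always redacted first."""
    return f"Could not connect to {redact_userinfo(url)}: {reason}"


if __name__ == "__main__":
    t = Target("san1.example.com")                 # constructed sample host
    bad = vulnerable_url(t, "admin", "s3cr@t")     # constructed credentials
    print("embedded :", bad)
    print("dialog   :", error_text(bad, "timed out"))
    print("hardened :", hardened_request(t, "admin", "s3cr@t")[0])
```
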

Published Date: