Apple Computer Inc. Information for VU#298233
Samba contains buffer overflow in SMB/CIFS packet fragment reassembly code
- Vendor Information Help Date Notified:
- Statement Date:
- Date Updated: 25 Mar 2003
-----BEGIN PGP SIGNED MESSAGE-----
APPLE-SA-2003-03-24 Samba, OpenSSL
Security Update 2003-03-24 is now available. It contains fixes for
recent vulnerabilities in:
* OpenSSL: Fixes CAN-2003-0147, a timing attack on RSA keys.
* Samba: Fixes CAN-2003-0085 and CAN-2003-0086 which could allow
unauthorized remote access to the host system. The built-in Windows
file sharing in Mac OS X is based on Samba. Windows file sharing is
off by default in Mac OS X, but it is recommended that all users
install this Security Update.
Note: This update only applies the security fixes to the
currently-shipping 2.2.3 version of Samba on Mac OS X 10.2.4, and the
Samba version is otherwise unchanged. The presence of the following
file indicates that the update has been applied:
Affected systems: Mac OS X 10.2.4 and earlier
Mac OS X Server 10.2.4 and earlier
System requirements: Mac OS X 10.2.4 or Mac OS X Server 10.2.4
Customers with earlier Mac OS X versions are encouraged to either
upgrade to Mac OS X 10.2.4, or visit the Samba and OpenSSL web sites
for information on the available fixes.
Security Update 2003-03-24 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
To help verify the integrity of Security Update 2003-03-24 from the
Software Downloads web site:
The download file is titled: SecurityUpd2003-03-24.dmg
Its SHA-1 digest is: 0a80081453bca85493fcbaccd6adad222b41809e
Information will also be posted to the Apple Product Security web site:
This message is signed with Apple's Product Security PGP key, and
details are available at:
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
-----END PGP SIGNATURE-----
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.