If you find a better source I'd love to know...
The code represented in 10.6.3 doesn't seem to have yet addressed CVE-2009-1888.
The email@hidden archives their security update announcement. One very good thing that Apple has done is include the CVEs in their list of corrected issues.
Searching the security-announce list archive, other @lists.apple.com lists, and the Apple support site(s) yields no matches on the subject CVE.
The Samba security section, which has a convenient display of applicable CVEs, indicates Samba 3.0.34, 3.2.12, and 3.3.5 and newer have addressed that CVE.
Since we know Apple publishes a lot of the code it uses outside of the secret Apple "sauce", one can also check opensource.apple.com and the Samba tree. They gather the patches in a dedicated directory. None cover the CVE or seem (I didn't exhaustively check) to address the problem. 10.6.3 hasn't yet been posted, so my check only covered 10.6.2.
All this for a two-line patch (in 3.0.34).
--
-----------------------------------------------------------------
NASA GSFC Chief Information Security Officer, and IT Security Manager
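The triage the reply walks through (compare the banner against the fixed upstream releases per branch, then treat a vendor build below that as unproven until the vendor's patch set mentions the CVE) as an added example in Python; it is not code from either poster. The fixed versions are the ones the reply quotes from the Samba security page, the banner format is the "smbd -V" output from the question, and the patch set passed in is a constructed sample.

```python
import re

# CVE from the question; minimum fixed upstream release per branch, as the
# reply quotes from the Samba security page ("and newer" also covers later branches).
CVE = "CVE-2009-1888"
FIXED = {(3, 0): (3, 0, 34), (3, 2): (3, 2, 12), (3, 3): (3, 3, 5)}

# Matches e.g. "Version 3.0.25B-apple" or "Version 3.0.34" as printed by smbd -V.
BANNER_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)([A-Za-z]*)(?:-(\S+))?")


def parse_banner(banner):
    """Return (version tuple, letter suffix, vendor tag or None) from smbd -V output."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised smbd -V output: %r" % banner)
    version = tuple(int(x) for x in m.group(1, 2, 3))
    return version, m.group(4), m.group(5)


def triage(banner, patches=None):
    """Classify a version-only scanner finding for CVE.

    patches: mapping of vendor patch file name -> patch text (the dedicated
    patch directory the reply describes), searched for the CVE id.
    """
    version, _letter, vendor = parse_banner(banner)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch newer than anything listed is covered by "and newer".
        return "fixed-upstream" if version[:2] > max(FIXED) else "unknown-branch"
    if version >= fixed:
        return "fixed-upstream"
    if vendor is None:
        return "vulnerable"  # stock samba.org build below the fixed release
    # Vendor build below the upstream fix: the banner alone proves nothing either
    # way, so look for the CVE id in the vendor's published patch names/contents.
    for name, text in (patches or {}).items():
        if CVE.lower() in (name + "\n" + text).lower():
            return "vendor-backport-found"
    return "inconclusive-vendor-build"


if __name__ == "__main__":
    # Constructed sample: the banner from the question and a made-up patch set.
    sample_patches = {"acl-bypass.diff": "Fixes " + CVE + " (constructed sample)"}
    print(triage("Version 3.0.25B-apple"))                 # inconclusive-vendor-build
    print(triage("Version 3.0.25B-apple", sample_patches))  # vendor-backport-found
```

An "inconclusive-vendor-build" result is exactly the case in the question: the scanner's version match is neither confirmed nor refuted, and the vendor's advisory or patch set has to decide it.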
On Apr 1, 2010, at 11:28 AM, David Downin wrote:
Does anyone know if there is somewhere that I can find out if a particular CVE applies to Macs?
Basically, our site (NSWCCD) as well as the folks at NCDOC have been scanning our network for vulnerabilities using the Retina Network Security Scanner by eEye. I personally have been using it as well to scan the macs in our group and remediate them.
I’ve noticed a lot of times that Retina will report a vulnerability simply because of the version of something. One example:
Audit ID: 8151
Samba Daemon DOS Filemode Override ACL Bypass
CVE-2009-1888
This is reported on a machine running 10.6.3 (client) simply because Retina is running “smbd –V” and is getting “3.0.25B-apple”. Retina does note that the audit is for versions of Samba obtained from samba.org and may be a false finding on vendor-specific backports. So, is there any way for me to verify whether this is indeed a false positive or not?
I have managed to get rid of the Retina warning temporarily by changing the version number that is reported – but for some reason that I have yet to discover, it eventually reverts back to the original version (it’s not because of a software update). Below is what I am doing to change the reported version.
#!/bin/bash
# Suffix for the backup copy perl -pi writes (e.g. smbd.1270135683); TIME was unset in the original
TIME=$(date +%s)
# Overwrite the version string inside the binary (same length, so offsets are unchanged)
sudo perl -pi.$TIME -e "s/3\.0\.28/4\.0\.28/" /usr/sbin/smbd
_______________________________________________________
Dave Downin
NSWC Carderock
Facility Engineering and Operations Department / Code 5104
9500 MacArthur Blvd.
West Bethesda, MD 20817-5000
(301) 227-4873 / Work
(301) 247-3520 / Cell
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden