site_archiver@lists.apple.com Delivered-To: security-announce@lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2007-05-31 Xserve Lights-Out Management Firmware Update 1.0 Xserve Lights-Out Management Firmware Update 1.0 is now available. Along with functionality improvements (see release notes), it also addresses the following security issue: Xserve Lights-Out Management Firmware CVE-ID: CVE-2007-2387 Available for: Intel-based Xserve systems Impact: A remote user may be able to gain admin privileges on an Xserve system with IPMI configured in a particular manner Description: A security vulnerability in Apple's implementation of IPMI may allow an unprivileged ipmitool user to gain administrative privileges on an Xserve system. This update addresses the issue by requiring a password for remote usage of IPMI. This issue only affects Intel-based Xserve systems. Credit to James Wilson of LithiumCorp for reporting this issue. Xserve Lights-Out Management Firmware Update 1.0 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The download file is named: "LOMUpdate.dmg" Its SHA-1 digest is: ee757ce005e627872535eb2a707785f556d636a7 Information will also be posted to the Apple Product Security web site: http://docs.info.apple.com/article.html?artnum=61798 This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQEVAwUBRl8ZqsgAoqu4Rp5tAQj7ggf+Pr7tvWBYrWonkrtg3TVnBblw8Fn+ESZb ZUPbnrazCarkVFjOBuk792YC6Rj8CmSvtyZdQ3QZiQDUucbeXYHjeb2z22pEhDLH Zg02Ut9FKIRgGz8QKBvqDkbr5QS+qWZutuHN7AcjcceACaXcJoAOXNOS9wNpdrLZ gNg+AsMc274CJB6eUZBhp28MwwmKl9oQEr4shYaJ8t81jGG8yXm/UitYDfyakyOq ZJPhMW6SmN8RtN/vYatX0fKrNzVuPgh811ngbEoGuVgSulQZ3sifzvhJoN8iF1Yi 3Lszn1EdY5MnnMJVeyA0f3IfTN8AmXW3/17gjcFAv1l8UJwjo51U0g== =pJ+A -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40lis... This email sent to site_archiver@lists.apple.com