Apple Security Update Posted

patpro writes "Apple has just released a security update for Mac OS X. It includes Apache 1.3.23, OpenSSH 3.1p1, PHP 4.1.2, rsync 2.5.2, and sudo 1.6.5p2 (among other things). For the moment it's available only via the Software Update pane in System Preferences, but it should be available later at the Apple Downloads Page."

/me is still wating for 10.2

[Niksie3]

I miss my folder popping open... it really rocked. especially when draggin' and droppin' oh well... macosX kicks macos9's butt in all other areas (especially running *nix apps ;-) ).

Re:/me is still wating for 10.2

[Matty_]

I read on a rumor site that spring-loaded folders (or whatever they're called) will be appearing in the next major release of OS X (10.2 ??), which is supposed to be out this Summer.

In other news...

I got home from the bar and at a bunch of that imitation crab meat stuff. Now my ass is a fucking stewing mess of frothy shit. I need to poop, but I just can't. The gas is killing me. Burping, farting, etc....it fucking reeks, my ass does. Stay from that shit.

Just as I predicted

[PhysicsGenius]

As I've shown in previous posts, simple entropy considerations indicate the insecurity of MacOS in general and OSX in particular.

Another argument can be made on the basis chaos theory. Given two incompatible OS infrastructures plus numerous access methods into them (GUI, command line, etc) show that the incidence of failure cannot be smaller than 80%. This is an elementary problem in the mathematical world, which is why the mathematical world shuns Apple for an OS that can deliver the goods, like NT.

Re:Just as I predicted

"simple entropy considerations" of what exactly? the musings of your so-called mind???

Re:Just as I predicted

warning to anyone who attempts to set this guy straight - he's a flat out troll who attempts to claim a connection between entropy and computer security, and falsely claims that macs have an 80% chance of being hacked into. truth of the matter is that all computers have a 100% chance of getting hacked into when connected to a network, independent of the OS and what servers it's running.

He attempts this on EVERY apple sectioned story. (the "genius" also needs a new topic to troll about, this one's gotten redundant)

Re:Just as I predicted

[ahknight]

all computers have a 100% chance of getting hacked into when connected to a network,

Ok, sure. I'll connect a Mac OS 9 box to the net and let's see if you can get in. =)

Re:Just as I predicted

[paradesign]

Hey! another crappy post from everyones favorite genius! Have you considered that if you ran OSX + Mathematica 4.1 you could come up with a bit more accurate results? Oh what what did you say, your results arent based off of numbers? That would make sense because you probably cant even use a calculator. Too much entropy from typing the keys, nano hackers could slip through the cracks and steal your data!

Re:Just as I predicted

9 was a very secure os believe it or not.

Re:Just as I predicted

Sure you can get it... it will just take a bit longer since you can't go to scriptkiddies.com and download some script to break into your system.

Fast, but not Red Hat Fast

[White+Roses]

I like Apple's Software Update, and it certainly makes keeping abreast of security patches easy. But I'd like Apple to take a look at Red Hat's up2date. It runs with a lot less interaction (mine runs in a cron job every night - a list of installed packages is waiting for me in the moring), and is a lot more flexible (I can pick and choose what type of updates to install). OTOH, Apple's Software Update doesn't require an account, as up2date does. But Software Update doesn't seem to be able to install without interaction with me. Of course, I've only been working with it for 5 days now (seems like longer, because it's pretty darn easy to use, one begins to feel like an expert very quickly).

Other than that, these same updates were available from Red Hat between 2 and 4 weeks ago depending on the package. Apple could be a little faster on the uptake, especially with security patches.

This is constructive criticism, and nothing more.

Re:Fast, but not Red Hat Fast

[Dephex+Twin]

It runs with a lot less interaction (mine runs in a cron job every night - a list of installed packages is waiting for me in the moring)

I think a majority of OS X users like, or at least don't mind, the interaction. I don't want the software update to download or install packages without asking. Even if Apple did want to make this an option, why would they move to this third-party update product, instead of just adding a checkbox "Download and install updates automatically" to the existing app?

and is a lot more flexible (I can pick and choose what type of updates to install).

I'm not sure here what is different about what they have in OS X now. One can both pick, as well as choose, the updates one wishes to install. One can also disable a package that is not needed so that the updater doesn't ask about it again.

mark

Re:Fast, but not Red Hat Fast

[White+Roses]

Agreed about making the option available. That, in fact, was my gripe, really: at this point the option isn't available. Not so much that they should move to a third-party option, just that they might take a look at the third-party's mothodology and emulate it a little. Which would be quite a change for Apple.

To be honest, I like both methods. The Apple version just seems a little too inflexible (AFAIK, again, not much fiddling with it yet). With Apple, I can check daily, weekly or monthly, but at what time? When I boot up? When the system is idle? Midnight? 4 AM? It's a small quibble at best, but I like that flexibility. As to which packages to install, Red Hat's (seems) to let me pick and choose more, which is not to say that Apple doesn't let me choose at all, just not enough (for me).

OTOH, none of my Macs have ever really had good access to cron, which OS X has. So I should really just count my blessings and stop bitching because it's not everything I want it to be one year after introduction. 8)

I'd like a command-line accessible fortune, though. All the versions I've found so far are GUI.

Re:Fast, but not Red Hat Fast

[Dephex+Twin]

Not so much that they should move to a third-party option, just that they might take a look at the third-party's mothodology and emulate it a little. Which would be quite a change for Apple.

If they thought it was really good, I'm sure Apple would have no qualms about even licensing it (look at SoundJam -> iTunes for example). However, I think that Apple wanted the application to work the way it does. I also would see benefit in an "Advanced Options" section on the software update, where I could set the time update checks are run, and possibly also auto-install options. It just seems like they could easily just add these tiny features on with very little effort (which is why I thought they didn't need to use a 3rd-party app).

The average Mac user doesn't want to be bothered with these details, though, and for that reason I think the interface should at least default to the way it is.

I'd like a command-line accessible fortune, though. All the versions I've found so far are GUI.

I think most Mac users are complaining that they want things to go in the other direction-- that is, many say "Great, I have access to all these Unix apps, but that's worthless to me because they don't have a GUI!"

But things seem to be coming together more and more all the time.

mark

Re:Fast, but not Red Hat Fast

apple software update includes things i certainly wouldnt want on automatically my machine such as chinese language updates. i do appreciate being able to pick n choose. I guess they could give you the option to install automatically.

What i want is to get those things off my list of updates to download. other than that, its pretty painless and a functional tool.

Re:Fast, but not Red Hat Fast

[schwanerhill]

"What i want is to get those things off my list of updates to download." In Software Update, select the update(s) you don't want and choose "Make Inactive" from the Update menu.

Re:Fast, but not Red Hat Fast

[bdesham]

I'd like a command-line accessible fortune, though. All the versions I've found so far are GUI.

IIRC, you can get one by installing fortune-mod with Fink.

Re:Fast, but not Red Hat Fast

[CentrX]

Same thing for apt-get, although apt-get doesn't require any "account" with Red Hat.

Re:Fast, but not Red Hat Fast

Wow, cool. I never noticed that option. Now I can rid myself of the half-dozen language updates that I'm never going to need.

Thanks!

Re:Fast, but not Red Hat Fast

Not so much that they should move to a third-party option, just that they might take a look at the third-party's mothodology and emulate it a little. Which would be quite a change for Apple.

That's not a change for Apple. The MacOS 9 UI is pretty much just System 7 with a bunch of formerly freeware/shareware bits either included or cloned.

Even basic things like the menubar clock and the windowshades were once 3rd party. I think even the co-op multitasking ('MultiFinder') was originally a 3rd party (Microsoft?) hack.

Re:Fast, but not Red Hat Fast

[phyxeld]

But I'd like Apple to take a look at Red Hat's up2date.

I'd rather see them look at debian's apt-get.
It's already available via fink for accessing ported unix software, why not make it the official system update mechanism too?

And, as another post mentions below, rh's up2date has that nasty account requirement, which nobody is a big fan of. Why do we need a profile on their server? Why not create a local profile, and let the client request the stuff it wants? WHY?

I long for the day that apt-get is the standard package management tool accross unices.

PHP Module Replaced

[Paul+Burney]

This update will replace the current PHP module you have installed.

Many people use a version of the Apache PHP module compiled for OS X by Marc Liyanage that has PDF/Postgres/curl/gd, etc. enabled, rather than the stock Apple installed module.

After applying the update, you will need to reinstall the Liyanage module. It only takes 3 minutes. The instructions and download are located here:

http://www.entropy.ch/software/macosx/php/

Re:PHP Module Replaced

[Lars+T.]

I'm not an expert, but when a security update replaces a module, maybe there is a reason for it, and simply puting back an older version (even with more features) may not be wise.

Re:PHP Module Replaced

[Paul+Burney]

In general, that's good advice. However, the module in question was updated to 4.1.2 one day after the hole was made public (February 27, 2002).

It's taken Apple over a month to provide the same fix.

FYI, the actual issue is the PHP file upload security hole. For more details see:

http://security.e-matters.de/advisories/012002.htm l

Update bombed on my B&W G3 running 10.1.3

[TedTodorov]

I keep reading about update problems, but until now, everything has always worked for me.

This one bombed though. It downloaded, and then I got a message saying that none of the patches had been installed due to "an error".

The system console was no more explicit. There were reports of problems on Macnn.com as well.

Has anyone installed it successfully on their system?

Ted

Re:Update bombed on my B&W G3 running 10.1.3

[Dephex+Twin]

Has anyone installed it successfully on their system?

Yes, I have. There's not much to say, it was a completely ordinary install for me.

I haven't altered the default config for any of the items updated, so maybe that is a factor?

mark

Re:Update bombed on my B&W G3 running 10.1.3

No problems here. Unlike previous security updates, this one didn't ask for a restart.

As the other guy said, the most likely reason for install problems is if you moved or renamed any of the relevant files.

Re:Update bombed on my B&W G3 running 10.1.3

worked for me on TiG4 550 running 10.1.3.

Re:Update bombed on my B&W G3 running 10.1.3

[usr122122121]

Update went smoothly on my B&W G3, which was also running 10.1.3.
I've changed a lot of the configs, so I really don't think that has much to do with it.
The only thing the installer didn't do was restart Apache, but that's fine because it gave me an opportunity to be graceful :-)

Re:Update bombed on my B&W G3 running 10.1.3

I have a Blue & White G3, 450Mhz, and it just installed without problem.

Take care,

~ Matthew

Re:Update bombed on my B&W G3 running 10.1.3

[TedTodorov]

I found my problem -- not enough disk space. An error message saying that might have been nice, but anyway, live and learn.

Ted

Surely not fast enough in fact...

[patpro]

I'm affraid the rsync 2.5.2 Apple just released for OSX is still vulnerable...

the FreeBSD-SN-02:01 Security Notice reads this :

Port name: rsync
Affected: versions < rsync-2.5.4
Status: Fixed.
Incorrect group privilege handling, zlib double-free bug.
URL:http://online.securityfocus.com/bid/4285
URL:http://www.rsync.org/

so what ? is MacOSX immune to the "Incorrect group privilege handling" bug of rsync < 2.5.4 or does Apple just released a buggy sec. update ? This bug appears to be known for 3 weeks now...

Re:Surely not fast enough in fact...

[SiMac450]

Mac OS X is immune to the zlib double-free bug. In any application made by Apple, not just rsync.

Anyway, even if it Mac OS wasn't immune, did it occur to you that Apple might have patched the version of rsync?

Simon

Re:Surely not fast enough in fact...

In response to an e-mail question, Apple responded that it's implementation of malloc() is not susceptible to the double free() vulnerability exposed by zlib.

Apache not included

This is from Apple's update page:

Security Update April 2002 includes the following updated components which provide increased security to prevent unauthorized access to applications, servers, and the operating system.

OpenSSH v3.1p1
rsync v2.5.2
groff v1.17.2
PHP v4.1.2
sudo v1.6.5p2
mod_ssl v2.8.7
mail_cmds

No reboot required!

[rgraham]

Not like these sorts of updates should require a reboot but sometimes they do, like with the recent Airport software update.

Microsoft Update

[Perdo]

You guys must feel like the MS hordes, installing security updates with known vulnerabilities and that break things that worked before.

Apple keeps you tinkering with software long enough, and you guys might decide that tinkering with the hardware will be fun too.

Then you will realize that Apple doesn't give you that option and if you find a way around it, they'll issue a firmware update that is "critical to system stability" that disables whatever offending piece of hardware that you purchased at fair market price, instead of paying Apple's premium price.

*cough* CAS 322 PC100 memory *cough*

Of course you can always disable the memory check at startup that disables your ram.. but only if it will boot at all (you didn't replace *all* your ram with inexpencive aftermarket stuff did you?) and you know the secret hotkey decoder ring handshake to press and hold while opening the memory control panel.

Must be Mac addicts. I thought crackheads were the only people willing to get fucked by their dealers.

btw, Can anyone tell me where the microphone on my old iBook is?

Oh, did you know the price of a new x86 system has dropped to $300 with firewire?

Apple: Dude, you're not gettin' a reach around!

Re:Microsoft Update

>Oh, did you know the price of a new x86 system has dropped to $300 with firewire?

Oh, did you realize the Mac isn't going to be a piece of shit?

(btw, how much do you plan to spend on decent editing software?)

Re:Microsoft Update

[Perdo]

At least post as a user next time asshole, so I know who I'm about to make a fool of.

Cinema Tools $999
iMovie 2 $999
iDVD $999
Final Cut Pro $999

Do you think they all have identical developement costs and therefore are all priced the same or do you think Apple might be ripping you off?

Apple recomended additional software:

Adobe After Effects $1999

They are certainly ripping you off with their hardware cost:

At least $2500 for a slow G4. At least wait for this to get some decent hardware at a fair price.

And what can you use this for? Home movies, low budget porn and local commercials. You see, you can only burn an hour of video using iDVD. Apple is trying to make you think you are shooting video just like the pros, just like they are trying to make you think that that pricey toy you have is a real computer. And they have you fooled. To the tune of $10,000.

A fool and his money are soon parted. By the way, to me $10,000 is a Beowulf cluster with 50 CPUs, just like Pixar uses, Steve Jobs' other company.

Go pout or LOG IN to respond you bitch assed coward.

Re:Microsoft Update

[ndpatel]

dude, your list of sw is /fucked/.

imovie comes with a $799 imac.

idvd comes with a $1300 imac.

all the pro stuff is just that, pro stuff

so, yeah, apple charges pro prices for pro soft, and gives the consumer stuff away for free. what a fucking surprise.

Re:Microsoft Update

>At least post as a user next time asshole, so I know who I'm about to make a fool of.

>iMovie $999
>iDVD $999

Are both free, dumbass. Now who's the fool?

>Go pout of LOG IN to respond you bitch assed coward.

Haha, suck shit, wiener boy.

Re:Microsoft Update

*cough* CAS 322 PC100 memory *cough*

Macs use PC133

Re:Microsoft Update

[DavidRavenMoon]

Of course you can always disable the memory check at startup that disables your ram.. but only if it will boot at all (you didn't replace *all* your ram with inexpencive aftermarket stuff did you?) and you know the secret hotkey decoder ring handshake to press and hold while opening the memory control panel.

Actually my "inexpencive aftermarket" [sic] $49 512 MB PC133 RAM works just fine in my G4 with all the latest firmware updates.

And your point was?

NEXT! ;-)

Re:Microsoft Update

[Perdo]

133mhz fsb G4s use pc133. The G4 iMac, TiBook, 168 pin G3 iMac, New iBook and Older G4 towers ALL USE PC100 Memory in either Dimm or Sodimm form factor. They can all use PC133 because it is better than PC100 Cas 322. The firmware update disabled any memory that did not run at least that speed.

Re:Microsoft Update

[Perdo]

PC133 is faster memory than PC100 cas 322. So the firmware did not disable it. Here is the breakdown:

PC66 Cas 222 is the same as PC100 cas 333. Except for minor architectural changes in reguards to reporting it's speed to the bios.

PC100 cas 222 is Identicle to PC133 cas 333.
PC133 cas 222 can be run as PC150 cas 333.
PC150 cas 222 can be run at PC166 cas 333.

You have been kept in the dark about your hardware. If Apple hardware was in any way tweakable, you would understand how much crap you have been fed. Is your G4 a 100mhz fsb version or a 133mhz fsb version?

Re:Microsoft Update

[DavidRavenMoon]

Is your G4 a 100mhz fsb version or a 133mhz fsb version

All but the first two G4s (the Yikes!, which was a G3 MB and the Sawtooth both had 100 MHz busses) have 133 MHz system busses and use PC133 RAM. I have a "Digital Audio" G4, with a 133 MHz bus. It wont run on PC100 no matter what the cas rating is. Some chips from dealers are mislabeled also and this is where the firmware problems arose. The firmware was catching PC100 RAM labeled as 133.

I know about hardware, do you think because I use Macs I haven't had any experience building computers? I rebuild Macs and PCs all the time. I have 12 Macs and several PCs I built. Not every one has the bargan basement mentality that a lot of PC users have. Sometimes cheap is just junk.

Also you are over simplifying the RAM issues, and RAM is not always interchangeable. The Apple firmware update only disabled RAM that was not up to spec. Some of this RAM could be reprogramed to spec, but did not leave the factory that way. Apple doesn't expect people to buy memory from them, they only expect people to use qualified parts. I always buy the cheapest memory I can find and never have any problems. But I dont buy junk either. There is a difference. I also don't try to put PC100 DIMMs in where it calls for PC133. What's the point? Some memory controllers are fussier than others. Try and put out-of-spec RAM in a SUN or SGI for instance!

Re:Microsoft Update

Sigh. We know you are jealous. A "Beowulf cluster with 50 CPUs" is a *toy*. I'll give you a *big* hint. If it's got x86 in it, IT IS A TOY - cheap, antiquated hardware that can play some games. If you want a "real" computer you'll need to look into some "real" CPUs - PowerPC (designed from the ground up to be a nice, "modern" CPU - not a hacked-up 4004), Sparc series, Alpha (64 bit for 6 years now?).

Face it - you don't know what the hell you are talking about.

damn troll

Go away, silly troll. Pray to the cock-obelisk of Bill Gates.

Re:damn troll

[Perdo]

Why post AC? Say it right too, dammit.

Bill Gates, named his company after his Penis.

Aaaarrgh! Why now?

[frogmella]

I would dearly love this update, but my damn Software Update thingy's stopped working. Can't connect, although every other program works. Anyone suggest a solution?

Re:Aaaarrgh! Why now?

[TotallyUseless]

find and delete the preferences file for software update. or more advisable, move it out of the preferences folder and make sure it doesnt totally break the app before deleting it.
~/library/preferences/com.apple.SWUpdateEngine.pli st

No, not 100% chance

[CentrX]

If all computers had a 100% chance of getting broken into when connected to a network, ALL computers would be broken into, no matter how long they were online. Simply, this is not true. It's not true for the time, and even ignoring the time, it's not true for many operating systems, or even many individual machines that are left on for a long time.

Re:No, not 100% chance

Any computer could be hacked if one had the time and desire to hack it. Never think that only happens to the other guy, once you do you will be attached and hacked. Just a fact of life, to bad it sucks.

Open SSL Version Mismatch

[daviddennis]

Has anyone else had this problem? It's been around for quite a while on my PowerMac G4, and no matter how many security updates I install it doesn't change.

When I try running SSH, I get

OpenSSL version mismatch. Built against 90581f, you have 90602f

So how do I get 90581f, or whatever I actually need?

Thanks for any help.

D

Re:Open SSL Version Mismatch

[pfistech]

You likely installed a custom build of OpenSSH at some point in time and now when you run 'ssh' it runs this outdated copy instead of Apple's copy. Outdated here means that it was built against OpenSSL 0.9.4something or 0.9.5something, not the 0.9.6b that is currently provided by Apple.

Run "which ssh" and see what it tells you. If it says "/usr/local/bin/ssh", you may want to remove that copy of ssh so that it uses Apple's version (/usr/bin/ssh).

Re:Open SSL Version Mismatch

[daviddennis]

That fixed it!

Many thanks.

D

Are you installing updates in order?

Have you been installing the various updates in the right order? Apple has a page that tells you the order in which you have to put them on. Anyway, before you install the April security update, you have to first install these other updates in this order:

1. 1. Mac OS X 10.1

1. 2. Security Update 10-19-01

1. 3. Installer Update 1.0

1. 4. Mac OS X Update 10.1.3