Slashdot Mirror


Apple Security Update Posted

patpro writes "Apple has just released a security update for Mac OS X. It includes Apache 1.3.23, OpenSSH 3.1p1, PHP 4.1.2, rsync 2.5.2, and sudo 1.6.5p2 (among other things). For the moment it's available only via the Software Update pane in System Preferences, but it should be available later at the Apple Downloads Page."

17 of 57 comments

  1. Re:Just as I predicted by ahknight · · Score: 4, Insightful
    all computers have a 100% chance of getting hacked into when connected to a network,

    Ok, sure. I'll connect a Mac OS 9 box to the net and let's see if you can get in. =)

  2. Fast, but not Red Hat Fast by White+Roses · · Score: 3, Offtopic
    I like Apple's Software Update, and it certainly makes keeping abreast of security patches easy. But I'd like Apple to take a look at Red Hat's up2date. It runs with a lot less interaction (mine runs in a cron job every night - a list of installed packages is waiting for me in the morning), and is a lot more flexible (I can pick and choose what type of updates to install). OTOH, Apple's Software Update doesn't require an account, as up2date does. But Software Update doesn't seem to be able to install without interaction with me. Of course, I've only been working with it for 5 days now (seems like longer, because it's pretty darn easy to use, one begins to feel like an expert very quickly).

    Other than that, these same updates were available from Red Hat between 2 and 4 weeks ago depending on the package. Apple could be a little faster on the uptake, especially with security patches.

    This is constructive criticism, and nothing more.

    --
    Do not touch -Willie
    1. Re:Fast, but not Red Hat Fast by Dephex+Twin · · Score: 4, Insightful
      It runs with a lot less interaction (mine runs in a cron job every night - a list of installed packages is waiting for me in the morning)

      I think a majority of OS X users like, or at least don't mind, the interaction. I don't want the software update to download or install packages without asking. Even if Apple did want to make this an option, why would they move to this third-party update product, instead of just adding a checkbox "Download and install updates automatically" to the existing app?

      and is a lot more flexible (I can pick and choose what type of updates to install).

      I'm not sure here what is different about what they have in OS X now. One can both pick, as well as choose, the updates one wishes to install. One can also disable a package that is not needed so that the updater doesn't ask about it again.

      mark
      --

      If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
    2. Re:Fast, but not Red Hat Fast by White+Roses · · Score: 2
      Agreed about making the option available. That, in fact, was my gripe, really: at this point the option isn't available. Not so much that they should move to a third-party option, just that they might take a look at the third-party's methodology and emulate it a little. Which would be quite a change for Apple.

      To be honest, I like both methods. The Apple version just seems a little too inflexible (AFAIK, again, not much fiddling with it yet). With Apple, I can check daily, weekly or monthly, but at what time? When I boot up? When the system is idle? Midnight? 4 AM? It's a small quibble at best, but I like that flexibility. As to which packages to install, Red Hat's (seems) to let me pick and choose more, which is not to say that Apple doesn't let me choose at all, just not enough (for me).

      OTOH, none of my Macs have ever really had good access to cron, which OS X has. So I should really just count my blessings and stop bitching because it's not everything I want it to be one year after introduction. 8)

      I'd like a command-line accessible fortune, though. All the versions I've found so far are GUI.

      --
      Do not touch -Willie
    3. Re:Fast, but not Red Hat Fast by Dephex+Twin · · Score: 2
      Not so much that they should move to a third-party option, just that they might take a look at the third-party's methodology and emulate it a little. Which would be quite a change for Apple.

      If they thought it was really good, I'm sure Apple would have no qualms about even licensing it (look at SoundJam -> iTunes for example). However, I think that Apple wanted the application to work the way it does. I also would see benefit in an "Advanced Options" section on the software update, where I could set the time update checks are run, and possibly also auto-install options. It just seems like they could easily just add these tiny features on with very little effort (which is why I thought they didn't need to use a 3rd-party app).

      The average Mac user doesn't want to be bothered with these details, though, and for that reason I think the interface should at least default to the way it is.

      I'd like a command-line accessible fortune, though. All the versions I've found so far are GUI.

      I think most Mac users are complaining that they want things to go in the other direction-- that is, many say "Great, I have access to all these Unix apps, but that's worthless to me because they don't have a GUI!"

      But things seem to be coming together more and more all the time.

      mark
      --

      If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
    4. Re:Fast, but not Red Hat Fast by schwanerhill · · Score: 3, Informative

      "What I want is to get those things off my list of updates to download." In Software Update, select the update(s) you don't want and choose "Make Inactive" from the Update menu.

  3. PHP Module Replaced by Paul+Burney · · Score: 5, Informative

    This update will replace the current PHP module you have installed.

    Many people use a version of the Apache PHP module compiled for OS X by Marc Liyanage that has PDF/Postgres/curl/gd, etc. enabled, rather than the stock Apple installed module.

    After applying the update, you will need to reinstall the Liyanage module. It only takes 3 minutes. The instructions and download are located here:

    http://www.entropy.ch/software/macosx/php/

    --
    <?php while ($self != "asleep") { $sheep_count++; } ?>
    1. Re:PHP Module Replaced by Lars+T. · · Score: 2

      I'm not an expert, but when a security update replaces a module, maybe there is a reason for it, and simply putting back an older version (even with more features) may not be wise.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  4. Surely not fast enough in fact... by patpro · · Score: 2, Informative

    I'm afraid the rsync 2.5.2 Apple just released for OSX is still vulnerable...

    The FreeBSD-SN-02:01 Security Notice reads:

    Port name: rsync
    Affected: versions < rsync-2.5.4
    Status: Fixed.
    Incorrect group privilege handling, zlib double-free bug.
    URL:http://online.securityfocus.com/bid/4285
    URL:http://www.rsync.org/

    So what? Is MacOSX immune to the "Incorrect group privilege handling" bug of rsync < 2.5.4, or did Apple just release a buggy sec. update? This bug appears to have been known for 3 weeks now...

  5. Re:Update bombed on my B&W G3 running 10.1.3 by Dephex+Twin · · Score: 2
    Has anyone installed it successfully on their system?

    Yes, I have. There's not much to say, it was a completely ordinary install for me.

    I haven't altered the default config for any of the items updated, so maybe that is a factor?

    mark
    --

    If you want to make an apple pie from scratch, you must first create the universe. -- Carl Sagan
  6. No reboot required! by rgraham · · Score: 2, Informative

    Not like these sorts of updates should require a reboot but sometimes they do, like with the recent Airport software update.

  7. Re:Aaaarrgh! Why now? by TotallyUseless · · Score: 2

    Find and delete the preferences file for Software Update. Or, more advisable, move it out of the preferences folder and make sure it doesn't totally break the app before deleting it.
    ~/library/preferences/com.apple.SWUpdateEngine.plist

    --

    Time for some tasty Shiner Bock!
  8. Open SSL Version Mismatch by daviddennis · · Score: 2

    Has anyone else had this problem? It's been around for quite a while on my PowerMac G4, and no matter how many security updates I install it doesn't change.

    When I try running SSH, I get

    OpenSSL version mismatch. Built against 90581f, you have 90602f

    So how do I get 90581f, or whatever I actually need?

    Thanks for any help.

    D

    1. Re:Open SSL Version Mismatch by pfistech · · Score: 2, Informative
      You likely installed a custom build of OpenSSH at some point in time and now when you run 'ssh' it runs this outdated copy instead of Apple's copy. Outdated here means that it was built against OpenSSL 0.9.4something or 0.9.5something, not the 0.9.6b that is currently provided by Apple.

      Run "which ssh" and see what it tells you. If it says "/usr/local/bin/ssh", you may want to remove that copy of ssh so that it uses Apple's version (/usr/bin/ssh).

      --
      -chrisp

      "If that makes any sense to you, you have a big problem."

    2. Re:Open SSL Version Mismatch by daviddennis · · Score: 2

      That fixed it!

      Many thanks.

      D
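
The diagnosis in the exchange above (a stale custom build earlier in `PATH` shadowing the vendor-patched binary) can be checked for any command, not just `ssh`. The following is an added example, not part of the original thread; the function name `find_shadowed` and its output labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). List every executable called NAME on a
# search path, in lookup order, marking the copy the shell would actually run
# and every later copy it hides. A security update that patches /usr/bin/ssh
# has no effect while an older /usr/local/bin/ssh is found first.
#
# usage: find_shadowed NAME [PATHSTRING]   (PATHSTRING defaults to $PATH)
find_shadowed() (
    # Subshell body: the IFS and noglob changes do not leak to the caller.
    name=$1
    search=${2:-$PATH}
    active=""
    IFS=:
    set -f                      # no glob expansion while splitting on ':'
    for dir in $search; do
        [ -n "$dir" ] || dir=.  # an empty PATH entry means the current directory
        candidate="$dir/$name"
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            if [ -z "$active" ]; then
                active=$candidate
                echo "ACTIVE   $candidate"
            else
                echo "SHADOWED $candidate"
            fi
        fi
    done
)

# Check the command discussed in the thread against the real PATH.
find_shadowed ssh
```

More than one line of output means the `ACTIVE` copy is the one to compare against the version the update installed.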

  9. Re:Microsoft Update by Perdo · · Score: 2

    133mhz fsb G4s use pc133. The G4 iMac, TiBook, 168 pin G3 iMac, New iBook and Older G4 towers ALL USE PC100 Memory in either Dimm or Sodimm form factor. They can all use PC133 because it is better than PC100 Cas 322. The firmware update disabled any memory that did not run at least that speed.

    --

    If voting were effective, it would be illegal by now.

  10. Re:Microsoft Update by Perdo · · Score: 2

    PC133 is faster memory than PC100 cas 322. So the firmware did not disable it. Here is the breakdown:

    PC66 Cas 222 is the same as PC100 cas 333. Except for minor architectural changes in regards to reporting its speed to the bios.

    PC100 cas 222 is identical to PC133 cas 333.
    PC133 cas 222 can be run as PC150 cas 333.
    PC150 cas 222 can be run at PC166 cas 333.

    You have been kept in the dark about your hardware. If Apple hardware was in any way tweakable, you would understand how much crap you have been fed. Is your G4 a 100mhz fsb version or a 133mhz fsb version?

    --

    If voting were effective, it would be illegal by now.