Slashdot Mirror
OS X Security Update: Apache, SSL and SSH
payote writes "Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system." It's not in my Software Update window, because I'm still on 10.1.4 (having heard rumors that RtCW doesn't work on 10.1.5). But it is indeed out, and any Mac OS X machine whose webserver or ssh server is open to an untrusted network needs to upgrade.
that Apple takes security seriously.
Apache makes the vulnerability known, and Apple's right there with an OS patch bringing the new version into the fold.
How it should be. OS X.
blakespot
-- Heisenberg may have slept here.
iPod Hacks.com
be prepared to reinstall PHP if you had a customized verison. This updates writes over it.
--
Don't sweat the petty things, and don't pet the sweaty things.
You know, the hole that allows a specially crafted, chunk-encoded HTTP request to execute arbitrary code on the server, and as Microsoft would say, "a malicious user" could exploit this to damage systems, take over a box, or worse.
The theory of relativity doesn't work right in Arkansas.
RedHat just came out with their updated RPMS also. Last time that SSH came out with a security vulnerability (the same time the zlib one hit) I WAS HACKED! Do you know how bad you feel after you've been hacked? Its like being neutered.
In college, really poor, need a flatscreen.
Two minute install, no reboot required. Nice.
This space unintentionally left unblank.
Nicely enough, this does not require a reboot to get working. Downloads and killed off the old sshd (and one would assume Apache if I had a web server on my laptop!).
The Slashdot editors do not embrace Free Software, they are ONLY running away from Microsoft.
Sometimes we don't all want to feel like developers. It's good to be a user every now and then.
I mean, I had already updated my FreeBSD machines two days ago. I got sick of waiting for Apple to release the easy to apply software update patch so I just manually upgraded my OpenSSH via the command line.
I understand that most of Apple's users don't want to touch the command line and wouldn't know where to start compiling software, so I also understand that it will take them a little time to deliver the security patch in an easy to install fashion via software update. I just hope they release the next update more quickly, instead of waiting for a few needed updates to pile up and release an all in one uber-update.
Whatever rumor you heard was incorrect. OS X 10.1.5 actually fixes several problems related to RTCW. Several serious issues I was having were resolved by updating to 10.1.5 and confirmed by Aspyr tech support. I highly recommend the upgrade. Specifically RTCW under 10.1.4 didn't work with the GeForce4Ti above 640x480 and now it works up to 1024x768. You'll still need to use an old card like the GeForce4MX if you want to go all the way to 1600x1200 with it though.
And it was sure nice to get an update that didn't require a restart! What's up with all the restarts required, anyway? This is Unix...I'm not used to restarting all the time (except kernel upgrades; but those are rare for me)
-- @rjamestaylor on Ello
Does it run under Finder or as a Desk Accessory?
10.1.5 has nothing to do with RtCW failing. Recently the 1.33 version of return to castle wolfenstein was released for linux and PC. When this happened many multi-player server started to require 1.33 (pure servers) in order to play.
There's some disucssion on whether Aspyr will patch this however there is a workaround. Download the "lite" version of the 1.33 upgrade for PC, unstuffit and then replace mp_bin.pk3 in your MAIN folder.
These instructions are highligted at the bottom of this URL on Aspyr's site
How is it not 'real world *nix' compared to Sun and AIX. promptly remove your head from your ass and actually use it before making stupid statements.
Interestingly enough, for me it did require a reboot. Perhaps because I chose to install the Applescript upgrade at the same time.
Wow, when Microsoft issues security update they are lambasted for putting out an insecure operating system.
Apple releases massive security update and they are lauded for their focus on protecting their users.
Red Hat releases security updates and no one mentions them at all.
While OpenSSH 3.4p1 fixes the bug that lead to offering a priv-sep version in 3.3p1, the July Security Update does not modify the Netinfo tables to add a sshd user and group, along with the other configuration steps listed in README.privsep. It is suggested that Apple engineers may address privilege separation in Jaguar or an update to Jaguar.
This isn't an update for OSX that it has control of. Its the use of bad coded open source software that has the vunerablity. Microsoft is in control on how things run and mess up with Windows. Apple doesnt have 100% control because their software relies on open source people to fix it for them.
Didn't ruin anythink in my php installation. By the way there is a great step by step php installation guide to get the newest version of php (this one is even recommanded by apple).
>> Had I been going to bed earlier every night? Have I been sleeping later? Has Tyler been in charge longer and l
The version they should upgrade to is 2.8.10, that fixes a buffer overlow that can be triggered through .htaccess files.
{{.sig}}
Traffic on bugtraq the last few hours indicates there is now a worm in the wild exploiting the Apache chunked-encoding vulnerability. http://online.securityfocus.com/archive/1/279529/2 002-06-25/2002-07-01/0
I haven't seen this topic really ever brought up...
Linux and FreeBSD have been available for PPC for a while now, meaning that people could be running Macs as webservers. Although a very tiny percentage of the server population runs Mac webservers, these are mostly running enthusiast's webpages. The bottom line is, most serious webserving applications use Linux or FreeBSD or (gasp) IIS on PC's. (Also multi-CPU Unix servers, etc.)
My question is... why the small portion of webservers running on Apple? Is it because:
1) Apple computers represent a small portion of the computer market
2) Apple users generally run web servers
3) Apple computers suck at running web servers
4) Network admins don't like Apples
5) Some combination of the above
I'd be interesting in hearing some people's comments.
Cheers!
Well. Until recently there where no real hardware options for servers made by Apple. The XServe changes that. But at a price a lot of people that runs some random Linux webserver would never pay anyway.
Linux and BSD is pretty popular especially as 'free' webservers. You have a spare box (or get a new one cheap), hook it up with the lastes UNIX OS of your choice and run Apache. Cheap and stable.
For more serious shops they what things Apple is only getting around to now. And still why use Apple hardware for webservers if you can run almost the same webserver on a box from your usual dealer. That's why Mac shops use Apple hardware for webservers. It's confortable to use the same dealer for everything.
I guess your new to this whole computer security thing. If you don't understand the difference between how MS and redhat have reacted to security problems for the past 6 years, then I am not going to explain it to you.
If you wanna get rich, you know that payback is a bitch
Just look at versiontracker each day and you will be made aware of Apple updates too. Even if they are only available via Software Update.
Not entirely a waste. When a post goes down to -1, it doesn't get archived. Since all archives are done in flat view mode, any remaining junk messages are automatically visible and add noise to the dicussion you're trying to read through.
I know.. i know.. a unix/linux site. But interesting indeed how Microsoft got BASHED for releasing 3 VERY easy to install patches that aren't really exploited at this point, and EVERY unix that uses the apache, ssl, ssh combination previous to the listed versions is needing a repair as well.
can't we all just get a bong?
1. Repost every post from the previous MS security release thread here changing MS to Apple/Unix/Linux and vice versa.
2. ???
3. Profit!
Mmmm.. Donuts
it's not like this is open source or anything. IT's not like the users could get patches themselves from apache and install them.
I mean, if you want to rely on a vendor supplied package based on an open project, of COURSE there is going to be a lag.
I'd like to somewhat lessen the blows that I see against apple for it's not-so-quick release of the apache vulnerability patch. I think they should have released it faster, but at the same time I can see why they gave themselves some time to test it, and when the openssh vuln was revealed, some time to incorporate that into the same patch. There was no exploit released for OS X or anything on PPC arch that I could see. It just wasn't targeted. The worm that is out is for BSD, but it's x86 shellcode, so again, OS X is not affected. I think the worm is only FreeBSD as well. But anyway, what I'm saying is that they probably could have released it faster, but there wasn't really anything at risk unless you were being specifically targeted by someone other than a script kiddie who actually knew what he/she was doing.
Cheers,
-JD-
It was just yesterday macSlash posted an 'article' titled 'Will Apple Support It's Modern OS with Modern Security?' mostly slated to apple waits to long to release security patches and they will not acknowledge security problems until they provide a patch. an 'article' titled 'Will Apple Support It's Modern OS with Modern Security?' mostly slated to apple waits to long to release security patches and they will not acknowledge security problems until they provide a patch.
Scott Anguish has an article on stepwise.com that shows you how to build OpenSSH yourself. He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.
I don't know if Apple configures their update similarly, but I'll bet they do.
Sapere aude!
Funny South Park reference...
There is no good reason for your sysadmin not to let you on the network - they are being overbearing and unprofessional. If they were professional and genuinely worried they would have blocked incoming ports to your host at the switch (or at worst - the gateway).
Like most other administrators I have to work with, it sounds like they are simply exhibit big ego's and little professionalisim (though I would not wish to jump to conclusions, it's most likely in my experience).
Apart from upgrading the SSH and Apache binaries yourself (I know I was too lazy and waited for Apple because I knew one was coming out) you could simply have disabled thoses services - after all they are disabled by default on Mac OS X.
Lastly, in response the origional poster, Apple's response was slower than I would have liked (as the OpenSSH one was disclosed to vendors like Apple ~10 days before it was announced) but timely and the fix was very elegant and appears to be bug free (clean install all round, no reboot required, etc).
Ehh, even if OS X is a *nix OS, most malicious little trolls are still quite unfamiliar with MacOS...
I don't think that they care whether it's MacOS or not. It's Apache or it's SSH -- they're familiar enough with those.
It makes more sense for Apple to simply release packages consisting of multiple minor security updates every three to six months.
You're trolling, right? You must be trolling. You really think that Apple should leave big, known, gaping holes unpatched for months on end? Check it, man, a week wasn't fast enough for a number of posters in this forum... if Apple let 3 months go by they'd be crucified, even if not a single mac was 'sploited
Most mac users would rather not have Software Update launch and pester them every week.
I don't know. I feel a frisson of excitement when SU has something new for me. Usually it means that something that was broken will soon be less broken, or better yet, there will be new functionality for me to enjoy. Granted the latest AirPort update was a major bust, but I'm all in favor of their rolling out the lastest bugfixes as soon as they've been thoroughly tested.
A couple points that were brought up that I'd like to address....
First, as to why Macs aren't common web servers, I think the main reasons are cost of the hardware, difficulty in maintaining/upgrading, and lack of expandability. Of course, Apple sort of addressed this with the XServe, but it's still a hell of a lot cheaper to buy, say, an Athlon based PC with Linux than a whole PowerMac.
Second, as to why people are bashing MS for security holes and praising Apple for fixing them, let's keep in mind Microsoft makes their own web server software. Apple is putting in place fixes to programs they did not create, so they need a little more time to get the details and make a fix. Having said that, I agree that Apple could be a bit quicker about it.
-Suffering Bastard (runs web, mail, mp3, and file serving off various OS X boxen)
"Molest me not with this pocket calculator stuff."
- Deep Thought
Redhat has about 70 or 80 advisories for RedHat 7.2 alone in 2002.
How can this be?
Trolls throughout history:
Jonathan Swift
Not trying to be a troll, but everyone keeps mentioning that Microsoft gets bashed for security updates while Apple doesn't. Why is this? Because Apple generally takes care of the problem with one or two fixes whereas M$ seems to continue introducing security bugs & holes with every patch. Almost every M$ program (and operating system) associated with internet access seems to have serious security holes, time and time again...Internet Exploder, Internet Information Server, MSN Messenger, Outlook Express, Entourage, Visual Basic, even Office apps....Shall I continue? For all the money that M$ brings in from sales, extortion, bribery, etc...you'd think they would hire the BEST programmers money could buy to write their software. But Oh, slap my fae, the current business model keeps the tech industry gainfully employed.
He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.
If you run every non-privileged service (http, anon ftp, ntp, nntp, etc.) and partial service (ssh, mail, etc.) as the same non-privileged user, it defeats a lot of the purpose of the non-privilegedness. Even with chrooting, a process running as a non-root user can affect other processes that belong to the same user (e.g. send them signals). This is why vendors and sysadmins who know what they're doing create a different user for each service.
not real familiar with bsd are ya? Here's a hint: It's the one that's not the cheap knockoff.....
Imagine a Beowolf Cluster of THESE!!!
While looking at the Apache setup in MacOS X, I decided to set up log analysis, and discovered that this security update implements Apache's rotatelogs. A minor upgrade, but a nice improvement that shows Apple is serious about their server platform. The (fairly) speedy response to ththe OpenSSH and Apache security holes also shows Apple is taking pains to do it right.
the hardware is more expensive for running a web server, and even if you are running it, ive found linux to be alot faster on the same hardware than os-X, not to mention the amount of memmory you save, portability problems, and much better filesystems (though it would be cool if you could use softupdates on os-X) anyway these would show up as linux or bsd so you wouldnt see it as a mac web server.
havnt tried bsd on a mac yet, but i have no reason to believe it wouldnt work just as well. the hardware is good a realiable, but you pay alot for it, and for stuff you wouldnt be using.
(like that geforce or radeon)
also, macs use more power than x86 boxen. look on the power supply. (this is true for the x-serve as well, 3 amps as opposed to the 2 than ibms rackmounts use) in the server room, this can add up quickly.
Apple's response time is as fast as Redhat's. That's pretty amazing, considering. Redhat should have been faster though. Although, Redhat's caution paid off in that the ssh vulnerability did not, apparently affect their systems.
I was worried there for a second. My web programming team uses Atari ST computers using the Magic Sac mac emulator. Thank God a patch was made so quickly and my fortune 500 company is now safe again! Thank you Guy Kawasaki and Steve Wozniak!
Key words, Dev Release. And as far as graphics support goes, 32 megs is required for Quartz extreme, but Jag will run on 16 meg graphics.
Apple has been shipping ATI hardware acceleration in OS X since 10.0. 10.1.5 added support for some of the ancient ATI cards. 10.2 adds hardware accelerated scrolling support for ATI and NVidia cards, in addition to Quartz Extreme for Radeon/GeForce cards (it's not a VRAM issue as much as it is support for textures that aren't a power of two in a dimension).
-jon
Remember Amalek.
sorry, osx still runs like shit on a 667 tibook.
10.2dp included.
i think his point was that they made an os that ran like shit (well, aqua runs like shit) on relatively NEW hardware.
hell, i got suckered (and then trapped) into a 667 tibook. now, less than 6 months later they are going to release an os upgrade that obsolesces my NEW FREAKING COMPUTER.
great job apple.
I got confused with Mac OS X Server. rotatelogs was in Mac OS X Server before the July Security Update. You could turn it on and off with the Server Admin GUI.
I'm not sure when rotatelogs got added to regular Mac OS X. My mistake. I've only been working with Apache on X Server.
Am I the only one wondering where to download this? I have a MacOSX-box on our net, and I was searching desperately for a download earlier so I made a sigh of relief when this was announced here. (I firewalled out SSH last week.)
I googled for 'apple security update' but I still can't find anything, except for text describing some GUI auto-update stuff. The whole point of using a UNIX-like OS on this server would be to have low maintenance, so I expected to be able to SSH in and run some tool like 'dpkg' or 'rpm'.
I'd be happy for your assistance guys (or if this would get a mod point so my question is visible).
HAHA -- well, I see that I left the smiley out. Seeing as I am the admin, I can now let my machine back on the network running httpd and ssh. :)
:( Time for a rebuild on that one -- and a new hard drive. In the meantime, its web server is down -- which is unfortunate because that's my primary web server. :(
Disabling the services is exactly what I did. I used the SSH workaround and I disabled Apache. Now I can reenable it. Oh, and this particular machine is outside the firewall.
My Linux box is so customised that I can't install Apache with RPM. I don't even have the drive space to compile httpd.
i've been waiting for this update for some time, now i see all this talk about it, but when i run software update, it's not there. i viewed my update log and the last stuff was the applescript update, iPhoto, and iPod software updater, that's it. am i missing somthing?
Sticking it to the CLIT and pleasuring those MAC fags. Excellent work!
You make a reasonable point. As far as I can tell, Apple and Microsoft are pretty much the same. Apple has even taken it a step further to embrace hardware monopoly as well. And as far as the boss men go, Gates and Jobs are two peas in a pod.
its free.
^
|
it think it runs just fine on a 700 ibook
It doesn't look as though they enabled privsep at all. No UsePrivilegeSeparation in the sshd_config.