Slashdot Mirror


OS X Security Update: Apache, SSL and SSH

payote writes "Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system." It's not in my Software Update window, because I'm still on 10.1.4 (having heard rumors that RtCW doesn't work on 10.1.5). But it is indeed out, and any Mac OS X machine whose webserver or ssh server is open to an untrusted network needs to upgrade.


  1. Ruins custom PHP installs by arson1 · · Score: 5, Informative

    be prepared to reinstall PHP if you had a customized version. This update writes over it.

    --
    Don't sweat the petty things, and don't pet the sweaty things.
  2. RTCW by cyphersoft · · Score: 5, Informative

    Whatever rumor you heard was incorrect. OS X 10.1.5 actually fixes several problems related to RTCW. Several serious issues I was having were resolved by updating to 10.1.5 and confirmed by Aspyr tech support. I highly recommend the upgrade. Specifically RTCW under 10.1.4 didn't work with the GeForce4Ti above 640x480 and now it works up to 1024x768. You'll still need to use an old card like the GeForce4MX if you want to go all the way to 1600x1200 with it though.

  3. Re:Problem seen - addressed by rjamestaylor · · Score: 2, Informative
    • Do any of you OSX folks download the Apache source and do your own compile?
    Not from Apple. Only Darwin is Open Source. But there is Fink (see SourceForge) which provides all the GNU GNoods you're used to.
    • Does OSX still ship with a development environment?
    Not with the latest machines (this year), but the developer tools are freely downloadable (after registering and having your flesh branded with the Apple logo.....just seeing if you're paying attention....).
    --
    -- @rjamestaylor on Ello
  4. Re:Problem seen - addressed by nbvb · · Score: 5, Informative

    NOT TRUE.

    Apple still *does* ship the compilers. On the newer machines go to /Applications/Utilities/Installers and install the "Developer Tools.pkg" file. That will do it :-)

    I don't know why they don't install it with the base OS, but at least they put the installer on the disk for you!

    --NBVB

  5. RtCW failing is related to RtCW upgrade 1.33 by redwoodtree · · Score: 4, Informative

    10.1.5 has nothing to do with RtCW failing. Recently the 1.33 version of Return to Castle Wolfenstein was released for Linux and PC. When this happened many multi-player servers started to require 1.33 (pure servers) in order to play.

    There's some discussion on whether Aspyr will patch this, however there is a workaround. Download the "lite" version of the 1.33 upgrade for PC, unstuff it and then replace mp_bin.pk3 in your MAIN folder.

    These instructions are highlighted at the bottom of this URL on Aspyr's site

  6. Re:FYI, no reboot needed by scorpioX · · Score: 5, Informative

    Just like updating iTunes (an MP3 player) shouldn't need a reboot...except iTunes did require the reboot, and ssh didn't.

    iTunes updates usually also update the core CD/DVD burning libraries as well as the kernel extensions that support the drives. This is why iTunes requires a reboot. The original poster did say '...as long as the kernel or core libraries aren't updated'.

  7. Re:Mac running webservers? by marmoset · · Score: 4, Informative
    You can start it and stop it from System Preferences (analogous to the Control Panels in MacOS 9.x and below.) There's a pane on the Sharing button that essentially hooks up to "apachectl" on the backend, which fires off httpd just like every other Unix box in the world.

    Pages under the hierarchy /Library/WebServer/Documents and in users' home directories (/Users/[username]/Sites) are served, you can tweak everything in /private/etc/httpd, logs go in /private/var/log/httpd

  8. Re:Let's hope Apple gets quicker.... by =weezer= · · Score: 2, Informative

    I understand that most of Apple's users don't want to touch the command line and wouldn't know where to start compiling software

    Good point, but if you think about it, how many of those users (who wouldn't ever want to touch a command line) are running OpenSSH and Apache? A very small group, I'm sure. Those who are running one or both of those services are (usually) at least aware of a command line and how to upgrade without Software Update. Software Update is for those who don't know or care to learn how to use the shell - again, a minority.

  9. Re:Problem seen - addressed by stere0 · · Score: 2, Informative
    Do any of you OSX folks download the Apache source and do your own compile?
    Not from Apple. Only Darwin is Open Source. But there is Fink (see SourceForge) which provides all the GNU GNoods you're used to.

    Apple's Apache modules are also open sourced. Anyone could have built a fully functional Apache for Mac OS X. Just check Apple's developers site and you'll see they have plenty of code open sourced.

    --
    This signature's narrowness would not contain a marvelous troll
  10. Update does not address privilege separation issue by Alex+Reynolds · · Score: 4, Informative

    While OpenSSH 3.4p1 fixes the bug that led to offering a priv-sep version in 3.3p1, the July Security Update does not modify the NetInfo tables to add an sshd user and group, along with the other configuration steps listed in README.privsep. It is suggested that Apple engineers may address privilege separation in Jaguar or an update to Jaguar.

  11. Didn't ruin my installation by patrickoehlinger · · Score: 5, Informative

    Didn't ruin anything in my PHP installation. By the way there is a great step by step PHP installation guide to get the newest version of PHP (this one is even recommended by Apple).

  12. mod_ssl 2.8.9 has a security hole by chrysalis · · Score: 4, Informative

    The version they should upgrade to is 2.8.10, which fixes a buffer overflow that can be triggered through .htaccess files.

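    A quick way to confirm that the update actually landed, which goes with the version list in the story summary and with chrysalis's point above that mod_ssl 2.8.9 is still not the one you want. This is an added example from the editor, not Apple's code or anything posted in the thread: it pulls the version out of the `httpd -v`, `ssh -V` and HTTP `Server:` banners and compares it against a required version. Assumptions: httpd lives in /usr/sbin/httpd as on a stock 10.1 install, Web Sharing is on so the local server answers on port 80, and an HTTP client such as curl is installed for the mod_ssl check (curl is not in the 10.1 base system). The required strings are parameters, so asking for mod_ssl 2.8.10 instead of 2.8.9 is a one-word change.

```shell
#!/bin/sh
# Added example (editor's, not Apple's or Slashdot's code): confirm that the
# banners on a Mac OS X 10.1 box are at or above the versions the July 2002
# update ships: Apache 1.3.26, mod_ssl 2.8.9, OpenSSH 3.4p1.

# banner_version NAME BANNER: the version that follows "NAME/" or "NAME_":
#   "Server version: Apache/1.3.26 (Darwin)"                  -> 1.3.26
#   "OpenSSH_3.4p1, SSL 0x0090602f"                            -> 3.4p1
#   "Server: Apache/1.3.26 (Darwin) mod_ssl/2.8.9 OpenSSL/..." -> 2.8.9
# Prints nothing when the component is not mentioned in the banner.
banner_version() {
    printf '%s\n' "$2" | sed -n "s|.*$1[/_]\([0-9][0-9.]*[a-z0-9]*\).*|\1|p"
}

# version_ge A B: true when dotted version A >= B. A trailing letter suffix
# and everything after it ("3.4p1" -> "3.4") is ignored, so portable-OpenSSH
# patch levels are not compared; check those by eye if they matter to you.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    i=1
    while :; do
        x=$(printf '%s' "$a" | awk -F. -v n="$i" '{ print $n }')
        y=$(printf '%s' "$b" | awk -F. -v n="$i" '{ print $n }')
        [ -z "$x" ] && [ -z "$y" ] && return 0   # no fields left: equal
        x=${x:-0}; y=${y:-0}                      # "1.3" counts as "1.3.0"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# check_component NAME REQUIRED BANNER: prints a one-line verdict.
# Exit status: 0 ok, 1 too old, 2 component not found in the banner.
check_component() {
    found=$(banner_version "$1" "$3")
    if [ -z "$found" ]; then
        printf '%-8s not found in banner\n' "$1"; return 2
    elif version_ge "$found" "$2"; then
        printf '%-8s %s ok (>= %s)\n' "$1" "$found" "$2"; return 0
    else
        printf '%-8s %s OLD, need %s\n' "$1" "$found" "$2"; return 1
    fi
}

# Live run on the box. httpd -v and ssh -V print their own banners (ssh -V
# writes to stderr). mod_ssl only identifies itself in the Server: header,
# so ask the local web server for it (assumes Web Sharing is on and curl,
# or any client that shows response headers, is installed).
audit_live() {
    rc=0
    check_component Apache  1.3.26 "$(/usr/sbin/httpd -v 2>&1)" || rc=1
    check_component OpenSSH 3.4p1  "$(ssh -V 2>&1)"             || rc=1
    check_component mod_ssl 2.8.9  "$(curl -sI http://localhost/ | grep -i '^Server:')" || rc=1
    return $rc
}

case "${1:-}" in live) audit_live ;; esac
```

    Run it as `sh check-update.sh live`; a non-zero exit means at least one component is missing or older than required. Note that a `Server:` header only proves what the running httpd was built with, so restart Apache from the Sharing pane after the update before trusting that line.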
  13. Re:Mac running webservers? by bsartist · · Score: 2, Informative

    It runs as a daemon, and is started by a shell script, just like on every other UNIX.

    --
    Lost: Sig, white with black letters. No collar. Reward if found!
  14. Just in time by paco+verde · · Score: 4, Informative

    Traffic on bugtraq the last few hours indicates there is now a worm in the wild exploiting the Apache chunked-encoding vulnerability. http://online.securityfocus.com/archive/1/279529/2002-06-25/2002-07-01/0

    1. Re:Just in time by Lord+Kenja · · Score: 2, Informative

      No. Not really. There is no binary compatibility with the worm (99% sure it's an Intel worm). So it won't infect Mac OS X boxes. But nonetheless it's a good thing they keep up-to-date with the open source components they use.

  15. Oh this is going to be fun. by donutello · · Score: 2, Informative

    1. Repost every post from the previous MS security release thread here changing MS to Apple/Unix/Linux and vice versa.
    2. ???
    3. Profit!

    --
    Mmmm.. Donuts
  16. Re:Do Apple's make good webservers? by Anonymous Coward · · Score: 1, Informative

    OpenBSD and NetBSD are ported to PPC. FreeBSD is on x86 & Alpha only. (There might be a port for PPC and Sparc being worked on, but it's not a -RELEASE).

    It always comes down to the right tool for the right job. If you run a Mac shop, why run a PC webserver? Apache for MacOS X is not the first webserver to run on a Mac. Macs have served pages for many years, and with fewer exploits (if any).

    In fact I have a Beige G3 Desktop right next to my Sun SPARCstation, and my Proliant W2KAS, the G3 is running MacOS X w/Apache hosting my website--Why? 'Cause it can.

  17. Re:Update does not address privilege separation is by Graff · · Score: 3, Informative

    Scott Anguish has an article on stepwise.com that shows you how to build OpenSSH yourself. He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.

    I don't know if Apple configures their update similarly, but I'll bet they do.

  18. Re:Let's hope Apple gets quicker.... by @madeus · · Score: 3, Informative

    Sadly Apple has had a (local) exploit in the default install of Mac OS X (10.0 through 10.1).

    It was 'gain root access' via a NetInfo hack (details here: http://www.securiteam.com/securitynews/6T00O0K2UW.html).

    Basically all you needed to do to exploit this was:
    a) Run an application (e.g. Terminal)
    b) Run NetInfo Manager (in /Applications/Utilities/) and leave it running as the foreground Application.
    c) Run the 1st application (e.g. Terminal) but this time start it from the "Apple->Recent Items->" menu and it will run as setuid root.

    In the case of the Terminal application, this gave you a root prompt.

    :-(

  19. Re:Update does not address privilege separation is by uid8472 · · Score: 2, Informative

    He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.

    If you run every non-privileged service (http, anon ftp, ntp, nntp, etc.) and partial service (ssh, mail, etc.) as the same non-privileged user, it defeats a lot of the purpose of the non-privilegedness. Even with chrooting, a process running as a non-root user can affect other processes that belong to the same user (e.g. send them signals). This is why vendors and sysadmins who know what they're doing create a different user for each service.
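    For anyone who wants to check where their box stands on the two points raised in this sub-thread (Alex Reynolds: the update does not do the README.privsep setup; uid8472: reusing "nobody" for every service defeats much of the point), here is an added audit script from the editor. It is not Apple's code, not OpenSSH's, and not something posted in the thread. Assumptions: sshd_config is /etc/sshd_config, the chroot target is /var/empty, the privsep account is named "sshd", and accounts are read from the local NetInfo domain "." with niutil. The three checking functions are pure and take their input as arguments; only privsep_audit touches the live system.

```shell
#!/bin/sh
# Added example (editor's, not Apple's or the OpenSSH project's code): audit
# the README.privsep prerequisites on a Mac OS X 10.1 box and flag a privsep
# uid that is shared with other service accounts.
# Assumptions: /etc/sshd_config, /var/empty, account "sshd", NetInfo domain ".".

# sshd_option KEY FILE: value of the first uncommented KEY line. sshd keywords
# are case-insensitive and the first occurrence wins, later duplicates do not.
sshd_option() {
    [ -r "$2" ] || return 1
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# empty_dir_verdict PERMS UID: judge an "ls -ldn" permission string and numeric
# owner for the chroot target. README.privsep wants a real directory, owned by
# root, mode 755: if the unprivileged child can write there, it can plant files
# for whatever runs next and the empty chroot buys nothing.
empty_dir_verdict() {
    case "$1" in
        d*) ;;
        *) echo "not a plain directory ($1)"; return 1 ;;
    esac
    [ "$2" = 0 ] || { echo "owned by uid $2, must be root"; return 1; }
    case "$1" in
        ?????w*|????????w*) echo "group- or world-writable ($1)"; return 1 ;;
    esac
    echo "ok ($1, owned by root)"
}

# uid_sharers NAME UID LIST: names other than NAME that map to UID in LIST,
# given as "name:uid" lines. A service that runs as the same uid as nobody or
# www can signal or otherwise interfere with those daemons' processes.
uid_sharers() {
    printf '%s\n' "$3" | awk -F: -v n="$1" -v u="$2" '$2 == u && $1 != n { print $1 }'
}

# privsep_audit [SSHD_CONFIG]: live audit of this box; 0 only if all checks pass.
privsep_audit() {
    cfg=${1:-/etc/sshd_config}; rc=0

    val=$(sshd_option UsePrivilegeSeparation "$cfg" | tr 'A-Z' 'a-z')
    if [ "$val" = yes ]; then
        echo "$cfg: UsePrivilegeSeparation yes"
    else
        echo "$cfg: UsePrivilegeSeparation is '${val:-unset}'; set it to yes explicitly"; rc=1
    fi

    if [ -d /var/empty ]; then
        set -- $(ls -ldn /var/empty)          # perms links uid gid ...
        msg=$(empty_dir_verdict "$1" "$3") || rc=1
        echo "/var/empty: $msg"
    else
        echo "/var/empty missing: mkdir it, chown root, chmod 755"; rc=1
    fi

    # niutil -list prints "dirid name" per account; turn that into name:uid.
    accounts=$(niutil -list . /users 2>/dev/null | awk '{ print $2 }' |
        while read -r n; do
            printf '%s:%s\n' "$n" "$(niutil -readprop . "/users/$n" uid 2>/dev/null)"
        done)
    sshd_uid=$(printf '%s\n' "$accounts" | awk -F: '$1 == "sshd" { print $2; exit }')
    if [ -z "$sshd_uid" ]; then
        echo "no sshd account: create user and group sshd, home /var/empty, shell /bin/false"; rc=1
    else
        shared=$(uid_sharers sshd "$sshd_uid" "$accounts")
        if [ -n "$shared" ]; then
            # unquoted $shared collapses the newline-separated names onto one line
            echo "sshd uid $sshd_uid is shared with: $(echo $shared); give each service its own uid"; rc=1
        else
            echo "sshd account ok (uid $sshd_uid, not shared)"
        fi
    fi
    return $rc
}

case "${1:-}" in audit) privsep_audit "${2:-}" ;; esac
```

    Run as `sudo sh privsep-audit.sh audit`. The uid-sharing check is the one that catches the "just use nobody" shortcut: on a stock box nobody is uid -2, so an sshd entry created with that uid will be reported as shared with nobody, which is exactly the situation uid8472 argues against.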

  20. Re:Problem seen - addressed by Frater+219 · · Score: 5, Informative
    Yes, they produced an update. No, it wasn't fast enough.

    For what it's worth, Apple has responded more promptly to the Apache vulnerability than have other commercial Unix vendors. I do security work for my employer (a research institution with dozens of independent Web servers). We have all manner of systems running Apache -- but mostly Red Hat, Sun, and SGI. Guess which one of those three is the only one to have an officially supported patch out -- and which two I'm telling people they need to compile the new version from source?

    No, Apple didn't have the patch out as quickly as Red Hat or Debian. Nevertheless, it is interesting to note that the open-source distributors patched quickest, the closed-source vendors (Sun and SGI) haven't patched yet -- and halfway-open Apple is right in the middle. For a company with precious little experience on the server side of things, Apple has done quite nicely.

  21. Re:metrics contradict slashdot truisms by Frater+219 · · Score: 3, Informative
    How can this be?

    Well, simple really:

    • 1. You're not telling the truth. The link and count you gave was for all patches against Red Hat 7.2 since its release, not "alone in 2002" -- and includes enhancements as well as security patches. Microsoft doesn't hand out enhancements to its software as patches -- it charges for them as new releases.
    • 2. Red Hat has more software. The amount of functionality Red Hat ships dwarfs that available in Windows. The diversity of software shipped on two or three CDs of Red Hat dwarfs that in a comparable amount of OS and application distribution from Microsoft. Microsoft has a few large "integrated" applications, whereas Red Hat has many smaller, intercompatible ones.
    • 3. Red Hat doesn't delay and hide. Microsoft has a practice of delaying patches and releasing several in one bundled "service pack" -- whereas Red Hat releases one patch per problem, promptly. That inflates the counts on Red Hat's side, but improves the actual security -- and actions count more than words, or numbers.
    • 4. Red Hat actually releases fixes! Microsoft's software has at least 18 publicly known, exploitable, unpatched vulnerabilities -- and that's just in one product, Internet Explorer. Show me a comparable list for any current version of any open-source product or distribution.
    Sorry, Bill -- you lose this round. Red Hat is far from the best of Linux distributors or open-source operating systems in its security record, but it's far and away above your little offering. Maybe you should spend less time plotting ways to subvert democracy, destroy the public domain, and harm your customers -- and more time checking your code?
  22. Re:Do Apple's make good webservers? by 90XDoubleSide · · Score: 3, Informative
    To have an OS X machine turn back on after a power failure, go to System Preferences, go to the Energy Saver tab, go to the options tab, and check, "Restart automatically after a power failure." All G4 machines (and most G3s) have this feature.

    I don't know how to do this in pure Darwin, but I assume you can since all power management is handled by Darwin.

    --
    "Reality is just a convenient measure of complexity" -Alvy Ray Smith