Slashdot Mirror

← Back to Stories (view on slashdot.org)

OS X Security Update: Apache, SSL and SSH

Posted by jamie on from the sounds-like-a-good-idea dept.

payote writes "Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system." It's not in my Software Update window, because I'm still on 10.1.4 (having heard rumors that RtCW doesn't work on 10.1.5). But it is indeed out, and any Mac OS X machine whose webserver or ssh server is open to an untrusted network needs to upgrade.

11 of 216 comments (clear)

  1. Ruins custom PHP installs by arson1 · · Score: 5, Informative

    be prepared to reinstall PHP if you had a customized verison. This updates writes over it.

    --


    --
    Don't sweat the petty things, and don't pet the sweaty things.
  2. RTCW by cyphersoft · · Score: 5, Informative

    Whatever rumor you heard was incorrect. OS X 10.1.5 actually fixes several problems related to RTCW. Several serious issues I was having were resolved by updating to 10.1.5 and confirmed by Aspyr tech support. I highly recommend the upgrade. Specifically RTCW under 10.1.4 didn't work with the GeForce4Ti above 640x480 and now it works up to 1024x768. You'll still need to use an old card like the GeForce4MX if you want to go all the way to 1600x1200 with it though.

  3. Re:Problem seen - addressed by nbvb · · Score: 5, Informative

    NOT TRUE.

    Apple still *does* ship the compilers. On the newer machines go to /Applications/Utilities/Installers and install the "Developer Tools.pkg" file. That will do it :-)

    I don't know why they don't install it with the base OS, but at least they put the installer on the disk for you!

    --NBVB

  4. RtCW failing is related to RtCW upgrade 1.33 by redwoodtree · · Score: 4, Informative

    10.1.5 has nothing to do with RtCW failing. Recently the 1.33 version of return to castle wolfenstein was released for linux and PC. When this happened many multi-player server started to require 1.33 (pure servers) in order to play.

    There's some disucssion on whether Aspyr will patch this however there is a workaround. Download the "lite" version of the 1.33 upgrade for PC, unstuffit and then replace mp_bin.pk3 in your MAIN folder.

    These instructions are highligted at the bottom of this URL on Aspyr's site

  5. Re:FYI, no reboot needed by scorpioX · · Score: 5, Informative

    Just like updating iTunes (an MP3 player) shouldn't need a reboot...except iTunes did require the reboot, and ssh didn't.

    iTunes updates usually also update the core CD/DVD burning libraries as well as the kernel extensions that support the drives. This is why iTunes requires a reboot. The original poster did say '...as long as the kernel or core libraries aren't updated'.

  6. Re:Mac running webservers? by marmoset · · Score: 4, Informative
    You can start it and stop it from System Preferences (analagous to the Control Panels in MacOS 9.x and below.) There's a pane on the sharing button that essential hooks up to "apachectl" on the backend, which fires off httpd just like every other Unix box in the world.



    Pages under the hierachy /Library/WebServer/Documents and in the users home directories (/Users/[username]/Sites) are served, you can tweak everything in Private/etc/httpd, logs go in /Private/var/log/httpd

  7. Update does not address privilege separation issue by Alex+Reynolds · · Score: 4, Informative

    While OpenSSH 3.4p1 fixes the bug that lead to offering a priv-sep version in 3.3p1, the July Security Update does not modify the Netinfo tables to add a sshd user and group, along with the other configuration steps listed in README.privsep. It is suggested that Apple engineers may address privilege separation in Jaguar or an update to Jaguar.

  8. Didn't ruin my installation by patrickoehlinger · · Score: 5, Informative

    Didn't ruin anythink in my php installation. By the way there is a great step by step php installation guide to get the newest version of php (this one is even recommanded by apple).

    --
    >> Had I been going to bed earlier every night? Have I been sleeping later? Has Tyler been in charge longer and l
  9. mod_ssl 2.8.9 has a security hole by chrysalis · · Score: 4, Informative

    The version they should upgrade to is 2.8.10, that fixes a buffer overlow that can be triggered through .htaccess files.

    --
    {{.sig}}
  10. Just in time by paco+verde · · Score: 4, Informative

    Traffic on bugtraq the last few hours indicates there is now a worm in the wild exploiting the Apache chunked-encoding vulnerability. http://online.securityfocus.com/archive/1/279529/2 002-06-25/2002-07-01/0

  11. Re:Problem seen - addressed by Frater+219 · · Score: 5, Informative
    Yes, they produced an update. No, it wasn't fast enough.

    For what it's worth, Apple has responded more promptly to the Apache vulnerability than have other commercial Unix vendors. I do security work for my employer (a research institution with dozens of independent Web servers). We have all manner of systems running Apache -- but mostly Red Hat, Sun, and SGI. Guess which one of those three is the only one to have an officially supported patch out -- and which two I'm telling people they need to compile the new version from source?

    No, Apple didn't have the patch out as quickly as Red Hat or Debian. Nevertheless, it is interesting to note that the open-source distributors patched quickest, the closed-source vendors (Sun and SGI) haven't patched yet -- and halfway-open Apple is right in the middle. For a company with precious little experience on the server side of things, Apple has done quite nicely.