Slashdot Mirror


OS X Security Update: Apache, SSL and SSH

payote writes "Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system." It's not in my Software Update window, because I'm still on 10.1.4 (having heard rumors that RtCW doesn't work on 10.1.5). But it is indeed out, and any Mac OS X machine whose webserver or ssh server is open to an untrusted network needs to upgrade.

18 of 216 comments

  1. Problem seen - addressed by blakespot · · Score: 3, Insightful

    Apache makes the vulnerability known, and Apple's right there with an OS patch bringing the new version into the fold.

    How it should be. OS X.

    blakespot

    --
    -- Heisenberg may have slept here.
    iPod Hacks.com
    1. Re:Problem seen - addressed by Anonymous Coward · · Score: 1, Insightful

      According to some guys at Apple, they were worried that lazy developers would rely on end users to drop down into Terminal and run perl scripts and such to do installations if they allowed them to assume that every OSX user would have developer tools.

    2. Re:Problem seen - addressed by Anonymous Coward · · Score: 5, Insightful
      I totally agree. They took their sweet time with this one.


      YEAH! Those boneheads prolly wasted time testing and crap like that.

  2. Quick and easy by znu · · Score: 4, Insightful

    Two minute install, no reboot required. Nice.

    --
    This space unintentionally left unblank.
  3. Re:Hypocrites QWZX by dthable · · Score: 1, Insightful

    The Slashdot editors do not embrace Free Software, they are ONLY running away from Microsoft.

    Sometimes we don't all want to feel like developers. It's good to be a user every now and then.

  4. Let's hope Apple gets quicker.... by hoya · · Score: 3, Insightful
    I am happy to see that Apple is doing the right thing. I just hope their next update comes a little bit quicker after a vulnerability is announced.

    I mean, I had already updated my FreeBSD machines two days ago. I got sick of waiting for Apple to release the easy to apply software update patch so I just manually upgraded my OpenSSH via the command line.

    I understand that most of Apple's users don't want to touch the command line and wouldn't know where to start compiling software, so I also understand that it will take them a little time to deliver the security patch in an easy to install fashion via software update. I just hope they release the next update more quickly, instead of waiting for a few needed updates to pile up and release an all in one uber-update.

    1. Re:Let's hope Apple gets quicker.... by erohw+amrak · · Score: 2, Insightful

      The Apache updates should have been days (if not a week) ago. The OpenSSH update is recent, but there was such a fuss over the method chosen to announce it that most people updated already anyway.

      Regardless, I can now confirm that there are exploits circulating in the wild for both of these vulnerabilities. I have, in my inbox, a copy of an Apache worm that specifically targets FreeBSD 4.5 releases running Apache 1.3.20, 1.3.22, and 1.3.24. Also, one of the IDS systems caught a version of the OpenSSH 3.3 exploit Wednesday morning.

      Apple is quick, but still too slow, as many of these systems could have already been compromised.

    2. Re:Let's hope Apple gets quicker.... by BWJones · · Score: 5, Insightful

      I am happy to see that Apple is doing the right thing. I just hope their next update comes a little bit quicker after a vulnerability is announced.

      Jeez, cut them a break man. I just heard of this vulnerability a couple of days ago myself, and was surprised to see an update to remedy this issue so quickly. Because of their commitment to quality in their products, I am sure Apple wanted to QA this thing first before releasing something buggy on their customers.

      You have to admit that Apple has been FAR more responsive to their customers with a variety of issues than has M$ and even a bunch of Linux distros.

      --
      Visit Jonesblog and say hello.
  5. Re:FYI, no reboot needed by uncleFester · · Score: 5, Insightful

    Upgrading Apache and OpenSSH (and most other apps, even daemons/services) doesn't even require a reboot on Win2000/XP. Welcome to the future!

    No, welcome to the past. Updating ANY daemon, service or software not directly related to the kernel or core libraries does not require reboot. Where the hell have you been?

    It's quite sad when the words 'update' or 'patch' are considered synonymous with 'reboot.'

    --
    -'fester
  6. What is going on? by jonnythan · · Score: 4, Insightful

    Wow, when Microsoft issues a security update they are lambasted for putting out an insecure operating system.

    Apple releases a massive security update and they are lauded for their focus on protecting their users.

    Red Hat releases security updates and no one mentions them at all.

    1. Re:What is going on? by beagle · · Score: 3, Insightful

      Well, first, the problems fixed here are not the fault of Apple -- they are security holes in popular third-party tools. Contrast that to Microsoft's own security holes in their own code.

      Second, Apple took way too long to release the Apache update. Red Hat had a fix available the next day...Apple's fix is well over a week after the fact.

      See, Red Hat got mentioned! ;)

  7. Re:Good to see... by Aqua+OS+X · · Score: 4, Insightful

    Ehh, even if OS X is a *nix OS, most malicious little trolls are still quite unfamiliar with MacOS, and that means that Apple doesn't have to rush these minor updates out the door as soon as they are developed.

    It makes more sense for Apple to simply release packages consisting of multiple minor security updates every three to six months. Most mac users would rather not have Software Update launch and pester them every week.

    --
    "Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
  8. Apple's response time by Anonymous Coward · · Score: 1, Insightful

    I'd like to somewhat lessen the blows that I see against Apple for its not-so-quick release of the Apache vulnerability patch. I think they should have released it faster, but at the same time I can see why they gave themselves some time to test it, and when the OpenSSH vuln was revealed, some time to incorporate that into the same patch. There was no exploit released for OS X or anything on PPC arch that I could see. It just wasn't targeted. The worm that is out is for BSD, but it's x86 shellcode, so again, OS X is not affected. I think the worm is only FreeBSD as well. But anyway, what I'm saying is that they probably could have released it faster, but there wasn't really anything at risk unless you were being specifically targeted by someone other than a script kiddie who actually knew what he/she was doing.

    Cheers,
    -JD-

  9. Re:Do Apple's make good webservers? by GutBomb · · Score: 5, Insightful

    Typically the reason Apache is enabled on many MacOS machines is for web development. Up until now, it was a bit difficult to get SSI and PHP and other server-side stuff working while developing on a Mac. Now that Apache and OS X can work together, the combination is used much more often.

  10. I see you under that bridge by mumkin · · Score: 2, Insightful

    Ehh, even if OS X is a *nix OS, most malicious little trolls are still quite unfamiliar with MacOS...

    I don't think that they care whether it's MacOS or not. It's Apache or it's SSH -- they're familiar enough with those.

    It makes more sense for Apple to simply release packages consisting of multiple minor security updates every three to six months.

    You're trolling, right? You must be trolling. You really think that Apple should leave big, known, gaping holes unpatched for months on end? Check it, man, a week wasn't fast enough for a number of posters in this forum... if Apple let 3 months go by they'd be crucified, even if not a single Mac was 'sploited.

    Most mac users would rather not have Software Update launch and pester them every week.

    I don't know. I feel a frisson of excitement when SU has something new for me. Usually it means that something that was broken will soon be less broken, or better yet, there will be new functionality for me to enjoy. Granted the latest AirPort update was a major bust, but I'm all in favor of their rolling out the latest bugfixes as soon as they've been thoroughly tested.

  11. Why M$ gets bashed for security updates. by alchemist68 · · Score: 1, Insightful

    Not trying to be a troll, but everyone keeps mentioning that Microsoft gets bashed for security updates while Apple doesn't. Why is this? Because Apple generally takes care of the problem with one or two fixes whereas M$ seems to continue introducing security bugs & holes with every patch. Almost every M$ program (and operating system) associated with internet access seems to have serious security holes, time and time again... Internet Exploder, Internet Information Server, MSN Messenger, Outlook Express, Entourage, Visual Basic, even Office apps... Shall I continue? For all the money that M$ brings in from sales, extortion, bribery, etc... you'd think they would hire the BEST programmers money could buy to write their software. But oh, slap my face, the current business model keeps the tech industry gainfully employed.

  12. Re:Good to see... by tdelaney · · Score: 4, Insightful

    1. The patch needed to become available.

    2. Apple needed to test the patch.

    3. Apple needed to build the updater.

    Those who were willing have been able to apply the patches to their machines for a week. How many machines running OpenSSH and Apache have been patched (no, not just OS X - all machines that run those)?

    Apple has made its update available and easily installable. Within 1-2 weeks, over 80% of MacOS X systems are likely to be patched. Somehow I doubt that any other OS will be able to claim those numbers within a month of the bugs being found.

    Of course, the majority of those systems aren't *running* Apache and OpenSSH, but other people have pointed that out.

  13. Re:Do Apple's make good webservers? by bsartist · · Score: 4, Insightful

    Then the 10.1.4 update broke PHP...

    ...because you chose to install your custom Apache in the same location as the stock version that Apple maintains. Apple didn't force you to install it there - you made that choice. The update may have broken your PHP install, but that's only because you put a big sign on it that said "break me."

    If you walk out into traffic, you'll get run over. If you hit yourself on the head with a hammer, you'll get a concussion. If you install Apache over top of the copy that Apple provides, then when (not if) they update their install, yours will be overwritten. In each case, the answer is simple: don't fscking do that!

    Good lord people, think! This isn't rocket science. It's simple. If you ask for problems, you'll get them.

    --
    Lost: Sig, white with black letters. No collar. Reward if found!