OS X Security Update: Apache, SSL and SSH

payote writes "Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system." It's not in my Software Update window, because I'm still on 10.1.4 (having heard rumors that RtCW doesn't work on 10.1.5). But it is indeed out, and any Mac OS X machine whose webserver or ssh server is open to an untrusted network needs to upgrade.

Problem seen - addressed

[blakespot]

Apache makes the vulnerability known, and Apple's right there with an OS patch bringing the new version into the fold.

How it should be. OS X.

blakespot

Re:Problem seen - addressed

I totally agree. They took their sweet time with this one.

YEAH! Those boneheads prolly wasted time testing and crap like that.

Quick and easy

[znu]

Two minute install, no reboot required. Nice.

Let's hope Apple gets quicker....

[hoya]

I am happy to see that Apple is doing the right thing. I just hope their next update comes a little bit quicker after a vulnerability is announced.

I mean, I had already updated my FreeBSD machines two days ago. I got sick of waiting for Apple to release the easy to apply software update patch so I just manually upgraded my OpenSSH via the command line.

I understand that most of Apple's users don't want to touch the command line and wouldn't know where to start compiling software, so I also understand that it will take them a little time to deliver the security patch in an easy to install fashion via software update. I just hope they release the next update more quickly, instead of waiting for a few needed updates to pile up and release an all in one uber-update.

Re:Let's hope Apple gets quicker....

[BWJones]

I am happy to see that Apple is doing the right thing. I just hope their next update comes a little bit quicker after a vulnerability is announced.

Jeez, cut them a break man. I just heard of this vulnerability a couple of days ago myself, and was surprised to see an update to remedy this issue so quickly. Because of their commitment to quality in their products, I am sure Apple wanted to QA this thing first before releasing something buggy on their customers.

You have to admit that Apple has been FAR more responsive to their customers with a variety of issues than has M$ and even a bunch of Linux distros.

Re:FYI, no reboot needed

[uncleFester]

Upgrading Apache and OpenSSH (and most other apps, even daemons/services) doesn't even require a reboot on Win2000/XP. Welcome to the future!

No, welcome to the past. Updating ANY daemon, service or software not directly related to the kernel or core libraries does not require reboot. Where the hell have you been?

It's quite sad when the words 'update' or 'patch' are considered synonymous with 'reboot.'

What is going on?

[jonnythan]

Wow, when Microsoft issues security update they are lambasted for putting out an insecure operating system.

Apple releases massive security update and they are lauded for their focus on protecting their users.

Red Hat releases security updates and no one mentions them at all.

Re:What is going on?

[beagle]

Well, first, the problems fixed here are not the fault of Apple -- they are security holes in popular third-party tools. Contrast that to Microsoft's own security holes in their own code.

Second, Apple took way too long to release the Apache update. Red Hat had a fix available the next day...Apple's fix is well over a week after the fact.

See, Red Hat got mentioned! ;)

Re:Good to see...

[Aqua+OS+X]

Ehh, even if OS X is a *nix OS, most malicious little trolls are still quite unfamiliar with MacOS, and that means that Apple doesn't have to rush these minor updates out the door as soon as they are developed.

It makes more sense for Apple to simply release packages consisting of multiple minor security updates every three to six months. Most mac users would rather not have Software Update launch and pester them every week.

Re:Do Apple's make good webservers?

[GutBomb]

typically the reason apache is enabled on many macos machines is for web development. up until now, it was a bit difficult to get ssi and php and other server side stuff working while developing on a mac. now that apache and osx can work together, the combination is used much more often.

Re:Good to see...

[tdelaney]

1. The patch needed to become available.

2. Apple needed to test the patch.

3. Apple needed to build the updater.

Those who were willing to have been able to apply the patches to their machines for a week. How many machines running OpenSSH and Apache have been patched (no, not just OS X - all machines that run those)?

Apple has made its update available and easily installable. Within 1-2 weeks, over 80% of MacOS X systems are likely to be patched. Somehow I doubt that any other OS will be able to claim those numbers within a month of the bugs being found.

Of course, the majority of those systems aren't *running* Apache and OpenSSH, but other people have pointed that out.

Re:Do Apple's make good webservers?

[bsartist]

Then the 10.1.4 update broke PHP...

...because you chose to install your custom Apache in the same location as the stock version that Apple maintains. Apple didn't force you to install it there - you made that choice. The update may have broken your PHP install, but that's only because you put a big sign on it that said "break me."

If you walk out into traffic, you'll get run over. If you hit yourself on the head with a hammer, you'll get a concussion. If you install Apache over top of the copy that Apple provides, then when (not if) they update their install, yours will be overwritten. In each case, the answer is simple: don't fscking do that!

Good lord people, think! This isn't rocket science. It's simple. If you ask for problems, you'll get them.