OS X Security Update: Apache, SSL and SSH
payote writes "Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system." It's not in my Software Update window, because I'm still on 10.1.4 (having heard rumors that RtCW doesn't work on 10.1.5). But it is indeed out, and any Mac OS X machine whose webserver or ssh server is open to an untrusted network needs to upgrade.
Nicely enough, this does not require a reboot to get working. Downloaded and killed off the old sshd (and one would assume Apache if I had a web server on my laptop!).
Apache 1.3.26 fixes the hole; this is the Apache version supplied in the OS X update.
[ This is not a troll, nor flame, just opinion ]
The Apache vulnerability was known 6/17 (aka 11 days ago). The exploits were circulating by 6/20 (aka 8 days ago).
The OpenSSH vulnerability is more recent, so I won't hassle with that, but not producing an update until a week after exploits are already circulating is dangerous at the very least. Yes, they produced an update. No, it wasn't fast enough.
Ironically though, since SSH and Apache are both off in the default install, does that mean that OS X takes over the title of "Never had an exploit in the default install"? It's been out a year now so that's actually a reasonably impressive claim.
Have I missed a bug along the way somewhere? I do remember doing a manual Apache upgrade at one point but don't recall that being a remote root bug.
I haven't seen this topic really ever brought up...
Linux and FreeBSD have been available for PPC for a while now, meaning that people could be running Macs as webservers. Although a very tiny percentage of the server population runs Mac webservers, these are mostly running enthusiasts' webpages. The bottom line is, most serious webserving applications use Linux or FreeBSD or (gasp) IIS on PCs. (Also multi-CPU Unix servers, etc.)
My question is... why the small portion of webservers running on Apple? Is it because:
1) Apple computers represent a small portion of the computer market
2) Apple users generally run web servers
3) Apple computers suck at running web servers
4) Network admins don't like Apples
5) Some combination of the above
I'd be interested in hearing some people's comments.
Cheers!
While looking at the Apache setup in MacOS X, I decided to set up log analysis, and discovered that this security update implements Apache's rotatelogs. A minor upgrade, but a nice improvement that shows Apple is serious about their server platform. The (fairly) speedy response to the OpenSSH and Apache security holes also shows Apple is taking pains to do it right.
Apple's response time is as fast as Red Hat's. That's pretty amazing, considering. Red Hat should have been faster though. Although, Red Hat's caution paid off in that the ssh vulnerability did not, apparently, affect their systems.
Apple has been shipping ATI hardware acceleration in OS X since 10.0. 10.1.5 added support for some of the ancient ATI cards. 10.2 adds hardware accelerated scrolling support for ATI and NVidia cards, in addition to Quartz Extreme for Radeon/GeForce cards (it's not a VRAM issue as much as it is support for textures that aren't a power of two in a dimension).
-jon
Remember Amalek.