Slashdot Mirror
OS X Security Update: Apache, SSL and SSH
payote writes "Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system." It's not in my Software Update window, because I'm still on 10.1.4 (having heard rumors that RtCW doesn't work on 10.1.5). But it is indeed out, and any Mac OS X machine whose webserver or ssh server is open to an untrusted network needs to upgrade.
Apache makes the vulnerability known, and Apple's right there with an OS patch bringing the new version into the fold.
How it should be. OS X.
blakespot
-- Heisenberg may have slept here.
iPod Hacks.com
be prepared to reinstall PHP if you had a customized verison. This updates writes over it.
--
Don't sweat the petty things, and don't pet the sweaty things.
RedHat just came out with their updated RPMS also. Last time that SSH came out with a security vulnerability (the same time the zlib one hit) I WAS HACKED! Do you know how bad you feel after you've been hacked? Its like being neutered.
In college, really poor, need a flatscreen.
Two minute install, no reboot required. Nice.
This space unintentionally left unblank.
Nicely enough, this does not require a reboot to get working. Downloads and killed off the old sshd (and one would assume Apache if I had a web server on my laptop!).
Apache 1.3.26 fixes the hole; This is the Apache version supplied in the OS X update.
... the hole [cert.org] that allows a specially crafted, chunk-encoded HTTP request to execute arbitrary code on the server ...
Well, Apache 1.3.26 is included in the update, and as far as I thought, Apache 1.3.26 was an update specifically to fix that hole. But I could be wrong.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
I mean, I had already updated my FreeBSD machines two days ago. I got sick of waiting for Apple to release the easy to apply software update patch so I just manually upgraded my OpenSSH via the command line.
I understand that most of Apple's users don't want to touch the command line and wouldn't know where to start compiling software, so I also understand that it will take them a little time to deliver the security patch in an easy to install fashion via software update. I just hope they release the next update more quickly, instead of waiting for a few needed updates to pile up and release an all in one uber-update.
Whatever rumor you heard was incorrect. OS X 10.1.5 actually fixes several problems related to RTCW. Several serious issues I was having were resolved by updating to 10.1.5 and confirmed by Aspyr tech support. I highly recommend the upgrade. Specifically RTCW under 10.1.4 didn't work with the GeForce4Ti above 640x480 and now it works up to 1024x768. You'll still need to use an old card like the GeForce4MX if you want to go all the way to 1600x1200 with it though.
10.1.5 has nothing to do with RtCW failing. Recently the 1.33 version of return to castle wolfenstein was released for linux and PC. When this happened many multi-player server started to require 1.33 (pure servers) in order to play.
There's some disucssion on whether Aspyr will patch this however there is a workaround. Download the "lite" version of the 1.33 upgrade for PC, unstuffit and then replace mp_bin.pk3 in your MAIN folder.
These instructions are highligted at the bottom of this URL on Aspyr's site
Pages under the hierachy
Wow, when Microsoft issues security update they are lambasted for putting out an insecure operating system.
Apple releases massive security update and they are lauded for their focus on protecting their users.
Red Hat releases security updates and no one mentions them at all.
While OpenSSH 3.4p1 fixes the bug that lead to offering a priv-sep version in 3.3p1, the July Security Update does not modify the Netinfo tables to add a sshd user and group, along with the other configuration steps listed in README.privsep. It is suggested that Apple engineers may address privilege separation in Jaguar or an update to Jaguar.
Didn't ruin anythink in my php installation. By the way there is a great step by step php installation guide to get the newest version of php (this one is even recommanded by apple).
>> Had I been going to bed earlier every night? Have I been sleeping later? Has Tyler been in charge longer and l
The version they should upgrade to is 2.8.10, that fixes a buffer overlow that can be triggered through .htaccess files.
{{.sig}}
It runs as a daemon, and is started by a shell script, just like on every other UNIX.
Lost: Sig, white with black letters. No collar. Reward if found!
Traffic on bugtraq the last few hours indicates there is now a worm in the wild exploiting the Apache chunked-encoding vulnerability. http://online.securityfocus.com/archive/1/279529/2 002-06-25/2002-07-01/0
Ehh, even if OS X is a *nix OS, most malicious little trolls are still quite unfamiliar with MacOS, and that means that Apple doesn't have to rush these minor updates out the door as soon as they are developed.
It makes more sense for Apple to simply release packages consisting of multiple minor security updates every three to six months. Most mac users would rather not have Software Update launch and pester them every week.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
I guess your new to this whole computer security thing. If you don't understand the difference between how MS and redhat have reacted to security problems for the past 6 years, then I am not going to explain it to you.
If you wanna get rich, you know that payback is a bitch
I know.. i know.. a unix/linux site. But interesting indeed how Microsoft got BASHED for releasing 3 VERY easy to install patches that aren't really exploited at this point, and EVERY unix that uses the apache, ssl, ssh combination previous to the listed versions is needing a repair as well.
can't we all just get a bong?
1. Repost every post from the previous MS security release thread here changing MS to Apple/Unix/Linux and vice versa.
2. ???
3. Profit!
Mmmm.. Donuts
it's not like this is open source or anything. IT's not like the users could get patches themselves from apache and install them.
I mean, if you want to rely on a vendor supplied package based on an open project, of COURSE there is going to be a lag.
Scott Anguish has an article on stepwise.com that shows you how to build OpenSSH yourself. He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.
I don't know if Apple configures their update similarly, but I'll bet they do.
Sapere aude!
typically the reason apache is enabled on many macos machines is for web development. up until now, it was a bit difficult to get ssi and php and other server side stuff working while developing on a mac. now that apache and osx can work together, the combination is used much more often.
There is no good reason for your sysadmin not to let you on the network - they are being overbearing and unprofessional. If they were professional and genuinely worried they would have blocked incoming ports to your host at the switch (or at worst - the gateway).
Like most other administrators I have to work with, it sounds like they are simply exhibit big ego's and little professionalisim (though I would not wish to jump to conclusions, it's most likely in my experience).
Apart from upgrading the SSH and Apache binaries yourself (I know I was too lazy and waited for Apple because I knew one was coming out) you could simply have disabled thoses services - after all they are disabled by default on Mac OS X.
Lastly, in response the origional poster, Apple's response was slower than I would have liked (as the OpenSSH one was disclosed to vendors like Apple ~10 days before it was announced) but timely and the fix was very elegant and appears to be bug free (clean install all round, no reboot required, etc).
Ehh, even if OS X is a *nix OS, most malicious little trolls are still quite unfamiliar with MacOS...
I don't think that they care whether it's MacOS or not. It's Apache or it's SSH -- they're familiar enough with those.
It makes more sense for Apple to simply release packages consisting of multiple minor security updates every three to six months.
You're trolling, right? You must be trolling. You really think that Apple should leave big, known, gaping holes unpatched for months on end? Check it, man, a week wasn't fast enough for a number of posters in this forum... if Apple let 3 months go by they'd be crucified, even if not a single mac was 'sploited
Most mac users would rather not have Software Update launch and pester them every week.
I don't know. I feel a frisson of excitement when SU has something new for me. Usually it means that something that was broken will soon be less broken, or better yet, there will be new functionality for me to enjoy. Granted the latest AirPort update was a major bust, but I'm all in favor of their rolling out the lastest bugfixes as soon as they've been thoroughly tested.
He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.
If you run every non-privileged service (http, anon ftp, ntp, nntp, etc.) and partial service (ssh, mail, etc.) as the same non-privileged user, it defeats a lot of the purpose of the non-privilegedness. Even with chrooting, a process running as a non-root user can affect other processes that belong to the same user (e.g. send them signals). This is why vendors and sysadmins who know what they're doing create a different user for each service.
1. The patch needed to become available.
2. Apple needed to test the patch.
3. Apple needed to build the updater.
Those who were willing to have been able to apply the patches to their machines for a week. How many machines running OpenSSH and Apache have been patched (no, not just OS X - all machines that run those)?
Apple has made its update available and easily installable. Within 1-2 weeks, over 80% of MacOS X systems are likely to be patched. Somehow I doubt that any other OS will be able to claim those numbers within a month of the bugs being found.
Of course, the majority of those systems aren't *running* Apache and OpenSSH, but other people have pointed that out.
Well, simple really:
- 1. You're not telling the truth. The link and count you gave was for all patches against Red Hat 7.2 since its release, not "alone in 2002" -- and includes enhancements as well as security patches. Microsoft doesn't hand out enhancements to its software as patches -- it charges for them as new releases.
- 2. Red Hat has more software. The amount of functionality Red Hat ships dwarfs that available in Windows. The diversity of software shipped on two or three CDs of Red Hat dwarfs that in a comparable amount of OS and application distribution from Microsoft. Microsoft has a few large "integrated" applications, whereas Red Hat has many smaller, intercompatible ones.
- 3. Red Hat doesn't delay and hide. Microsoft has a practice of delaying patches and releasing several in one bundled "service pack" -- whereas Red Hat releases one patch per problem, promptly. That inflates the counts on Red Hat's side, but improves the actual security -- and actions count more than words, or numbers.
- 4. Red Hat actually releases fixes! Microsoft's software has at least 18 publicly known, exploitable, unpatched vulnerabilities -- and that's just in one product, Internet Explorer. Show me a comparable list for any current version of any open-source product or distribution.
Sorry, Bill -- you lose this round. Red Hat is far from the best of Linux distributors or open-source operating systems in its security record, but it's far and away above your little offering. Maybe you should spend less time plotting ways to subvert democracy, destroy the public domain, and harm your customers -- and more time checking your code?While looking at the Apache setup in MacOS X, I decided to set up log analysis, and discovered that this security update implements Apache's rotatelogs. A minor upgrade, but a nice improvement that shows Apple is serious about their server platform. The (fairly) speedy response to ththe OpenSSH and Apache security holes also shows Apple is taking pains to do it right.
I don't know how to do this in pure Darwin, but I assume you can since all power management is handled by Darwin.
"Reality is just a convenient measure of complexity" -Alvy Ray Smith
Each update that requires a reboot will have a little "restart" icon (aqua gumdrop with a triangle in it) next to it. I think there's also some text down at the bottom that says "restart required" when you highlight the update. Anyways, the icon makes it easy to tell which updates will require you to reboot and which won't.
Apple has been shipping ATI hardware acceleration in OS X since 10.0. 10.1.5 added support for some of the ancient ATI cards. 10.2 adds hardware accelerated scrolling support for ATI and NVidia cards, in addition to Quartz Extreme for Radeon/GeForce cards (it's not a VRAM issue as much as it is support for textures that aren't a power of two in a dimension).
-jon
Remember Amalek.
I got confused with Mac OS X Server. rotatelogs was in Mac OS X Server before the July Security Update. You could turn it on and off with the Server Admin GUI.
I'm not sure when rotatelogs got added to regular Mac OS X. My mistake. I've only been working with Apache on X Server.
Then the 10.1.4 update broke PHP...
...because you chose to install your custom Apache in the same location as the stock version that Apple maintains. Apple didn't force you to install it there - you made that choice. The update may have broken your PHP install, but that's only because you put a big sign on it that said "break me."
If you walk out into traffic, you'll get run over. If you hit yourself on the head with a hammer, you'll get a concussion. If you install Apache over top of the copy that Apple provides, then when (not if) they update their install, yours will be overwritten. In each case, the answer is simple: don't fscking do that!
Good lord people, think! This isn't rocket science. It's simple. If you ask for problems, you'll get them.
Lost: Sig, white with black letters. No collar. Reward if found!
HAHA -- well, I see that I left the smiley out. Seeing as I am the admin, I can now let my machine back on the network running httpd and ssh. :)
:( Time for a rebuild on that one -- and a new hard drive. In the meantime, its web server is down -- which is unfortunate because that's my primary web server. :(
Disabling the services is exactly what I did. I used the SSH workaround and I disabled Apache. Now I can reenable it. Oh, and this particular machine is outside the firewall.
My Linux box is so customised that I can't install Apache with RPM. I don't even have the drive space to compile httpd.