Slashdot Mirror


OS X Security Update: Apache, SSL and SSH

payote writes "Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system." It's not in my Software Update window, because I'm still on 10.1.4 (having heard rumors that RtCW doesn't work on 10.1.5). But it is indeed out, and any Mac OS X machine whose webserver or ssh server is open to an untrusted network needs to upgrade.

37 of 216 comments

  1. Problem seen - addressed by blakespot · · Score: 3, Insightful

    Apache makes the vulnerability known, and Apple's right there with an OS patch bringing the new version into the fold.

    How it should be. OS X.

    blakespot

    --
    -- Heisenberg may have slept here.
    iPod Hacks.com
    1. Re:Problem seen - addressed by erohw+amrak · · Score: 3, Interesting


      [ This is not a troll, nor flame, just opinion ]

      The apache vulnerability was known 6/17 (aka 11 days ago). The exploits were circulating by 6/20 (aka 8 days ago).

      The openssh vulnerability is more recent, so I won't hassle with that, but not producing an update until a week after exploits are already circulating is dangerous at the very least. Yes, they produced an update. No, it wasn't fast enough.

    2. Re:Problem seen - addressed by nbvb · · Score: 5, Informative

      NOT TRUE.

      Apple still *does* ship the compilers. On the newer machines go to /Applications/Utilities/Installers and install the "Developer Tools.pkg" file. That will do it :-)

      I don't know why they don't install it with the base OS, but at least they put the installer on the disk for you!

      --NBVB

    3. Re:Problem seen - addressed by Anonymous Coward · · Score: 5, Insightful

      I totally agree. They took their sweet time with this one.


      YEAH! Those boneheads prolly wasted time testing and crap like that.

    4. Re:Problem seen - addressed by Frater+219 · · Score: 5, Informative

      Yes, they produced an update. No, it wasn't fast enough.

      For what it's worth, Apple has responded more promptly to the Apache vulnerability than have other commercial Unix vendors. I do security work for my employer (a research institution with dozens of independent Web servers). We have all manner of systems running Apache -- but mostly Red Hat, Sun, and SGI. Guess which one of those three is the only one to have an officially supported patch out -- and which two I'm telling people they need to compile the new version from source?

      No, Apple didn't have the patch out as quickly as Red Hat or Debian. Nevertheless, it is interesting to note that the open-source distributors patched quickest, the closed-source vendors (Sun and SGI) haven't patched yet -- and halfway-open Apple is right in the middle. For a company with precious little experience on the server side of things, Apple has done quite nicely.

  2. Ruins custom PHP installs by arson1 · · Score: 5, Informative

    Be prepared to reinstall PHP if you had a customized version. This update writes over it.

    --
    Don't sweat the petty things, and don't pet the sweaty things.
  3. Whew by sheepab · · Score: 5, Funny

    RedHat just came out with their updated RPMS also. Last time that SSH came out with a security vulnerability (the same time the zlib one hit) I WAS HACKED! Do you know how bad you feel after you've been hacked? It's like being neutered.

    1. Re:Whew by MisterBlister · · Score: 5, Funny

      Do you know how bad you feel after you've been hacked? It's like being neutered.

      You must have been neutered, right? To make that comparison?

      Wow man, you must have big balls to admit in a public forum that you've been neutered. Wait, strike that...

  4. Quick and easy by znu · · Score: 4, Insightful

    Two minute install, no reboot required. Nice.

    --
    This space unintentionally left unblank.
  5. FYI, no reboot needed by stripes · · Score: 4, Interesting

    Nicely enough, this does not require a reboot to get working. Downloaded and killed off the old sshd (and one would assume Apache if I had a web server on my laptop!).

    1. Re:FYI, no reboot needed by uncleFester · · Score: 5, Insightful

      Upgrading Apache and OpenSSH (and most other apps, even daemons/services) doesn't even require a reboot on Win2000/XP. Welcome to the future!

      No, welcome to the past. Updating ANY daemon, service or software not directly related to the kernel or core libraries does not require reboot. Where the hell have you been?

      It's quite sad when the words 'update' or 'patch' are considered synonymous with 'reboot.'

      --
      -'fester
    2. Re:FYI, no reboot needed by marmoset · · Score: 3, Funny

      He's probably referring to the OS X Networking Update last week that some people bitched about because it forced a reboot. That one required a reboot because it replaced the network stack, not just a few daemons.

      Apple tends to err on the side of caution with their Software Update scripts, usually forcing a reboot.
      I don't mind myself, not being one of those people who equates uptime with anatomical endowment.

    3. Re:FYI, no reboot needed by scorpioX · · Score: 5, Informative

      Just like updating iTunes (an MP3 player) shouldn't need a reboot...except iTunes did require the reboot, and ssh didn't.

      iTunes updates usually also update the core CD/DVD burning libraries as well as the kernel extensions that support the drives. This is why iTunes requires a reboot. The original poster did say '...as long as the kernel or core libraries aren't updated'.

  6. Re:Does this fix the apache hole? by whee · · Score: 4, Interesting

    Apache 1.3.26 fixes the hole; this is the Apache version supplied in the OS X update.

  7. Let's hope Apple gets quicker.... by hoya · · Score: 3, Insightful

    I am happy to see that Apple is doing the right thing. I just hope their next update comes a little bit quicker after a vulnerability is announced.

    I mean, I had already updated my FreeBSD machines two days ago. I got sick of waiting for Apple to release the easy to apply software update patch so I just manually upgraded my OpenSSH via the command line.

    I understand that most of Apple's users don't want to touch the command line and wouldn't know where to start compiling software, so I also understand that it will take them a little time to deliver the security patch in an easy to install fashion via software update. I just hope they release the next update more quickly, instead of waiting for a few needed updates to pile up and release an all in one uber-update.

    1. Re:Let's hope Apple gets quicker.... by TheAJofOZ · · Score: 5, Interesting

      Ironically though, since SSH and Apache are both off in the default install, does that mean that OS X takes over the title of "Never had an exploit in the default install"? It's been out a year now so that's actually a reasonably impressive claim.

      Have I missed a bug along the way somewhere? I do remember doing a manual apache upgrade at one point but don't recall that being a remote root bug.

    2. Re:Let's hope Apple gets quicker.... by BWJones · · Score: 5, Insightful

      I am happy to see that Apple is doing the right thing. I just hope their next update comes a little bit quicker after a vulnerability is announced.

      Jeez, cut them a break man. I just heard of this vulnerability a couple of days ago myself, and was surprised to see an update to remedy this issue so quickly. Because of their commitment to quality in their products, I am sure Apple wanted to QA this thing first before releasing something buggy on their customers.

      You have to admit that Apple has been FAR more responsive to their customers with a variety of issues than has M$ and even a bunch of Linux distros.

      --
      Visit Jonesblog and say hello.
    3. Re:Let's hope Apple gets quicker.... by daeley · · Score: 4, Funny

      They spend hours--nay--days getting their virtual desktop decorated just right.

      We have to have *something* to do when we're not rebooting after crashing, reinstalling the entire system thanks to yet another virus attack, or beating back the EULA police. That's the kind of substance I can do without, thank you very much.

      Boy, the trolls sure do come out of the woodwork on Apple stories, don't they?

      --
      I watched C-beams glitter in the dark near the Tannhauser gate.
    4. Re:Let's hope Apple gets quicker.... by @madeus · · Score: 3, Informative

      Sadly Apple has had a (local) exploit in the default install of Mac OS X (10.0 through 10.1).

      It was a 'gain root access' via NetInfo hack (details here: http://www.securiteam.com/securitynews/6T00O0K2UW.html).

      Basically all you needed to do to exploit this was:
      a) Run an application (e.g. Terminal)
      b) Run NetInfo Manager (in /Applications/Utilities/) and leave it running as the foreground Application.
      c) Run the 1st application (e.g. Terminal) but this time start it from the "Apple->Recent Items->" menu and it will run as setuid root.

      In the case of the Terminal application, this gave you a root prompt.

      :-(

  8. RTCW by cyphersoft · · Score: 5, Informative

    Whatever rumor you heard was incorrect. OS X 10.1.5 actually fixes several problems related to RTCW. Several serious issues I was having were resolved by updating to 10.1.5 and confirmed by Aspyr tech support. I highly recommend the upgrade. Specifically RTCW under 10.1.4 didn't work with the GeForce4Ti above 640x480 and now it works up to 1024x768. You'll still need to use an old card like the GeForce4MX if you want to go all the way to 1600x1200 with it though.

  9. RtCW failing is related to RtCW upgrade 1.33 by redwoodtree · · Score: 4, Informative

    10.1.5 has nothing to do with RtCW failing. Recently the 1.33 version of Return to Castle Wolfenstein was released for Linux and PC. When this happened many multi-player servers started to require 1.33 (pure servers) in order to play.

    There's some discussion on whether Aspyr will patch this; however, there is a workaround. Download the "lite" version of the 1.33 upgrade for PC, unstuffit and then replace mp_bin.pk3 in your MAIN folder.

    These instructions are highlighted at the bottom of this URL on Aspyr's site

  10. Re:Mac running webservers? by marmoset · · Score: 4, Informative

    You can start it and stop it from System Preferences (analogous to the Control Panels in MacOS 9.x and below.) There's a pane on the sharing button that essentially hooks up to "apachectl" on the backend, which fires off httpd just like every other Unix box in the world.

    Pages under the hierarchy /Library/WebServer/Documents and in the users' home directories (/Users/[username]/Sites) are served; you can tweak everything in Private/etc/httpd, and logs go in /Private/var/log/httpd

  11. What is going on? by jonnythan · · Score: 4, Insightful

    Wow, when Microsoft issues a security update they are lambasted for putting out an insecure operating system.

    Apple releases a massive security update and they are lauded for their focus on protecting their users.

    Red Hat releases security updates and no one mentions them at all.

    1. Re:What is going on? by beagle · · Score: 3, Insightful

      Well, first, the problems fixed here are not the fault of Apple -- they are security holes in popular third-party tools. Contrast that to Microsoft's own security holes in their own code.

      Second, Apple took way too long to release the Apache update. Red Hat had a fix available the next day...Apple's fix is well over a week after the fact.

      See, Red Hat got mentioned! ;)

  12. Update does not address privilege separation issue by Alex+Reynolds · · Score: 4, Informative

    While OpenSSH 3.4p1 fixes the bug that led to offering a priv-sep version in 3.3p1, the July Security Update does not modify the Netinfo tables to add an sshd user and group, along with the other configuration steps listed in README.privsep. It is suggested that Apple engineers may address privilege separation in Jaguar or an update to Jaguar.
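
    A check for the README.privsep prerequisites the comment says the update leaves out, written here as an added example (not code from this thread, from Apple's updater or from the OpenSSH project). It assumes input in passwd/group format; on Mac OS X 10.1 the accounts live in NetInfo, so the real inputs would come from "nidump passwd ." and "nidump group ." rather than /etc/passwd, and the sample files below are constructed.

```shell
#!/bin/sh
# Added example, not code from the Slashdot thread, Apple's updater or OpenSSH.
# Checks the OpenSSH 3.4p1 privilege-separation prerequisites from README.privsep:
# an sshd user, an sshd group, an empty chroot directory (README.privsep uses
# /var/empty) and UsePrivilegeSeparation not turned off in sshd_config.
# Inputs are passwd(5)/group(5) format files; on Mac OS X 10.1 the accounts are
# in NetInfo, so feed it the output of "nidump passwd ." and "nidump group .".

# privsep_check PASSWD GROUP SSHD_CONFIG CHROOT_DIR
# Prints each missing prerequisite; returns the number of problems found (0 = ready).
privsep_check() {
    passwd=$1; group=$2; config=$3; chroot=$4
    problems=0
    if ! grep -q '^sshd:' "$passwd"; then
        echo "missing: sshd user in $passwd"; problems=$((problems + 1))
    fi
    if ! grep -q '^sshd:' "$group"; then
        echo "missing: sshd group in $group"; problems=$((problems + 1))
    fi
    if [ ! -d "$chroot" ]; then
        echo "missing: chroot directory $chroot"; problems=$((problems + 1))
    elif [ -n "$(ls -A "$chroot")" ]; then
        echo "not empty: $chroot (sshd chroots here; it must hold no files)"
        problems=$((problems + 1))
    fi
    # 3.4p1 defaults UsePrivilegeSeparation to yes, so only an explicit "no" disables it.
    if grep -Eiq '^[[:space:]]*UsePrivilegeSeparation[[:space:]]+no' "$config"; then
        echo "disabled: UsePrivilegeSeparation no in $config"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files (not dumped from a real machine): an account list with
# no sshd entry, as the comment describes, and an sshd_config left at its default.
SAMPLE=$(mktemp -d)
printf 'root:*:0:0:System Administrator:/var/root:/bin/tcsh\n' > "$SAMPLE/passwd"
printf 'nobody:*:-2:-2:Unprivileged User:/dev/null:/dev/null\n' >> "$SAMPLE/passwd"
printf 'wheel:*:0:root\nnobody:*:-2:\n' > "$SAMPLE/group"
printf '#UsePrivilegeSeparation yes\nSubsystem sftp /usr/libexec/sftp-server\n' > "$SAMPLE/sshd_config"
mkdir "$SAMPLE/empty"

echo "== before adding the account =="
privsep_check "$SAMPLE/passwd" "$SAMPLE/group" "$SAMPLE/sshd_config" "$SAMPLE/empty" \
    || echo "-> $? prerequisite(s) missing"

# After the README.privsep steps (uid/gid 75 are constructed values); on 10.1 the
# real change is made in NetInfo (niutil), not by editing /etc/passwd.
printf 'sshd:*:75:75:sshd privsep:/var/empty:/usr/bin/false\n' >> "$SAMPLE/passwd"
printf 'sshd:*:75:\n' >> "$SAMPLE/group"
echo "== after adding the account =="
privsep_check "$SAMPLE/passwd" "$SAMPLE/group" "$SAMPLE/sshd_config" "$SAMPLE/empty" \
    && echo "-> ready for privilege separation"
```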

  13. Didn't ruin my installation by patrickoehlinger · · Score: 5, Informative

    Didn't ruin anything in my PHP installation. By the way, there is a great step-by-step PHP installation guide to get the newest version of PHP (this one is even recommended by Apple).

    --
    >> Had I been going to bed earlier every night? Have I been sleeping later? Has Tyler been in charge longer and l
  14. mod_ssl 2.8.9 has a security hole by chrysalis · · Score: 4, Informative

    The version they should upgrade to is 2.8.10, which fixes a buffer overflow that can be triggered through .htaccess files.

  15. Just in time by paco+verde · · Score: 4, Informative

    Traffic on bugtraq the last few hours indicates there is now a worm in the wild exploiting the Apache chunked-encoding vulnerability. http://online.securityfocus.com/archive/1/279529/2002-06-25/2002-07-01/0

  16. Re:Good to see... by Aqua+OS+X · · Score: 4, Insightful

    Ehh, even if OS X is a *nix OS, most malicious little trolls are still quite unfamiliar with MacOS, and that means that Apple doesn't have to rush these minor updates out the door as soon as they are developed.

    It makes more sense for Apple to simply release packages consisting of multiple minor security updates every three to six months. Most mac users would rather not have Software Update launch and pester them every week.

    --
    "Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
  17. Re:Update does not address privilege separation is by Graff · · Score: 3, Informative

    Scott Anguish has an article on stepwise.com that shows you how to build OpenSSH yourself. He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.

    I don't know if Apple configures their update similarly, but I'll bet they do.

  18. Re:Do Apple's make good webservers? by GutBomb · · Score: 5, Insightful

    typically the reason apache is enabled on many macos machines is for web development. up until now, it was a bit difficult to get ssi and php and other server side stuff working while developing on a mac. now that apache and osx can work together, the combination is used much more often.

  19. Re:Good to see... by tdelaney · · Score: 4, Insightful

    1. The patch needed to become available.

    2. Apple needed to test the patch.

    3. Apple needed to build the updater.

    Those who were willing have been able to apply the patches to their machines for a week. How many machines running OpenSSH and Apache have been patched (no, not just OS X - all machines that run those)?

    Apple has made its update available and easily installable. Within 1-2 weeks, over 80% of MacOS X systems are likely to be patched. Somehow I doubt that any other OS will be able to claim those numbers within a month of the bugs being found.

    Of course, the majority of those systems aren't *running* Apache and OpenSSH, but other people have pointed that out.

  20. Re:metrics contradict slashdot truisms by Frater+219 · · Score: 3, Informative

    How can this be?

    Well, simple really:

    1. You're not telling the truth. The link and count you gave were for all patches against Red Hat 7.2 since its release, not "alone in 2002" -- and include enhancements as well as security patches. Microsoft doesn't hand out enhancements to its software as patches -- it charges for them as new releases.
    2. Red Hat has more software. The amount of functionality Red Hat ships dwarfs that available in Windows. The diversity of software shipped on two or three CDs of Red Hat dwarfs that in a comparable amount of OS and application distribution from Microsoft. Microsoft has a few large "integrated" applications, whereas Red Hat has many smaller, intercompatible ones.
    3. Red Hat doesn't delay and hide. Microsoft has a practice of delaying patches and releasing several in one bundled "service pack" -- whereas Red Hat releases one patch per problem, promptly. That inflates the counts on Red Hat's side, but improves the actual security -- and actions count more than words, or numbers.
    4. Red Hat actually releases fixes! Microsoft's software has at least 18 publicly known, exploitable, unpatched vulnerabilities -- and that's just in one product, Internet Explorer. Show me a comparable list for any current version of any open-source product or distribution.

    Sorry, Bill -- you lose this round. Red Hat is far from the best of Linux distributors or open-source operating systems in its security record, but it's far and away above your little offering. Maybe you should spend less time plotting ways to subvert democracy, destroy the public domain, and harm your customers -- and more time checking your code?
  21. Minor New Features by sakusha · · Score: 3, Interesting

    While looking at the Apache setup in MacOS X, I decided to set up log analysis, and discovered that this security update implements Apache's rotatelogs. A minor upgrade, but a nice improvement that shows Apple is serious about their server platform. The (fairly) speedy response to the OpenSSH and Apache security holes also shows Apple is taking pains to do it right.

  22. Re:Do Apple's make good webservers? by 90XDoubleSide · · Score: 3, Informative

    To have an OS X machine turn back on after a power failure, go to System Preferences, go to the Energy Saver tab, go to the options tab, and check, "Restart automatically after a power failure." All G4 machines (and most G3s) have this feature.

    I don't know how to do this in pure Darwin, but I assume you can since all power management is handled by Darwin.

    --
    "Reality is just a convenient measure of complexity" -Alvy Ray Smith
  23. Re:Bye Apple by TWR · · Score: 3, Interesting

    No flame, but you should realize that the 500MHz iBook is slow with OS X because it has a tiny L2 cache (256K) and a 66MHz bus to main memory. The 100MHz memory bus on later models (and the 512K of L2 cache) really help performance.

    Apple has been shipping ATI hardware acceleration in OS X since 10.0. 10.1.5 added support for some of the ancient ATI cards. 10.2 adds hardware accelerated scrolling support for ATI and NVidia cards, in addition to Quartz Extreme for Radeon/GeForce cards (it's not a VRAM issue as much as it is support for textures that aren't a power of two in a dimension).

    -jon

    --
    Remember Amalek.

  24. Re:Do Apple's make good webservers? by bsartist · · Score: 4, Insightful

    Then the 10.1.4 update broke PHP...

    ...because you chose to install your custom Apache in the same location as the stock version that Apple maintains. Apple didn't force you to install it there - you made that choice. The update may have broken your PHP install, but that's only because you put a big sign on it that said "break me."

    If you walk out into traffic, you'll get run over. If you hit yourself on the head with a hammer, you'll get a concussion. If you install Apache over top of the copy that Apple provides, then when (not if) they update their install, yours will be overwritten. In each case, the answer is simple: don't fscking do that!

    Good lord people, think! This isn't rocket science. It's simple. If you ask for problems, you'll get them.

    --
    Lost: Sig, white with black letters. No collar. Reward if found!