Slashdot Mirror


OS X Security Update: Apache, SSL and SSH

payote writes "Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system." It's not in my Software Update window, because I'm still on 10.1.4 (having heard rumors that RtCW doesn't work on 10.1.5). But it is indeed out, and any Mac OS X machine whose webserver or ssh server is open to an untrusted network needs to upgrade.

13 of 216 comments

  1. Ruins custom PHP installs by arson1 · · Score: 5, Informative

    Be prepared to reinstall PHP if you had a customized version. This update writes over it.

    --
    Don't sweat the petty things, and don't pet the sweaty things.
  2. Whew by sheepab · · Score: 5, Funny

    RedHat just came out with their updated RPMS also. Last time that SSH came out with a security vulnerability (the same time the zlib one hit) I WAS HACKED! Do you know how bad you feel after you've been hacked? It's like being neutered.

    1. Re:Whew by MisterBlister · · Score: 5, Funny
      Do you know how bad you feel after you've been hacked? It's like being neutered.

      You must have been neutered, right? To make that comparison?

      Wow man, you must have big balls to admit in a public forum that you've been neutered. Wait, strike that...

  3. RTCW by cyphersoft · · Score: 5, Informative

    Whatever rumor you heard was incorrect. OS X 10.1.5 actually fixes several problems related to RTCW. Several serious issues I was having were resolved by updating to 10.1.5 and confirmed by Aspyr tech support. I highly recommend the upgrade. Specifically RTCW under 10.1.4 didn't work with the GeForce4Ti above 640x480 and now it works up to 1024x768. You'll still need to use an old card like the GeForce4MX if you want to go all the way to 1600x1200 with it though.

  4. Re:FYI, no reboot needed by uncleFester · · Score: 5, Insightful

    Upgrading Apache and OpenSSH (and most other apps, even daemons/services) doesn't even require a reboot on Win2000/XP. Welcome to the future!

    No, welcome to the past. Updating ANY daemon, service or software not directly related to the kernel or core libraries does not require reboot. Where the hell have you been?

    It's quite sad when the words 'update' or 'patch' are considered synonymous with 'reboot.'

    --
    -'fester
  5. Re:Let's hope Apple gets quicker.... by TheAJofOZ · · Score: 5, Interesting

    Ironically though, since SSH and Apache are both off in the default install, does that mean that OS X takes over the title of "Never had an exploit in the default install"? It's been out a year now so that's actually a reasonably impressive claim.

    Have I missed a bug along the way somewhere? I do remember doing a manual apache upgrade at one point but don't recall that being a remote root bug.

  6. Re:Problem seen - addressed by nbvb · · Score: 5, Informative

    NOT TRUE.

    Apple still *does* ship the compilers. On the newer machines go to /Applications/Utilities/Installers and install the "Developer Tools.pkg" file. That will do it :-)

    I don't know why they don't install it with the base OS, but at least they put the installer on the disk for you!

    --NBVB

  7. Re:FYI, no reboot needed by scorpioX · · Score: 5, Informative

    Just like updating iTunes (an MP3 player) shouldn't need a reboot...except iTunes did require the reboot, and ssh didn't.

    iTunes updates usually also update the core CD/DVD burning libraries as well as the kernel extensions that support the drives. This is why iTunes requires a reboot. The original poster did say '...as long as the kernel or core libraries aren't updated'.

  8. Didn't ruin my installation by patrickoehlinger · · Score: 5, Informative

    Didn't ruin anything in my PHP installation. By the way, there is a great step-by-step PHP installation guide to get the newest version of PHP (this one is even recommended by Apple).

    --
    >> Had I been going to bed earlier every night? Have I been sleeping later? Has Tyler been in charge longer and l
  9. Re:Let's hope Apple gets quicker.... by BWJones · · Score: 5, Insightful

    I am happy to see that Apple is doing the right thing. I just hope their next update comes a little bit quicker after a vulnerability is announced.

    Jeez, cut them a break man. I just heard of this vulnerability a couple of days ago myself, and was surprised to see an update to remedy this issue so quickly. Because of their commitment to quality in their products, I am sure Apple wanted to QA this thing first before releasing something buggy on their customers.

    You have to admit that Apple has been FAR more responsive to their customers with a variety of issues than has M$ and even a bunch of Linux distros.

    --
    Visit Jonesblog and say hello.
  10. Re:Problem seen - addressed by Anonymous Coward · · Score: 5, Insightful
    I totally agree. They took their sweet time with this one.


    YEAH! Those boneheads prolly wasted time testing and crap like that.

  11. Re:Do Apple's make good webservers? by GutBomb · · Score: 5, Insightful

    typically the reason apache is enabled on many macos machines is for web development. up until now, it was a bit difficult to get ssi and php and other server side stuff working while developing on a mac. now that apache and osx can work together, the combination is used much more often.

  12. Re:Problem seen - addressed by Frater 219 · · Score: 5, Informative
    Yes, they produced an update. No, it wasn't fast enough.

    For what it's worth, Apple has responded more promptly to the Apache vulnerability than have other commercial Unix vendors. I do security work for my employer (a research institution with dozens of independent Web servers). We have all manner of systems running Apache -- but mostly Red Hat, Sun, and SGI. Guess which one of those three is the only one to have an officially supported patch out -- and which two I'm telling people they need to compile the new version from source?

    No, Apple didn't have the patch out as quickly as Red Hat or Debian. Nevertheless, it is interesting to note that the open-source distributors patched quickest, the closed-source vendors (Sun and SGI) haven't patched yet -- and halfway-open Apple is right in the middle. For a company with precious little experience on the server side of things, Apple has done quite nicely.