Slashdot Mirror


Apple Posts Security Update for OpenSSL Vulnerability

mattvd writes "Apple has posted Security Update 2002-08-02. According to the release notes it 'includes the following updated components which provide increased security to prevent unauthorized access to applications, servers, and the operating system: Apache v1.3.26, OpenSSH v3.4p1, OpenSSL v0.9.6e, SunRPC, mod_ssl v2.8.10.' As usual, Apple has mirrored the MD5 checksum for the update at a secure server."

47 comments

  1. god bless by kootch · · Score: 0, Flamebait

    God bless 'em and their new security conscious souls.

    This must be a new thing for Apple... releasing security updates wasn't really something they ever had to do much of in the past.

    1. Re:god bless by gerardrj · · Score: 0, Offtopic

      Apple's never had to rely on third party software as part of the operating system core functions before. They'd always been able to test in-house.
      BTW: there is no god. Commanding your god to bless something seems to mean that you think you know better than it, and means then that you don't actually believe in it anyway.
      Hypocrite religious morons.
      Keep your beliefs in your pocket, not in the public posting areas.

      --
      Article X: The powers not delegated... by the Constitution...are reserved...to the people
    2. Re:god bless by Anonymous Coward · · Score: 0

      how is the top post of this thread a flame yet the response is not?

      furthermore, "god bless" is short for "may god bless them", which is not commanding god to bless them, but a request that god, in infinite wisdom, will command his blessing upon them.

      and for the record, stop being an asshole in a public posting area.

    3. Re:god bless by marklark · · Score: 1
      Ah, I see that you were very careful to not share your beliefs...

      Pot - Kettle - "Black."

      God may bless you: The rain falls on the just and unjust, alike.

      Have a nice day. :^)

    4. Re:god bless by Anonymous Coward · · Score: 0

      Screw you hippy! Pico rocks your world.

    5. Re:god bless by poiuyt23 · · Score: 1

      I would think that the BSD core of Darwin makes Apple's OS part of a larger framework of attackable computers and therefore makes Apple more inclined to worry about security than before.
      BTW: There is no good. Comparing good and evil is just you forcing your view of the universe on it which seems to mean that you know how it should work better than it does and that seems to mean that you can't appreciate it anyway.
      Hypocrite scientific moron.
      Keep your dogma in your pocket, only take it out in private to play with it.

  2. Already! by raxhonp · · Score: 0, Troll

    Really!

  3. Details by mattvd · · Score: 4, Informative


    From: Product Security
    Date: Fri Aug 02, 2002 05:45:34 PM US/Central
    To: security-announce@lists.apple.com
    Subject: Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl

    -----BEGIN PGP SIGNED MESSAGE-----

    Security Update 2002-08-02 is now available. It contains fixes for recent
    vulnerabilities in:

    OpenSSL: Fixes security vulnerabilities CAN-2002-0656, CAN-2002-0657,
    CAN-2002-0655, and CAN-2002-0659. Details are available via:
    http://www.cert.org/advisories/CA-2002-23.html

    mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the
    mod_ssl Apache module. Details are available via:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653

    Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR decoder.
    Details are available via:
    http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823

    Affected systems: Mac OS X client and Mac OS X Server

    Note: Mac OS X client is configured by default to have these services turned
    off, and is only vulnerable if the user has enabled network services which rely
    on the affected components. It is still recommended for Mac OS X client users
    to apply this security update to their system.

    System requirements: Mac OS X 10.1.5

    Security Update 2002-08-02 may be obtained from:

    * Software Update pane in System Preferences

    * Apple's Software Downloads web site:
    http://docs.info.apple.com/article.html?artnum=120139

    SSL server:
    https://depot.info.apple.com/security/129403bc5e184e3b7367.html

    To help verify the integrity of Security Update 2002-08-02 from the
    Software Downloads web site:

    The download file is titled: SecurityUpd2002-08-02.dmg
    Its SHA-1 digest is: 54f6eebe0398181db8f1129403bc5e184e3b7367

    Information will also be posted to the Apple Product Security web site:
    http://www.apple.com/support/security/security_updates.html

    This message is signed with Apple's Product Security PGP key, and
    details are available at:
    http://www.apple.com/support/security/security_pgp.html


  4. Re:Why don't you just use a REAL operating system. by bigdog79 · · Score: 1

    yeah, because windows has never released any security updates and bug fixes because it's such a stable and user-friendly OS. for the record, i hope people have their sarcasm meters turned on, and i really hope that anonymous coward was joking.

  5. My only question. by iomud · · Score: 3

    Why does this update require a reboot?

    1. Re:My only question. by selderrr · · Score: 2

      my only guess : paranoia. The weird idea that rebooting flushes out the bad bits left of an eventual breakin...

    2. Re:My only question. by foonie · · Score: 2, Interesting

      Just a guess... maybe the average user doesn't know how to restart their Apache web server?

    3. Re:My only question. by dunderwo · · Score: 5, Informative

      Uhh...that doesn't stop the installer from running apachectl graceful, or what have you. Besides, restarting Apache means opening Sharing preferences, clicking "Stop" and then clicking "Start" under Web Sharing...not especially obscure.

      Well, regardless, the reboot is probably just a paranoid gesture...since there's no way of knowing for sure what other running daemons rely on the updated binaries. A reboot removes doubt, and apparently they don't like doubt. At least it doesn't quit all of your apps during the install....

    4. Re:My only question. by Anonymous Coward · · Score: 0

      Because they still aren't used to the idea that this is unixy based.

      Damn when I get users using Mac OS X rather than classic I can't start my helpdesk replies with "So have you restarted your mac..." ;)

    5. Re:My only question. by mkoz · · Score: 2, Informative

      It makes changes to "System Libraries".

    6. Re:My only question. by Anonymous Coward · · Score: 0

      rebooting is the only way to ensure anything running against those linked libraries loads the new stuff. Otherwise you may have bits floating in memory.

  6. Mac Expert Suggests: by Slur · · Score: 2

    If you don't think it requires a reboot just force-quit the installer when it's finished.

    --
    -- thinkyhead software and media
  7. Slashdot Material? by DingoFox · · Score: 1, Interesting

    Are tiny Apple security updates really Slashdot material?

    *clicks ignore next to pudge*

    1. Re:Slashdot Material? by marklark · · Score: 2, Insightful

      I think they make good APPLE.slashdot.org material. If it's really hot, then it gets moved over to the main page. Not a problem.

    2. Re:Slashdot Material? by stux · · Score: 2

      Are tiny Apple security updates really Slashdot material?


      YES! :)

      Well, apple.slashdot material.

      I mean, first thing I did after reading the ... story, was checked my software update.

      --

      ---
      Live Long & Prosper \\//_
      CYA STUX =`B^) 'da Captain,
      Jedi & Last *-fytr
    3. Re:Slashdot Material? by kwerle · · Score: 2

      Are tiny Apple security updates really Slashdot material?

      The Apple update is not the most interesting part of this article. The most interesting part is what they DO NOT make you do. I'm beginning to really doubt my OS choice for a server. From the FreeBSD update on the same issues:
      ###
      Subject: FreeBSD Security Advisory FreeBSD-SA-02:33.openssl [REVISED] ...
      ===
      FreeBSD-SA-02:33.openssl Security Advisory The FreeBSD Project

      Topic: openssl contains multiple vulnerabilities
      ...

      2) To patch your present system:
      The following patch has been verified to apply to FreeBSD 4.4, 4.5, and 4.6 systems.
      ...
      c) Recompile the operating system as described in
      http://www.freebsd.org/doc/handbook/makeworld.html .
      ###

      Recompile THE WHOLE DAMN OS.

      To fix your OSX Server... Grab the update from apple and reboot.

      I've switched for my desktop - time to think about the server, too.

  8. This is pretty frequent... by BitGeek · · Score: 3, Interesting



    Seems apple is doing a patch for security once a month.

    It's really nice that they are automatically detected, and you are asked if you want to apply them.

    But is once a month too frequently? Many have their update set to check every day, so the day they release the patch, hundreds of thousands will download it all at once.

    On the downside a vulnerability could be known about for up to a month before the patch is released...

    But on the upside, these regular updates, and how they are automatically distributed, seems far better than other systems I've used.

    --
    Yeah, and you guys panned the ipod too: http://apple.slashdot.org/article.pl?sid=01/10/23/1816257
    1. Re:This is pretty frequent... by Anonymous Coward · · Score: 0

      what planet are u on? apple has done about 3 security patches in last 4 weeks. and they have been released FAST within days of holes being discovered.

    2. Re:This is pretty frequent... by Anonymous Coward · · Score: 0

      They aren't fast enough in my opinion. They lag some days after a Debian Security alert.

    3. Re:This is pretty frequent... by mkoz · · Score: 1

      Security updates can never be too frequent. I for one am very impressed that apple is on the ball. As far as bandwidth goes it cannot be worse than all the quicktime movie trailers that get streamed from apple.

    4. Re:This is pretty frequent... by Anonymous Coward · · Score: 0

      But does Debian have the same QA that apple does? I think not.

  9. Re:Why don't you just use a REAL operating system. by Anonymous Coward · · Score: 0

    this fucker has been flame baiting every apple story this week talking about how we should all get a REAL OS-Windows. is he serious or just a troll? does it matter? he is full of shit any way you slice it.

  10. Yea.. emacs RULE by Anonymous Coward · · Score: 0

    they do, like all of Apples products :D

  11. Ummm 10.2 couple weeks kill all this by Anonymous Coward · · Score: 0

    I think?.?>?

  12. Why don't you just realize... by Anonymous Coward · · Score: 0

    ...that you're my second fan?

    I'd like to shout out to my homies at Microsoft and the Windows team, yo, yo, yo. Thanks for making such great products!

  13. As a new apple user, wasnt this last month? by Anonymous Coward · · Score: 0

    At least the exploit was last month for OpenSSH. I had to patch my Linux servers and have noticed some hacking attempts at my sshd in the log files. So if this is the same bug wtf took so long? Or is this different. I'd be interested to know.

    BTW, i freaking love my G4 Tower. If you don't know why apple people are zealots, just buy one and you'll figure it out quickly. Best O/S ever (OS X), Unix with a decent freaking GUI. Now if they could only get a damn 3 button mouse w/scroll. That's my only gripe, Unix w/ 1 button. AHHHHHH!!!!!

    1. Re:As a new apple user, wasnt this last month? by Anonymous Coward · · Score: 0

      Lots of people buy those Microsoft Optical Mice and plug them in. Everything works.

      The irony in buying something from M$.

    2. Re:As a new apple user, wasnt this last month? by Anonymous Coward · · Score: 0
      At least the exploit was last month for OpenSSH. I had to patch my Linux servers and have noticed some hacking attempts at my sshd in the log files. So if this is the same bug wtf took so long? Or is this different. I'd be interested to know.
      You're thinking of the late June vulnerability that was patched. This is yet another exploit.
    3. Re:As a new apple user, wasnt this last month? by Anonymous Coward · · Score: 0

      Logitech optical mouse - 2buttons+scroll wheel (basically a 3 button mouse) = $18.88 at Wal-Mart and it works out of the box - no drivers required.

  14. 3+n button mice by mbaudis · · Score: 1

    just reactivated an old 4+wheel usb logitech mouse. although i was happy before with the original apple optical + control on my titanium with add. 18" tft, i now feel like working faster... but still, i don't understand the frequent flaming for apple's stubborn sticking with their mice; they are neat, and much better than a 10 button (or so) kensington with terrible ergonomics.

    1. Re:3+n button mice by Anonymous Coward · · Score: 0

      If you haven't noticed, you can download logitech mouse tools for OS X now. :)

      Just found it myself

  15. Petition to remove this Slashdot section by Anonymous Coward · · Score: 0

    It is obviously just for trolling purposes.

    To vote YES reply with the subject I AGREE

    To vote NO reply with LEAVE IT BE

    I trust that the editors of Slashdot will respect democracy in action.

  16. I AGREE by Anonymous Coward · · Score: 0

    only trolls here dude.

  17. I AGREE by Anonymous Coward · · Score: 0

    I've been reading this section for a while and it has really gone to the dogs.

  18. Answer: Demons... Re:My only question. by kwerle · · Score: 2

    Because you could be running any number of demons that were linked to these libraries.
    apache
    sshd
    stunnel

    To name 3 that I'm running. Note that Apple only knows about 2 of these. Rebooting is the right thing to do in this case.

  19. Re:Answer: Demons... Re:My only question. by iomud · · Score: 2

    Why not just restart them? I just think if apple is to be serious about unix they should also be serious about some of the more compelling factors of its use ie stability, reliability. I do understand though that for the average user it's probably the easier route to take.

  20. Re:Answer: Demons... Re:My only question. by kwerle · · Score: 2

    How are they supposed to know which ones to restart?

    Or you're suggesting that I simply restart the ones I need to - how do I know the ones to restart?

    You'll note another post I made, FreeBSD suggests you recompile the whole system (before rebooting). I don't know where SUN's update page is for this one, but I bet they recommend a restart, too.

    The bottom line is: if you feel confident restarting some demons and leaving the rest, Apple isn't stopping you. The truth is, this was a VERY BIG fix to some of the core OS functionality - authentication, after all!

    Bottom line: if YOU are serious about stability and reliability, you have a set of failover servers, anyway. Reboot them sequentially. Heck, you probably do that already, don't you?