Slashdot Mirror


Apple Posts Security Update for OpenSSL Vulnerability

mattvd writes "Apple has posted Security Update 2002-08-02. According to the release notes it 'includes the following updated components which provide increased security to prevent unauthorized access to applications, servers, and the operating system: Apache v1.3.26, OpenSSH v3.4p1, OpenSSL v0.9.6e, SunRPC, mod_ssl v2.8.10.' As usual, Apple has mirrored the MD5 checksum for the update at a secure server."

3 of 47 comments

  1. Details by mattvd · Score: 4, Informative


    From: Product Security
    Date: Fri Aug 02, 2002 05:45:34 PM US/Central
    To: security-announce@lists.apple.com
    Subject: Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl

    -----BEGIN PGP SIGNED MESSAGE-----

    Security Update 2002-08-02 is now available. It contains fixes for recent
    vulnerabilities in:

    OpenSSL: Fixes security vulnerabilities CAN-2002-0656, CAN-2002-0657,
    CAN-2002-0655, and CAN-2002-0659. Details are available via:
    http://www.cert.org/advisories/CA-2002-23.html

    mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the
    mod_ssl Apache module. Details are available via:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0653

    Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR decoder.
    Details are available via:
    http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823

    Affected systems: Mac OS X client and Mac OS X Server

    Note: Mac OS X client is configured by default to have these services turned
    off, and is only vulnerable if the user has enabled network services which rely
    on the affected components. It is still recommended for Mac OS X client users
    to apply this security update to their system.

    System requirements: Mac OS X 10.1.5

    Security Update 2002-08-02 may be obtained from:

    * Software Update pane in System Preferences

    * Apple's Software Downloads web site:
    http://docs.info.apple.com/article.html?artnum=120139

    SSL server:
    https://depot.info.apple.com/security/129403bc5e184e3b7367.html

    To help verify the integrity of Security Update 2002-08-02 from the
    Software Downloads web site:

    The download file is titled: SecurityUpd2002-08-02.dmg
    Its SHA-1 digest is: 54f6eebe0398181db8f1129403bc5e184e3b7367

    Information will also be posted to the Apple Product Security web site:
    http://www.apple.com/support/security/security_updates.html

    This message is signed with Apple's Product Security PGP key, and
    details are available at:
    http://www.apple.com/support/security/security_pgp.html

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.3

    -----END PGP SIGNATURE-----
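
The integrity check the advisory above describes, as an added example that is not part of the original post or Apple's own tooling: it hashes the downloaded disk image and compares it with the published SHA-1 digest. The function names are hypothetical, and the normalisation step assumes the digest may have been copied from a page that inserted spaces into long strings.

```python
import hashlib
import hmac
import re
import sys

# Digest published in the advisory above for SecurityUpd2002-08-02.dmg.
PUBLISHED_SHA1 = "54f6eebe0398181db8f1129403bc5e184e3b7367"


def normalize_digest(text):
    """Strip whitespace/colons a web page or mail client may have inserted,
    then require exactly 40 hex characters (the length of a SHA-1 digest)."""
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError("not a SHA-1 digest: %r" % text)
    return cleaned


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large disk image is never held in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published):
    """Return True only if the file's SHA-1 equals the published digest."""
    expected = normalize_digest(published)
    return hmac.compare_digest(sha1_of_file(path), expected)


if __name__ == "__main__":
    # File name taken from the advisory; pass another path as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "SecurityUpd2002-08-02.dmg"
    try:
        ok = verify_download(path, PUBLISHED_SHA1)
    except OSError as exc:
        print("cannot read %s: %s" % (path, exc))
        sys.exit(2)
    print("OK" if ok else "MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

The digest is only as trustworthy as the channel it arrived over, which is why the advisory carries it inside a PGP-signed message and repeats it on the SSL server.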

  2. Re:My only question. by dunderwo · Score: 5, Informative

    Uhh...that doesn't stop the installer from running apachectl graceful, or what have you. Besides, restarting Apache means opening Sharing preferences, clicking "Stop" and then clicking "Start" under Web Sharing...not especially obscure.

    Well, regardless, the reboot is probably just a paranoid gesture...since there's no way of knowing for sure what other running daemons rely on the updated binaries. A reboot removes doubt, and apparently they don't like doubt. At least it doesn't quit all of your apps during the install....

  3. Re:My only question. by mkoz · Score: 2, Informative

    It makes changes to "System Libraries".