Apple Posts Security Update for OpenSSL Vulnerability
mattvd writes "Apple has posted Security Update 2002-08-02. According to the release notes it 'includes the following updated components which provide increased security to prevent unauthorized access to applications, servers, and the operating system: Apache v1.3.26, OpenSSH v3.4p1, OpenSSL v0.9.6e, SunRPC, mod_ssl v2.8.10.' As usual, Apple has mirrored the MD5 checksum for the update at a secure server."
From: Product Security
Date: Fri Aug 02, 2002 05:45:34 PM US/Central
To: security-announce@lists.apple.com
Subject: Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl
-----BEGIN PGP SIGNED MESSAGE-----
Security Update 2002-08-02 is now available. It contains fixes for recent
vulnerabilities in:
OpenSSL: Fixes security vulnerabilities CAN-2002-0656, CAN-2002-0657,
CAN-2002-0655, and CAN-2002-0659. Details are available via:
http://www.cert.org/advisories/CA-2002-23.html
mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the
mod_ssl Apache module. Details are available via:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN
Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR decoder.
Details are available via:
http://bvlive01.iss.net/issEn/delivery/xforce/ale
Affected systems: Mac OS X client and Mac OS X Server
Note: Mac OS X client is configured by default to have these services turned
off, and is only vulnerable if the user has enabled network services which rely
on the affected components. It is still recommended for Mac OS X client users
to apply this security update to their system.
System requirements: Mac OS X 10.1.5
Security Update 2002-08-02 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
http://docs.info.apple.com/article.html?artnum=12
SSL server:
https://depot.info.apple.com/security/129403bc5e1
To help verify the integrity of Security Update 2002-08-02 from the
Software Downloads web site:
The download file is titled: SecurityUpd2002-08-02.dmg
Its SHA-1 digest is: 54f6eebe0398181db8f1129403bc5e184e3b7367
Information will also be posted to the Apple Product Security web site:
http://www.apple.com/support/security/secu
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/securi
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
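A portable check for the digest step in the advisory above, added here as an example rather than taken from Apple's message: it computes the SHA-1 of the downloaded image with whatever tool the host has and compares it with the digest published over the separate SSL channel, rejecting malformed input and failing closed. It assumes a POSIX sh with sha1sum, shasum or openssl on the path; the file name and digest in the comment are the ones the advisory lists.

```shell
#!/bin/sh
# Added example: verify a downloaded update against a digest published elsewhere.

# sha1_of FILE: print the hex SHA-1 using whichever tool the host provides.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then shasum -a 1 "$1" | awk '{ print $1 }'
    elif command -v openssl >/dev/null 2>&1; then openssl dgst -sha1 "$1" | awk '{ print $NF }'
    else echo "no SHA-1 tool found" >&2; return 2
    fi
}

# verify_sha1 FILE EXPECTED: exit 0 on match, 1 on mismatch or bad input,
# 2 when no hashing tool is available. Case of the published digest is ignored.
verify_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 40 ] || { echo "expected digest is not 40 hex chars" >&2; return 1; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(sha1_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-1"
        return 0
    fi
    echo "MISMATCH: $file"
    echo "  expected $expected"
    echo "  actual   $actual"
    return 1
}

# Usage with the values from the advisory (run as: sh verify.sh FILE DIGEST):
#   verify_sha1 SecurityUpd2002-08-02.dmg 54f6eebe0398181db8f1129403bc5e184e3b7367
if [ $# -eq 2 ]; then verify_sha1 "$1" "$2"; fi
```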
Why does this update require a reboot?
If you don't think it requires a reboot, just force-quit the installer when it's finished.
-- thinkyhead software and media
I think they make good APPLE.slashdot.org material. If it's really hot, then it gets moved over to the main page. Not a problem.
Seems apple is doing a patch for security once a month.
It's really nice that they are automatically detected, and you are asked if you want to apply them.
But is once a month too frequently? Many have their update set to check every day, so the day they release the patch, hundreds of thousands will download it all at once.
On the downside a vulnerability could be known about for up to a month before the patch is released...
But on the upside, these regular updates, and how they are automatically distributed, seems far better than other systems I've used.
Yeah, and you guys panned the ipod too: http://apple.slashdot.org/article.pl?sid=01/10/23
Are tiny Apple security updates really Slashdot material?
:)
YES!
Well, apple.slashdot material.
I mean, the first thing I did after reading the story was check my software update.
---
Live Long & Prosper \\//_
CYA STUX =`B^) 'da Captain,
Jedi & Last *-fytr
Because you could be running any number of daemons that were linked to these libraries.
apache
sshd
stunnel
To name 3 that I'm running. Note that Apple only knows about 2 of these. Rebooting is the right thing to do in this case.
Are tiny Apple security updates really Slashdot material?
The Apple update is not the most interesting part of this article. The most interesting part is what they DO NOT make you do. I'm beginning to really doubt my OS choice for a server. From the FreeBSD update on the same issues:
###
Subject: FreeBSD Security Advisory FreeBSD-SA-02:33.openssl [REVISED]
===
FreeBSD-SA-02:33.openssl Security Advisory The FreeBSD Project
Topic: openssl contains multiple vulnerabilities
2) To patch your present system:
The following patch has been verified to apply to FreeBSD 4.4, 4.5, and 4.6 systems.
c) Recompile the operating system as described in
http://www.freebsd.org/doc/handbook/makeworld.htm
###
Recompile THE WHOLE DAMN OS.
To fix your OSX Server... Grab the update from apple and reboot.
I've switched for my desktop - time to think about the server, too.
Why not just restart them? I just think if Apple is to be serious about Unix they should also be serious about some of the more compelling factors of its use, i.e. stability and reliability. I do understand, though, that for the average user it's probably the easier route to take.
How are they supposed to know which ones to restart?
Or you're suggesting that I simply restart the ones I need to - how do I know the ones to restart?
You'll note another post I made, FreeBSD suggests you recompile the whole system (before rebooting). I don't know where SUN's update page is for this one, but I bet they recommend a restart, too.
The bottom line is: if you feel confident restarting some daemons and leaving the rest, Apple isn't stopping you. The truth is, this was a VERY BIG fix to some of the core OS functionality - authentication, after all!
Bottom line: if YOU are serious about stability and reliability, you have a set of failover servers, anyway. Reboot them sequentially. Heck, you probably do that already, don't you?
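An added example (not from the thread) for the question raised twice above, which daemons need restarting after a library update: on Linux it walks /proc/<pid>/maps and lists processes whose mapped copy of the patched library was replaced on disk, which is exactly the set still executing the old code until restarted; anything that maps the library through a core system component that cannot be restarted is the case for a reboot. It assumes Linux /proc semantics and awk; the lsof alternative in the comment for /proc-less systems such as Mac OS X is an assumption about lsof's column layout.

```shell
#!/bin/sh
# Added example: which running processes still execute a replaced shared library?
# The Linux kernel appends "(deleted)" to a /proc/<pid>/maps entry whose backing
# file was unlinked or replaced, so after a libssl/libcrypto update those entries
# identify the daemons that keep running the old code until restarted.

# collect_maps: emit one "PID PATH [(deleted)]" line per file-backed mapping of
# every readable process; maps of other users' processes are silently skipped.
collect_maps() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        awk -v p="$pid" 'NF >= 6 { path = $6; for (i = 7; i <= NF; i++) path = path " " $i; print p, path }' "$m" 2>/dev/null || :
    done
}

# lib_users LIB: read "PID PATH" lines on stdin and print every PID that maps a
# file whose path contains LIB (e.g. libssl), each PID once, numerically sorted.
lib_users() {
    awk -v lib="$1" 'index($2, lib) > 0 { print $1 }' | sort -un
}

# stale_lib_pids LIB: like lib_users, but only mappings the kernel has marked
# "(deleted)", i.e. processes still running the pre-update copy of LIB.
stale_lib_pids() {
    awk -v lib="$1" 'index($2, lib) > 0 && / \(deleted\)$/ { print $1 }' | sort -un
}

# Usage on a live Linux host. Assumption for Mac OS X, which has no /proc: a
# comparable stream can be built with  lsof -n | awk 'NR > 1 { print $2, $NF }'
# but lsof does not flag replaced files, so only lib_users applies there.
if [ -r /proc/self/maps ]; then
    echo "PIDs still mapping a replaced libssl:"
    collect_maps | stale_lib_pids libssl
    echo "PIDs mapping libcrypto at all:"
    collect_maps | lib_users libcrypto
fi
```

Restart what stale_lib_pids reports, then rerun it; if it still lists processes you cannot restart (init, login, the window server), schedule the reboot.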