Apple Posts Security Update for OpenSSL Vulnerability
mattvd writes "Apple has posted Security Update 2002-08-02. According to the release notes it 'includes the following updated components which provide increased security to prevent unauthorized access to applications, servers, and the operating system: Apache v1.3.26, OpenSSH v3.4p1, OpenSSL v0.9.6e, SunRPC, mod_ssl v2.8.10.' As usual, Apple has mirrored the MD5 checksum for the update at a secure server."
From: Product Security
Date: Fri Aug 02, 2002 05:45:34 PM US/Central
To: security-announce@lists.apple.com
Subject: Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl
-----BEGIN PGP SIGNED MESSAGE-----
Security Update 2002-08-02 is now available. It contains fixes for recent
vulnerabilities in:
OpenSSL: Fixes security vulnerabilities CAN-2002-0656, CAN-2002-0657,
CAN-2002-0655, and CAN-2002-0659. Details are available via:
http://www.cert.org/advisories/CA-2002-23.html
mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the
mod_ssl Apache module. Details are available via:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN
Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR decoder.
Details are available via:
http://bvlive01.iss.net/issEn/delivery/xforce/ale
Affected systems: Mac OS X client and Mac OS X Server
Note: Mac OS X client is configured by default to have these services turned
off, and is only vulnerable if the user has enabled network services which rely
on the affected components. It is still recommended for Mac OS X client users
to apply this security update to their system.
System requirements: Mac OS X 10.1.5
Security Update 2002-08-02 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
http://docs.info.apple.com/article.html?artnum=12
SSL server:
https://depot.info.apple.com/security/129403bc5e1
To help verify the integrity of Security Update 2002-08-02 from the
Software Downloads web site:
The download file is titled: SecurityUpd2002-08-02.dmg
Its SHA-1 digest is: 54f6eebe0398181db8f1129403bc5e184e3b7367
Information will also be posted to the Apple Product Security web site:
http://www.apple.com/support/security/secu
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/securi
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3
-----END PGP SIGNATURE-----
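The integrity check the announcement describes can be scripted as follows. This is an added example, not part of Apple's message or the original post; the file name and SHA-1 value are taken from the announcement, and the function names and the digest-length table are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Hex digest length -> hashlib algorithm name. The announcement publishes a
# SHA-1 digest (40 hex chars); the story summary mentions an MD5 checksum (32).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1"}

# Values copied from the announcement above.
UPDATE_FILE = "SecurityUpd2002-08-02.dmg"
PUBLISHED_SHA1 = "54f6eebe0398181db8f1129403bc5e184e3b7367"


def normalize_digest(text):
    """Strip whitespace/colons and lowercase; reject anything that is not hex."""
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("published digest is not hexadecimal")
    if len(cleaned) not in ALGO_BY_HEX_LEN:
        raise ValueError("unexpected digest length %d" % len(cleaned))
    return cleaned


def file_digest(path, algo, chunk_size=1 << 20):
    """Hash the file in chunks so a large disk image is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published):
    """Return (ok, algo, actual_hex) for the file at path against a published digest."""
    expected = normalize_digest(published)
    algo = ALGO_BY_HEX_LEN[len(expected)]
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected), algo, actual


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else UPDATE_FILE
    ok, algo, actual = verify_download(path, PUBLISHED_SHA1)
    print("%s %s: %s" % (algo, actual, "OK" if ok else "MISMATCH - do not install"))
    sys.exit(0 if ok else 1)
```

The comparison only means something if the published digest was obtained over a channel the download itself did not use, such as the signed message or the SSL server named in the announcement.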
Why does this update require a reboot?
Seems Apple is doing a patch for security once a month.
It's really nice that they are automatically detected, and you are asked if you want to apply them.
But is once a month too frequent? Many have their update set to check every day, so the day they release the patch, hundreds of thousands will download it all at once.
On the downside a vulnerability could be known about for up to a month before the patch is released...
But on the upside, these regular updates, and how they are automatically distributed, seem far better than other systems I've used.
Yeah, and you guys panned the iPod too: http://apple.slashdot.org/article.pl?sid=01/10/23