Apple Releases Security Update 2002-08-20

Prozy.G3 writes "Mac OS X Security Update 2002-08-20 includes updated components (OpenSSL & Security) which provide increased security to prevent unauthorized access to applications, servers, and the operating system. Mac OS X Security Update 2002-08-20 is available either through the Software Update application (System Preferences) or at the Apple Knowledge Base." According to the Knowledge Base, it is for Mac OS X 10.1.5; are these components already in Mac OS X 10.2, or is another update forthcoming?

Um

[wdr1]

According to the Knowledge Base, it is for Mac OS X 10.1.5; are these components already in Mac OS X 10.2, or is another update forthcoming?

Wouldn't it be better to find that out from Apple as opposed to asking the general Slashdot audience?

-Bill

Re:Um

[djupedal]

No shit.... "Gee...this looks like a munition...wonder if I should ask my friend bubba if it's dangerous or not?" ...once again, stupidity is passed off as editorial content, when it's really just an excuse to push pixels.

Not for Jag

[BFCx]

10.2 has OpenSSL 0.9.6b 9 Jul 2001
Someone compare this in 10.1.5 (type 'openssl' then 'version' to see, if you didnt already know)

$ Security
bash: Security: command not found ;)

Re:Not for Jag

[tm2b]

Pre-update, 10.1.5 had OpenSSL 0.9.6b 9 Jul 2001.

Post-update, 10.1.5 has OpenSSL 0.9.6e 30 Jul 2002

So, it looks like 10.2 will generally be vulnerable until Apple rolls out the Jaguar version of the patch.

Re:Not for Jag

[dhovis]

After the update, I get:

OpenSSL 0.9.6e 30 Jul 2002

So Jag will probably require an update too.

Re:Not for Jag

[PotPieMan]

This is what I have after Security Update 2002-08-02 for 10.1.5:

[medellia:~] dwc% openssl version
OpenSSL 0.9.6c 21 dec 2001

I haven't installed this latest update:

[medellia:~] dwc% softwareupdate
Software Update Tool
Copyright 2002 Apple Computer, Inc.

Software Update found the following new or updated software:

- SecurityUpd2002-08-20
Security Update 2002-08-20 (1.0), 2680K - restart required

To install an update, run this tool with the item name as an argument.
e.g. 'softwareupdate ...'

So, I'm guessing this is for 10.1.5, and that 10.2 will have a separate update for these items (since the CDs have most likely gone into production already).

Re:Not for Jag

[PotPieMan]

Erm, sorry. That was actually my install of OpenSSL from Fink. The correct version prior to updating is 0.9.6b 9 Jul 2001, and the correct version after updating is 0.9.6e 30 Jul 2002.

Re:Not for Jag

So, it looks like 10.2 will generally be vulnerable until Apple rolls out the Jaguar version of the patch.

Right - I'm running Jaguar as of today, and openssl is still at 0.9.6b. No software updates appear in the update check.

Slashdot advertizing getting out of hand!

[BFCx]

Maybe i should buy a subscription, (Mozilla 1.0 on 10.2)

Screen shot

Re:Slashdot advertizing getting out of hand!

[foobar104]

Just out of curiosity, what build are you using? I'm running 6C106 and I haven't seen anything like that before. I'm wondering if it's a Mozilla bug or a Mac OS X bug.

Re:Slashdot advertizing getting out of hand!

[Gil+Da+Janus]

Happens with Mozilla 1.1b on MacOS X 10.1.5.

Gil

Re:Slashdot advertizing getting out of hand!

[BFCx]

I'm running the final Retail Upgrade, the final has been shipping for a week or so now with new macs and some people have recived copies early. Also it's Mozilla 1.0.0 Final. It only happened once i just hit back and forward and it was gone, just a little bug.

Re:Slashdot advertizing getting out of hand!

[RevAaron]

It's not evil advertising so much as either a) mozilla sucking or b) something in the slash HTML that really blows. I've run into this sort of thing in Opera 5 on Linux/PPC occasionally as well.

Re:Slashdot advertizing getting out of hand!

[extra88]

When that happens to me (Moz 1.0 OS X 10.1.5), I don't get the image, just a gray box in approximately the same position.

Re:Slashdot advertizing getting out of hand!

[frankie]

This is a known issue: Bug 137982 "Page elements are sometimes misdrawn as grey boxes or in wrong position".

http://bugzilla.mozilla.org/show_bug.cgi?id=137982

Please login and vote.

Re:I used to love OS9

at least you don't have to replace your entire kernel every few days to avoid filesystem corruption and IDE brain damage.

Re:I used to love OS9

[sparkleytone]

yeah well if you arent running a webserver or using the ssh server, then just dont update. but i have to ask, did apache and ssl run on your os9???

err (I don't feel so good) ~~

Too many updates...you have reached your limit.
The day I have to buy an Update to GPL software
will be the end of it all. Would you like GPL Fries with that Big Mac ?

brought to you by supercow and madcow....
(super cow powers)

Apple licensing clones again

[danamania]

On the kbase article apple advise you need a:

Mac OS X compatible computer

Note they don't say "Mac OS X compatible Macintosh"

They're making clones again!

brought to you by the reading-too-much-into-things dept.

a grrl & her server

Re:Apple licensing clones again

The Xserve is referred to by apple as "the Xserve computer", not a Macintosh.

I'm running Jaguar.

[batobin]

I'm running the release version of Jaguar, and as of right now there is no update available (using Software Update). I guess they're punishing the early early adoptors and waiting until the release date.

command line updater?

The previous couple of updates installed a command-line utility to get software updates (/usr/sbin/softwareupdate). Very handy as I usually admin our servers over ssh.

But at the moment, this new update only shows up in the GUI Software Update panel -- running from the CL tells me "Your software is up to date" and then exits. Anyone know why?

Re:command line updater?

[Sam+Treadwell]

Weird, I just updated mine via the command line, as I am logged in to my home box via SSH. See the following:

Software Update Tool
Copyright 2002 Apple Computer, Inc.

Software Update found the following new or updated software:

- SecurityUpd2002-08-20
Security Update 2002-08-20 (1.0), 2680K - restart required

To install an update, run this tool with the item name as an argument.
e.g. 'softwareupdate ...'

I thne installed the update via the command line and it worked just fine. Hope this helps!

-Jeff

Re:command line updater?

[ellem]

I did not know about this. Sweet, thank you, thank you very much

PS it works for me too.

Anyone know how I can get the SWU to stop telling me about the other languages (w/o installing them?)

Re:I used to love OS9

You're missing the point. I DON'T run a web server or SSL on my mac in OSX, but now thanks to Apple I have to keep getting patches for them, or else some loser script kiddie will manage to break into my machine and delete my files. When MS ships IIS enabled by default everyone whines, but when apple ships Apache everyone goes "hooray open source!"

Re:I used to love OS9

[nuckin+futs]

the difference is, Unlike MS IIS, nothing is shipped enabled by default. You have to turn it on manually.

Also, if you get a script that tells the computer to delete important files, you will have to authenticate or use su.

Re:I used to love OS9

I DON'T run a web server or SSL on my mac in OSX

Then you have nothing to worry about. Your mac is safe.

10.2 Update

[rgraham]

According to the Knowledge Base, it is for Mac OS X 10.1.5; are these components already in Mac OS X 10.2, or is another update forthcoming?

There have been reports that Apple will post an update for 10.2 a couple of weeks after it is released to address some security concerns, like the most recent one for 10.1.x and to fix some minor bugs that have shown up since 10.2 went GM.

0.9.6e

[artfulbodger]

The documentation for the previous security update (Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl) said it included 0.9.6e of OpenSSL. But after I installed the update and checked with "openssl version" it said it was still 0.9.6b.

This had me worried for a while, and mad at Apple, until someone pointed out that it looked like the update changed the significant libraries, so it probably was patched. Pretty irritating though.

Re:I used to love OS9

Now, with OSX, I feel like I'm running Windows: there's a... patch every two days.

It's more like one a month.

And this one I got before I'd even heard there was a vulnerability.

So why the restart?

[Drishmung]

Was that restart really necessary? Even for an update that replaces libraries, I would have thought the most that would be required would be to restart the odd daemon, not the whole system!

I was under the impression the Darwin framework system was sophisticated enough to deal with new versions replacing old on running systems.

Is this just a holdover in thinking from the OS 9 days?

Re:So why the restart?

[anarkhos]

Apple is just being lazy.

The only time you really need to reboot is if the kernel is updated. You can force quit the updater app if you want to bypass it.

Re:So why the restart?

[Draoi]

As openssl was part of the update, I'm guessing that daemons like apache and sshd would need to be restarted. The best way of taking care of all these would simply be a reboot.

Re:So why the restart?

[Drishmung]

Best? A reboot is simple, but I don't think it's the 'best'.

Apple could walk through the process list and restart any of the standard daemons that needed it. They could suggest that a reboot would be a Good Idea, but I don't think it should be mandatory.

Debian manages this sort of thing with apt-get just fine without a reboot.

It's a mindset thing. Someone is still stuck in the 'any change to the system = reboot!' frame.

Re:I used to love OS9

Then why does software update tell me I have to update?

Re:I used to love OS9

[Draoi]

there's a god damned patch every two days

You can't have it every way. The problem with windows is that there *isn't* a 'god damned patch' every time it's necessary.

MacOS X is based on open source tools. Bugs get seen. Bugs get fixed. Lap 'em up and enjoy - it's a small price to pay for decent security.

Re:I used to love OS9

[Draoi]

If you're not running them, then how's some 'loser script kiddie' gonna break into your system? When's the last time you heard of someone breaking into Apache (1.3.26 on my version of MacOS X)?

Personal web sharing is disabled by default, BTW. This was not the case with IIS ...

Furthermore, you don't have to keep getting patches for them. Just stop clicking on that 'software update' button. I'm sure everything will be just fiiiine.

In short - quit bellyaching about patches. They're for your benefit. If you were running Linux, every time openssl rolls you'd have a whole lot of fun DLing the source/RPMs, building/updating a myriad of programs & crossing your fingers in the hope that everything still works. Apple does exactly this for you, packages it up all nice and all you can do is complain? WTF?

Re:I used to love OS9

[Draoi]

You don't *have* to update. Just choose the 'make inactive' option from the menu in Software Update & the nasty security update will go away.

Your OS contains the openssl/modssl/apache packages. Software Update knows this. Just 'coz you're not using web sharing today doesn't mean you won't click that button tomorrow & I'm guessing you'd be one of the first people to complain that, when you did, Apple was running a version of openssl on your box that was three revs behind. Right???

two different 2002-08-20 updates?

[mah!]

this security update 2002-08-20 appeared (surprise!) on Aug 20th in the SW Update system preferences. I run the update and rebooted.

However the next day, on the 21st, it appeared again with the same name; I reinstalled it and rebooted the machine again. Now it seems to be fine.

Anyone else experienced this?