Apple Releases Security Update 2002-08-20

Prozy.G3 writes "Mac OS X Security Update 2002-08-20 includes updated components (OpenSSL & Security) which provide increased security to prevent unauthorized access to applications, servers, and the operating system. Mac OS X Security Update 2002-08-20 is available either through the Software Update application (System Preferences) or at the Apple Knowledge Base." According to the Knowledge Base, it is for Mac OS X 10.1.5; are these components already in Mac OS X 10.2, or is another update forthcoming?

Um

[wdr1]

According to the Knowledge Base, it is for Mac OS X 10.1.5; are these components already in Mac OS X 10.2, or is another update forthcoming?

Wouldn't it be better to find that out from Apple as opposed to asking the general Slashdot audience?

-Bill

Re:Not for Jag

[tm2b]

Pre-update, 10.1.5 had OpenSSL 0.9.6b 9 Jul 2001.

Post-update, 10.1.5 has OpenSSL 0.9.6e 30 Jul 2002

So, it looks like 10.2 will generally be vulnerable until Apple rolls out the Jaguar version of the patch.

Re:Slashdot advertizing getting out of hand!

[foobar104]

Just out of curiosity, what build are you using? I'm running 6C106 and I haven't seen anything like that before. I'm wondering if it's a Mozilla bug or a Mac OS X bug.

Re:Not for Jag

[dhovis]

After the update, I get:

OpenSSL 0.9.6e 30 Jul 2002

So Jag will probably require an update too.

Re:Slashdot advertizing getting out of hand!

[RevAaron]

It's not evil advertising so much as either a) mozilla sucking or b) something in the slash HTML that really blows. I've run into this sort of thing in Opera 5 on Linux/PPC occasionally as well.

Re:I used to love OS9

[sparkleytone]

yeah well if you arent running a webserver or using the ssh server, then just dont update. but i have to ask, did apache and ssl run on your os9???

Apple licensing clones again

[danamania]

On the kbase article apple advise you need a:

Mac OS X compatible computer

Note they don't say "Mac OS X compatible Macintosh"

They're making clones again!

brought to you by the reading-too-much-into-things dept.

a grrl & her server

I'm running Jaguar.

[batobin]

I'm running the release version of Jaguar, and as of right now there is no update available (using Software Update). I guess they're punishing the early early adoptors and waiting until the release date.

command line updater?

The previous couple of updates installed a command-line utility to get software updates (/usr/sbin/softwareupdate). Very handy as I usually admin our servers over ssh.

But at the moment, this new update only shows up in the GUI Software Update panel -- running from the CL tells me "Your software is up to date" and then exits. Anyone know why?

Re:command line updater?

[Sam+Treadwell]

Weird, I just updated mine via the command line, as I am logged in to my home box via SSH. See the following:

Software Update Tool
Copyright 2002 Apple Computer, Inc.

Software Update found the following new or updated software:

- SecurityUpd2002-08-20
Security Update 2002-08-20 (1.0), 2680K - restart required

To install an update, run this tool with the item name as an argument.
e.g. 'softwareupdate ...'

I thne installed the update via the command line and it worked just fine. Hope this helps!

-Jeff

Re:Slashdot advertizing getting out of hand!

[extra88]

When that happens to me (Moz 1.0 OS X 10.1.5), I don't get the image, just a gray box in approximately the same position.

Re:Slashdot advertizing getting out of hand!

[frankie]

This is a known issue: Bug 137982 "Page elements are sometimes misdrawn as grey boxes or in wrong position".

http://bugzilla.mozilla.org/show_bug.cgi?id=137982

Please login and vote.

10.2 Update

[rgraham]

According to the Knowledge Base, it is for Mac OS X 10.1.5; are these components already in Mac OS X 10.2, or is another update forthcoming?

There have been reports that Apple will post an update for 10.2 a couple of weeks after it is released to address some security concerns, like the most recent one for 10.1.x and to fix some minor bugs that have shown up since 10.2 went GM.

0.9.6e

[artfulbodger]

The documentation for the previous security update (Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl) said it included 0.9.6e of OpenSSL. But after I installed the update and checked with "openssl version" it said it was still 0.9.6b.

This had me worried for a while, and mad at Apple, until someone pointed out that it looked like the update changed the significant libraries, so it probably was patched. Pretty irritating though.

So why the restart?

[Drishmung]

Was that restart really necessary? Even for an update that replaces libraries, I would have thought the most that would be required would be to restart the odd daemon, not the whole system!

I was under the impression the Darwin framework system was sophisticated enough to deal with new versions replacing old on running systems.

Is this just a holdover in thinking from the OS 9 days?

Re:So why the restart?

[Draoi]

As openssl was part of the update, I'm guessing that daemons like apache and sshd would need to be restarted. The best way of taking care of all these would simply be a reboot.

Re:So why the restart?

[Drishmung]

Best? A reboot is simple, but I don't think it's the 'best'.

Apple could walk through the process list and restart any of the standard daemons that needed it. They could suggest that a reboot would be a Good Idea, but I don't think it should be mandatory.

Debian manages this sort of thing with apt-get just fine without a reboot.

It's a mindset thing. Someone is still stuck in the 'any change to the system = reboot!' frame.

Re:I used to love OS9

[Draoi]

there's a god damned patch every two days

You can't have it every way. The problem with windows is that there *isn't* a 'god damned patch' every time it's necessary.

MacOS X is based on open source tools. Bugs get seen. Bugs get fixed. Lap 'em up and enjoy - it's a small price to pay for decent security.

Re:I used to love OS9

[Draoi]

If you're not running them, then how's some 'loser script kiddie' gonna break into your system? When's the last time you heard of someone breaking into Apache (1.3.26 on my version of MacOS X)?

Personal web sharing is disabled by default, BTW. This was not the case with IIS ...

Furthermore, you don't have to keep getting patches for them. Just stop clicking on that 'software update' button. I'm sure everything will be just fiiiine.

In short - quit bellyaching about patches. They're for your benefit. If you were running Linux, every time openssl rolls you'd have a whole lot of fun DLing the source/RPMs, building/updating a myriad of programs & crossing your fingers in the hope that everything still works. Apple does exactly this for you, packages it up all nice and all you can do is complain? WTF?

Re:I used to love OS9

[Draoi]

You don't *have* to update. Just choose the 'make inactive' option from the menu in Software Update & the nasty security update will go away.

Your OS contains the openssl/modssl/apache packages. Software Update knows this. Just 'coz you're not using web sharing today doesn't mean you won't click that button tomorrow & I'm guessing you'd be one of the first people to complain that, when you did, Apple was running a version of openssl on your box that was three revs behind. Right???