Apple Patches Sendmail Bug Quickly

90XDoubleSide writes "Apple has released Security Update 2003-03-03 (available through Software Update) which addresses the sendmail vulnerability reported earlier today, and includes a newer version of OpenSSL. Seems that Apple is getting much faster with their patches."

score 1 for apple.

[seann]

that was very quick response from them, I look foward to updating my work machine tomorrow.

Re:score 1 for apple.

[commodoresloat]

I'm glad they responded to this quickly, but more glad that sendmail is not enabled by default, and that they try to take minimal security risks on a basic install by turning off a lot of stuff most desktop users don't need. On another note, I am impatient for a fix for the annoying 1969 time/date bug; the workaround they posted is weak.

Re:score 1 for apple.

[am46n]

Everybody knows that when macs forget the time they should reset to 1904, not 1970!

Re:Sick of editorial bias at this site

Based on your user ID, let me say that after reading /. for around 2-3 years, I wouldn't hold my breath if I were you.

Re:Sick of editorial bias at this site

I'm sure if it were Microsoft

But the fact is it's not microsoft

and microsoft don't do even simple patches this quickly

you're basing your accusation of bias on "if microsoft did this". *IF* microsoft did, then we wouldn't be biased against them.

Reality's harsh hey.

jeezus smeezus

C'mon guys, I have the Jobs shrine in my bedroom closet like the rest of you, but apple (and everybody else) had WEEKS to prepare for the announcement today.

Hell, even if they did put out the fix on short notice, is that newsworthy? that's EXPECTED!

And I notice it included the recent OpenSSL fix from a few days ago. What took them so long on THAT one? (I know, they were waiting for today's announcement to do them together. But why didn't they just release two seperate fixes?)

Let's not take the apple worship TOO far.

Re:jeezus smeezus

[astrodawg]

If the headline would have read "Appple Patches Sendmail Bug", would that have been ok with you? It is news - people do need to know about it. The patch needs to be applied.

Do you simply have a problem with the word "quickly"? Or, do you think it was not worthy of posting anything about it?

Re:jeezus smeezus

It wouldn't make me happy. There's no reason for this article other than Apple worship. We don't see an article for each other vendor that patches sendmail and I hope we don't. I know loving Apple makes you all feel special, but this is crazy.

Why Wait?

[rrf]

ssh (login)@(yourmacbox)
sudo softwareupdate

Of course, this only works if you have access to it from the outside ;)

Re:Why Wait?

[dago]

"Of course, this only works if you have access to it from the outside"

If you don't have access to your box from the outside ...

• Nobody has access to it -> no need to update now
  
• Use the sendmail vulnerability, got root and update
  

Re:Why Wait?

Nobody has access to it -> no need to update now

Wrong. You can run Sendmail and not have SSH login enabled.

Use the sendmail vulnerability, got root and update

Wrong. There is no known exploit written for the flaw yet, so you would actually have to come up with one.

Allow me to be the first...

anti-Apple troll to say that Apple didn't do it fast enough.

Yes, that was sarcasm.

Re:tsarkon Fuck Apple and Fuck Slashdot ASSHOLES

Sure took you a long time to come up with that one.
You are so clever and smart, if only you had a girlfriend
other than your mom. Of course there's Tom, the
manager down at work. He thinks you're pretty cute.

like the fast response but...

...the date for the security update is wrong, it's 2003-03-03 not 2002-03-03.

They Weren't the Only Ones

[themo0c0w]

Looking at bugtraq, RedHat, Mandrake, SuSE, Connective, IBM's AIX, FreeBSD, and SGI also updated their sendmail packages. They've all had much advance notice for this, so it is no big surprise they have updates soon (i.e., simulaneously with the release from sendmail.org).

What would have been more interesting was if Apple hadn't updated their sendmail packages. With them advertising Xserve's as big iron, I would hope they would be quick with the patches.

Re:They Weren't the Only Ones

[bigsteve@dstc]

Sun has also released patches for this vulnerability on Solaris.

Hmmmm...

[FireBreathingDog]

I wonder how long it'll take Microsoft to issue their patch for sendmail...

quickly, my ass

[warren69]

Redhat was much faster. Look at the post on the original slashdot article, Redhat had allready a patch available.

Which brings me to another point, Quick is a relative term, but I definitely would not use it in relation to RedHat (I would in relation to M$ patches), but comeon, use some journalistic principles here, and not blindly support OSX, I realize this is apple.slashdot.org, but we should push Apple to do better.

cheers,
Daniel

Re:quickly, my ass

[afantee]

For OS X, the updating can be done by 2 mouse clicks with the Software Update tool. How long does it take on other system. I know it takes much longer to do Windows updating.

Re:quickly, my ass

[warren69]

Sure it is quick for me to update, once the patch was made available, but the point is, when I saw the posting on Slashdot, I went to software updates, and there was no update there.

If I ran an ISP, I would rather the patch be made immediately available, why did Apple not have their patch released as others did when the annoucement was made? Can you imagine me saying to my customers, I'm sorry I choose Apple not Redhat, you can not send e-mail for the next while (undetermined amount of time) while I keep the mail server offline waiting for a patch. . .

Now obviously I could manually put in a patch from Sendmail, but hey I picked OS X because of its ease of use . . .

Oh, and then I would have to explain why the late coming of the ssl patch too . . .

Re:quickly, my ass

People still run ISP's? I thought the big corps bought them all up.

Warning!

[Znonymous+Coward]

I had some problems with this update.

Here is what happened...

1. Ran SW update.
2. I took a really long time to "optimize".
3. "You must reboot", OK.
4. SBOD (Spinning Beachball of Death).
5. Let it sit there for about 6 hours (while I was sleeping).
6. Still SBOD so I powered it off.
7. File system errors.
8. Whit it came backup, it fsckd and rebooted a couple of times.

Seems to be working now, anyone else have problems with this update?

Re:Warning!

[astrodawg]

I had no problems at all.

1. Ran SW update.
2. "You must reboot", OK.

It rebooted.. there was no step 3.

Re:Warning!

[jtrascap]

2 machines, no problem at all...

Like the man wrote -
* update (let app run, get coffee)
* reboot (adjust chair, hide dirty coffee cups)

All done..

Re:Warning!

[NeuroKoan]

I had 1-4, but after about 10 minutes it told me I needed to reboot.

Re:Warning!

I had SBOD after I pressed restart but it was just the Finder hanging. Force quitting that gave me a restart with no other problems.

Re:Warning!

[jht]

No problems on my TiBook - like virtually all updates, it took around 2-3 minutes to optimize, then the reboot proceeded as normal.

A typical reboot on my TiBook (667) takes around a minute and a half - 30 seconds to shut down, and a minute to come back up. Most of the reboot time is the initial checks and spinning bars at boot. It's usually about 15-20 seconds from the appearance of the startup dialog box to desktop.

I go into too much detail here, I know, but this update was utterly routine - in fact, all my updates have been. This TiBook has been running OS X since I bought it in the fall of 2001, starting with 10.1, and I've applied all patches to it pretty much as they've been released. Never had a problem yet.

Re:Warning!

I hate to be a "metoo", but we updated an iBook and a Quicksilver last night.

Both updated and rebooted w/o a problem. The iBook took a little longer to optimize (about 5 minutes compared to 2 minutes)

Re:Warning!

[drokus]

Old beatup Wallstreet, but no problems with this or any other update.

Re:Warning!

[Dinosaur+Jr.]

Update was smooth on my iBook 700. No errors, no beachball...

Re:Warning!

[KalenDarrie]

I installed. It took an inordinately long amount of time to optimize, but when I rebooted all was as it has been before so far as I can see.

Re:Warning!

I notice that sometimes it doesn't seem to do anything at all during optimization, while other times it seems to take forever. Im not sure of the reasons for this, but could it have something to do with the last time you optimized?

Whoa...

Apple has released Security Update 2002-03-03 (available through Software Update) which addresses the sendmail vulnerability reported earlier today, [...]

Wow, Apple actually patched the hole a year before it was discovered! Time travel?

Re:Whoa...

[commodoresloat]

Wow, Apple actually patched the hole a year before it was discovered! Time travel?

Yeah, man. They even posted a first post to this discussion about it, but it got moderated "Troll."

Insightful, my arse

[Xenex]

"Redhat was much faster. Look at the post on the original slashdot article, Redhat had allready a patch available."

Look at the original Slashdot story yourself. The comment relating to Apple's patch was there within 3 hours of the one relating to Red Hat.

And note, that is when Slashdot mentioned it, not when Apple posted it. Basically, the two companies had patches out at virtually the same time.

Yay! Update!

[tuxedobob]

I needed an excuse to reboot my iBook.

Is anyone else unnerved when there are no new updates for a while? To anything?

1 thing for that

[__aafkqj3628]

Too bad we can't say the same for J2SE 1.4 and J2EE.

Re:bad news -- bug leaves Apple most vulnerable

[commodoresloat]

PowerMac sales were down 20%, while iBook sales fell 8%.

Come on, man, we need some more consequential numbers here. How many posts to Usenet about OS X in the past year?

Re:bad news -- bug leaves Apple most vulnerable

[geniusj]

Wow.. This makes more sense than any comment I've ever read. Thanks Mr. Coward!

Re:bad news -- bug leaves Apple most vulnerable

[geniusj]

Damn you.. You've defeated me both in the speed of your response and wit as well..

I surrender.

Quick, yes, but not as quick as you think

[Hanashi]

It's worth noting the vendors were all notified of the sendmail problem in mid-February. They all agreed to release the patches and the vulnerability announcements on 3 March.

One of my colleagues was complaining about not being notified immediately, but I think the situation was rather well handled (in contrast to some other recent vulnerability disclosures I could name). The vendor patches were available nearly as soon as I had heard of the vulnerability, and I won't even *guess* when the last time that happened to me was.

Why do they include sendmail in the first place?

[capmilk]

I agree that it is a good thing sendmail is not enabled by default.

But why do they include it in the first place? They could include postfix instead which is known to be much more secure. (As I do not want to start an MTA war here: yes, they might as well go for qmail, which is also known to be more secure than sendmail.)

Re:Why do they include sendmail in the first place

Sendmail has a better license than postfix. You love postfix so much? Talk to the authors and get them to release it under BSD. Thanks.

Really??

[NitroPye]

sendmail has vunerabilities?? ;)

Patch too quick?

[jilbert]

I have installed it, restarted, but it came up on Software Update again. So I installed it, restared, and it is still there on Software Update! Maybe they should have tested it a bit more before pushing it out of the door? (Or there is something weird with my Mac.)

Re:Patch too quick?

I've got the same problem here...

Re:Patch too quick?

[Slur]

Try this: Use "Download checked items to Desktop" from the Software Update panel. This will give you a package installer so you don't have to download it again. Next run Disk Utility and do "Repair Permissions" on your startup disk. Next throw away the receipt for this update, which will be in the /Library/Receipts folder and has "2003-03-03" in its name (I haven't patched this machine here so I don't know the exact name). Finally, run the patch from the package file on your desktop. If this doesn't fix it I don't know what will!

Reboot?

They must have gotten this patch from Microsoft. There should be no need to reboot. Sendmail is not part of Mach.

Re:Sick of editorial bias at this site

[pudge]

Heh, the title was bad. I should have rewritten it, I just used what the submission had. It was late, my bad. But you're right, saying "if Microsoft did this" is just laughable. :-)

10.1 still vulnerable

[metamatic]

Unfortunately, Apple hasn't bothered to patch 10.1 yet, and there are a lot of people who didn't want to pay $130 for a point release only months after paying full price for 10.1.

So Apple's doing a substantially worse job than RedHat, who have released patches for the last three major versions of RedHat, plus all the point releases.

Re:10.1 still vulnerable

Wait for 01 January 2004 and see what you have to say about RedHat's updates then.

Re:10.1 still vulnerable

Point release it may be but jeebus is the update worth it...

Quit bitching about prices XP cost a shit load and my friend had to reinstall the thing about 18 times before it was stable (Thanks NVIDIA/Creative/Microsoft you make me have a lot of faith that you don't know how to write drivers).

Speaking of drivers where the hell is my Mac SBLive! support?

Re:10.1 still vulnerable

If yer too cheap to upgrade to Jaguar, download sendmail 8.12.8 from http://www.sendmail.org and compile it yourself.

There are lots of other security fixes which have not been released for 10.1.

I would feel differently if there were hardware running 10.1 which could not run 10.2 (or whose performance would suffer if it did). Then Apple would have an obligation to issue security updates to 10.1 to support that hardware.

But, at this point, anyone running 10.1 ought to be prepared to compile sendmail (and openssl and ...) for themselves.

Re:10.1 still vulnerable

[trash+eighty]

oh stop moaning! a patch for 10.1.5 is out now...

http://www.versiontracker.com/dyn/moreinfo/macos x/ 15352

you only had to wait an extra day!

Re:bad news -- bug leaves Apple most vulnerable

Congrats on successfully trolling a couple of stupid apple users (I know that was redundent).

Re:bad news -- bug leaves Apple most vulnerable

You really need to look up 'irony', dude.

Re:bad news -- bug leaves Apple most vulnerable

irony

\I"ron*y\, a. [From Iron.] 1. Made or consisting of iron; partaking of iron; iron; as, irony chains; irony particles. [R.]

What's your point?

WRONG

Get a sense of humor. FUCKTARD.

Probably the fastest patch I have seen...

[pvera]

Within hours of reading about the bug I noticed the patch published in versiontracker.com. Probably minutes after I finished the patch, johncompanies sends me an email with exact instructions on how to patch my freeBSD jail server. I am positive all this happened within an hour!

Re:Why do they include sendmail in the first place

I don't know much about the Secure Mailer Liscense that IBM uses for postfix, but it appears to be Free enough that it made it in to Debian proper. The qmail in debian has to be built from source for liscense reasons (the package is qmail-src) or installed from an unofficial apt source, but postfix is there like any other package. I know apple ships some GPL software with OS X now, I can't imagine why they couldn't ship postfix. It would be awesome if fink had a bundle-djb kind of package, that disabled BIND and sendmail and replaced them with qmail and djbdns... Of course, such a package would also need to include an update script to be run after every system update (where apple clobbers your mta to update sendmail). Postfix from fink has a switch-mta command that does just this, actually. Oh yeah, that reminds me, if you want a non-sendmail mta in os x and don't want to dick around with building qmail, just fink install postfix . It's not 2.x yet, but 1.x is stable and secure, and it beats the fuck of of sendmail any day. When I breifly played with the idea of running a mailserver in osx, thats what I used.

OT Googlism.. might shed some insight ;)

[dave1212]

Oh well.. there goes the karma..

Googlism for: steve jobs

steve jobs is an innovation leader in this industry
steve jobs is right on target with where apple must go
steve jobs is the man
steve jobs is a visionary in the world of personal computers that led the entire computer hardware and software industry to restructure itself
steve jobs is supreme over steve wozniak
steve jobs is not your friend
steve jobs is running the company
steve jobs is the ceo of apple
steve jobs is the man staff report
steve jobs is simply a fluke by jim dalrymple
steve jobs is an innovation leader in this industry jimmy greene
steve jobs is right on target with where apple must go to survive
steve jobs is that he's a fair
steve jobs is so obsessed with toy story he can barely stay in his seat when talking about it
steve jobs is telling us things are going to continue to get worse
steve jobs is one of the big names in the computer industry
steve jobs is not particularly interested in doing
steve jobs is ceo for as long as he may choose
steve jobs is invited to see the graphical user interface which has been developed by xerox
steve jobs is the rosetta stone of high tech
steve jobs is a nine fire in japanese astrology
steve jobs is a compelling look at an individual who has changed the face of technology and entertainment for the twenty
steve jobs is anywhere close to what one might define as normal
steve jobs is still very much involved with the company
steve jobs is a master of keeping his message simple
steve jobs is nothing but my imagination
steve jobs is full of shit
steve jobs is still an asshole out to screw the apple faithful in the same easy manner that he's done similar takes with co
steve jobs is in the pressure cooker once again
steve jobs is at it again
steve jobs is the ceo of apple computer
steve jobs is ceo of pixar animation studios
steve jobs is co
steve jobs is still hanging out as apple computer's interim chief executive officer a year after the company gave its last ceo
steve jobs is not that he revolutionized computing in the 1980s
steve jobs is the chairman of the board in apple computer inc
steve jobs is a genius
steve jobs is credited with most of the credit for building apple computers
steve jobs is currently ceo of apple computer corporation but only after a long and tumultuous history
steve jobs is the co
steve jobs is one of four action figures
steve jobs is on time's cover this week
steve jobs is even more remarkable
steve jobs is een aparte figuur in de it
steve jobs is more that just a smart guy
steve jobs is well known for many things
steve jobs is available for instant download
steve jobs is a complicated character
steve jobs is missing from c
steve jobs is scheduled to take the stage at the big sight auditorium in tokyo to deliver the macworld tokyo 2002 keynote beginning at 7
steve jobs is chairman and ceo of pixar
steve jobs is that at least gil had the sense to give his machines different names and market bases
steve jobs is osama bin laden
steve jobs is now running apple computer; but even that is a rumor
steve jobs is a lousy manager
steve jobs is currently the president of next
steve jobs is now back with apple after being ousted in 1985
steve jobs is misschien niet de meest briljante informatietechnoloog
steve jobs is the first name mentioned
steve jobs is not your friend - applelinks
steve jobs is a personal hero of mine
steve jobs is an egotistical jerk with a romantic streak
steve jobs is not exactly a slouch in the enrichment department
steve jobs is more foolish the second time around and better prepared to lead apple into the new millennium than he was 20 years ago?
steve jobs is also pixar's ceo
steve jobs is apple's focus group
steve jobs is nothing if not a pragmatist
steve jobs is gonna make a presentation of the imac
steve jobs is to computers what the beatles were to music
steve jobs is boring and profitable
steve jobs is right on target with where apple must go
steve jobs is an innovation leader in this industry
steve jobs is still very much involved with the company
steve jobs is supreme over steve wozniak
steve jobs is a visionary in the world of personal computers that led the entire computer hardware and software industry to restructure itself
steve jobs is best suited to address
steve jobs is a genius
steve jobs is boring and profitable by paul kapustka september 8
steve jobs is right on target with where apple must go to survive
steve jobs is an innovation leader in this industry jimmy greene
steve jobs is the man to have running apple
steve jobs is doing it his way
steve jobs is in the pressure cooker once again
steve jobs is that he's a fair
steve jobs is the man staff report
steve jobs is so obsessed with toy story he can barely stay in his seat when talking about it
steve jobs is telling us things are going to continue to get worse
steve jobs is invited to see the graphical user interface which has been developed by xerox
steve jobs is anywhere close to what one might define as normal
steve jobs is one of the big names in the computer industry
steve jobs is available for instant download
steve jobs is slowly taking america on a digital lifestyle
steve jobs is ceo of pixar animation studios
steve jobs is trying to kill me
steve jobs is wearing a black sweater
steve jobs is a compelling look at an individual who has changed the face of technology and entertainment for the twenty
steve jobs is scheduled to take the stage at the big sight auditorium in tokyo to deliver the macworld tokyo 2002 keynote beginning at 7
steve jobs is missing from c
steve jobs is still an asshole out to screw the apple faithful in the same easy manner that he's done similar takes with co
steve jobs is the chairman of the board in apple computer inc
steve jobs is not that he revolutionized computing in the 1980s
steve jobs is still hanging out as apple computer's interim chief executive officer a year after the company gave its last ceo
steve jobs is one of four action figures
steve jobs is on time's cover this week
steve jobs is the co
steve jobs is even more remarkable
steve jobs is currently ceo of apple computer corporation but only after a long and tumultuous history
steve jobs is credited with most of the credit for building apple computers
steve jobs is currently the president of next
steve jobs is chairman and ceo of pixar
steve jobs is trying to
steve jobs is that at least gil had the sense to give his machines different names and market bases
steve jobs is guiding the company toward the high
steve jobs is more that just a smart guy
steve jobs is well known for many things
steve jobs is now running apple computer; but even that is a rumor
steve jobs is apple's focus group
steve jobs is a complicated character
steve jobs is een aparte figuur in de it
steve jobs is also pixar's ceo
steve jobs is now back with apple after being ousted in 1985
steve jobs is the first name mentioned
steve jobs is not your friend - applelinks
steve jobs is going to get it into
steve jobs is not exactly a slouch in the enrichment department
steve jobs is more foolish the second time around and better prepared to lead apple into the new millennium than he was 20 years ago?
steve jobs is also the ceo of pixar
steve jobs is boring and profitable
steve jobs is right on target with where apple must go
steve jobs is an innovation leader in this industry
steve jobs is the man to have running
steve jobs is a visionary in the world of personal computers that led the entire computer hardware and software industry to restructure itself
steve jobs is right on target with where apple must go to survive
steve jobs is so obsessed with toy story he can barely stay in his seat when talking about it
steve jobs is telling us things are going to continue to get worse
steve jobs is invited to see the graphical user interface which has been developed by xerox
steve jobs is anywhere close to what one might define as normal
steve jobs is one of the big names in the computer industry
steve jobs is available for instant download
steve jobs is slowly taking america on a digital lifestyle
steve jobs is a compelling look at an individual who has changed the face of technology and entertainment for the twenty
steve jobs is scheduled to take the stage at the big sight auditorium in tokyo to deliver the macworld tokyo 2002 keynote beginning at 7
steve jobs is nothing but my imagination
steve jobs is a master of keeping his message simple
steve jobs is the ceo of apple computer
steve jobs is still an asshole out to screw the apple faithful in the same easy manner that he's done similar takes with co
steve jobs is the chairman of the board in apple computer inc
steve jobs is not that he revolutionized computing in the 1980s
steve jobs is still hanging out as apple computer's interim chief executive officer a year after the company gave its last ceo
steve jobs is currently ceo of apple computer corporation but only after a long and tumultuous history
steve jobs is credited with most of the credit for building apple computers
steve jobs is that at least gil had the sense to give his machines different names and market bases
steve jobs is guiding the company toward the high
steve jobs is more that just a smart guy
steve jobs is well known for many things
steve jobs is now running apple computer; but even that is a rumor
steve jobs is also pixar's ceo
steve jobs is now back with apple after being ousted in 1985
steve jobs is worshipped like a rock star
steve jobs is nothing if not a pragmatist
steve jobs is not exactly a slouch in the enrichment department
steve jobs is more foolish the second time around and better prepared to lead apple into the new millennium than he was 20 years ago?
steve jobs is also the ceo of pixar