Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac OS X 10.2.8 Available

Posted by pudge on from the only-one-more-before-panther dept.

Transfan76 writes "The 10.2.8 Update delivers enhanced functionality and improved reliability for the following applications, services and technologies: Audio, Bluetooth, Classic compatibility, Finder, Graphics, LDAP, Power Management, Safari, and FireWire and USB device compatibility. The update also provides updated security services and includes the latest Security Updates." Does this have the update to ssh?

4 of 280 comments (clear)

  1. Apple Security Mailing List by Johnny+Mnemonic · · Score: 2, Redundant


    Here's the list of official changes to security in 10.2.8 (read it for yourself at security-announce@apple.com):

    APPLE-SA-2003-09-22 Mac OS X 10.2.8

    Mac OS X 10.2.8 is now available. It contains fixes for recent vulnerabilities in:

    OpenSSH: Mac OS X 10.2.8 contains the patches to address CVE CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X versions prior to 10.2.8, the vulnerability is limited to a denial of service from the possibility of causing sshd to crash. Each login session has its own sshd, so established connections are preserved up to the point where system resources are exhausted by an attack.

    To deliver the update in a rapid and reliable manner, only the patches for CVE IDs listed above were applied, and not the entire set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in Mac OS X 10.2.8, as obtained via the "ssh -V" command, is: OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f

    Sendmail: Addresses CVE CAN-2003-0694 and CAN-2003-0681 to fix a buffer overflow in address parsing, as well as a potential buffer overflow in ruleset parsing.

    fb_realpath(): Fixes CAN-2003-0466 which is an off-by-one error in the fb_realpath() function that may allow attackers to execute arbitrary code.

    arplookup(): Fixes CAN-2003-0804. The arplookup() function caches ARP requests for routes on a local link. On a local subnet only, it is possible for an attacker to send a sufficient number of spoofed ARP requests which will exhaust kernel memory, leading to a denial of service.

    --

    --
    $tar -xvf .sig.tar
  2. Re:uptime by burns210 · · Score: 0, Redundant

    my question would be... why do simple OS updates always require i full restart?

  3. Does contain SSH fix...kinda by Packet+Fish · · Score: 1, Redundant

    From apple product security update mailing list:

    OpenSSH: Mac OS X 10.2.8 contains the patches to address CVE
    CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X
    versions prior to 10.2.8, the vulnerability is limited to a denial
    of service from the possibility of causing sshd to crash. Each
    login session has its own sshd, so established connections are
    preserved up to the point where system resources are exhausted by
    an attack.

    To deliver the update in a rapid and reliable manner, only the
    patches for CVE IDs listed above were applied, and not the entire
    set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in
    Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:
    OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
    0x0090609f

  4. From an AusCERT advisory: by Anonymous Coward · · Score: 0, Redundant

    Mac OS X 10.2.8 is now available. It contains fixes for recent
    vulnerabilities in:

    OpenSSH: Mac OS X 10.2.8 contains the patches to address CVE
    CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X
    versions prior to 10.2.8, the vulnerability is limited to a denial
    of service from the possibility of causing sshd to crash. Each
    login session has its own sshd, so established connections are
    preserved up to the point where system resources are exhausted by
    an attack.

    To deliver the update in a rapid and reliable manner, only the
    patches for CVE IDs listed above were applied, and not the entire
    set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in
    Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:
    OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
    0x0090609f

    Sendmail: Addresses CVE and CAN-2003-0681 to fix a
    buffer overflow in address parsing, as well as a potential buffer
    overflow in ruleset parsing.

    fb_realpath(): Fixes CAN-2003-0466 which is an off-by-one error in
    the fb_realpath() function that may allow attackers to execute
    arbitrary code.

    arplookup(): Fixes CAN-2003-0804. The arplookup() function caches
    ARP requests for routes on a local link. On a local subnet only,
    it is possible for an attacker to send a sufficient number of
    spoofed ARP requests which will exhaust kernel memory, leading to
    a denial of service.