Mac OS X 10.2.8 Available
Transfan76 writes "The 10.2.8 Update delivers enhanced functionality and improved reliability for the following applications, services and technologies: Audio, Bluetooth, Classic compatibility, Finder, Graphics, LDAP, Power Management, Safari, and FireWire and USB device compatibility. The update also provides updated security services and includes the latest Security Updates." Does this have the update to ssh?
I dunno -- some of us who remember the iTunes updater fiasco like to wait a day or two before applying patches and updates. If there's a disaster out there, let it be someone else who stumbles across it. Same for Linux kernels, new versions in emerge (do I really need a new point release of awk this minute?) and anything else.
I mean, I get your point but Mac users do get burned too, and I'd rather it's you than me.
What I'm listening to now on Pandora...
An odd thing was that it reset my monitor settings back to 16bit colour ('Thousands'), so you may want to watch out for that. Aqua does such a good job of dithering you probably wouldn't even notice at first.
Another odd thing was that my display went a little funky when doing the cross-fading desktop pictures just a second ago. Fixed itself after the transition was complete, no idea what that's about.
If you're superstitious like me don't forget to do the Repair Permissions trick - it's the new Rebuild Desktop - although I had no issues there either.
One last thing, be prepared to have your frickin Keychain pestering you for the next week....
If Jesus wants me it knows where to find me.
So here's my $50,000 question. Since the newest G4s were supposed to actually have USB 2.0 chipsets in them, but the software was throttling them back to 1.1, does this update magically turn the late G4 MDDs into USB 2.0 machines? CC
APPLE-SA-2003-09-22 Mac OS X 10.2.8
Mac OS X 10.2.8 is now available. It contains fixes for recent
vulnerabilities in:
OpenSSH: Mac OS X 10.2.8 contains the patches to address CVE
CAN-2003-0693, CAN-2003-0695, and CAN-2003-0682. On Mac OS X
versions prior to 10.2.8, the vulnerability is limited to a denial
of service from the possibility of causing sshd to crash. Each
login session has its own sshd, so established connections are
preserved up to the point where system resources are exhausted by
an attack.
To deliver the update in a rapid and reliable manner, only the
patches for CVE IDs listed above were applied, and not the entire
set of patches for OpenSSH 3.7.1. Thus, the OpenSSH version in
Mac OS X 10.2.8, as obtained via the "ssh -V" command, is:
OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL
0x0090609f
Sendmail: Addresses CVE CAN-2003-0694 and CAN-2003-0681 to fix a
buffer overflow in address parsing, as well as a potential buffer
overflow in ruleset parsing.
fb_realpath(): Fixes CAN-2003-0466 which is an off-by-one error in
the fb_realpath() function that may allow attackers to execute
arbitrary code.
arplookup(): Fixes CAN-2003-0804. The arplookup() function caches
ARP requests for routes on a local link. On a local subnet only,
it is possible for an attacker to send a sufficient number of
spoofed ARP requests which will exhaust kernel memory, leading to
a denial of service.
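Added example, not part of the thread or of Apple's advisory: because the fixes were backported, "ssh -V" on 10.2.8 still reports 3.4p1, so a check that only compares version numbers would flag a patched host. The Python sketch below parses the banner quoted above and reports the version-only verdict next to a backport-aware one; the BACKPORTS table and the 3.7.1 threshold are assumptions built from the advisory text, and the function names are illustrative.

```python
import re

# Banner as quoted in the advisory above, joined onto one line.
BANNER = "OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f"

# From the advisory: the build tagged +CAN-2003-0693 carries all three fixes.
BACKPORTS = {"CAN-2003-0693": {"CAN-2003-0693", "CAN-2003-0695", "CAN-2003-0682"}}
TRACKED = BACKPORTS["CAN-2003-0693"]
# Assumption: 3.7.1, the release the advisory names, is the upstream fixed version.
UPSTREAM_FIXED = (3, 7, 1)

BANNER_RE = re.compile(
    r"OpenSSH_(?P<ver>\d+(?:\.\d+)+)(?:p\d+)?"   # 3.4 plus optional portable level
    r"(?P<tags>(?:\+[A-Za-z0-9-]+)*)"            # vendor tags such as +CAN-2003-0693
    r".*?OpenSSL (?P<ossl>0x[0-9a-fA-F]+)"
)

def decode_openssl(hexnum):
    """Decode OpenSSL's MNNFFPPS version number (layout used from 0.9.5a to 1.1.1)."""
    n = int(hexnum, 16)
    major, minor, fix = n >> 28 & 0xF, n >> 20 & 0xFF, n >> 12 & 0xFF
    patch, status = n >> 4 & 0xFF, n & 0xF
    letter = chr(ord("a") + patch - 1) if patch else ""
    suffix = "" if status == 0xF else "-dev" if status == 0 else "-beta%d" % status
    return "%d.%d.%d%s%s" % (major, minor, fix, letter, suffix)

def parse_banner(banner):
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSH version banner: %r" % banner)
    ver = tuple(int(p) for p in m.group("ver").split("."))
    ver += (0,) * (3 - len(ver))                 # pad 3.4 -> (3, 4, 0)
    tags = [t for t in m.group("tags").split("+") if t]
    return {"version": ver, "tags": tags, "openssl": decode_openssl(m.group("ossl"))}

def assess(banner):
    info = parse_banner(banner)
    naive = info["version"] < UPSTREAM_FIXED     # what a version-only check reports
    fixed = set()
    for tag in info["tags"]:
        fixed |= BACKPORTS.get(tag, set())       # unknown tags credit nothing
    unfixed = (TRACKED - fixed) if naive else set()
    return {"naive_flag": naive, "unfixed": unfixed, **info}

if __name__ == "__main__":
    print(assess(BANNER))
```

An empty "unfixed" set together with naive_flag set to True is the case the advisory describes: old version number, patched code.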
Yep, according to this technote it's *the* update to ssh:
Sapere aude!
That misses the point entirely.
I recommended purchase of a Mac in our office recently, due to the fact it could handle both the graphic design and web/mail serving requirements. My boss knows about Jaguar, but his opinion is that he shouldn't have to upgrade only a year after purchasing the Mac - he has a point, surely?
Discussed further here. Respect to Andrew McPherson for coming up with a workaround: make a backup of /System/Library/Extensions/AppleGMACEthernet.kext before upgrading, and restore it afterwards. If you've already upgraded, follow the link for more info.
Ceterum censeo subscriptionem esse delendam.