Slashdot Mirror


Mac OS X 10.2.8 Update, Take Two

javaxman writes "OS X users will find Mac OS X Update version 10.2.8 is available via 'Software Update'. If you did not install the previous 10.2.8 update, the size of the new update is 40.6MB. If you installed the previous update, the size of the new update is small, ~680K... if you can connect to the network, that is. Clearly you get different downloads depending on what you did with the previous 10.2.8 update. Apple Knowledge Base article 25524 has the details. It looks very familiar. I'm installing mine right away, how about you?"

7 of 208 comments

  1. OpenSSL update? by phch · Score: 3, Insightful

    It's a little unclear whether the new problems in OpenSSL have been patched. According to the CERT page, Apple is reporting the vulnerability as fixed in 10.2.8. On the other hand, I have a 10.2.8 machine that still indicates OpenSSL version 0.9.6i, which is supposedly vulnerable.

    Again, on a side note, I wish Apple would allow security updates to be installed independently of the main bulk upgrade.

  2. Re:Just installed it... by damiam · Score: 2, Insightful
    OS X is a little weird.

    It's not like things don't work the exact same way in every other OS created in the past 10 years.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  3. Re:worst thing was 2 weeks to get ssh/sendmail fix by dstillz · Score: 5, Insightful

    Perhaps, if SSH and Sendmail were enabled in a default install, you might have a point.

  4. Re:This fix is great! by Scrameustache · Score: 2, Insightful

    Flame me if you'd like

    This sentence is guaranteed to get you modded down.

    I recommend not uttering it.

    --

    You can't take the sky from me...

  5. Re:worst thing was 2 weeks to get ssh/sendmail fix by Llywelyn · Score: 3, Insightful

    Meanwhile sendmail is not only not enabled by default, but there is no way to enable it without the command line.

    As for ssh, is there a working root exploit out? Just about *everything* that connects to the internet is vulnerable to connection overloading via a DoS. This makes it easier, sure, but that a DoS is possible isn't exactly a deal breaker.

    Finally, if you are using these in a production environment where security patches are time-critical, you should probably be compiling your own versions of these services and not depending on Apple.

    I would have liked to see the security patches come faster as well, but for these kinds of things it's not a big deal to me if they are a bit lax.

    --
    Integrate Keynote and LaTeX
  6. Re:worst thing was 2 weeks to get ssh/sendmail fix by valmont · Score: 5, Insightful

    Well, maybe Apple has once failed to manage to do the grunt work for you in a timely manner. If I recall well, most other security holes had been addressed very rapidly in the past. This particular one tanked because it was rolled out as part of a buggy overall update. Big deal. That security hole existed on a service that is not enabled by default. And unless you are an Xserve customer with a valid, active support license, Apple doesn't owe you shit. Complain all you want. But if you enable "remote access" from your control panel, you should have a minimal understanding of the risks it presents and be prepared to cope with potential security issues, and unless you pay Apple, be prepared to wait for a patch.

    But you see, in the end, you still benefit from Apple's original architecture decision for the core of their operating system: An open-source operating system. Full disclosure as to where the bug lives. As you said it, even the OS X server people had to remove the system-installed version and compile their own to not be vulnerable to Denial of Service attacks.

    Be GLAD you were able to do that. Systems administrators who maintain production-environment servers have had OPTIONS as to how to deal with this situation, based on priorities. Sure it would have been nice to let Apple do the work for you. But hey, if you maintain something of importance, you'd better know your way around the operating system you maintain. But since those are all open-source components, chances are there were about 892739847238974 other people who had found a workaround and/or a solution to your problem within hours of the vulnerability being found, and chances are a good chunk of them have shared those solutions with the community at large.

    There is no such thing as a secure operating system. A secure operating system is not connected to any network and doesn't otherwise interact with anything or anybody. Security is a frame of mind, procedures and processes surrounding the usage of computing facilities, and does not exist in an absolute form. Certain practices and philosophies allow administrators to build systems that are more secure than others. But it is all relative.

    Take an off-the-shelf Jaguar installation, install it on a Mac, then run nmap on that machine. How many ports will you find open? ZERO. NONE. NADA. ZILCH. Not one. Why? How many will you find on Windows? 5 to 10 depending on which flavor you're installing.

  7. Re:yup! by cunnilingus · Score: 2, Insightful

    Now that's cool news... geesh... maybe we should start posting every Linux/Windows update here too? I mean, wtf?