Slashdot Mirror


Mac OS X 10.2.8 Update, Take Two

javaxman writes "OS X users will find Mac OS X Update version 10.2.8 is available via 'Software Update'. If you did not install the previous 10.2.8 update, the size of the new update is 40.6MB. If you installed the previous update, the size of the new update is small, ~680K... if you can connect to the network, that is. Clearly you get different downloads depending on what you did with the previous 10.2.8 update. Apple Knowledge Base article 25524 has the details. It looks very familiar. I'm installing mine right away, how about you?"

12 of 208 comments

  1. Deja Vu by profet · · Score: 5, Funny

    In the immortal words of George "DoubleYa":

    "Fool me once...shame on you....
    Fool me twice...umm....
    Shame..on...Shame...on...
    Well you're not gonna fool me again..."

    I'll wait for some other people to install first..

  2. yup! by nocomment · · Score: 5, Funny

    I'm installing mine righ
    [NO CARRIER]

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
  3. This doesn't fix the crashing for me by RalphBNumbers · · Score: 4, Interesting

    This may fix the ethernet problem, I don't know, it didn't affect me, but there were other problems with 10.2.8; www.MacFixIt.com made a fairly extensive list.

    This definitely does not fix the crashing problem. (on my beige G3)
    It can happen at any time, and is sometimes mistaken as an inability to wake from sleep, but you can get it to happen reliably by trying to repair permissions.
    It outputs the following, then shuts down the display, and needs to be hard-restarted.

    2003-10-03 17:36:12 -0400 - Repair of privileges has started
    We are using special permissions for the file or directory ./System/Library/Filesystems/hfs.fs/hfs.util. New permissions are 33261
    Permissions differ on ./System/Library/Filesystems/hfs.fs/hfs.util, should be -rwxr-xr-x , they are -rwsr-xr-x
    Owner and group corrected on ./System/Library/Filesystems/hfs.fs/hfs.util
    Permissions corrected on ./System/Library/Filesystems/hfs.fs/hfs.util
    Group differs on ./private/var/run/utmp, should be 0, group is 1
    Owner and group corrected on ./private/var/run/utmp
    Permissions corrected on ./private/var/run/utmp

    --
    "The worst tyrannies were the ones where a governance required its own logic on every embedded node." - Vernor Vinge
    1. Re:This doesn't fix the crashing for me by sg3000 · · Score: 4, Funny

      > This definitely does not fix the crashing problem. (on my
      > beige G3)

      Indeed! And this new petroleum distillate from the local service shoppe doesn't work for me either. Without the added "lead", it wreaks havoc with my Stutz Bearcat.

      Tell you what, if you can find a way to re-vulcanize my tires, I'll give you a shiny new nickel so you can buy a new Macintosh.

      --
      Insert simplistic political, ideological, or personal proselytization here.
  4. Battery life is back! by Trurl's Machine · · Score: 5, Interesting

    I don't want to start a holy war here, but I was really scared that 10.2.8 ate my battery life for good. I'm so happy to see the familiar 4h+ is back (battery is about a year old; iBook 800 12").

  5. OpenSSL update? by phch · · Score: 3, Insightful

    It's a little unclear whether the new problems in OpenSSL have been patched. According to the CERT page, Apple is reporting the vulnerability as fixed in 10.2.8. On the other hand, I have a 10.2.8 machine that still indicates OpenSSL version 0.9.6i, which is supposedly vulnerable.

    Again, on a side note, I wish Apple would allow security updates to be installed independently of the main bulk upgrade.

  6. one word by sohp · · Score: 4, Funny

    WORKSFORME

    (ok that's really 3, but bugzilla users will understand)

  7. Re:worst thing was 2 weeks to get ssh/sendmail fix by dstillz · · Score: 5, Insightful

    Perhaps, if SSH and Sendmail were enabled in a default install, you might have a point.

  8. only 680k? by FuShock · · Score: 5, Funny

    > If you installed the previous update, the size of the new update is small, ~680K... if you can connect to the network, that is.

    Well, you could always put it on a floppy di....damnit.

    --
    %\
  9. Re:worst thing was 2 weeks to get ssh/sendmail fix by Llywelyn · · Score: 3, Insightful

    Meanwhile sendmail is not only not enabled by default, but there is no way to enable without the command line.

    As for ssh, is there a working root exploit out? Just about *everything* that connects to the internet is vulnerable to connection overloading via a DoS. This makes it easier, sure, but that a DoS is possible isn't exactly a deal breaker.

    Finally, if you are using these in a production environment where security patches are time-critical, you should probably be compiling your own versions of these services and not depending on Apple.

    I would have liked to see the security patches come faster as well, but for these kinds of things it's not a big deal to me if they are a bit lax.

    --
    Integrate Keynote and LaTeX
  10. 10.1.5? by HSpirit · · Score: 3, Informative

    The message from Apple Product Security includes advice on fixing the sendmail vulnerability on 10.1.5 - which is a very good thing - but nothing similar for OpenSSH or OpenSSL.

    Now, OK, from what I gather the sendmail bug is more serious in that the vulnerabilities in OpenSSH and OpenSSL seem to be limited to DoS, but wouldn't similar instructions to updating OpenSSH/SSL on 10.1.5 be useful?

    APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised

    ...

    How to install Sendmail for Mac OS X 10.1.5 systems:

    - From the UNIX command-line, perform the following steps:

    1. Download sendmail version 8.12.10 which contains the fix to the
    Zalewski advisory, released on 2003/09/17, by executing the following
    command:
    curl -O ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz

    2. Verify the integrity of this file by typing:
    cksum sendmail.8.12.10.tar.gz
    which should indicate "834313764 1892497 sendmail.8.12.10.tar.gz"

    3. Unpack the distribution as follows:
    tar xvzf sendmail.8.12.10.tar.gz

    4. Add the following line to your /etc/master.passwd file:
    smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/usr/bin/false

    5. Add the following line to your /etc/group file:
    smmsp:*:25:

    6. Now invoke /Applications/Utilities/Netinfo Manager.app and add the
    same smmsp user and group entries to your netinfo database. The
    easiest way is to duplicate existing entries and edit them to match
    the entries in steps 4 and 5. For example, in the users pane you
    could select and then duplicate (%D) the entry for "www" and then edit
    the uid/gid/name/home directory fields in the new "www copy" to match
    those in step 4. Similarly, for groups you could select the entry for
    "mail" and duplicate it, editing just the name and gid fields to match
    those in step 5. When you're done, you should see a users/smmsp entry
    and a groups/smmsp entry.

    7. Now you're ready to start building the distribution. cd to the
    sendmail-8.12.10 directory and type "make"

    8. The next two steps will install the new sendmail:

    sudo mkdir /usr/share/man/cat1 /usr/share/man/cat5 /usr/share/man/cat8
    sudo make install

    Make sure the permissions on your root directory are 755 (or set
    DontBlameSendmail in /etc/mail/sendmail.cf) and reboot. You should
    now be running the patched sendmail.
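
Steps 2 and 3 of the advisory quoted above (check the `cksum` pair, then unpack) written as a fail-closed script; this is an added example, not part of the comment or of Apple's advisory, and the function names are hypothetical. It runs on a constructed archive, and because `cksum` is a CRC it detects a corrupted or truncated download rather than a deliberately altered one.

```shell
#!/bin/sh
# Added example, not from the advisory; function names are hypothetical.
# POSIX cksum prints "<CRC> <byte count> [<name>]". The CRC catches a
# corrupted or truncated download; it is not a cryptographic hash.

# verify_cksum FILE WANT_CRC WANT_SIZE
# Returns 0 on exact match, 1 on mismatch, 2 if FILE cannot be read.
verify_cksum() {
    vc_file=$1; vc_want_crc=$2; vc_want_size=$3
    [ -f "$vc_file" ] && [ -r "$vc_file" ] || return 2
    # Read via stdin so the output is only "<CRC> <size>".
    vc_out=$(cksum < "$vc_file") || return 2
    vc_crc=${vc_out%% *}
    vc_rest=${vc_out#* }
    vc_size=${vc_rest%% *}
    if [ "$vc_size" != "$vc_want_size" ]; then
        echo "size mismatch: got $vc_size, want $vc_want_size" >&2
        return 1
    fi
    if [ "$vc_crc" != "$vc_want_crc" ]; then
        echo "CRC mismatch: got $vc_crc, want $vc_want_crc" >&2
        return 1
    fi
    return 0
}

# unpack_if_verified ARCHIVE WANT_CRC WANT_SIZE DESTDIR
# Extracts only after the check passes; a bad download is never unpacked.
unpack_if_verified() {
    verify_cksum "$1" "$2" "$3" || return $?
    mkdir -p "$4" && tar xzf "$1" -C "$4"
}

# Demo on a constructed archive standing in for sendmail.8.12.10.tar.gz
# (for the real file, pass the advisory's values 834313764 and 1892497).
demo=$(mktemp -d)
mkdir "$demo/src" && echo "constructed sample" > "$demo/src/README"
tar czf "$demo/pkg.tar.gz" -C "$demo" src
set -- $(cksum < "$demo/pkg.tar.gz")   # stands in for the published pair
if unpack_if_verified "$demo/pkg.tar.gz" "$1" "$2" "$demo/out"; then
    echo "verified and unpacked"
fi
printf 'x' >> "$demo/pkg.tar.gz"        # simulate a damaged download
if ! unpack_if_verified "$demo/pkg.tar.gz" "$1" "$2" "$demo/out2"; then
    echo "refused to unpack damaged archive"
fi
rm -rf "$demo"
```
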
  11. Re:worst thing was 2 weeks to get ssh/sendmail fix by valmont · · Score: 5, Insightful

    Well, maybe Apple has once failed to manage to do the grunt work for you in a timely manner. If I recall well, most other security holes had been addressed very rapidly in the past. This particular one tanked because it was rolled out as part of a buggy overall update. Big deal. That security hole existed on a service that is not enabled by default. And unless you are an Xserve customer with a valid, active support license, Apple doesn't owe you shit. Complain all you want. But if you enable "remote access" from your control panel, you should have a minimal understanding of the risks it presents and be prepared to cope with potential security issues, and unless you pay Apple, be prepared to wait for a patch.

    But you see, in the end, you still benefit from Apple's original architecture decision for the core of their operating system: An open-source operating system. Full disclosure as to where the bug lives. As you said it, even the OS X server people had to remove the system-installed version and compile their own to not be vulnerable to Denial of Service attacks.

    Be GLAD you were able to do that. Systems administrators who maintain production-environment servers have had OPTIONS as to how to deal with this situation, based on priorities. Sure it would have been nice to let Apple do the work for you. But hey, if you maintain something of importance, you'd better know your way around the operating system you maintain. But since those are all open-source components, chances are there were about 892739847238974 other people who had found a workaround and/or a solution to your problem within hours of the vulnerability being found, and chances are a good chunk of them have shared those solutions with the community at large.

    There is no such thing as a secure operating system. A secure operating system is not connected to any network and doesn't otherwise interact with anything or anybody. Security is a frame of mind, procedures and processes surrounding the usage of computing facilities, and does not exist in an absolute form. Certain practices and philosophies allow administrators to build systems that are more secure than others. But it is all relative.

    Take an off-the-shelf Jaguar installation, install it on a Mac, then run nmap on that machine. How many ports will you find open? ZERO. NONE. NADA. ZILCH. Not one. Why? How many will you find on Windows? 5 to 10 depending on which flavor you're installing.