Security Updates Released for Panther and Jaguar

ZackSchil writes "Apple has released security updates for both Mac OS X 10.3.1 and, as promised, 10.2.8. The update to 10.3.1 updates OpenSSL and zlib's gzprintf() function. In addition to those updates, the 10.2.8 update contains changes to gm4, groff, Mail w/CRAM-MD5 authentication, Personal File Sharing, and QuickTime for Java. Run Software Update for more information and to install the updates."

seems to work

[for_usenet]

I tried the update to 10.2.8, and all seems to be well. Thanks to Apple for keeping the older OS's secure. Now if they'd only let us use 3rd party drives with their Disc-recording software in 10.3, it would be golden !! ;-)

Re:seems to work

[HTH+NE1]

Now if they'd only let us use 3rd party drives with their Disc-recording software in 10.3, it would be golden !!

Not all third-party drives are reliable. I can't burn DVD-Rs with DVD Studio Pro 2 on my DVD-R/-RAM drive because the drive reports its two burn speeds as 1x and 64x (as relayed by Toast). DSP2 presumes to use the highest speed, 64x, with no control to tell it otherwise. It then hangs. I have to have DSP2 create a disk image file instead and then burn that with Toast.

But at least I got it to run on an underpowered non-AGP Mac. (Blue & White G3 upgraded with 550 MHz G4.)

Re:seems to work

[puff+the+barbarian]

It used to be (according to things that I have read on the 'net) that as long as you installed an IDE/ATA DVD recorder internally, then iDVD would use it. Is this no longer the case?

Re:seems to work

[for_usenet]

The reason why I mentioned this is some of us would still like the choice of being able to experiment with 3rd party drives. I have the same model Toshiba DVD-ROM/CD-RW drive that Apple uses on its iBooks. However, when I installed it, all of the OS software claimed it was "unsupported." Seems like Apple used a different firmware version.

However, using the PatchBurn software, I was able to modify some of the system files to get the drive to be recognized by all of the system software (iTunes, Disc Copy, etc). With 10.3, if the drive is no longer supported out of the box, I am SOL, at least till someone else hacks the Disc Recording Framework. I am not asking Apple to give support for all these drives, just to let us be able to try them out for ourselves, and not close up the OS entirely.

Re:seems to work

[bill_mcgonigle]

Yeah, but they don't support a significant number of drives that do not have such failures.

Patchburn works great on Jaguar for most people. The drive descriptions file in 10.3 is xml-based instead of binary, but after editing the XML file (probably correctly) it still doesn't recognize my drive, so there must still be another step to get the OS to recognize the changes (compile it?).

Anybody know?

Just downloaded and.....

[ihatewinXP]

Everything still works. I havent seen any killer bugs popping up on macfixit or versiontracker either. Also note that the QT Java update is included - fixed one broken site for me that Panther QT had knocked out.

Oh and a bluetooth update, but my Sony Ericsson already works flawlessly (and still does post-update).

And yes, it does require a restart for all of you running the "Show Off" uptime screen saver.

This just in: THE SKY DIDN'T FALL

[mattbot+5000]

Where are all the people who were crying last week about Apple not supporting Jaguar? Huh?!? WHAT DO YOU HAVE TO SAY FOR YOURSELVES NOW!!!

Go ahead and mod me +1 Flamebait, just RECOGNIZE that you people are the FISH that took the bait last week!

So high and mighty with your mod points.

Re:This just in: THE SKY DIDN'T FALL

[aristotle-dude]

They had been saying all along they were going to support Jaguar. Confirmed by @stake? I thought they were the ones that found the bug. What motivation would they have to be impartial when they can generate more publicity for themselves with sensationalism. I see nowhere where Apple said they would not release an update for Jaguar.

Re:This just in: THE SKY DIDN'T FALL

[MoneyT]

Indeed, Cnet said it was confirmed, and if you read what the guy at @stake said, he said those he spoke to did not think that Apple would. And as people quite clearly pointed out, it was an anonymous paraphrase, or IOW, nothing more than hearsay

On a related note

[Tengoo]

I haven't seen this mentioned yet so I'll pass this tidbit along.
SecurityTracker has information on a new sudo vulnerability. Only laptops are affected.

Re:On a related note

This is a pretty serious issue, but there are a couple of more practical workarounds than the ones mentioned in the link, until the problem is fixed (if this security update doesn't fix it)

Users running Panther can also set the "Require password to wake this computer from sleep or screen saver" option in the Security preference pane.

Jaguar users can grab the program sleepwatcher and make it issue the 'sudo -k' command on sleep.

Remember though, if someone can get unsupervised access to your laptop, they can usually just walk off with it anyway. So if anyone does get caught out by this bug, it's a sign that they're probably too lax with physical security.

via terminal

[djupedal]

[Zen:~] bmt% softwareupdate -l
Software Update Tool
Copyright 2002-2003 Apple Computer, Inc.

Software Update found the following new or updated software:
! SecurityUpd2003-11-19-1.0
Security Update 2003-11-19, 1.0, 1360K [required] [restart]
[Zen:~] bmt%

10.3 broke the network gui - fixed soon?

[gobbo]

Panther breaks the networking GUI that was pretty good in Jaguar. Now, servers you've connected to through browsing in the Finder don't show up on the desktop, and if they're an SMB share, can't be ejected without throwing your powerbook through a window, er, restarting. To get an icon on your desktop that represents a mounted server, you have to know and type in its IP address and protocol, or its precise network name --browsing doesn't work.

The Apple Discussion boards are buzzing with this one. The GUI implementation is horribly confusing to newbies especially, but bad enough for those of us who know what smb:// or afp:// or DHCP actually is. They must be getting a ton of feedback from us aggravated types.

Until this is fixed, no-one I know here at the university will be advised to upgrade to 10.3, despite the many juicy new features and optimization.

Re:10.3 broke the network gui - fixed soon?

[gobbo]

"i went to the finder, hit cmd-K, typed in smb://myserver/share, and it instantly mounted on my desktop. i clicked the eject button in the finder's new sidebar and it unmounted just fine."

RTFP. That's exactly what I'm talking about. You have to type in the smb address, presuming you know it (OK for me, not my newbie interns or tweedy colleagues). Then you'll get the icon showing a mounted share, and an eject button. But that isn't browsing, is it? It's a command line approach with a simple entry form, why not just use Terminal.app?

Now try that using the Finder's GUI sidepanel... click on the Network icon, drill down to an SMB share that you want, connect, then... just try it, you'll see. Try to disconnect that smb share, if it works, you're one of the lucky ones.

Re:10.3 broke the network gui - fixed soon?

[gobbo]

Even if mounted servers don't show on the desktop (one of my user configs obsoletes the desktop anyway, so I personally can understand where you're coming from), they still don't show in the Finder window sidepanel that lists drives and favorites etc. if you've connected using the Network icon. That means no feedback about mounted shares, and no eject button, and even worse behaviour like Finder locking up when you unplug.

I'd say having to ask someone or look up, then type in ip addresses and protocols is more Old School than (cmd-K, let's see, oh there it is, arrow-right arrow-down-down-down, return key), don't you think? I have more important things to think about than
smb://obscure-27.someadmincruft.weird-9.domain.con
and the like.

Axiom:
Discovery is better done in the interface than in meatspace.

Now go and describe how to use this setup to someone who reads Habermas and McLuhan all day and night, and just wants to get to their damn files, or who thinks that Windows was always called XP and Britney is cool.
[/rant]

Low interest in this item?

[AtariAmarok]

Sheesh. There sure is a low amount if interest in this news item. It must have to do with the security reputation of the Apple OS.

Why bother to put up another new electric fence around Fort Knox :)

Siegfried and Roy?

[AtariAmarok]

Now they put out "Security Updates for Panther and Jaguar". It's just a little late to save Roy from that pain in the neck, but it's a step in the right direction! Make those big cats safer.

OpenSSL?

[dema]

I ran the update today, and it appears (naive?) that my OpenSSL was not updated. While the date seems accurate, the version is not the suggested update. I know I read somewhere yesterday (I can't find the link again today) that the fix was to update to 0.9.6j, although this is the output on my "updated" g4 with jag:

[akira:~] dema% openssl version
OpenSSL 0.9.6i Feb 19 2003

Any ideas what's up with that?

Re:OpenSSL?

[Frequency+Domain]

All three of the machines which I updated today report identical results, a newer version than yours:

shiva:~ freq$ openssl version
OpenSSL 0.9.7b 10 Apr 2003

Is it possible you installed your own copy, say in /usr/local/bin, and then forgot about it? Try running "which openssl", and see if it reports something other than /usr/bin/openssl. Alternatively, explicitly run the system's openssl: "/usr/bin/openssl version".

Safari Updated (at least on 10.3)

[blb]

Note this update also brings Safari up to 1.1.1 (100.1); not sure what changed (still no mention of changes to Safari at the kbase page).

Fink?

[grocer]

I did the same thing on my iBook and get the same output:

[Adam-Laptop:/usr/bin] user% openssl version
OpenSSL 0.9.7a Feb 19 2003
[Adam-Laptop:/usr/bin] user%

Now, the weird thing is there is openssl command in /usr/bin/ but when I run "which openssl" I get "/sw/bin/openssl" and running "/usr/bin/openssl version" returns "Command not found."

Now I have to ask why is this?