Apple Releases Security Update 2004-01-26

ollie_ob writes "Apple's released an important security update for Mac OS X today. The update includes changes to the following important apps and services: Apache 1.3, Classic, Mail, Safari, Windows File Sharing. In addition, it includes the 2003-12-19 Security Update. It's available via Software Update." It's also available for Server.

10.3.3

[CodeBSD]

Shouldn't 10.3.3 be here soon?

Re:10.3.3

[Trillan]

I haven't heard any rumors, but I'd expect it in February.

Re:10.3.3

[rf600r]

Why? Seriously, why?

Re:10.3.3

[zpok]

That hot new auto-toast functionality. You can buy a latte upgrade set to boot.

I'm super happy with 10.3.2, but why not want more? Gimme gimme gimme!

Re:10.3.3

[Trillan]

No particular reason, only that it's my impression (and I could be wrong) that there was a 10.2.x update in February last year. 10.3.1 was definitely rushed out, so I'm sort of viewing 10.3.2 as at the same "maturity" level as 10.2.1. Just feels like we're due for an update soon.

I know it's not a really good reason... :)

Re:10.3.3

This will be modded off topic, but they also just released a Airport/AE software update that includes a firmware support update for the AE base station that gives it WPA support.

Check your software update.

P.S. I dont feel like submitting it, so I'll post as AC.

Re:10.3.3

WPA support has been available for a while now. (5.2 or something like that). I am not sure what they updated in WPA this time - but I have been using AE with WPA since last fall...

Re:10.3.3

They need to fix the "junk filter crashes mail" problem. Every 10 days or so marking a message as junk will crash Mail.app, so to fix I need to delete my ~/Library/Mail/NSMap file (or something like that - I can't look right now...). Of course that "unlearns" all my junk teaching.... Ho-hum..

Like does anyone care?

[AtariAmarok]

This item's been sitting here a while, without even a FP troll. Is the Apple OS so secure that a security patch is not an immediate "get it now"?

Re:Like does anyone care?

[Photar]

Give everyone a chance to install it and test things first.

Re:Like does anyone care?

[thatguywhoiam]

This item's been sitting here a while, without even a FP troll. Is the Apple OS so secure that a security patch is not an immediate "get it now"?

The inherent lickability of OS X remains unchanged - therefore this is one that can wait.

They put in another throbbing button or drawer though, man, I'm there.

Re:Like does anyone care?

[caseih]

OS X in this regard is no better than Windows. It's an opaque operating system and dispite the list of changes that Apple provides, there's no real way to know if the patch is going to kill your system. For example, my local Apple rep warned me not to install the "12-19" security patch, as it will hose my AFP shares. Since this patch includes the 12-19 security patch, I doubt I'd install it without complete assurance from my apple rep. Furthermore, and update to the 10.3.2 service pack really borked my OpenDirectory (and from various web forums I learned that it's borked a lot of people's OpenDirectory). I am working with Apple to resolve this. However, I'm now as nervous as a Windows Sysadmin about installing this patch. Somehow I never felt this way, even with binary updates from RedHat. Linux is just so much more transparent and that makes me feel better than I do with these proprietary operating systems.

Re:Like does anyone care?

[rf600r]

Your "Apple Rep"? Who exactly is this "Apple Rep," a VAR? ...some guy with and Apple polo shirt?

Re:Like does anyone care?

[skinfitz]

This item's been sitting here a while, without even a FP troll. Is the Apple OS so secure that a security patch is not an immediate "get it now"?

Perhaps everyone who has installed it has crashed horribly and can't get online to warn us?

Seriously though - I think many /. OS X users wait to see who is going to chance the install first after the 10.2.8 fiasco.

So has anyone installed it on a jobbing Jaguar XServe yet? Is it safe for me to patch ours overnight?

Re:Like does anyone care?

[skinfitz]

lol - I was only joking in my parent post but I just installed it on my Powerbook and it crashed during reboot! I was like "OH CRAP!"

Fortunately a three fingered salute fixed it.

Don't think I'm going to risk it on the server remotely tonight however :)

Re:Like does anyone care?

[plsuh]

Apple normally posts details of security updates on it's Knowledge base at:

http://docs.info.apple.com/article.html?artnum=617 98

The details of this one are not up yet, but should be soon. Give the guys a break -- they're only human and stuff takes a while to work its way through the system.

--Paul

Re:Like does anyone care?

[Photar]

Unless you need the patch don't patch it on important servers. Patch spares and dick around with them.

Re:Like does anyone care?

[caseih]

He's a special rep (sales and and tech) assigned to my University (and all the other universities in Utah). He's actually an Apple system engineer. He knows his stuff and has worked a lot with their OpenDirectory.

Re:Like does anyone care?

[caseih]

Very true. And I'm not going to patch my servers yet. The problem is that OS X hardware is a bit pricey and I simply don't have any spares. I can take any old piece of crap machine and put linux on to test patches, however.

I'm not blaming Apple here. They are doing a good job trying to break into the server market and they have an excellent product, which I am quite happy with.

Re:Like does anyone care?

[tgibbs]

I'm still installing Apple's updates the moment they come out. I've updated 2 Panthers and one Jaguar (on a beige G3) with this latest update with no problems. So far, I've only had one problem with an Apple update. 10.2.8 knocked out the ethernet connectivity of a dual G4 (out of about 8 machines I installed it on), but there was a non-Apple fix going around by the end of the day, and an official fix a few days later.

Re:Like does anyone care?

[Maserati]

Ebay a Blue & White G3. They're cheap nowadays and run Panther fine. Use that as a test box.

Re:Like does anyone care?

[Photar]

Yeah, I understand though. I think the problem is in the fact that Apple had to make certain design decisions when trying to make their os palatable to the geeks and the users alike.

On one hand you have all the power and flexability of the *nixy goodness in the backend that the geeks love and on the front end you have the polished eye candy that the users love, but its all closed which pisses the geeks off.

Similarly, I think that is the same compramize that is going on with software update. They can't just give you the source and have you compile it because thats not luser friendly and its not all hush hush for the closed src parts of the os. ... I could go on, but I'm boring myself and probably you too.

Re:Like does anyone care?

"The inherent lickability of OS X remains unchanged"

Yes. I find OS X to be just a lickable as ever. MMMMMM....Tasty.

As usual..

[ayersrj]

We're not sure what it does. But it installs fine and seems to work!

Re:As usual..

[Gogo+Dodo]

Only because your post was moderated Insightful...

The Security Update changes are listed in this Tech Note. However, the newest one isn't listed just yet.

So we're still not sure what it does...

Re:As usual..

[joshmoh]

Nah, it's up now. Here's what it does:

http://docs.info.apple.com/article.html?artnum=256 52

Sadly, most of the "Enhancements" sound more like "Bug Fixes." Heh.

Re:As usual..

[Gogo+Dodo]

That's the 10.3.2 release notes, not the Security Update 2004-01-26.

According to Macintouch, here are the fixes:

• AFP Server: Improves AFP over the 2003-12-19 security update.
• Apache 1.3: Fixes CAN-2003-0542, a buffer overflow in the mod_alias and mod_rewrite modules of the Apache webserver.
• Apache 2: Fixes CAN-2003-0542 and CAN-2003-0789 by updating Apache 2.0.47 to 2.0.48. Installed only on Server systems.
• Classic: Fixes CAN-2004-0089 to improve the handling of environment variables. Credit to Dave G. of @stake for reporting this issue.
• Mail: Fixes CAN-2004-0085 and CAN-2004-0086 to deliver security enhancements to Apple's mail application. Credit to Jim Roepcke for reporting CAN-2004-0086.
• Safari: Fixes CAN-2004-0092 by delivering security enhancements to the Safari web browser.
• System Configuration: Fixes CAN-2004-0087 and CAN-2004-0088 where the SystemConfiguration subsystem allowed remote non-admin users to change network setting and make configuration changes to configd. Credit to Dave G. from @stake for reporting these issues.
• Windows File Sharing: Fixes CAN-2004-0090 where Windows file sharing did not shutdown properly.

(The update also incorporates the patches from Security Update 2003-12-19.)

Re:As usual..

[joshmoh]

Heh, you're right; 4 hours sleep can do wonders to how well one filters information :) Thanks for the real update info.

Re:As usual..

Here is what's in the update. Works fine on my iMac 17" 800 MHz, Panther.

APPLE-SA-2004-01-26 Security Update 2004-01-26

Security Update 2004-01-26 is now available. It contains security
enhancements for the following:

AFP Server: Improves AFP over the 2003-12-19 security update.

Apache 1.3: Fixes CAN-2003-0542, a buffer overflow in the mod_alias
and mod_rewrite modules of the Apache webserver.

Apache 2: Fixes CAN-2003-0542 and CAN-2003-0789 by updating Apache
2.0.47 to 2.0.48. Installed only on Server systems.

Classic: Fixes CAN-2004-0089 to improve the handling of environment
variables. Credit to Dave G. of @stake for reporting this issue.

Mail: Fixes CAN-2004-0085 and CAN-2004-0086 to deliver security
enhancements to Apple's mail application. Credit to Jim Roepcke
for reporting CAN-2004-0086.

Safari: Fixes CAN-2004-0092 by delivering security enhancements to
the Safari web browser.

System Configuration: Fixes CAN-2004-0087 and CAN-2004-0088 where the
SystemConfiguration subsystem allowed remote non-admin users to
change network setting and make configuration changes to configd.
Credit to Dave G. from @stake for reporting these issues.

Windows File Sharing: Fixes CAN-2004-0090 where Windows file sharing
did not shutdown properly.

Security Update 2004-01-26 is available for the following systems:
- Mac OS X 10.1.5 "Puma" and Mac OS X Server 10.1.5
- Mac OS X 10.2.8 "Jaguar" and Mac OS X Server 10.2.8
- Mac OS X 10.3.2 "Panther" and Mac OS X Server 10.3.2

Apache 2.0?

[tuxedobob]

Anyone know if/when Apple will incorporate Apache 2.0? Or if there would be any use to doing so?

Re:Apache 2.0?

[onebuttonmouse]

You don't have to wait for Apple, there's a packaged version, runs alongside 1.3. I tried it for a bit, but I didn't find any advantages over 1.3 for my purposes (mostly just PHP).

Re:Apache 2.0?

[radicalskeptic]

According to this PDF from Apple, Mac OS X Server already carries both Apache 1.3 and 2.x. If you only have OS X client, you can also download a bundled Apache 2 package from Server Logistics here, if you really want it. I tried it about a year ago, I remember it has a nice preferance pane with which you can change some settings, restart the server, and view and edit your httpd.conf (although it was a little buggy with saving the file, TextEdit had problems with the permissions)... It couldn't do anything that wasn't just as easy to do from the command line, though.

Re:Apache 2.0?

[tuxedobob]

Who's the dumbass mod who modded that offtopic? Apache was just updated. I'm asking about if Apache will be updated to 2.0. Hello?

In any case, thanks for the responses.

Re:just like MS

[Trillan]

The last security update was December 19th.

As for a monthly update... thanks, but I want new features (and especially security updates) as they become available.

Re:just like MS

[lullabud]

Looking at my updates, which actually don't go back too far because I reloaded my laptop, the last system update i did was Dec 20th... that's over a month. The only updates I've done between then and now were application updates, like iCal. That's definitely better than being on a monthly patch release schedule for critical OS bugs.

I care to wait a day or so...

[lullabud]

Ever since the 10.3.2 update crashed my laptop I wait a day or two to see how things are going. That was the only crash I've ever had in Mac OS X though, and I had reloaded and (automatically) had all my settings back to the way they were before the crash, and had the system all patched up, even with the patch that crashed the system, within 35 minutes. This was amazing to me, considering all the hundreds of times I've spent reloading my own or other people's windows boxen and the frustration of importing all the previous settings (and never quite getting them ALL back). I'm not going to say OS X is the OS that does it all, but I will say that after using MS OSes since DOS 3.2 my new desktop OS of choice is OS X for reasons like that... Even so, I still do wait a day or so to patch because clearly things can, and do, go wrong some times.

Re:just like MS

[Kalak]

I don't know weather to write this as troll, astroturfing or just ignorance. I rather update my box more frequently, if it fixes the bugs and security problems. My Fedora boxes run "yum update-check" nightly, my RedHat boxes run up2date nightly, my OS X boxes check software update daily, and I have no complaints when they find an update. I like having notices sent to my mail box, so I can check them all in one place. (you can do this with scripting the OS X command line softwareupdate).

I wish I could automate the checking for updates form Microsoft. Launching a web page and clicking through daily is no way to check for updates (and MS's security announcements are typically not sent when the updates are made available, but can be a day or two later).

MS's "monthly" policy scares me. There is more to an OS than uptime. I'd rather know my boxes are secure than know that it's been a while since I rebooted them (and I run a number Linux, OS X and Windows boxes).

Re:just like MS

[babbage]

I wish I could automate the checking for updates form Microsoft.

Err, you can. I believe the feature is built-in to WinXP, and may have been available as a standard part of Win2k. However, it's also available as a separate update for any version of Windows going back at least as far as Win98.

With the Windows auto-update option installed, the system will periodically check for available updates and, depending on your settings, automatically inform you of them, download first & inform you that updates are waiting to be installed, or automatically download and install. I like the second option, if only to grab a copy of everything and show me before anything is committed, but it's up to you.

I think the auto-update runs weekly, but it should just be controlled by the system scheduler. Depending on your version of Windows, you should be able to go in and set this to run at whatever schedule you please, and if that's not good enough for you, you can probably script it with DOS, VB, Perl (ActiveState), Python (ActiveState), Bash (Cygwin), etc. Windows still lags badly behind the scripting abilities of Linux or Macintosh, but the facilities are there if you want to take advantage of them.

ot - Now that's a funny score!

Looks like someone's abusing the moderation system again. I really wonder why people don't get banned from it after enough Unfairs.

10.2.8?

[antdude]

Do any of these fixes affect 10.2.8 or only for 10.3?

Re:10.2.8?

[Duke+Thomas]

The update is available for both Panther (10.3.1 or later) and Jaguar (requires 10.2.8).

Re:10.2.8?

[Duke+Thomas]

Er, my URLs are wrong, but nonetheless the update is available for Jaguar through software update. :)

Re:10.2.8?

10.2.8 sux....upgrade as soon as you can. 10.3 is finally better then os 9 (i liked os 9 and it never crashed on me, so don't flame about it--unless you're sh*t-bored ;)

Re:10.2.8?

[sonetsst]

As a matter of fact, not only is it available for 10.2.8 but also for 10.1.5, just check the download page under the OS X tab on apple.com.

If only we got that sort of backwards compatibility with windows...

Re:10.2.8?

[HSpirit]

I am not a Micro$oft/Windows apologist by any means, but Microsoft are still supporting Windows 2000 (which predates MacOS X 10.1 aka 'Puma'), and have even given a half-arsed commitment to provide security updates for a fully service-packed Windows NT4 (which probably predates MacOS 9.2, although I could be wrong on that count).

Groundhog Day

[PDubNYC]

I have installed it on 3 machines, and everything seems to work fine with one exception. Every time I install it and reboot, there it is in the Software Update list again. I even tried installing it a 2nd time on one machine, sure enough it was there again after reboot. Big Ben, Parliament, kids

Re:Groundhog Day

[SillyWilly]

I had that with one of the Java Updates, I just made it inactive in the end and it seems to have disappeared now.

Re:Groundhog Day

[Ilgaz]

IMHO run disk utility, repair permissions and try again.

If on 10.3 (panther) you can keep the download after install in case there is problem again.

Re:Groundhog Day

[johnt519]

I feel your pain. I updated 3 machines last night (Dual 2 G5, 15" iMac G4, iBook 800) and it's happening on all three. I'm running the update now on an iBook 500 (dual usb), so we'll see what happens there.

Re:Groundhog Day

already tried that yesterday, no luck

Re:Groundhog Day

[Ilgaz]

"already tried that yesterday, no luck"

That makes me think its about time you do extensive disk check with disk utility or some other program.

Opaque?

[kwerle]

OS X in this regard is no better than Windows. It's an opaque operating system and dispite the list of changes that Apple provides, there's no real way to know if the patch is going to kill your system.

Did you miss http://developer.apple.com/darwin/?

Have fun with the kernel...

Re:Opaque?

[caseih]

The kernel is the least of it all. The kernel is fairly transparent to a developer who knows darwin inside and out. When it comes to the kernel, linux for me is more transparent simply because I understand it better. I'm sure I will understand darwin better over time. But that's not what I was talking about.

The Opaqueness is in how everything is put together. Sure you can study darwin to figure it out. But the fact is that it's unix, but it's not unix. It's not system V, it has a hybrid init mechanism. Apple has also brought together many open source components, which is good, but it has done them in such a way that I can't just take the virgin code from, say, Samba, and compile. I can, however, get the code from apple. But now instead of being able to go to all the internet resources for help with a Samba 3.0 problem, I have to go to apple instead, since they have customized these components very heavily and the Samba developers can't make any real statement on a problem because fo that. It's just frustrating when there are problems. That's all. As with all proprietary operating systems, you really do tie yourself down to one vender. It's a calculated risk, one I'm not yet comfortable with (coming from an exclusive linux server setup) yet. Apple's tech support is very good, though. And the problems I've experienced will be resolved.

Re:Opaque?

[kwerle]

I can't just take the virgin code from, say, Samba, and compile...

You sure about that? Have you tried it? I have not, but I bet it would just work.

OK, so I'm not just BSing, I've downloaded. I'm configuring. Worked. I'm makeing. So far, so good. I gotta post this before it times out. I'll followup with the results.

Re:Opaque?

[kwerle]

Failed due to a linking error after about 20 minutes of compiling. I'm not willing to continue messing with this, as I have no vested interest, but this is a known issue and the workaround is trivial:

http://mailman.mit.edu/pipermail/kerberos/2003-A ug ust/003627.html

It continues to be my belief that you COULD compile vanilla SAMBA out of the box with nearly no extra work.

Re:Opaque?

Hogaaaannnn!

Re:Opaque?

[steeviant]

The Opaqueness is in how everything is put together. Sure you can study darwin to figure it out. But the fact is that it's unix, but it's not unix. It's not system V, it has a hybrid init mechanism. Apple has also brought together many open source components, which is good, but it has done them in such a way that I can't just take the virgin code from, say, Samba, and compile. I can, however, get the code from apple. But now instead of being able to go to all the internet resources for help with a Samba 3.0 problem, I have to go to apple instead, since they have customized these components very heavily and the Samba developers can't make any real statement on a problem because fo that. It's just frustrating when there are problems. That's all. As with all proprietary operating systems, you really do tie yourself down to one vender. It's a calculated risk, one I'm not yet comfortable with (coming from an exclusive linux server setup) yet. Apple's tech support is very good, though. And the problems I've experienced will be resolved.

Firstly, system V init doesn't make something Unix, it's system V, as in there were IV Unix systems before that DIDN'T use that system. They didn't automatically become Un-ix because of that.

It seems like what you're really complaining about is that OS X isn't Linux. It's not FreeBSD either, nor is it Solaris, SCO, HP UX, AIX, QNX, OpenBSD, NetBSD or Minix. None of these systems are the same as each other. They're all still pretty Unix like, but not all of them are system V init, not all of them are able to compile every piece of open source software out there, but some of them are derivatives of actual system V Unix, you must be feeling pretty puzzled right now, given what you seem to think Unix is.

The reason I chose OS X for a desktop operating system is for exactly the opposite of the reasons you mention. Because it's not hard to grab ordinary open source code and compile it, because it is quite easy to see how the different components of the operating system fit together, and because if I have a really titilating issue, I can conceivably grab a new kernel whether Apple want me to or not.

I share your fears about proprietary vendors and technology tie-in, and it's one of the reasons I'd be reluctant to endorse OS X as a server OS. As a desktop OS however, I don't see any reason to fear any kind of vendor lock in, the only thing of this nature that I've found yet is iMovie, since no alternatives as simple and powerful exist in Windows or Linux yet. :)

Re:Opaque?

[caseih]

Of course Samba would work out of the box, but it would not work with OpenDirectory or the OpenLDAP schema that apple uses. Those require patches.

Re:Opaque?

[kwerle]

Please supply a reference to that information.

It was twenty years ago today...

[ptimmons]

Happy 20th Anniversary, Macintosh users. You get... a security fix.

Re:It was twenty years ago today...

[bennomatic]

So will my patch for AmigaOS be coming out some time in the next five years or so?

Airport Extreme update too!

[djupedal]

Fingers crossed...been waiting for months.

Re:just like MS

[gumbi+west]

I don't know weather to write this as troll, astroturfing or just ignorance

Nope, it was genuflecting pissed offness at Apple. I love Macintosh, I am a devoute Mac fan (all my home computers are macs and all my work computer that I buy are Macs, including the servers if at all possible) however, since I started using OS X I have noticed that I have to restart way more than when I was a RedHat user, though certainly less than when I was a MS user. However, in the last two months, I have installed 5 updates that required a restart. That just sucks.

Alright, posted a comment that is negative twords apple in an apple article, mod me down just like the grandparent post.

Updates are

1. Todays
2. Security Update 2003-12-19 (Panther) 1.0
3. QuickTime 6.5
4. Mac OS X Update 10.3.2
5. Security Update 2003-12-05 for Panther 1.0

Re:just like MS

[Kalak]

A small icon in the bottom of the start bar (which is what the auto-update gives you using the settings you describe) is a far cry from an e-mail that lets me know from my workstation. I really have no desire to log in to each server to check this. Plus, the small icon doesn't show up when you log in to a Windows Server via RDP connection, and yes I am aware of Timbuktu, VNC, radmin, etc. RDP is how I'm connecting to one of my windows servers right now from home since work is snowed in (bandwith isn't limitless). Big difference between one desktop and a number of servers. Windows Auto-update just doesn't cut it for this. It's fine for my notebook. Just not for my servers.

There is some improvement to this situation thanks to a program written by someone here at Virginia Tech called Daisy that helps to check for updates to more than just the OS, but this is still a far cry from an update notification in one central location (central meaning my e-mail where I get the messages from all my other systems). You can run Daisy scripted. It's a great package.

However, updating an OS is efficiently should be the responsibility of the OS distributor, not the responsibility of third party developers.

(I highly recommend Daisy. Best thing to hit Windows server administration ever.)

Re:just like MS

im not entirely sure, but instead of downloading Apache security updates made by Apple, you could roll your own patches, download them from the source, compile and install them. No restart needed then.

Details of update

[3gramsofcrack]

APPLE-SA-2004-01-26 Security Update 2004-01-26

Security Update 2004-01-26 is now available. It contains security enhancements for the following:

AFP Server: Improves AFP over the 2003-12-19 security update.

Apache 1.3: Fixes CAN-2003-0542, a buffer overflow in the mod_alias and mod_rewrite modules of the Apache webserver.

Apache 2: Fixes CAN-2003-0542 and CAN-2003-0789 by updating Apache 2.0.47 to 2.0.48. Installed only on Server systems.

Classic: Fixes CAN-2004-0089 to improve the handling of environment variables. Credit to Dave G. of @stake for reporting this issue.

Mail: Fixes CAN-2004-0085 and CAN-2004-0086 to deliver security enhancements to Apple's mail application. Credit to Jim Roepcke for reporting CAN-2004-0086.

Safari: Fixes CAN-2004-0092 by delivering security enhancements to the Safari web browser.

System Configuration: Fixes CAN-2004-0087 and CAN-2004-0088 where the SystemConfiguration subsystem allowed remote non-admin users to change network setting and make configuration changes to configd. Credit to Dave G. from @stake for reporting these issues.

Windows File Sharing: Fixes CAN-2004-0090 where Windows file sharing did not shutdown properly.

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/securit y_pgp .html

Re:just like MS

[Kalak]

Or, if you know that it's say just Apache being updated. force quit the Software Update app, then restart Apache by hand. This is unix afterall. If it's not a core part of the OS, then you don't *need* a restart, but this is a consumer driven OS company (X Server is still based on the concept of a consumer server OS) they keep it simple with a reboot. If you know what to issue the kill command to, you're all set. I've avoided a number of reboots this way. Become Zen with your OS, no matter what it is. (yes, that includes Windows as well). Zen multi-platform? What crack am I smoking at this hour? Become one with the universe of operating systems! OK, time to go to bed now.