Apple Releases Security Update 2004-01-26

ollie_ob writes "Apple's released an important security update for Mac OS X today. The update includes changes to the following important apps and services: Apache 1.3, Classic, Mail, Safari, Windows File Sharing. In addition, it includes the 2003-12-19 Security Update. It's available via Software Update." It's also available for Server.

Re:Apache 2.0?

[onebuttonmouse]

You don't have to wait for Apple, there's a packaged version, runs alongside 1.3. I tried it for a bit, but I didn't find any advantages over 1.3 for my purposes (mostly just PHP).

Re:Apache 2.0?

[radicalskeptic]

According to this PDF from Apple, Mac OS X Server already carries both Apache 1.3 and 2.x. If you only have OS X client, you can also download a bundled Apache 2 package from Server Logistics here, if you really want it. I tried it about a year ago, I remember it has a nice preferance pane with which you can change some settings, restart the server, and view and edit your httpd.conf (although it was a little buggy with saving the file, TextEdit had problems with the permissions)... It couldn't do anything that wasn't just as easy to do from the command line, though.

Re:just like MS

[lullabud]

Looking at my updates, which actually don't go back too far because I reloaded my laptop, the last system update i did was Dec 20th... that's over a month. The only updates I've done between then and now were application updates, like iCal. That's definitely better than being on a monthly patch release schedule for critical OS bugs.

Re:just like MS

[babbage]

I wish I could automate the checking for updates form Microsoft.

Err, you can. I believe the feature is built-in to WinXP, and may have been available as a standard part of Win2k. However, it's also available as a separate update for any version of Windows going back at least as far as Win98.

With the Windows auto-update option installed, the system will periodically check for available updates and, depending on your settings, automatically inform you of them, download first & inform you that updates are waiting to be installed, or automatically download and install. I like the second option, if only to grab a copy of everything and show me before anything is committed, but it's up to you.

I think the auto-update runs weekly, but it should just be controlled by the system scheduler. Depending on your version of Windows, you should be able to go in and set this to run at whatever schedule you please, and if that's not good enough for you, you can probably script it with DOS, VB, Perl (ActiveState), Python (ActiveState), Bash (Cygwin), etc. Windows still lags badly behind the scripting abilities of Linux or Macintosh, but the facilities are there if you want to take advantage of them.

Re:10.3.3

[Trillan]

I haven't heard any rumors, but I'd expect it in February.

Groundhog Day

[PDubNYC]

I have installed it on 3 machines, and everything seems to work fine with one exception. Every time I install it and reboot, there it is in the Software Update list again. I even tried installing it a 2nd time on one machine, sure enough it was there again after reboot. Big Ben, Parliament, kids

Re:Groundhog Day

[SillyWilly]

I had that with one of the Java Updates, I just made it inactive in the end and it seems to have disappeared now.

Re:Groundhog Day

[Ilgaz]

IMHO run disk utility, repair permissions and try again.

If on 10.3 (panther) you can keep the download after install in case there is problem again.

Re:10.2.8?

[sonetsst]

As a matter of fact, not only is it available for 10.2.8 but also for 10.1.5, just check the download page under the OS X tab on apple.com.

If only we got that sort of backwards compatibility with windows...

Re:Like does anyone care?

[plsuh]

Apple normally posts details of security updates on it's Knowledge base at:

http://docs.info.apple.com/article.html?artnum=617 98

The details of this one are not up yet, but should be soon. Give the guys a break -- they're only human and stuff takes a while to work its way through the system.

--Paul

Airport Extreme update too!

[djupedal]

Fingers crossed...been waiting for months.

Re:10.3.3

This will be modded off topic, but they also just released a Airport/AE software update that includes a firmware support update for the AE base station that gives it WPA support.

Check your software update.

P.S. I dont feel like submitting it, so I'll post as AC.

Re:As usual..

[joshmoh]

Nah, it's up now. Here's what it does:

http://docs.info.apple.com/article.html?artnum=256 52

Sadly, most of the "Enhancements" sound more like "Bug Fixes." Heh.

Re:As usual..

[Gogo+Dodo]

That's the 10.3.2 release notes, not the Security Update 2004-01-26.

According to Macintouch, here are the fixes:

• AFP Server: Improves AFP over the 2003-12-19 security update.
• Apache 1.3: Fixes CAN-2003-0542, a buffer overflow in the mod_alias and mod_rewrite modules of the Apache webserver.
• Apache 2: Fixes CAN-2003-0542 and CAN-2003-0789 by updating Apache 2.0.47 to 2.0.48. Installed only on Server systems.
• Classic: Fixes CAN-2004-0089 to improve the handling of environment variables. Credit to Dave G. of @stake for reporting this issue.
• Mail: Fixes CAN-2004-0085 and CAN-2004-0086 to deliver security enhancements to Apple's mail application. Credit to Jim Roepcke for reporting CAN-2004-0086.
• Safari: Fixes CAN-2004-0092 by delivering security enhancements to the Safari web browser.
• System Configuration: Fixes CAN-2004-0087 and CAN-2004-0088 where the SystemConfiguration subsystem allowed remote non-admin users to change network setting and make configuration changes to configd. Credit to Dave G. from @stake for reporting these issues.
• Windows File Sharing: Fixes CAN-2004-0090 where Windows file sharing did not shutdown properly.

(The update also incorporates the patches from Security Update 2003-12-19.)