Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Releases Security Update 2004-01-26

Posted by pudge on from the restart-on-the-count-of-three dept.

ollie_ob writes "Apple's released an important security update for Mac OS X today. The update includes changes to the following important apps and services: Apache 1.3, Classic, Mail, Safari, Windows File Sharing. In addition, it includes the 2003-12-19 Security Update. It's available via Software Update." It's also available for Server.

29 of 69 comments (clear)

  1. Like does anyone care? by AtariAmarok · · Score: 4, Insightful

    This item's been sitting here a while, without even a FP troll. Is the Apple OS so secure that a security patch is not an immediate "get it now"?

    --
    Don't blame Durga. I voted for Centauri.
    1. Re:Like does anyone care? by Photar · · Score: 4, Insightful

      Give everyone a chance to install it and test things first.

      --
      He who knows not and knows he knows not is a wise man. He who knows not and knows not he knows not is a fool.
    2. Re:Like does anyone care? by thatguywhoiam · · Score: 5, Funny
      This item's been sitting here a while, without even a FP troll. Is the Apple OS so secure that a security patch is not an immediate "get it now"?

      The inherent lickability of OS X remains unchanged - therefore this is one that can wait.

      They put in another throbbing button or drawer though, man, I'm there.

      --
      If Jesus wants me it knows where to find me.
    3. Re:Like does anyone care? by rf600r · · Score: 2, Interesting

      Your "Apple Rep"? Who exactly is this "Apple Rep," a VAR? ...some guy with and Apple polo shirt?

    4. Re:Like does anyone care? by skinfitz · · Score: 2

      This item's been sitting here a while, without even a FP troll. Is the Apple OS so secure that a security patch is not an immediate "get it now"?

      Perhaps everyone who has installed it has crashed horribly and can't get online to warn us?

      Seriously though - I think many /. OS X users wait to see who is going to chance the install first after the 10.2.8 fiasco.

      So has anyone installed it on a jobbing Jaguar XServe yet? Is it safe for me to patch ours overnight?

    5. Re:Like does anyone care? by skinfitz · · Score: 2, Interesting

      lol - I was only joking in my parent post but I just installed it on my Powerbook and it crashed during reboot! I was like "OH CRAP!"

      Fortunately a three fingered salute fixed it.

      Don't think I'm going to risk it on the server remotely tonight however :)

    6. Re:Like does anyone care? by plsuh · · Score: 4, Informative

      Apple normally posts details of security updates on it's Knowledge base at:

      http://docs.info.apple.com/article.html?artnum=617 98

      The details of this one are not up yet, but should be soon. Give the guys a break -- they're only human and stuff takes a while to work its way through the system.

      --Paul

  2. As usual.. by ayersrj · · Score: 5, Funny

    We're not sure what it does. But it installs fine and seems to work!

    1. Re:As usual.. by joshmoh · · Score: 2, Informative

      Nah, it's up now. Here's what it does:

      http://docs.info.apple.com/article.html?artnum=256 52

      Sadly, most of the "Enhancements" sound more like "Bug Fixes." Heh.

      --
      Your ideas are intriguing to me and I wish to subscribe to your newsletter.
    2. Re:As usual.. by Gogo+Dodo · · Score: 2, Informative
      That's the 10.3.2 release notes, not the Security Update 2004-01-26.

      According to Macintouch, here are the fixes:

      • AFP Server: Improves AFP over the 2003-12-19 security update.
      • Apache 1.3: Fixes CAN-2003-0542, a buffer overflow in the mod_alias and mod_rewrite modules of the Apache webserver.
      • Apache 2: Fixes CAN-2003-0542 and CAN-2003-0789 by updating Apache 2.0.47 to 2.0.48. Installed only on Server systems.
      • Classic: Fixes CAN-2004-0089 to improve the handling of environment variables. Credit to Dave G. of @stake for reporting this issue.
      • Mail: Fixes CAN-2004-0085 and CAN-2004-0086 to deliver security enhancements to Apple's mail application. Credit to Jim Roepcke for reporting CAN-2004-0086.
      • Safari: Fixes CAN-2004-0092 by delivering security enhancements to the Safari web browser.
      • System Configuration: Fixes CAN-2004-0087 and CAN-2004-0088 where the SystemConfiguration subsystem allowed remote non-admin users to change network setting and make configuration changes to configd. Credit to Dave G. from @stake for reporting these issues.
      • Windows File Sharing: Fixes CAN-2004-0090 where Windows file sharing did not shutdown properly.
      (The update also incorporates the patches from Security Update 2003-12-19.)
  3. Re:Apache 2.0? by onebuttonmouse · · Score: 3, Informative

    You don't have to wait for Apple, there's a packaged version, runs alongside 1.3. I tried it for a bit, but I didn't find any advantages over 1.3 for my purposes (mostly just PHP).

    --
    MacBook Pro. Worst name since the Bicycle
  4. Re:Apache 2.0? by radicalskeptic · · Score: 5, Informative

    According to this PDF from Apple, Mac OS X Server already carries both Apache 1.3 and 2.x. If you only have OS X client, you can also download a bundled Apache 2 package from Server Logistics here, if you really want it. I tried it about a year ago, I remember it has a nice preferance pane with which you can change some settings, restart the server, and view and edit your httpd.conf (although it was a little buggy with saving the file, TextEdit had problems with the permissions)... It couldn't do anything that wasn't just as easy to do from the command line, though.

    --
    WARNING: If accidentally read, induce vomiting.
  5. Re:just like MS by Trillan · · Score: 3, Interesting

    The last security update was December 19th.

    As for a monthly update... thanks, but I want new features (and especially security updates) as they become available.

  6. Re:just like MS by lullabud · · Score: 3, Informative

    Looking at my updates, which actually don't go back too far because I reloaded my laptop, the last system update i did was Dec 20th... that's over a month. The only updates I've done between then and now were application updates, like iCal. That's definitely better than being on a monthly patch release schedule for critical OS bugs.

  7. I care to wait a day or so... by lullabud · · Score: 5, Interesting

    Ever since the 10.3.2 update crashed my laptop I wait a day or two to see how things are going. That was the only crash I've ever had in Mac OS X though, and I had reloaded and (automatically) had all my settings back to the way they were before the crash, and had the system all patched up, even with the patch that crashed the system, within 35 minutes. This was amazing to me, considering all the hundreds of times I've spent reloading my own or other people's windows boxen and the frustration of importing all the previous settings (and never quite getting them ALL back). I'm not going to say OS X is the OS that does it all, but I will say that after using MS OSes since DOS 3.2 my new desktop OS of choice is OS X for reasons like that... Even so, I still do wait a day or so to patch because clearly things can, and do, go wrong some times.

  8. Re:just like MS by Kalak · · Score: 4, Interesting

    I don't know weather to write this as troll, astroturfing or just ignorance. I rather update my box more frequently, if it fixes the bugs and security problems. My Fedora boxes run "yum update-check" nightly, my RedHat boxes run up2date nightly, my OS X boxes check software update daily, and I have no complaints when they find an update. I like having notices sent to my mail box, so I can check them all in one place. (you can do this with scripting the OS X command line softwareupdate).

    I wish I could automate the checking for updates form Microsoft. Launching a web page and clicking through daily is no way to check for updates (and MS's security announcements are typically not sent when the updates are made available, but can be a day or two later).

    MS's "monthly" policy scares me. There is more to an OS than uptime. I'd rather know my boxes are secure than know that it's been a while since I rebooted them (and I run a number Linux, OS X and Windows boxes).

    --
    I am, and always will be, an idiot. Karma: Coma (mostly effected by .hack)
  9. Re:just like MS by babbage · · Score: 2, Informative
    I wish I could automate the checking for updates form Microsoft.

    Err, you can. I believe the feature is built-in to WinXP, and may have been available as a standard part of Win2k. However, it's also available as a separate update for any version of Windows going back at least as far as Win98.

    With the Windows auto-update option installed, the system will periodically check for available updates and, depending on your settings, automatically inform you of them, download first & inform you that updates are waiting to be installed, or automatically download and install. I like the second option, if only to grab a copy of everything and show me before anything is committed, but it's up to you.

    I think the auto-update runs weekly, but it should just be controlled by the system scheduler. Depending on your version of Windows, you should be able to go in and set this to run at whatever schedule you please, and if that's not good enough for you, you can probably script it with DOS, VB, Perl (ActiveState), Python (ActiveState), Bash (Cygwin), etc. Windows still lags badly behind the scripting abilities of Linux or Macintosh, but the facilities are there if you want to take advantage of them.

    --
    DO NOT LEAVE IT IS NOT REAL
  10. Re:10.3.3 by Trillan · · Score: 2, Informative

    I haven't heard any rumors, but I'd expect it in February.

  11. 10.2.8? by antdude · · Score: 2, Interesting

    Do any of these fixes affect 10.2.8 or only for 10.3?

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    1. Re:10.2.8? by sonetsst · · Score: 5, Informative

      As a matter of fact, not only is it available for 10.2.8 but also for 10.1.5, just check the download page under the OS X tab on apple.com.

      If only we got that sort of backwards compatibility with windows...

  12. Groundhog Day by PDubNYC · · Score: 3, Informative

    I have installed it on 3 machines, and everything seems to work fine with one exception. Every time I install it and reboot, there it is in the Software Update list again. I even tried installing it a 2nd time on one machine, sure enough it was there again after reboot. Big Ben, Parliament, kids

    1. Re:Groundhog Day by SillyWilly · · Score: 2, Informative

      I had that with one of the Java Updates, I just made it inactive in the end and it seems to have disappeared now.

      --
      Online & Feelin' Fine
    2. Re:Groundhog Day by Ilgaz · · Score: 2, Informative

      IMHO run disk utility, repair permissions and try again.

      If on 10.3 (panther) you can keep the download after install in case there is problem again.

  13. Re:10.3.3 by rf600r · · Score: 2, Insightful

    Why? Seriously, why?

  14. Opaque? by kwerle · · Score: 3, Insightful

    OS X in this regard is no better than Windows. It's an opaque operating system and dispite the list of changes that Apple provides, there's no real way to know if the patch is going to kill your system.

    Did you miss http://developer.apple.com/darwin/?

    Have fun with the kernel...

    1. Re:Opaque? by caseih · · Score: 3, Interesting

      The kernel is the least of it all. The kernel is fairly transparent to a developer who knows darwin inside and out. When it comes to the kernel, linux for me is more transparent simply because I understand it better. I'm sure I will understand darwin better over time. But that's not what I was talking about.

      The Opaqueness is in how everything is put together. Sure you can study darwin to figure it out. But the fact is that it's unix, but it's not unix. It's not system V, it has a hybrid init mechanism. Apple has also brought together many open source components, which is good, but it has done them in such a way that I can't just take the virgin code from, say, Samba, and compile. I can, however, get the code from apple. But now instead of being able to go to all the internet resources for help with a Samba 3.0 problem, I have to go to apple instead, since they have customized these components very heavily and the Samba developers can't make any real statement on a problem because fo that. It's just frustrating when there are problems. That's all. As with all proprietary operating systems, you really do tie yourself down to one vender. It's a calculated risk, one I'm not yet comfortable with (coming from an exclusive linux server setup) yet. Apple's tech support is very good, though. And the problems I've experienced will be resolved.

  15. It was twenty years ago today... by ptimmons · · Score: 5, Funny

    Happy 20th Anniversary, Macintosh users. You get... a security fix.

  16. Airport Extreme update too! by djupedal · · Score: 2, Informative

    Fingers crossed...been waiting for months.

  17. Re:10.3.3 by Anonymous Coward · · Score: 2, Informative
    This will be modded off topic, but they also just released a Airport/AE software update that includes a firmware support update for the AE base station that gives it WPA support.

    Check your software update.

    P.S. I dont feel like submitting it, so I'll post as AC.