Security Update 2004-09-07

← Back to Stories (view on slashdot.org)

Posted by pudge on Tuesday September 7, 2004 @06:26PM from the mo-updates dept.

sizemoresr writes "Security Update 2004-09-07 delivers a number of security enhancements and is recommended for all users of Mac OS X 10.2.8 and later. This update includes the following components: CoreFoundation, IPSec, Kerberos, libpcap, lukemftpd, NetworkConfig, OpenLDAP, OpenSSH, PPPDialer, rsync, Safari and tcpdump."

23 of 77 comments (clear)

Min score:

Reason:

Sort:

Re:Post Install Experiences Here... by inio · 2004-09-07 18:55 · Score: 4, Informative

Downloaded.
Installed.
Optimized................ .
Restarted.
Checked email.
Posted comment.

(dual 1.8 G5)
Worth noting this time... by danamania · 2004-09-07 19:16 · Score: 4, Informative

...s that the update is provided for two Panther releases, 10.3.5 AND for 10.3.4.
From apple's Security Announce list:

Given the relatively recent release of the Mac OS X v10.3.5 Software
Update, this security update is available for both Mac OS X v10.3.4
and Mac OS X v10.3.5. Customers who are still evaluating Mac OS X
v10.3.5 for large-scale deployment can apply the security update for
Mac OS X v10.3.4 to increase the security of their systems during the
evaluation period. After updating to Mac OS X v10.3.5, Security
Update 2004-09-07 should be installed onto Mac OS X v10.3.5 even if it
was previously installed on a Mac OS X v10.3.4 system.

From memory some of the other security updates could be put on before the release they came with, but I wouldn't trust just my memory as far as I could throw it. Anyway, it's specifically noted this time.
Safari bug still there by setesh · 2004-09-07 19:19 · Score: 5, Informative

Still does not fix the bug where if you load a page that changes a cookie and then immediatelly quit Safari the cookie change is not saved.

Thought you logged out of your super secret intranet page - no you didnt...
1. Re:Safari bug still there by oscarmv · 2004-09-07 22:35 · Score: 4, Informative
  
  That's a Safari bug that hopefully will be corrected in a Safari revision (there's one coming for both Panther and Tiger).
  
  Should be out in a few weeks I think.
Webpages not rendering correctly by Anonymous Coward · 2004-09-07 20:24 · Score: 2, Informative

Just go ahead and update and try FedEx.com or DirectTV.com

You may just want to wait a bit

Keep on Folding! Team MaC OS X rocks! Join Us!
1. Re:Webpages not rendering correctly by inblosam · 2004-09-07 23:50 · Score: 2, Informative
  
  Was this problem here before? Looks like both sites have the exact same issue, but from my quick HTML glance I couldn't tell what was causing it.
  
  Mason-powered site showcase: Utah Homes Now.com
  
  That was my sig.
2. Re:Webpages not rendering correctly by Anonymous Coward · 2004-09-08 00:13 · Score: 3, Informative
  
  Yes macslash has some coverage of this. My own experiments indicate that the problem is localized to Safari; the mozilla suite (Camino, Mozilla, Firefox) seem all to work fine.
  
  --MW
3. Re:Webpages not rendering correctly by Gogo+Dodo · 2004-09-08 05:56 · Score: 4, Informative
  
  This was a "Security Update", not a general bug fix release, so I don't expect any bugs in Safari got fixed except the security issue.
killed incoming ftp by ACmtd · 2004-09-08 02:04 · Score: 5, Informative

This update apparently "secures" the FTP daemon in quite an original way, by rendering it completely inoperable.

There are a few reports about it on Apple's discussions site.

The workaround suggested in the above link is to revert to the original ftpd supplied with Panther/Jaguar using the OS X install discs and a tool like Pacifist - though I'm trying to look at the glass as half-full and use this as the kick in the pants I need to start using sftp instead..
1. Re:killed incoming ftp by mgs1000 · 2004-09-08 04:09 · Score: 4, Informative
  
  Yep, same thing happened to me. So, I just installed PureFTPd, partially because there is a pretty god (and free) management frontend out there for it.
2. Re:killed incoming ftp by Dahan · 2004-09-08 05:51 · Score: 4, Informative
  
  Hmm, well that sucks.
  Looks like ftpd was compiled with /usr/etc as its configuration directory, rather than /etc. If you create /usr/etc and copy /etc/ftpusers to /usr/etc/ftpusers, it seems to work.
3. Re:killed incoming ftp by Dahan · 2004-09-08 05:57 · Score: 4, Informative
  
  You can also patch the binary to use /etc by running this as root:
  cd /usr/libexec && cp -p ftpd ftpd.orig && printf '/etc\0' | dd of=ftpd bs=1 seek=100252 conv=notrunc
4. Re:killed incoming ftp by Em+Adespoton · 2004-09-08 08:36 · Score: 3, Informative
  
  Even better, ln -s /etc /usr/etc
  Then, you just get a symbolic link (alias) to the path at the other location, and it will pick up any future updates that come your way.
5. Re:killed incoming ftp by Dahan · 2004-09-08 11:57 · Score: 3, Informative
  
  Well, I'm expecting that Apple will release a fixed ftpd shortly, so that I won't permanently need a /usr/etc/ftpusers file. Symlinking the entire /etc directory seems like overkill for a workaround for one program, but sure, that's fine too :)
  (Actually, I'm using my patched ftpd, so I don't need /usr/etc in any case).
Re:rsync? by eLoco · 2004-09-08 08:06 · Score: 5, Informative

I use the rsync available here because it includes support for HFS+ volumes, meaning it will preserve resource forks. It installs to /usr/local/bin so it doesn't overwrite the existing rsync at /usr/bin. You need to have it installed on all OS X machines that you are syncing between.

To rsync data that includes files with resource forks from a remote server to a local server via ssh, use something like this:

/usr/local/bin/rsync -ave ssh --delete --eahfs --rsync-path=/usr/local/bin/rsync \ <user>@<remoteserver>:<path> <localpath>

The --eahfs switch is what tells it to preserve resource forks.

--
sig != null
Not recommended for G4 users, G5 seems ok... by curtlewis · 2004-09-08 09:07 · Score: 4, Informative

Most of the problems I've encountered are with Safari. The following sites all have similar problems and are entirely unusable with Safari after applying the patch:

http://www.fedex.com/
http://www.compusa.com/
http://www.bestbuy.com/

I'm sure there are many others. G5 systems do not appear to be affected. G4s are.

As noted on http://docs.info.apple.com/article.html?artnum=617 98 :

Component: Safari
CVE-ID: CAN-2004-0361
Available for: Mac OS X 10.2.8, Mac OS X Server 10.2.8
Impact: A JavaScript array of negative size can cause Safari to access out of bounds memory resulting in an application crash.
Description: Storing objects into a JavaScript array allocated with negative size can overwrite memory. Safari now stops processing JavaScript programs if an array allocation fails.
This security enhancement was previously made available in Safari 1.0.3, and is being applied inside the Mac OS X 10.2.8 operating system as an extra layer of protection for customers who have not installed that version of Safari. This is a specific fix for Mac OS X 10.2.8 and the issue does not exist in Mac OS X 10.3 or later systems.
----

This particular fix is specific to 10.2.8 and NOT 10.3 or later, yet appears it may install with the 10.3.x update. This could well be the cause of the problems. This is further supported by the fact that all of the known sites that fail to render properly use JavaScript 1.2 extensively.

Word is the Safari team is aware of the problem and working on it.
1. Re:Not recommended for G4 users, G5 seems ok... by Guy+Harris · 2004-09-08 14:02 · Score: 4, Informative
  
  Most of the problems I've encountered are with Safari. The following sites all have similar problems and are entirely unusable with Safari after applying the patch:
  
  ...and if those sites update the version of OpenCube's QuickMenu Pro that they're using, to fix the browser type/version check, they'll probably be usable again. See the 9/8/04 item on this site and a 9/8/04 item on this site.
Swap file bug not fixed? by jeffasselin · 2004-09-08 09:38 · Score: 2, Informative

I couldn't find anything so far about the swap file password reveal being fixed or not.

That's a serious issue that I expected to be fixed soon.

--
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
rsyncX by Cbs228 · 2004-09-08 10:34 · Score: 5, Informative

The latest Security Update has (predictably) broken my rsyncX install. I was able to fix this by overwriting /usr/bin/rsync (Apple's rsync) with /usr/local/bin/rsync (which is where rsyncX installs by default). However, be sure to RTF-security information first the version of rsync that rsyncX uses (2.6.0) is not secure in daemon mode (use SSH mode instead).

--
At our school, we don't earn a degree when we graduate—we earn pi/180 radians
OpenCube's Visual QuickMenu by Anonymous Coward · 2004-09-08 12:08 · Score: 1, Informative

Looks like that Safari is not correctly rendering some sites that use OpenCube's Visual QuickMenu http://www.opencube.com/
Other sites that aren't rendering correctly:
http://www.subaru.com/
http://www.memcorpinc.com/
Web site display is not Apples fault, see here!! by Anonymous Coward · 2004-09-08 14:45 · Score: 5, Informative

I did some sleuthing today on a Safari bug that came up just after this latest security update, and the problem is not Apple's fault. It's the fault of OpenCube's QuickMenu Pro product, used by FedEx, CompUSA, Best Buy and others. It causes all kinds of garbage menu text to appear before rendering the rest of the page. I reported the error to OpenCube along with the offending line of code in their tdqm_loader.js file.

update: They wrote me back that they have a fix for it available on their updates page. Of course, it's not me, but the above websites which need to apply the update. (OpenCube lists several places that use this product on their front page on the left, so if anyone wants to email them to update their software, please do. I've got to get to other things tonight.)

To verify that this isn't a Safari problem, put this identity string into any browser of your choice: "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/125.4.2 (KHTML, like Gecko) Safari/125.9" and go to one of the above sites. The "4" in the WebKit number trips up QuickMenu Pro.

http://osx.hyperjeff.net

Good catch Jeff!!
mod parent up by cipher+chort · 2004-09-09 05:53 · Score: 2, Informative

Ahh, at least the culprit is named and shamed!

--
Someone is WRONG on the Internet!
FTP fux by steeviant · 2004-09-09 07:02 · Score: 4, Informative

go to a terminal prompt and type

sudo ln -s /etc /usr/etc

As someone pointed out above, Apple mucked up the ftpd compile and made the ftp daemon look in /usr/etc instead /etc for it's config.