
Security Update 2003-06-09

MacRumors
Jun 9, 2003, 05:57 PM
In your Mac OS X Software Update:


Security Update 2003-06-09 addresses a potential security issue when the Apple Filing Protocol (AFP) is used to reshare a Network File System (NFS) mount. This update also addresses a situation where LDAP bind authentication requests may be improperly sent when using Kerberos authentication.



Mr.Hey
Jun 9, 2003, 06:11 PM

umm I installed and now I'm sleepy...to bed I go...everything installed just fine

pyrotoaster
Jun 9, 2003, 06:12 PM
Think Secret predicted this update earlier today. They've been freakishly accurate as of late (keep it up!).

IJ Reilly
Jun 9, 2003, 06:44 PM
:confused:

I guess I don't need this update since I have hardly half a clue what all that means.

centauratlas
Jun 9, 2003, 07:37 PM
I am curious though as to where the Apache update is. There was a security update in the 2.0.x series (IIRC, from 2.0.44 to 2.0.45) last week that Apple hasn't put in an update yet.

alset
Jun 9, 2003, 08:30 PM
What does this mean, exactly? Anyone?

Dan

centauratlas
Jun 9, 2003, 09:03 PM
1. Regarding AFP resharing. NFS is a file system. Resharing means that you can (essentially) "log in" to NFS volumes (hard disks or arrays or whatever) from one machine (a Mac server) and then can republish them over your local network for other client machines as if they were locally connected (e.g. via AFP - Apple File Protocol over TCP/IP). It is a nice feature for enterprise use. Thus, the update addresses a security issue when someone goes from [NFS volume] <----> [Mac server] <----resharing---> [Mac client]. Apparently there was a problem in the resharing section. I don't know exactly what, but I bet it just hits a limited number of installations. However, I would guess those installations have LOTS of users (e.g. large enterprises) which is why this came out -- it's important to BIG customers.

2. Kerberos is a network authentication protocol (see http://web.mit.edu/kerberos/www/#what_is), helping provide network security via encryption. LDAP is Lightweight Directory Access Protocol, helping to look up contact info for example from an email program. I haven't looked at this in particular, but you can use Kerberos to make the LDAP connection secure and there was a problem with the bind (part of the connection and setup) here.

For example, you'd go to look up information from Mail (or Eudora or ...) and have selected Kerberos to do the security and sometimes it would not work (if you want to get completely NON technical). ;-)

mymemory
Jun 9, 2003, 10:38 PM
So, does that mean that I can surf the net faster?:rolleyes: :D

mac-diddy
Jun 10, 2003, 12:16 AM
Originally posted by centauratlas
2. Kerberos is a network authentication protocol (see http://web.mit.edu/kerberos/www/#what_is), helping provide network security via encryption. LDAP is Lightweight Directory Access Protocol, helping to look up contact info for example from an email program. I haven't looked at this in particular, but you can use Kerberos to make the LDAP connection secure and there was a problem with the bind (part of the connection and setup) here.

For example, you'd go to look up information from Mail (or Eudora or ...) and have selected Kerberos to do the security and sometimes it would not work (if you want to get completely NON technical). ;-)

Apple's LDAP implementation does not support Kerberos. For more info on this bug see CERT's report: http://www.kb.cert.org/vuls/id/467828.

leo
Jun 10, 2003, 06:31 AM
Some guys found a new bug that came with the update: login by pressing the Log In button doesn't work anymore. You can still log in using the return key, though.
Not that I'd use the button, but... :rolleyes:

maradong
Jun 10, 2003, 07:33 AM
Originally posted by leo
Some guys found a new bug that came with the update: login by pressing the Log In button doesn't work anymore. You can still log in using the return key, though.
Not that I'd use the button, but... :rolleyes:
pretty funny :-D

Wardofsky
Jun 10, 2003, 08:29 AM
Originally posted by maradong
pretty funny :-D

It is, actually; something in your face like that can be bugged with an update.

centauratlas
Jun 10, 2003, 08:36 AM
>Apple's LDAP implementation does not support kerberos. <

Yes it does, see:
http://docs.info.apple.com/article.html?artnum=107579
(For example : "When using a Kerberos login and integration with an LDAPv3 server, a account password may be sent in clear text format. When the authentication authority attribute is not set, Login Window tries to authenticate the account to the configured LDAP server. " One would presume that if one is using Kerberos login with an LDAPv3 server from Mac OS X that then Mac OS X would indeed support the combination of the two.)


http://docs.info.apple.com/article.html?artnum=107543
http://www.apple.com/macosx/jaguar/morefeatures.html

Here is how to config LDAP and Kerberos if you want to see how

http://homepage.mac.com/iclements/Using%20Kerberos%20and%20LDAP.pdf

this is a kind of old document so there may be easier ways to do so with current OS X versions.

mac-diddy
Jun 10, 2003, 12:21 PM
Originally posted by centauratlas
>Apple's LDAP implementation does not support kerberos. <

Yes it does

Yes, Apple does offer Kerberos, and yes, Apple does offer LDAP, but they do not offer kerberized LDAP.

Apple is close, but they need to offer kerberos binds as a method to access the LDAP server.

Arcady
Jun 10, 2003, 02:15 PM
Originally posted by centauratlas
I am curious though as to where the Apache update is. There was a security update in the 2.0.x series (IIRC, from 2.0.44 to 2.0.45) last week that Apple hasn't put in an update yet.

Maybe because Apple isn't using Apache 2.x in OS X yet? The current version in OS X is 1.3.27.

tychay
Jun 10, 2003, 08:42 PM
Originally posted by Arcady
Maybe because Apple isn't using Apache 2.x in OS X yet? The current version in OS X is 1.3.27.

Actually Apple uses Apache 2 for Mac OS X server (http://www.apple.com/server/macosx/). I think the security update for the server is already posted. I seem to remember the developer website contained the Apple-supplied patches for getting Apache 2 to compile, but I imagine that has long since been put into the Apache codebase.

celaurie
Jun 14, 2003, 01:20 PM
v 2.0 of Security Update 2003-06-09 available in Software Update:

Security Update 2003-06-09 addresses a potential security issue when the Apple Filing Protocol (AFP) is used to reshare a Network File System (NFS) mount. This update also addresses a situation where LDAP bind authentication requests may be improperly sent when using Kerberos authentication.