Mac OS X Security Update 2003-11-19


MacRumors
Nov 19, 2003, 04:55 PM
In your Mac OS X Software Update:

Security Update 2003-11-19 includes the following updated components:

OpenSSL
zlib "gzprintf()" function

Mr.Hey
Nov 19, 2003, 04:57 PM
thanks apple for the timely updates. fpcika

ZildjianKX
Nov 19, 2003, 04:57 PM
Jeez, am I running Windows XP or OS X?

Stike
Nov 19, 2003, 05:00 PM
Too many updates in the past time...
Is Panther less secure, or have new security leaks occurred?

celaurie
Nov 19, 2003, 05:02 PM
Originally posted by Mr.Hey
thanks apple for the timely updates. fpcika

Not a problem! ;)

arn
Nov 19, 2003, 05:02 PM
Originally posted by Stike
Too many updates in the past time...
Is Panther less secure, or have new security leaks occurred?

More updates doesn't mean "less secure" -- if anything it means "more secure".

If Apple hadn't offered any security updates over the past 2 months... would that make you feel better?

arn

Superdrive
Nov 19, 2003, 05:03 PM
Super! I feel safer already...

celaurie
Nov 19, 2003, 05:04 PM
Originally posted by Stike
Too many updates in the past time...
Is Panther less secure, or have new security leaks occurred?

At least Apple fix their problems before the world exploits them... be thankful for small mercies! Comparing Panth and a 'doze OS just doesn't cut it...

cel, in defence!

gwuMACaddict
Nov 19, 2003, 05:05 PM
Originally posted by ZildjianKX
Jeez, am I running Windows XP or OS X?


OUCH! but with the new security update, definitely NOT XP ;)

Stella
Nov 19, 2003, 05:06 PM
Wish you people would stop crying about the amount of updates.

Would you rather have an insecure OS like Windows?!

This is the real world - Apple are not going to find all bugs / security holes before release - otherwise we'd still be waiting for OSX 10.0.

Software should be released when stable, which is what Panther generally is - OK there are some annoying bugs, but the OS itself is stable - doesn't crash every 10 minutes. I've had very few problems with Panther and application stability.

It's good that Apple are releasing patches in a timely manner.



*(FW 800 drive problems should have been noticed during development / testing).

X86BSD
Nov 19, 2003, 05:11 PM
My friend has been sitting on a remote root issue that affects all versions of OS X for months. Apple has *finally* agreed it will get addressed in a future patch. I Love OS X and Apple but come on, they need a serious blow to the head with a blunt object to get them to take a bug seriously and do something about it. They finally agreed to patch it after many emails back and forth and finally a pretty curt "fix the issue or I'm releasing it into the wild without you having time to fix it." email. So let's not all fawn over Apple's "speedy" patch timing.

Stike
Nov 19, 2003, 05:13 PM
Originally posted by arn
More updates doesn't mean "less secure" -- if anything it means "more secure".

If Apple hadn't offered any security updates over the past 2 months... would that make you feel better?

arn

More updates means secure, yes, but no updates would tell me that there are no flaws. A situation that would be better, no?

pgwalsh
Nov 19, 2003, 05:17 PM
There was a QuickTime Java update in my updates as well...

Version 2 of the QuickTime for Java update includes support for using QuickTime 6.4 with either Java 1.4.1 or Java 1.3.1. This update is recommended for everyone using QuickTime 6.4 in order to maintain application compatibility. It is also recommended for those who installed the previous QuickTime for Java Update as it retains Java compatibility when upgrading to later versions of Mac OS X.

Maybe this was older, but it just showed up today.

jxyama
Nov 19, 2003, 05:18 PM
Originally posted by Stella
Wish you people would stop crying about the amount of updates.

Would you rather have an insecure OS like Windows?!


no, the complaints mostly come from the fact frequent patching can (but not always) hint at bigger, more fundamental problems underneath.

yes, given a base OS, more patches will make the overall OS more secure. however, the complaint is coming from the fact we came from a base OS (Jaguar) which seemed to require less patching, perhaps indicating Jaguar was more "solid" than Panther?

i don't mind patching. but i'd rather have an OS that didn't require patching than the one that does. wouldn't you?

X86BSD
Nov 19, 2003, 05:23 PM
Keep in mind this is ALL third party software bundled with OS X. OpenSSL is not Apple software nor is zlib.

Rajj
Nov 19, 2003, 05:24 PM
Originally posted by Stike
More updates means secure, yes, but no updates would tell me that there are no flaws. A situation that would be better, no?

What most people don’t understand is that, Operating Systems run differentially on the same hardware, so one system may have an issue with an application and the other system with the same specs.

P.S. It is not possible to have an impeccable OS!!!

Stike
Nov 19, 2003, 05:27 PM
Originally posted by X86BSD
Keep in mind this is ALL third party software bundled with OS X. OpenSSL is not Apple software nor is zlib.

That means, Apple fixed something that OTHERS screwed up!?

X86BSD
Nov 19, 2003, 05:33 PM
That or that they introduced getting said app to work under OS X.

Mr.Hey
Nov 19, 2003, 05:55 PM
Originally posted by X86BSD
My friend

documentation please?....thanks buddy.

X86BSD
Nov 19, 2003, 06:08 PM
I cannot post the documentation without the author's permission. But I will tell you a deadline of Nov. 26th has been issued to Apple. If no security update is forthcoming from Apple by Nov 26 2003 you will see this released in full detail on that date with detailed analysis and workarounds.

moosecat
Nov 19, 2003, 06:09 PM
Security Update 2003-11-19 includes the following updated components:

OpenSSL
zlib "gzprintf()" function


God, you turn me on with your way with words, Apple.

:D

yoman
Nov 19, 2003, 06:10 PM
I for one am happy to have a security update before the hole it patches is utilized maliciously.


:)

GeeYouEye
Nov 19, 2003, 06:12 PM
This one's not just for Panther. I get it in Jaguar too, but the description's longer:

Security Update 2003-11-19 includes the following updated components:

• gm4
• groff
• Mail w/CRAM-MD5 authentication
• OpenSSL
• Personal File Sharing
• QuickTime for Java
• zlib "gzprintf()" function

Oh and there was also another QT for Java Update.

toughboy
Nov 19, 2003, 06:20 PM
Originally posted by Stike
More updates means secure, yes, but no updates would tell me that there are no flaws. A situation that would be better, no?

Nothing is perfect, yet may be flawless; like OSX.. ;)

arn
Nov 19, 2003, 06:41 PM
Originally posted by Stike
More updates means secure, yes, but no updates would tell me that there are no flaws. A situation that would be better, no?

See, "no updates" doesn't necessarily mean no flaws though. It just means no fixed flaws. :)

btw, as mentioned above, these are unix (opensource) components, not Apple's software.

arn

Counterfit
Nov 19, 2003, 06:50 PM
Well, now I have a real excuse to install the Bluetooth (waiting to see if it broke anything) and Java (just too darn lazy) updates too. Bye-bye uptime.

X86BSD
Nov 19, 2003, 06:55 PM
Don't even get me started on how STUPID it is to require a restart on every single update. It's just plain dumb. It's like they don't know what unix is. Or how to use it even though it's sitting underneath the pretty candy UI.

jeremy2
Nov 19, 2003, 06:57 PM
Originally posted by X86BSD
Don't even get me started on how STUPID it is to require a restart on every single update. It's just plain dumb. It's like they don't know what unix is. Or how to use it even though it's sitting underneath the pretty candy UI.

Apple requires a restart so they can make sure that everything is reset. It's just easier (and safer) to have it restart rather than quitting whatever is in use, and reloading it.

wilkens
Nov 19, 2003, 07:16 PM
Originally posted by X86BSD
Don't even get me started on how STUPID it is to require a restart on every single update. It's just plain dumb. It's like they don't know what unix is. Or how to use it even though it's sitting underneath the pretty candy UI.

A lot of people complain about this without knowing what's going on. When an update includes a new version of a library to which applications may link dynamically, you have to restart all applications that use that library. The problem is that there's no fully reliable way to know which running applications have loaded a particular library and to restart them perfectly cleanly. In some cases you might not care (you can wait for a user restart, risk losing data in a non-interactive one, or risk missing a dynamically-linked app), but when the update is to a widely-used library (like zlib in this case) and it concerns security, you really don't want to take a chance - the only sure bet is to reboot.

Obviously this isn't the case for updates that don't involve shared libraries or that only affect a limited (and known) number of apps - and you see in those cases that no reboot is required.

kcmac
Nov 19, 2003, 07:18 PM
Don't even get me started on how STUPID it is to require a restart on every single update. It's just plain dumb. It's like they don't know what unix is. Or how to use it even though it's sitting underneath the pretty candy UI.

It is usually this comment that is associated with _____is broke after the update.!!!!!

After a restart or a verify permissions, the problem is almost always solved.

How hard is it to restart and get on with your life? Restarts seem to be associated with security updates, quicktime updates and OS updates. These all seem system critical to me and worth a restart.

But then again, I restart before any OS update because it makes me feel safer. YMMV. :)

X86BSD
Nov 19, 2003, 07:22 PM
It's hard to restart for trivial crap that does NOT need a restart. If you come from the unix universe you would understand. You stop the server in question, (sshd, httpd etc..) patch it, install new server, restart server. Not the whole machine. It's like going to get gas for your car at the pump and having to tear down your engine and rebuild it every time. It's stupid and makes no sense. This is not windows.

X86BSD
Nov 19, 2003, 07:26 PM
No it makes Apple in severe need of acting on serious and fatal security issues a bit quicker than they are.

Wyrm
Nov 19, 2003, 07:41 PM
Originally posted by X86BSD
It's hard to restart for trivial crap that does NOT need a restart. If you come from the unix universe you would understand. You stop the server in question, (sshd, httpd etc..) patch it, install new server, restart server. Not the whole machine. It's like going to get gas for your car at the pump and having to tear down your engine and rebuild it every time. It's stupid and makes no sense. This is not windows.

I agree, at the very most they could force all users to log out, and then restart any system processes that were affected. Only kernel patches should require a reboot (and the Mach kernel is a microkernel arch which was designed so you didn't have to reboot unless you had to patch the core microkernel itself... which was intentionally kept micro so that would be few and far between).

No, I think what we are seeing is the low energy approach - why invest programmer resources to perform an update while running, when you could just patch the files and force a restart/reload?

Does anyone know if you have to restart the OSX Server when installing security patches?

-Wyrm

ITR 81
Nov 19, 2003, 07:44 PM
I would rather see sec. updates come out more freq. than wait for some damn PC sided sec. firm to say OS X has critical sec. flaws even if they are not!

As for the guy complaining about restarting..I know for a fact that not all updates have required a restart so stop complaining. I'd rather take 1-2mins to restart than have it not work right and screw something else up. 1-2mins of downtime is nothing.

jeremy2
Nov 19, 2003, 07:53 PM
Originally posted by Wyrm
Does anyone know if you have to restart the OSX Server when installing security patches?


OSX Server requires a restart just as OSX client does.

X86BSD
Nov 19, 2003, 07:53 PM
one or one thousand makes no difference. You cannot just reboot a machine every time a security update comes up if you run mission critical services off of it. Unless you want to admit OS X is a toy OS that can't hang with 1970 technology like UNIX that can be patched without taking the entire machine down. Is that what you are trying to say?

I love OS X, but some of you need some experience in the real world about mission critical deployment. And why it's retarded to reboot a whole machine or machines to patch ssh.

mstecker
Nov 19, 2003, 07:54 PM
Originally posted by X86BSD
My friend has been sitting on a remote root issue that affects all versions of OS X for months. Apple has *finally* agreed it will get addressed in a future patch. I Love OS X and Apple but come on, they need a serious blow to the head with a blunt object to get them to take a bug serious and do something about it. They finally agreed to patch it after many emails back and forth and finally a pretty curt "fix the issue or im releasing it into the wild without you having time to fix it." email. So let's not all fawn over Apple's "speedy" patch timing.

Did my last post really get modded out for being insulting? Okay, let me phrase this in a non-insulting way:

This story strikes me as untrue. It's easy to claim that an anonymous friend has an exploit for a bug that I can't tell you about, but let me tell you how slow Apple is in fixing it.

What makes more sense to me is that anyone who tries to blackmail apple into doing anything is likely to end up behind bars.

I hope Apple calls your "friend's" bluff. If it were serious, and a real exploit, they would have fixed it, as they've done instantly for other serious exploits. If not, they're going to let your "friend" huff and puff all he likes.

mstecker
Nov 19, 2003, 07:59 PM
Originally posted by X86BSD
one or one thousand makes no difference. You cannot just reboot a machine every time a security update comes up if you run mission critical services off of it. Unless you want to admit OS X is a toy OS that can't hang with 1970 technology like UNIX that can be patched without taking the entire machine down. Is that what you are trying to say?

I love OS X, but some of you need some experience in the real world about mission critical deployment. And why it's retarded to reboot a whole machine or machines to patch ssh.

Because the underlying libraries are dynamically linked into other running applications, and there's no system-wide way to register which applications are currently using which dynamically linked libraries.

So, genius, how do you guarantee to solve this problem without a reboot:

1) I find a flaw in something like zlib.
2) I issue a patch to zlib.
3) I could restart all of the services that I know of that come preinstalled with the machine that use zlib, but how could I possibly know whether or not some other user program that's been installed after the fact is using the old version?

So, how do you know that?

You should think through these things before you start calling people "retarded".

X86BSD
Nov 19, 2003, 08:13 PM
Originally posted by mstecker
Did my last post really get modded out for being insulting? Okay, let me phrase this in a non-insulting way:

This story strikes me as untrue. It's easy to claim that an anonymous friend has an exploit for a bug that I can't tell you about, but let me tell you how slow Apple is in fixing it.

What makes more sense to me is that anyone who tries to blackmail apple into doing anything is likely to end up behind bars.

I hope Apple calls your "friend's" bluff. If it were serious, and a real exploit, they would have fixed it, as they've done instantly for other serious exploits. If not, they're going to let your "friend" huff and puff all he likes.

You can think whatever you wish. The fact remains by Nov 26th this glaring security hole affecting every version of OS X 10.2+ client and server will be issued forth in a security advisory by said author.
It probably even affects all versions of OS X. Proof is in the pudding; you can doubt all you wish, but I will state here for record you will either see another security update by Nov 26th or you will see the SA released on full-disclosure and thereby the rest of the globe. This is not a bluff; this is a valid serious security issue Apple has decided is not worth the time to fix as of yet. On the 26th you can decide if Apple was justified or not. Trying to get a vendor to fix a glaring security issue is not blackmail. But I doubt I will convince you of this.

X86BSD
Nov 19, 2003, 08:25 PM
As far as how to fix zlib without rebooting.

Patch zlib
Install new zlib
Recompile apps using zlib.

If it's a kernel lib. *Schedule Downtime*

"But whaaa how do i find out what apps use zlib???"

I don't know how YOU run your servers but I only run one service usually per box.
Static libs only. Never dynamic for obvious reasons. And usually in a Jail.
And I know exactly what libs they link against.

Maybe you need more organization if you have 1000 apps running on a single server and don't know what's using what or linked to what. Which would be a security nightmare anyway.

ITR 81
Nov 19, 2003, 08:34 PM
Hmm...why don't you do updates during the night like most Admin.. do.

Also if it's mission critical most businesses will have more than 1 OS X server to rely on. I worked with a guy that did nothing but Unix and said all businesses have backup Unix servers on standby if they do have to switch to them.

Analog Kid
Nov 19, 2003, 09:12 PM
Originally posted by X86BSD
My friend has been sitting on a remote root issue that affects all versions of OS X for months. Apple has *finally* agreed it will get addressed in a future patch. I Love OS X and Apple but come on, they need a serious blow to the head with a blunt object to get them to take a bug serious and do something about it. They finally agreed to patch it after many emails back and forth and finally a pretty curt "fix the issue or im releasing it into the wild without you having time to fix it." email. So let's not all fawn over Apple's "speedy" patch timing.

I say give 'em two months to respond, then publish.

All in all though, Apple has been very up to speed with at least the BSD issues I've seen elsewhere.

Analog Kid
Nov 19, 2003, 09:30 PM
Originally posted by X86BSD
As far as how to fix zlib without rebooting.

Patch zlib
Install new zlib
Recompile apps using zlib.

If it's a kernel lib. *Schedule Downtime*

"But whaaa how do i find out what apps use zlib???"

I don't know how YOU run your servers but I only run one service usually per box.
Static libs only. Never dynamic for obvious reasons. And usually in a Jail.
And I know exactly what libs they link against.

Maybe you need more organization if you have 1000 apps running on a single server and don't know what's using what or linked to what. Which would be a security nightmare anyway.

Dude, listen, I'd like to reboot less than I do. Not because it does me any harm, but because I like to see the 'uptime' number get big.

It's a fetish. Call me weird...

What you're talking about though is sys-admin level decision making. OS X is first and foremost a consumer and small-business OS.

If I'm changing core libraries, and I look at my market and realize that half are home users and the other half are artists-- am I going to ask them to "kill -HUP" all processes dynamically linking to OpenSSL, or am I going to say "click restart to continue"?

If a service is mission critical, you darn well better be able to take a machine down without affecting operations or you've got much bigger concerns than a reboot.

If "scheduled downtime" is acceptable, don't click "check for updates" until the scheduled time...

Analog Kid
Nov 19, 2003, 09:37 PM
Originally posted by X86BSD
I don't know how YOU run your servers but I only run one service usually per box.
Static libs only. Never dynamic for obvious reasons. And usually in a Jail.
And I know exactly what libs they link against.

Sorry, I selectively ignored this bit... Let me restate:

If I'm changing core libraries, and I look at my market and realize that half are home users and the other half are artists-- am I going to ask them to recompile and install all apps statically linked to OpenSSL, or am I going to say "click restart to continue"?

I'd be willing to bet less than 50% of users have the dev tools even installed...

Stella
Nov 19, 2003, 09:56 PM
The people who say Apple should ensure bugs are fixed are clueless about software development.

No software is guaranteed bug free - security issues or otherwise.

Mac OSX is not a critical system, otherwise it would cost a lot more than $179 (Canadian). It is not vital that OSX ships with all known bugs fixed. If you are concerned about this then you shouldn't be using Mac OSX. You shouldn't be using Windows or any other consumer OS.

No consumer OS will have known bugs fixed. The OS will be released when it is suitable for consumer usage.

Get real. Apple will ship software with known bugs - but hopefully ship with a suitable software that ensures suitable day to day usage.

If you don't realise this, then you don't know how the software industry works.

This is the reality.

If you don't agree, then hard luck. This is a commercial environment, Apple are out to make money, like any other company.

Other companies will release software with known bugs - but (hopefully) usable software that is at a satisfactory status.

iPC
Nov 19, 2003, 09:57 PM
Originally posted by X86BSD
My friend has been sitting on a remote root issue that affects all versions of OS X for months. Apple has *finally* agreed it will get addressed in a future patch. I Love OS X and Apple but come on, they need a serious blow to the head with a blunt object to get them to take a bug serious and do something about it. They finally agreed to patch it after many emails back and forth and finally a pretty curt "fix the issue or im releasing it into the wild without you having time to fix it." email. So let's not all fawn over Apple's "speedy" patch timing.
Your friend should start posting it everywhere that Mac traffic is significant. /. might be a good start....

h'biki
Nov 19, 2003, 10:00 PM
Originally posted by Analog Kid
Sorry, I selectively ignored this bit... Let me restate:

If I'm changing core libraries, and I look at my market and realize that half are home users and the other half are artists-- am I going to ask them to recompile and install all apps statically linked to OpenSSL, or am I going to say "click restart to continue"?

I'd be willing to bet less than 50% of users have the dev tools even installed...

Oh but wait! I'm a UNIX user and they must listen to me. To ME!!!!!

crees!
Nov 19, 2003, 10:09 PM
Originally posted by X86BSD
You can think whatever you wish. The fact remains by Nov 26th this glaring security hole affecting every version of OS X 10.2+ client and server will be issued forth in a security advisory by said author.
It probably even affects all versions of OS X. Proof is in the pudding; you can doubt all you wish, but I will state here for record you will either see another security update by Nov 26th or you will see the SA released on full-disclosure and thereby the rest of the globe. This is not a bluff; this is a valid serious security issue Apple has decided is not worth the time to fix as of yet. On the 26th you can decide if Apple was justified or not. Trying to get a vendor to fix a glaring security issue is not blackmail. But I doubt I will convince you of this.

What exactly then could a malicious user do with this exploit you're talking about, or what does it affect?

Stella
Nov 19, 2003, 10:12 PM
Cosmetic issue. Minor issue.

Originally posted by Analog Kid
Dude, listen, I'd like to reboot less than I do. Not because it does me any harm, but because I like to see the 'uptime' number get big.

GeeYouEye
Nov 19, 2003, 11:48 PM
geez, unwad your panties already, force quit Software Update after the update is installed, and kill and restart the correct processes, if it really matters that much. Lord, if you can't figure out that, you shouldn't be using a Mac, or Unix for that matter. Go use Windows, where you really do have no choice but to restart after an update.

JW Pepper
Nov 19, 2003, 11:48 PM
The last update didn't update java properly and this is a fix for that.

Gymnut
Nov 20, 2003, 12:42 AM
It's only a 1mb update. I wonder how important of an update this was.

crees!
Nov 20, 2003, 01:04 AM
I'm sorry but I just thought this was amusing. I know some people have gone off on the recent updates to 10.3 but I just installed Windows XP Corp Edition under Virtual PC and after I ran Software Update it said there were 45 (forty-five) "Critical Updates and Service Packs."

Let's rethink this rash response to Apple updates.

I'm tickled with amusement.

rauf
Nov 20, 2003, 02:38 AM
One or two security updates, a few less critical software patches. Well, big deal.

I have a home built, ultra stable (researched every component for stability before purchase) win XP pro machine at home. It's not quite as rock solid as my macs but it's close. BUT every time I check for updates, there are literally dozens, some are critical, some are recommended, and some are just new small apps for beta testing. At this stage you have 2 options, install all, which may require 2 or 3 restarts ( some critical updates need restart after installing each one) or manually go through the list and check what the update is for, whether you even need it for your particular setup and whether the new app/feature is something you want to risk messing up your system for.

Given that's what apple's competition is (not unix), what is the beef about. I'm perfectly happy for my occasional osX update which is usually preselected for my particular system, and occasionally needs only one restart.

Unless you use (and maintain) both systems, it's easy to forget how good the mac, and more recently os X, actually is.

Analog Kid
Nov 20, 2003, 03:10 AM
Originally posted by Stella
Cosmetic issue. Minor issue.

Exactly my point...

iPC
Nov 20, 2003, 07:20 AM
Originally posted by crees!
I'm sorry but I just thought this was amusing. I know some people have gone off on the recent updates to 10.3 but I just installed Windows XP Corp Edition under Virtual PC and after I ran Software Update it said there were 45 (forty-five) "Critical Updates and Service Packs."

Let's rethink this rash response to Apple updates.

I'm tickled with amusement.
Yeah... I am updating my office machines right now (cheap Dells). They come with XP Professional with Service Pack 1a and there were 13 critical updates, 15 XP updates (directx, WMP 9, etc), and 1 driver update (video chipset). Not to mention the updates that Norton 2003 anti-virus needs (7 I believe). Turning off directory sharing, changing the default workgroup name, etc etc. It takes a while to get these things up and running. :rolleyes:

Wyrm
Nov 20, 2003, 08:44 AM
I think you guys are missing the point.
There is no need to restart; that is if Apple spent some effort implementing a restart of any shared components that are updated. Instead they implemented the low energy path. It's not a feature that sells more personal copies, but that's high on the list when administering a server.

Look at other Unix systems with package managers... none of them require a reboot unless the kernel itself is patched. I don't care about Windows, Apple says they have UNIX, and UNIX was designed so you didn't have to restart it for any library changes. Windows is not UNIX, and used to require a restart if you changed the network address.

It's a small gripe, I admit, but Apple doesn't have to reinvent the wheel, it's pretty much already there for them to use in BSD.

-Wyrm

stcanard
Nov 20, 2003, 09:12 AM
Well, the funny thing is Apple is doing exactly what everybody wants; giving them a choice.

The people that want the simple install and reboot can use software update.

The more advanced users who know what to restart, or want to remotely administer their OSX server machines can do:

sudo softwareupdate -i SecurityUpd2003-11-19-1.0

Then manually restart the required daemons.

Too easy and everyone's happy.

GeeYouEye
Nov 20, 2003, 10:01 AM
Originally posted by stcanard
sudo softwareupdate -i SecurityUpd2003-11-19-1.0


What's the -i flag? :confused:

rauf
Nov 20, 2003, 10:04 AM
I agree it's a lazy approach by apple - having restart as the default action on some updates.

But I use unix servers at work on mission critical medical apps. True, they don't need to be rebooted BUT they do slow down over time (usually a matter of 6-8 days), and it's always obvious when there's been a long time between reboots. So forgive me for not buying all the hype about standard unix, I use unix servers every day and the situation I've described has been true for every machine in every department I've worked in for the last 5 years.

Sure no reboot would be nice, and as already described, for those to whom this is important, there is already that option via terminal. However I'm sure most people are like me - I want a stable bug free responsive os all of the time, and don't mind the occasional 90 second reboot in order to achieve this.

stcanard
Nov 20, 2003, 11:05 AM
Originally posted by GeeYouEye
What's the -i flag? :confused:

install

type "man softwareupdate" and all your questions will be answered :)

-i is install
-l is list (so you can see what needs to be updated).

stcanard
Nov 20, 2003, 11:07 AM
Originally posted by rauf
But I use unix servers at work on mission critical medical apps. True, they don't need to be rebooted BUT they do slow down over time (usually a matter of 6-8 days), and it's always obvious when there's been a long time between reboots. So forgive me for not buying all the hype about standard unix, I use unix servers every day and the situation I've described has been true for every machine in every department I've worked in for the last 5 years.

What version of unix and what are you running on the servers? That really sounds like a userspace problem to me.

I've had OpenBSD servers with a year's uptime that are still as snappy as they day they were installed.

I've got a Solaris Oracle server here that gets hammered all the time, and I just checked it's got an 86 day uptime with nary a problem.

GeeYouEye
Nov 20, 2003, 12:08 PM
Originally posted by stcanard
install

type "man softwareupdate" and all your questions will be answered :)

-i is install
-l is list (so you can see what needs to be updated).

Is that just in Panther? Otherwise it's unnecessary. No argument generates a list, and any arguments get installed.

SiliconAddict
Nov 20, 2003, 12:08 PM
Originally posted by celaurie
At least Apple fix their problems before the world exploits them... be thankful for small mercies! Comparing Panth and a 'doze OS just doesn't cut it...

cel, in defence!


You know that Blaster worm that decimated windows back in September or was that late August? Anyways. The patch for that was released in July. Microsoft generally does release timely patches. It's just that no one bothers to apply them. (With good reason because I've had some of these patches break systems. ) *coughs*10.2.8*coughs*

I'm not defending MS. I'm not persecuting MS. I'm just stating what is.

SiliconAddict
Nov 20, 2003, 12:11 PM
Originally posted by iPC
It takes a while to get these things up and running. :rolleyes:

:D You have just given the reason I've handed out to everyone who has said "Ick...why do you want a Mac"

I deal with Windows 2K machines day in day out at work. I deal with their quirks at home. I want to stop tweaking a machine and start using it. I've got a bloody white paper 6 pages long on how to tweak XP to secure the system. You shouldn't have to go through 6 pages of tweaks to make a system functional!
Wait. I'm preaching to the converted. Never mind. :D

GeeYouEye
Nov 20, 2003, 12:25 PM
Here's interesting... funny, I thought you were giving Apple until the 26...:rolleyes:

http://www.securitytracker.com/alerts/2003/Nov/1008239.html

By the way, for some reason, it doesn't work on my iBook. Bit more thorough testing anyone?

stcanard
Nov 20, 2003, 01:21 PM
Originally posted by GeeYouEye
Is that just in Panther? Otherwise it's unnecessary. No argument generates a list, and any arguments get installed.

I don't actually know :-) Coming from an rpm background I just automatically used '-i'

It probably does work without anything...

Rower_CPU
Nov 20, 2003, 01:24 PM
So, someone needs to have physical access to your machine and be able to get to Terminal.app within 10-20 seconds of waking from standby to do this, if I'm reading it right.

I'll try it on my laptop at home and see. I have a feeling that Panther's password on waking from standby is going to make this a moot point.

X86BSD
Nov 20, 2003, 01:29 PM
Originally posted by GeeYouEye
Here's interesting... funny, I thought you were giving Apple until the 26...:rolleyes:

http://www.securitytracker.com/alerts/2003/Nov/1008239.html

By the way, for some reason, it doesn't work on my iBook. Bit more thorough testing anyone?

Apple does have till the 26th. That is a known problem with sudo really. Not Terminal.app. The problem I speak of is not the above.

SiliconAddict
Nov 20, 2003, 01:56 PM
Originally posted by GeeYouEye
Here's interesting... funny, I thought you were giving Apple until the 26...:rolleyes:

http://www.securitytracker.com/alerts/2003/Nov/1008239.html

By the way, for some reason, it doesn't work on my iBook. Bit more thorough testing anyone?

There's something to be said about priorities. The exploit that you posted a link to requires a local presence. I think this would be considered low on the totem pole vs. an exploit that can be accomplished remotely. You can bet Apple is compiling a list of exploits and most likely triaging them in a LOW - MEDIUM - CRITICAL scheme.

MasterMac
Nov 20, 2003, 02:05 PM
Originally posted by SiliconAddict
:D You have just given the reason I've handed out to everyone who has said "Ick...why do you want a Mac"

I deal with Windows 2K machines day in day out at work. I deal with their quirks at home. I want to stop tweaking a machine and start using it. I've got a bloody white paper 6 pages long on how to tweak XP to secure the system. You shouldn't have to go through 6 pages of tweaks to make a system functional!
Wait. I'm preaching to the converted. Never mind. :D

If you have that 6 page paper on your computer now, could you possibly send it to me? I'm interested in reading over it ;)

PM me if you're able to send it so I can give you my email address :)

Wyrm
Nov 21, 2003, 01:43 AM
Originally posted by SiliconAddict
:D You have just given the reason I've handed out to everyone who has said "Ick...why do you want a Mac"

I deal with Windows 2K machines day in day out at work. I deal with their quirks at home. I want to stop tweaking a machine and start using it. I've got a bloody white paper 6 pages long on how to tweak XP to secure the system. You shouldn't have to go through 6 pages of tweaks to make a system functional!
Wait. I'm preaching to the converted. Never mind. :D

Either that or you are describing "hell".. :D

-Wyrm

crees!
Nov 21, 2003, 01:52 AM
Originally posted by X86BSD
The problem I speak of is not the above.

Then what is, all high and mighty?

encro
Nov 22, 2003, 12:49 AM
The update details if you're curious:

Security Update 2003-11-19 for Mac OS X 10.3:

* OpenSSL: Fixes CAN-2003-0851. Parsing of particular malformed ASN.1 sequences is now handled in a more secure manner.
* zlib "gzprintf()" function: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed to protect any third-party applications that may potentially use this library.


Security Update 2003-11-19 for Mac OS X 10.2.8:

* gm4: Fixes CAN-2001-1411. A format string vulnerability in the gm4 utility. No setuid root programs relied on gm4 and this fix is a preventive measure against a possible future exploit.
* groff: Fixes VU#399883 where the groff component pic contained a format-string vulnerability.
* Mail w/CRAM-MD5 authentication: Fixes CAN-2003-0881. The Mac OS X Mail application will no longer fall back to plain text login when an account is configured to use MD5 Challenge Response.
* OpenSSL: Fixes CAN-2003-0851. Parsing of particular malformed ASN.1 sequences is now handled in a more secure manner.
* Personal File Sharing: Fixes CAN-2003-0878. When Personal File Sharing is enabled, the slpd daemon can no longer create a root-owned file in the /tmp directory to gain elevated privileges.
* QuickTime for Java: Fixes CAN-2003-0871. A potential vulnerability that could allow unauthorized access to a system.
* zlib "gzprintf()" function: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed to protect any third-party applications that may potentially use this library.

Lz0
Nov 23, 2003, 10:06 PM
Does anyone know where can I get this as a stand alone file? (Yes I did a search on Apple but to no avail).

I like to keep a copy of each update to update family boxes on modems etc.

Counterfit
Nov 23, 2003, 11:38 PM
In Panther's Software Update, you can choose to install and keep the package. Then distribute as you will.

Lz0
Nov 24, 2003, 12:06 AM
So you can!

Thanks

Ambrose Chapel
Nov 27, 2003, 10:59 AM
Originally posted by X86BSD
My friend has been sitting on a remote root issue that affects all versions of OS X for months. Apple has *finally* agreed it will get addressed in a future patch. I love OS X and Apple but come on, they need a serious blow to the head with a blunt object to get them to take a bug seriously and do something about it. They finally agreed to patch it after many emails back and forth and finally a pretty curt "fix the issue or I'm releasing it into the wild without you having time to fix it." email. So let's not all fawn over Apple's "speedy" patch timing.

Guess he was talking about this:
http://www.carrel.org/dhcp-vuln.html


Why did you release this when you did?
This was an exploitable remote root vulnerability. After Apple reneged on the Nov. 3rd release date I gave them 2-3 weeks. After the 2-3 weeks were up, I asked for the status and they said "December". Meanwhile, users are left exposed and independent rediscovery seemed fairly likely. And maybe by someone less scrupulous than myself. I felt I was being strung along and that the issue may never get properly addressed so I set a hard deadline at that point. They didn't meet it, and I issued my advisory.