Security Update July 2002


arn
Jun 28, 2002, 04:34 PM
Available in your Software Update:

Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system.

dricci
Jun 28, 2002, 04:39 PM
What's with all these software updates? It's worse than Windows!

Can't they just do a monthly update Package where every update for that month is in a package and installed instead of bombarding us with these software updates and forcing us to restart?

Nipsy
Jun 28, 2002, 04:57 PM
No restart required...

SW update prolly runs an apachectl graceful, so hopefully it warns OSX server users that apache will be restarted.

One thing to remember about the unixy bits of the OS, almost everything on the unix side can be updated without a restart.

Even kernel extensions can be loaded and unloaded without a restart.

I would estimate that in the future, anything but a Jaguar size revision will be restart free.

Spelunk
Jun 28, 2002, 05:29 PM
Originally posted by dricci
What's with all these software updates? It's worse than Windows!

Can't they just do a monthly update Package where every update for that month is in a package and installed instead of bombarding us with these software updates and forcing us to restart?

Even if there was a restart required, I am glad to see these updates. These were serious known security issues, and leaving them unpatched was a big deal. No one is forcing anyone to upgrade.

Gelfin
Jun 28, 2002, 06:10 PM
Originally posted by dricci
What's with all these software updates? It's worse than Windows!

Can't they just do a monthly update Package where every update for that month is in a package and installed instead of bombarding us with these software updates and forcing us to restart?

This is not exactly Apple's fault. The security problems this addresses are applicable to Apache and OpenSSH installations across all platforms, and I'm very appreciative to Apple for rolling out the fixes as quickly as they did. I would be annoyed if I had to wait a month to get the official fix. Don't want to reboot? Don't do the update. As long as security isn't a concern to you, you can wait and install it whenever.

backspinner
Jun 28, 2002, 06:13 PM
Can't they just do a monthly update Package where every update for that month is in a package and installed instead of bombarding us with these software updates and forcing us to restart?

I hate the wait-till-we-decide-it's-time policy! If something is broken, it should be repaired. Period.

DavPeanut
Jun 28, 2002, 06:19 PM
Originally posted by Nipsy
No restart required...
Thank god!!!!!

Choppaface
Jun 28, 2002, 06:53 PM
yeah!!!! openssh update so quickly..hell ya apple!!

the new php isn't included though is it? oh well this still rocks

AlphaTech
Jun 28, 2002, 07:01 PM
Originally posted by dricci
What's with all these software updates? It's worse than Windows!

Can't they just do a monthly update Package where every update for that month is in a package and installed instead of bombarding us with these software updates and forcing us to restart?

Bite your tongue OFF you rat bastage... Apple found a problem, and implemented a proper fix for it. Unlike m$ that releases a 'critical update' more often than some people change their shorts on this site (you know who you are, mr 3rd day on the same pair of boxers ;)).

Most of the updates Apple is putting out are to make software better, or the OS to run smoother. How many security updates have they released for the OS in the past year?? Can you remember any?? The last one I recall was for IE, not OS X.

If you don't like Apple, or OS X, or the Mac OS in general, then don't use it. Don't b*tch about them releasing the updates as they need to. Especially since you don't hear too many people b*tching about the tons of critical updates m$ puts out for their OS's. :p

sparkleytone
Jun 28, 2002, 08:05 PM
at least it was fixed. when you see m$ "fixing" their gaping holes, it's only because someone hacked their own site or because they have decided it is financially in their good interest to do so. for example, the javascript hack in ie6 was reported to m$ months before they fixed it. they only did so when the reporter decided he was tired of being ignored and went public.

with opensource, they fix it right and fast. what more can you ask?

whawho
Jun 28, 2002, 08:05 PM
bear with me... what is the big deal about having to reboot in OS X? It takes like 2 minutes max (at least on my machine) compared to the 10-15 min wait I have at work using windows 2000.

I am glad Apple puts out these fixes, especially if they are a security fix.

nero007
Jun 28, 2002, 10:18 PM
What's great about that update is you don't have to restart. Also, is this security issue even an issue if you're not running a web server?

j763
Jun 28, 2002, 11:39 PM
Originally posted by dricci
What's with all these software updates? It's worse than Windows!


Dude, no -- it's not... trust me. Microsoft on average release a security update once every week. They've hardly ever added functionality or speeded up their products via Windows update, it's just for patching all those bugs.

Ibjr
Jun 29, 2002, 10:38 AM
Originally posted by Spelunk


Even if there was a restart required, I am glad to see these updates. These were serious known security issues, and leaving them unpatched was a big deal. No one is forcing anyone to upgrade.

Why do you use this as a plus? Any service or software daemon, not w/ to the kernel or core libraries will not require a reboot. The real advantage is Apple isn't changing their EULA in these updates (at least I don't think so)

Apple should have released a beta patch for servers. (The beta wouldn't be unstable)

buffsldr
Jun 30, 2002, 01:04 AM
http://story.news.yahoo.com/news?tmpl=story&u=/zd/20020629/tc_zd/940601


info about an apache worm that hits freebsd

MR Lurker
Jun 30, 2002, 11:14 PM
The following story was in today's Register:

MS security patch EULA gives Billg admin privileges on your box
By Thomas C Greene in Washington

http://www.theregister.co.uk/content/4/25956.html

Apple should feature this in their "switch" campaign...

"Apple. Our software updates don't 0w|\| you!"

tychay
Jul 1, 2002, 02:46 PM
Originally posted by nero007
What's great about that update is you don't have to restart. Also, is this security issue even an issue if you're not running a web server?

In terms of external security vulnerability, it is more than just running a web server. If Allow remote login is turned on in your Sharing System Preferences in Application tab, you are also vulnerable (through ssh).

Both this and Apache SSL (Web Sharing turned on) are off in a default install of MacOS X.

There might be some other 3rd party programs dependent on this library that might also be vulnerable (secure tunnel programs, VPN? and the like) with nice eye-candy Mac GUIs, so this fix is necessary for those too.

The time was pretty impressive. I saw the security announcement for Linux only a day or two before Apple's servers showed the patch in Mac OS X. (The library is actually ported from BSD to Linux, but I'd think the patch came out simultaneously for both.) That's not a bad turnaround for compiling, testing, and bundling a package that you are going to release to millions of computer end users worldwide.

The updater might have to issue more than an "apache graceful" since graceful only rehashes the httpd.conf file--I'm not sure Apache will reload all its extensions on a rehash (assuming mod_ssl is dynamically loaded in Apple's Apache compile). (Besides, there might have been a fix in the Apache source itself, since mod_ssl patches the source in order to compile).

An alternate algorithm would just check to see if apache is in the process table and, if so, do an "apache restart" which would cause a less than a second interruption of service (session data might be lost in your web app, for instance). Given that auto-restarting is a major feature in IIS on Windows 2000 or newer, I think we're being a bit spoiled here if we expect our Apache to be running continuously without restart for as long as we leave our Macs on. Just in case, you might want to turn Web Sharing off and on.
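
Added example, not part of the thread or of Apple's updater: a post-update check that compares reported Apache and OpenSSH versions against the fixed versions named in the announcement (1.3.26 and 3.4p1) and applies the process-table rule from the last post. The function names, banner strings and process listing are constructed for illustration; on a live host the inputs would come from `httpd -v`, `ssh -V 2>&1` and `ps`.

```shell
#!/bin/sh
# Fixed versions named in the Security Update July 2002 announcement above.
APACHE_MIN=1.3.26
OPENSSH_MIN=3.4   # "3.4p1" with the portable suffix dropped

# version_ge A B: succeed when dotted version A >= B, comparing field by field.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}          # a missing field counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Pull the dotted version out of an "Apache/x.y.z" or "OpenSSH_x.y" banner.
apache_version()  { printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1; }
openssh_version() { printf '%s\n' "$1" | sed -n 's|.*OpenSSH_\([0-9][0-9.]*\).*|\1|p' | head -n 1; }

# check_component NAME FOUND MIN: print a status line; succeed only when patched.
check_component() {
    if [ -z "$2" ]; then echo "$1: version not found"; return 2; fi
    if version_ge "$2" "$3"; then echo "$1 $2: at or above $3"; return 0; fi
    echo "$1 $2: below $3, update not applied"; return 1
}

# restart_action PS_LISTING: "restart" when httpd is in the process table, else
# "none". A full restart (not graceful) follows the suggestion in the last post.
restart_action() {
    if printf '%s\n' "$1" | grep -q 'httpd$'; then echo restart; else echo none; fi
}

# Constructed sample inputs (not captured from a real host).
OLD_HTTPD='Server version: Apache/1.3.23 (Darwin)'
NEW_HTTPD='Server version: Apache/1.3.26 (Darwin)'
NEW_SSH='OpenSSH_3.4p1, SSH protocols 1.5/2.0'
PS_SAMPLE='/sbin/init
/usr/sbin/sshd
/usr/sbin/httpd'

check_component Apache "$(apache_version "$OLD_HTTPD")" "$APACHE_MIN" || true
check_component OpenSSH "$(openssh_version "$NEW_SSH")" "$OPENSSH_MIN" || true
echo "httpd action: $(restart_action "$PS_SAMPLE")"
```

When the action is `restart`, the corresponding command on the host is `apachectl restart`.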