Security Update July 2002

Discussion in 'MacRumors News Discussion (archive)' started by arn, Jun 28, 2002.

  1. arn
    macrumors god


    Staff Member

    Apr 9, 2001
    Available in your Software Update:

    Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system.
  2. macrumors 6502a

    Dec 15, 2001
    um.. Windows?

    What's with all these software updates? It's worst than Windows!

    Can't they just do a monthly update Package where every update for that month is in a package and installed instead of bombarding us with these software updates and forcing us to restart?
  3. macrumors 65816


    Jan 19, 2002
    No restart required...

    SW update prolly runs an apachectl graceful, so hopefully it warns OSX server users that apache will be restarted.

    One thing to remember about the unixy bits of the OS, almost everything on the unix side can be updated without a restart.

    Even kernel extensions can be loaded and unloaded without a restart.

    I would estimate that in the future, anything but a Jaguar size revision will be restart free.
  4. macrumors newbie

    Apr 24, 2002
    Portland, OR -> Louisville, KY
    Re: um.. Windows?

    Even if there was a restart required, I am glad to see these updates. These were serious known security issues, and leaving them unpached was a big deal. Noone is forcing anyone to upgrade.
  5. macrumors 68020


    Sep 18, 2001
    Denver, CO
    Re: um.. Windows?

    This is not exactly Apple's fault. The security problems this addresses are applicable to Apache and OpenSSH installations across all platforms, and I'm very appreciative to Apple for rolling out the fixes as quickly as they did. I would be annoyed if I had to wait a month to get the official fix. Don't want to reboot? Don't do the update. As long as security isn't a concern to you, you can wait and install it whenever.
  6. macrumors 6502a

    Apr 29, 2002
    Re: um.. Windows?

    I hate the wait-till-we-decide-it's-time policy! If something is broken, it should be repaired. Period.
  7. macrumors 6502

    Jun 5, 2002
    Thank god!!!!!
  8. macrumors 65816

    Jan 22, 2002
    yeah!!!! openssh update so quickly..hell ya apple!!

    the new php isnt included though is it? oh well this still rocks
  9. macrumors 601


    Oct 4, 2001
    Natick, MA
    Re: um.. Windows?

    Bite your tongue OFF you rat bastage... Apple found a problem, and implimented a proper fix for it. Unlike m$ that releases a 'critical update' more often then some people change their shorts on this site (you know who you are, mr 3rd day on the same pair of boxers ;)).

    Most of the updates Apple is putting out are to make software better, or the OS to run smoother. How many security updates have they released for the OS in the past year?? Can you remember any?? The last one I recall was for IE, not OS X.

    If you don't like Apple, or OS X, or the Mac OS in general, then don't use it. Don't b*tch about them releasing the updates as they need to. Especially since you don't hear too many people b*tching about the tons of critical updates m$ puts out for their OS's. :p
  10. macrumors 68020


    Oct 28, 2001
    Greensboro, NC
    at least it was fixed. when you see m$ "fixing" their gaping holes, its only because someone hacked their own site or because they have decided it is financially in their good interest to do so. for example, the javascript hack in ie6 was reported to m$ months before they fixed it. they only did so when the reporter decided he was tired of being ignored and went public.

    with opensource, they fix it right and fast. what more can you ask?
  11. macrumors regular

    May 7, 2002
    Columbus, OH
    I am a new Mac user so....

    bare with me... what is the big deal about having to reboot in OS X? It takes like 2 minutes max (at least on my machine) compared to the 10-15 min wait I have work using windows 2000.

    I am glad Apple puts out these fixes, especially if they are a security fix.
  12. macrumors regular

    Feb 25, 2002
    What's great about that update is you don't have to restart. Also, is this security issue even an issue if you're not running a web server?
  13. macrumors 6502a

    Nov 25, 2001
    Champaign, IL, USA
    Re: um.. Windows?

    Dude, no -- it's not... trust me. Microsoft on average release a security update once every week. They've hardly ever added functionability or speeded up their products via Windows update, it's just for patching all those bugs
  14. macrumors 6502a

    Jun 29, 2002
    Eastern seaboard
    Re: Re: um.. Windows?

    Why do you use this as a plus? Any service or software daemon, not w/ to the kernel or core libraries will not require a reboot. The real advantage is Apple isn't changing their EULA in these updates (at least i don't think so)

    Apple should have released a beta patch for servers. (The beta woudn't be unstable)
  15. macrumors 6502a


    May 7, 2001
  16. macrumors newbie

    May 8, 2002
    Adelaide, Australia
    The following story was in today's Register:

    MS security patch EULA gives Billg admin privileges on your box
    By Thomas C Greene in Washington

    Apple should feature this in their "switch" campaign...

    "Apple. Our software updates don't 0w|\| you!"
  17. macrumors regular

    Jul 1, 2002
    San Francisco, CA
    Actually more than just the web server...

    In terms of external security vulnerability, it is more than just running a web server. If Allow remote login is turned on in your Sharing System Preferences in Application tab, you are also vulnerable (through ssh).

    Both this and Apache SSL (Web Sharing turned on) are off in a default install of MacOS X.

    There might be some other 3rd party programs dependent on this library that might also be vulnerable (secure tunnel programs, VPN? and the like) with nice eye-candy Mac GUIs, so this fix is necessary for those too.

    The time was pretty impressive. I saw the security announcement for Linux only a day or two before Apple's servers showed the patch in Mac OS X. (The library is actually ported from BSD to Linux, but I'd think the patch came out simultaneously for both.) That's not a bad turnaround for compiling, testing, and bundling a package that you are going to release to millions of computer end users worldwide.

    The updater might have to issue more than an "apache graceful[/b" since graceful only rehashes the httpd.conf file--I'm not sure Apache will reload all its extensions on a rehash (assuming mod_ssl is dynamically loaded in Apple's Apache compile). (Besides, there might have been a fix in the Apache source itself, since mod_ssl patches the source in order to compile).

    An alternate algorithm would just check to see if apache is in the process table and, if so, do an "apache restart[/b" which would cause a less than a second interruption of service (session data might be lost in your web app, for instance). Given that auto-restarting is a major feature in IIS on Windows 2000 or newer, I think we're being a bit spoiled here if we expect our Apache to be running continuously without restart for as long as we leave our Macs on. Just in case, you might want to turn Web Sharing off and on.

Share This Page