Security Update July 2002

arn

macrumors god
Original poster
Staff member
Apr 9, 2001
14,499
1,783
Available in your Software Update:

Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system.
 

dricci

macrumors 6502a
Dec 15, 2001
537
0
um.. Windows?

What's with all these software updates? It's worst than Windows!

Can't they just do a monthly update Package where every update for that month is in a package and installed instead of bombarding us with these software updates and forcing us to restart?
 

Nipsy

macrumors 65816
Jan 19, 2002
1,009
0
No restart required...

SW update prolly runs an apachectl graceful, so hopefully it warns OSX server users that apache will be restarted.

One thing to remember about the unixy bits of the OS, almost everything on the unix side can be updated without a restart.

Even kernel extensions can be loaded and unloaded without a restart.

I would estimate that in the future, anything but a Jaguar size revision will be restart free.
 

Spelunk

macrumors newbie
Re: um.. Windows?

Originally posted by dricci
What's with all these software updates? It's worst than Windows!

Can't they just do a monthly update Package where every update for that month is in a package and installed instead of bombarding us with these software updates and forcing us to restart?
Even if there was a restart required, I am glad to see these updates. These were serious known security issues, and leaving them unpached was a big deal. Noone is forcing anyone to upgrade.
 

Gelfin

macrumors 68020
Sep 18, 2001
2,166
4
Denver, CO
Re: um.. Windows?

Originally posted by dricci
What's with all these software updates? It's worst than Windows!

Can't they just do a monthly update Package where every update for that month is in a package and installed instead of bombarding us with these software updates and forcing us to restart?
This is not exactly Apple's fault. The security problems this addresses are applicable to Apache and OpenSSH installations across all platforms, and I'm very appreciative to Apple for rolling out the fixes as quickly as they did. I would be annoyed if I had to wait a month to get the official fix. Don't want to reboot? Don't do the update. As long as security isn't a concern to you, you can wait and install it whenever.
 

backspinner

macrumors 6502a
Apr 29, 2002
547
0
Eindhoven
Re: um.. Windows?

Can't they just do a monthly update Package where every update for that month is in a package and installed instead of bombarding us with these software updates and forcing us to restart?
I hate the wait-till-we-decide-it's-time policy! If something is broken, it should be repaired. Period.
 

Choppaface

macrumors 65816
Jan 22, 2002
1,187
0
SFBA
yeah!!!! openssh update so quickly..hell ya apple!!

the new php isnt included though is it? oh well this still rocks
 

AlphaTech

macrumors 601
Oct 4, 2001
4,556
0
Natick, MA
Re: um.. Windows?

Originally posted by dricci
What's with all these software updates? It's worst than Windows!

Can't they just do a monthly update Package where every update for that month is in a package and installed instead of bombarding us with these software updates and forcing us to restart?
Bite your tongue OFF you rat bastage... Apple found a problem, and implimented a proper fix for it. Unlike m$ that releases a 'critical update' more often then some people change their shorts on this site (you know who you are, mr 3rd day on the same pair of boxers ;)).

Most of the updates Apple is putting out are to make software better, or the OS to run smoother. How many security updates have they released for the OS in the past year?? Can you remember any?? The last one I recall was for IE, not OS X.

If you don't like Apple, or OS X, or the Mac OS in general, then don't use it. Don't b*tch about them releasing the updates as they need to. Especially since you don't hear too many people b*tching about the tons of critical updates m$ puts out for their OS's. :p
 

sparkleytone

macrumors 68020
Oct 28, 2001
2,307
0
Greensboro, NC
at least it was fixed. when you see m$ "fixing" their gaping holes, its only because someone hacked their own site or because they have decided it is financially in their good interest to do so. for example, the javascript hack in ie6 was reported to m$ months before they fixed it. they only did so when the reporter decided he was tired of being ignored and went public.

with opensource, they fix it right and fast. what more can you ask?
 

whawho

macrumors regular
May 7, 2002
134
0
Columbus, OH
I am a new Mac user so....

bare with me... what is the big deal about having to reboot in OS X? It takes like 2 minutes max (at least on my machine) compared to the 10-15 min wait I have work using windows 2000.

I am glad Apple puts out these fixes, especially if they are a security fix.
 

nero007

macrumors regular
Feb 25, 2002
109
0
What's great about that update is you don't have to restart. Also, is this security issue even an issue if you're not running a web server?
 

j763

macrumors 6502a
Nov 25, 2001
660
0
Champaign, IL, USA
Re: um.. Windows?

Originally posted by dricci
What's with all these software updates? It's worst than Windows!
Dude, no -- it's not... trust me. Microsoft on average release a security update once every week. They've hardly ever added functionability or speeded up their products via Windows update, it's just for patching all those bugs
 

Ibjr

macrumors 6502a
Jun 29, 2002
513
21
Eastern seaboard
Re: Re: um.. Windows?

Originally posted by Spelunk


Even if there was a restart required, I am glad to see these updates. These were serious known security issues, and leaving them unpached was a big deal. Noone is forcing anyone to upgrade.
Why do you use this as a plus? Any service or software daemon, not w/ to the kernel or core libraries will not require a reboot. The real advantage is Apple isn't changing their EULA in these updates (at least i don't think so)

Apple should have released a beta patch for servers. (The beta woudn't be unstable)
 

tychay

macrumors regular
Jul 1, 2002
219
29
San Francisco, CA
Actually more than just the web server...

Originally posted by nero007
What's great about that update is you don't have to restart. Also, is this security issue even an issue if you're not running a web server?
In terms of external security vulnerability, it is more than just running a web server. If Allow remote login is turned on in your Sharing System Preferences in Application tab, you are also vulnerable (through ssh).

Both this and Apache SSL (Web Sharing turned on) are off in a default install of MacOS X.

There might be some other 3rd party programs dependent on this library that might also be vulnerable (secure tunnel programs, VPN? and the like) with nice eye-candy Mac GUIs, so this fix is necessary for those too.

The time was pretty impressive. I saw the security announcement for Linux only a day or two before Apple's servers showed the patch in Mac OS X. (The library is actually ported from BSD to Linux, but I'd think the patch came out simultaneously for both.) That's not a bad turnaround for compiling, testing, and bundling a package that you are going to release to millions of computer end users worldwide.

The updater might have to issue more than an "apache graceful[/b" since graceful only rehashes the httpd.conf file--I'm not sure Apache will reload all its extensions on a rehash (assuming mod_ssl is dynamically loaded in Apple's Apache compile). (Besides, there might have been a fix in the Apache source itself, since mod_ssl patches the source in order to compile).

An alternate algorithm would just check to see if apache is in the process table and, if so, do an "apache restart[/b" which would cause a less than a second interruption of service (session data might be lost in your web app, for instance). Given that auto-restarting is a major feature in IIS on Windows 2000 or newer, I think we're being a bit spoiled here if we expect our Apache to be running continuously without restart for as long as we leave our Macs on. Just in case, you might want to turn Web Sharing off and on.