July 2002 Security Update Fixes Apache, OpenSSH Vulnerabilities And More
by Anonymous Coward on Saturday June 29, @03:55AM (#371)
Most people use Macs as clients and have no idea about ssh. What they need is to hire someone to configure the firewall properly, not this.
For your sake, I hope you're just joking. If you for any moment even think that what OS you boot has anything to do with where your penis goes, then I can't wait until you shoot your eye out.
by Anonymous Coward on Saturday June 29, @11:50PM (#455)
So what would, in this case, be constructive criticism? It doesn't seem that there is any criticism that would ever be taken well.
by Anonymous Coward on Saturday June 29, @01:47AM (#1589)
Now that's overkill -- just force-quit the installer whenever the reboot panel pops up...
by Anonymous Coward on Saturday June 29, @09:52AM (#13206)
Criticising Apple is one thing.
(Which I have no problem with)
What this comes off as is unconstructive whining that they didn't release it in 1 hour.
After all, read the post's subject line: "Took their time!". That at least says whine.
That's what the moderation system is for (it's crap, but it basically works) - just browse at +1 or +2 and you'll only see comments which have been modded up.
Only browse at "0" if you really don't want to miss anything that might possibly be good.
The 'Trolls' are just that, 'Trolls' - they don't care if you're black, gay, Jewish, Muslim, a Martian or a Mac user as long as they can get a response from someone (anyone); just browse at +1 or +2 and you'll never have to see them again.
-- Iain
by Anonymous Coward on Saturday June 29, @01:57PM (#13230)
Now, this is getting ridiculous. I've never seen such stupidity. There are plenty of people who own Apples that aren't queer. Being a fag has nothing to do with buying an Apple. I'm sure there are millions of fags who own PCs.
Linux is a piece of fucking broken garbage that will never make it to the ordinary user's desktop and doesn't even work 50% of the time and is currently being managed by 1 super nerd. So don't even try to tell me it's better than Windows and certainly cannot be better than the Mac OS.
If you don't like Apple--FINE--go play on a freeway. Since when do women like geeky nerds who are into Windows and Linux?
I'm sure others have seen this, but I haven't seen it posted. I got a PGP signed message from Apple's product security list, detailing the Apache and OpenSSH vulnerabilities and the related updates from Apple, yesterday afternoon. Good to see Apple doing this as well. Contents of the message, with Apple's sig, pasted below.
From: Product Security
Date: Fri Jun 28, 2002 02:22:32 US/Mountain
To: security-announce@lists.apple.com
Subject: Security Update July 2002 is available
-----BEGIN PGP SIGNED MESSAGE-----
Security Update July 2002 is now available and includes the following
security enhancements for your system:
* Apache: Fixes CVE ID CAN-2002-0392 which allows remote attackers to
cause a denial of service and possibly execute arbitrary code.
Further details are available from:
http://www.cert.org/advisories/CA-2002-17.html
* OpenSSH: Fixes two vulnerabilities where a remote intruder may be
able to execute arbitrary code on the local system. Further details
are available from: http://www.cert.org/advisories/CA-2002-18.html
Further details are available via the Apple Product Security web site:
http://www.apple.com/support/security/security_updates.html
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.
Yes, but we mustn't forget that these are security vulnerabilities. I really hope that Apple won't screw up and erase some people's hard drives again, but the Apache hole has been around long enough for worms to start circulating. The OpenSSH vulnerability has the potential for a root compromise. What would be even more embarrassing than having to restore my hard drive from a backup would be to have had a hacker retrieve the sensitive data and then wipe the drive.
by Anonymous Coward on Friday June 28, @10:38PM (#13251)
Thank you oh king of the obvious.
I'll just mention that for people who need to be up-to-the-minute with these things, you may want to keep an eye on www.stepwise.com.
Scott Anguish usually has an article on building/updating programs like SSH at least a few days before Apple can post them.
-jcr
I work at Apple: adjust salinity accordingly.
by Anonymous Coward on Friday June 28, @03:38PM (#34955)
I finally gave up waiting, installed OpenSSH with fink, and rebooted to check that the daemon starts properly.
Which is what OSX users should have done instead of complaining and waiting for Apple to fix it for them.
This is a good thing. Last time there was a security issue we had to wait quite a while until Apple released an update with the security stuff. Right now it seems like this update came out fairly quickly.
Scott Anguish is gonna be disappointed. He posted his own build-your-own OpenSSH 3.4 tutorial at stepwise.com, today.
Except this is better, non-geeks will be able to keep their stuff secure quickly now.
Would be nice if that Apache update came out sooner though.
Overall, this is good. Thanks Apple :)
-codeonezero[self initWithContentsOfURL:url];
Does anyone know if this update addresses the resolver bug, or whether Mac OS X was vulnerable to the resolver bug to begin with?
I'll go look at the bom, but if anyone knows for sure, please speak up.
According to the CERT announcement, it is.
Check out: this for more info
According to CERT, it's unknown if Mac OS X is vulnerable.
john
What do you mean "finally gave up waiting?" OpenSSH 3.4 has been out for like 48 hours. Apple has been incredibly fast. Apache folk had much more reason to fret and longer to wait.
If you choose to install the AppleScript upgrade at the same time you WILL be required to reboot, FYI.
Also keep in mind that the hardest part about porting OpenSSH to any platform is the authentication interface. FreeBSD's authentication is not abnormal and they've had a lot of practice. OS X's NetInfo is not brand new by any means but it's a pretty odd duck.
I can find no info on it in the man pages....
by Anonymous Coward on Friday June 28, @05:25PM (#34977)
If you have done it once you can do it again without new directions...
by Anonymous Coward on Friday June 28, @05:26PM (#34979)
ssl support for apache...
I'm quoting this from user "kf97mopa" on versiontracker.com:
"You don't have to restart just to update kernel extensions; it's enough to do "sudo kextunload" the old and "sudo kextload" the new. Apple is unfortunately being lazy and rebooting instead in these cases. The only time you _have_ to reboot is when you update the kernel."
So, to make it short, you still have to update the kernel extensions to get it to work right after you've downloaded it; however, a restart is the most novice way to do it.
I can understand that we all want Apple to issue updates instantly to fix security vulnerabilities. However, I think we're overlooking the fact that a) they have to wait on the patch to become available from whoever issues it, build the new binaries, regression test the hell out of them, and write documentation for them BEFORE THEY ARE RELEASED. This may take some time if steps 2 and 3 don't go off without a hitch. After all, if you paid 1000 bucks for a MacOS X Server license, had deployed it in a critical setting, and one of Apple's patches killed your setup, you'd be livid. Of course, I'd be pretty scratched if an Apple patch biffed up sshd or my httpd or whatnot on my laptop since I rely on them to do my job.
Just my 0.02...
by Anonymous Coward on Friday June 28, @07:05PM (#34990)
First off this one did not require a reboot. Second off, the post by kf97mopa 1) is misrepresenting the issue, and 2) is way too simplistic. While it is fine to use kextload and kextunload if what you are doing is replacing kexts, provided you can trust that the user is not doing anything that calls those kexts (which is the tricky bit). What that does not take into account is that many (most) updaters that need to reboot are not requiring the reboot due to a kext replacement, but rather due to frameworks being replaced. Unloading those and reloading them is not nearly as simple since you need to kill all processes that are using them directly or indirectly. Do a 'ps -awwjx' sometime and look at what the parent ids of many of the system processes are and you will start to get a feel for how a reboot is the most sane answer.
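The reasoning in the comment above (a replaced framework is only gone once every process mapping it, and everything descended from those processes, has exited) as an added POSIX shell example; this is not code from the page or from Apple, and the `ps -awwjx`-style process table, the PID-to-framework list and the framework names are all constructed for illustration, not data from a real system:

```shell
#!/bin/sh
# Added example, not from the page: which processes must be gone before a replaced
# framework is fully unloaded? The direct users plus every process descended from them.

# Constructed sample in the column layout of `ps -awwjx` (PID in $2, PPID in $3).
PS_SAMPLE='USER PID PPID PGID SESS JOBC STAT TT TIME COMMAND
root 1 0 1 0 0 Ss ?? 0:01.00 /sbin/init
root 80 1 80 0 0 Ss ?? 0:00.50 loginwindow
root 81 1 81 0 0 Ss ?? 0:02.00 WindowServer
user 120 80 120 0 0 S ?? 0:00.30 Dock
user 121 80 121 0 0 S ?? 0:00.40 Finder
user 200 121 200 0 0 S ?? 0:00.10 Terminal
user 201 200 201 201 0 Ss p1 0:00.05 -bash
root 90 1 90 0 0 Ss ?? 0:00.20 sshd
root 95 1 95 0 0 Ss ?? 0:00.20 httpd'

# Constructed "PID framework" pairs standing in for what lsof or vmmap would report.
MAPPED_SAMPLE='80 CoreFoundation
81 CoreFoundation
120 CoreFoundation
121 CoreFoundation
90 OpenSSL
95 OpenSSL'

# restart_set FRAMEWORK: print, sorted and space separated, every PID that maps
# FRAMEWORK directly plus every transitive child of such a PID.
restart_set() {
    users=$(printf '%s\n' "$MAPPED_SAMPLE" | awk -v fw="$1" '$2 == fw { print $1 }' | tr '\n' ' ')
    printf '%s\n' "$PS_SAMPLE" | awk -v roots="$users" '
        BEGIN { n = split(roots, r); for (i = 1; i <= n; i++) root[r[i]] = 1 }
        NR > 1 { ppid[$2] = $3 }            # skip the header line
        END {
            for (p in ppid) {
                q = p                        # climb from p towards PID 1 ...
                while (q != "") {
                    if (q in root) { print p; break }   # ... stopping at the first direct user
                    q = (q in ppid) ? ppid[q] : ""
                }
            }
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Example run: the whole login session hangs off loginwindow (PID 80), so replacing a
# framework it maps means taking down the Dock, Finder, Terminal and the shell as well.
restart_set CoreFoundation
```

Swapping the two constructed samples for real `ps -awwjx` output and a real per-process mapping list turns this into a quick way to see how much of a session a given framework update would really touch.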
by Anonymous Coward on Monday July 01, @02:57AM (#35004)
Given that Apple wants to enter the server market with Xserve etc., it is not a good thing to let customers wait for important security updates.
If Red Hat does it within a day and Apple takes its time, Red Hat will eat Apple's lunch. This is how competition works.
by Anonymous Coward on Monday July 01, @02:58AM (#35005)
what is your email address ?
Do you have an online resume ?
Really? I find junk like this all the time on /.
So what would you propose? Junking the whole system and letting the message board owners dictate what they think is relevant?
What passes for 'democracy' in, for example, the US and UK, does not always work. It allows for 'hate speech' and bad decision making by the public - should we junk that too and let the *state* decide what's good and what's not?
The moderation system is about choice - you can choose at what threshold to browse, or you can ignore moderation points completely and view everything.
I do not wish to have your views, or anyone else's, imposed on me when I can have a choice.
-- Iain
by Anonymous Coward on Monday July 01, @09:39AM (#35013)
MacSlash is the only slash-type msg board I regularly read where there is a real danger of finding racism, bad language and other garbage.
You might want to choose a word other than "danger." Because, really, it's not going to kill you.