OS X Security Update: Apache, SSL and SSH 227
payote writes "Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system." It's not in my Software Update window, because I'm still on 10.1.4 (having heard rumors that RtCW doesn't work on 10.1.5). But it is indeed out, and any Mac OS X machine whose webserver or ssh server is open to an untrusted network needs to upgrade.
Problem seen - addressed (Score:3, Insightful)
How it should be. OS X.
blakespot
Re:Problem seen - addressed (Score:1, Flamebait)
Don't get me wrong, I'm not anti-Apple in any way, but they don't exactly deserve kudos for this. It's their job to fix known issues, so they do it, as does Microsoft, as do many Open Source contributors (who do get a bit more kudos since usually they have no commercial obligation to do so).
Re:Problem seen - addressed (Score:1)
It means that you can get more help in bug testing and fixing.
But you are also giving crackers info they need to break into sites, possibly causing loss of ca$h to some people.
Perhaps next time a bug like this comes up they say, we know there is a bug, and we will fix it.
Medevo
Re:Problem seen - addressed (Score:1)
What is it like to compile vanilla UNIX apps under OSX? I used to run NeXTStep and most of the things compiled fine.
Re:Problem seen - addressed (Score:2, Informative)
- Do any of you OSX folks download the Apache source and do your own compile?
Not from Apple. Only Darwin is Open Source. But there is Fink (see SourceForge) which provides all the GNU GNoods you're used to.
- Does OSX still ship with a development environment?
Not with the latest machines (this year), but the developer tools are freely downloadable (after registering and having your flesh branded with the Apple logo.....just seeing if you're paying attention....).
Re:Problem seen - addressed (Score:5, Informative)
Apple still *does* ship the compilers. On the newer machines go to
I don't know why they don't install it with the base OS, but at least they put the installer on the disk for you!
--NBVB
Re:Problem seen - addressed (Score:1, Insightful)
Re:Problem seen - addressed (Score:2, Informative)
Apple's Apache modules are also open sourced. Anyone could have built a fully functional Apache for Mac OS X. Just check Apple's developers site [apple.com] and you'll see they have plenty of code open sourced.
Re:Problem seen - addressed (Score:3, Interesting)
[ This is not a troll, nor flame, just opinion ]
The apache vulnerability was known 6/17 (aka 11 days ago). The exploits were circulating by 6/20 (aka 8 days ago).
The openssh vulnerability is more recent, so I won't hassle with that, but not producing an update until a week after exploits are already circulating is dangerous at the very least. Yes, they produced an update. No, it wasn't fast enough.
Re:Problem seen - addressed (Score:1)
Re:Problem seen - addressed (Score:5, Insightful)
YEAH! Those boneheads prolly wasted time testing and crap like that.
Re:Problem seen - addressed (Score:1, Funny)
Re: Apple responded in a reasonably timely fashion (Score:2)
Like most other administrators I have to work with, it sounds like they are simply exhibiting big egos and little professionalism (though I would not wish to jump to conclusions, it's most likely in my experience).
Apart from upgrading the SSH and Apache binaries yourself (I know I was too lazy and waited for Apple because I knew one was coming out) you could simply have disabled those services - after all they are disabled by default on Mac OS X.
Lastly, in response to the original poster, Apple's response was slower than I would have liked (as the OpenSSH one was disclosed to vendors like Apple ~10 days before it was announced) but timely and the fix was very elegant and appears to be bug free (clean install all round, no reboot required, etc).
Re: Apple responded in a reasonably timely fashion (Score:2)
Disabling the services is exactly what I did. I used the SSH workaround and I disabled Apache. Now I can reenable it. Oh, and this particular machine is outside the firewall.
My Linux box is so customised that I can't install Apache with RPM. I don't even have the drive space to compile httpd.
Yeah.. I mean.. (Score:2)
I mean, if you want to rely on a vendor supplied package based on an open project, of COURSE there is going to be a lag.
Re:Problem seen - addressed (Score:5, Informative)
For what it's worth, Apple has responded more promptly to the Apache vulnerability than have other commercial Unix vendors. I do security work for my employer (a research institution with dozens of independent Web servers). We have all manner of systems running Apache -- but mostly Red Hat, Sun, and SGI. Guess which one of those three is the only one to have an officially supported patch out -- and which two I'm telling people they need to compile the new version from source?
No, Apple didn't have the patch out as quickly as Red Hat or Debian. Nevertheless, it is interesting to note that the open-source distributors patched quickest, the closed-source vendors (Sun and SGI) haven't patched yet -- and halfway-open Apple is right in the middle. For a company with precious little experience on the server side of things, Apple has done quite nicely.
Re:Problem seen - addressed (Score:2)
Alex
Re:Problem seen - addressed (Score:1)
Re:Mac running webservers? (Score:4, Informative)
Pages under the hierarchy
Re:Mac running webservers? (Score:2, Informative)
Ruins custom PHP installs (Score:5, Informative)
Re:Ruins custom PHP installs (Score:2)
Re:Ruins custom PHP installs (Score:1)
Didn't ruin my installation (Score:5, Informative)
Whew (Score:5, Funny)
Re:Whew (Score:1)
Re:Whew (Score:2)
They all three can be fast and exhilarating but the quality of the experience/or lack thereof is in no way a good exchange for the risks involved.
Re:Whew (Score:5, Funny)
You must have been neutered, right? To make that comparison?
Wow man, you must have big balls to admit in a public forum that you've been neutered. Wait, strike that...
Re:Whew (Score:2, Flamebait)
It looks like I'm gonna have to install from tarball or even [shudder] source.
Thanks a lot, Red Hat. You suck.
Quick and easy (Score:4, Insightful)
FYI, no reboot needed (Score:4, Interesting)
Nicely enough, this does not require a reboot to get working. It downloaded and killed off the old sshd (and one would assume Apache if I had a web server on my laptop!).
Re:FYI, no reboot needed (Score:2, Funny)
Why should it?
Upgrading Apache and OpenSSH (and most other apps, even daemons/services) doesn't even require a reboot on Win2000/XP. Welcome to the future!
Re:FYI, no reboot needed (Score:5, Insightful)
No, welcome to the past. Updating ANY daemon, service or software not directly related to the kernel or core libraries does not require reboot. Where the hell have you been?
It's quite sad when the words 'update' or 'patch' are considered synonymous with 'reboot.'
Re:FYI, no reboot needed (Score:2)
If I remember correctly, on Solaris -- there is a way to install Solaris 9 over 8 without ever rebooting. This probably requires some jumping through the hoops to get working -- but I have heard evidence that it does work; I am not too sure if you have to come down the ladder on run-levels during this; I would assume that you stay in 5 because otherwise it would be kinda pointless. If anybody knows for sure please feel free to correct me.
Imagine that, 0 downtime even for OS upgrade. How is *that* for "welcome to the future?"
Re:FYI, no reboot needed (Score:3, Funny)
Apple tends to err on the side of caution with their Software Update scripts, usually forcing a reboot.
I don't mind myself, not being one of those people who equates uptime with anatomical endowment.
Re:FYI, no reboot needed (Score:1, Funny)
Uptime+Karma^2=Anatomical Endowment
People these days...
Re:FYI, no reboot needed (Score:1)
Just like updating iTunes (an MP3 player) shouldn't need a reboot...except iTunes did require the reboot, and ssh didn't. Or half a dozen other past updates that shouldn't require a reboot, but did. I would say "I hope this is a good sign for the future", but somehow I suspect it just happened to work out this way rather than be a plan.
Re:FYI, no reboot needed (Score:5, Informative)
iTunes updates usually also update the core CD/DVD burning libraries as well as the kernel extensions that support the drives. This is why iTunes requires a reboot. The original poster did say '...as long as the kernel or core libraries aren't updated'.
Re:FYI, no reboot needed (Score:1)
I like to think I was answering the underlying question "why should any update require me to go save all the places my web browser is on, save up drafts of email I'm writing, remember all the stuff I was in the middle of...and reboot". (Of course it would be nice if my web browser and other apps could just be told to "re-open the way you are now!")
Even upgrading a shared library shouldn't really require a reboot. Install the one with the newer version number; if the old one has the same major version, delete it. If anything is currently running that was using it, it will be kept around until they all exit. The only real problem is if they talk to an external device that needs locking, and the locking method changed. Even then one could use something like fstat to find the apps running it and request that those apps and only those apps be closed before the install completes.
Sure, it's work...and nothing else tries as hard as it could...but it could really be done. One could get to the point where only a kernel change needs a reboot. Then we can work on the hard stuff :-)
Re:FYI, no reboot needed (Score:1)
Just like updating iTunes (an MP3 player) shouldn't need a reboot...except iTunes did require the reboot, and ssh didn't.
in fact iTunes has a startup item called iTuneshelper, and since you upgrade its parent app, a reboot is required in order to enable it, at start-up...
Required a reboot for me - Was it applescript? (Score:1)
Re:Required a reboot for me - Was it applescript? (Score:1)
Re:Required a reboot for me - Was it applescript? (Score:2)
Re:FYI, no reboot needed (Score:2)
No need to welcome me to the future - I'm using a machine that ships with SSH and Apache which are updated through the OS update mechanism, so I'm already there (parked next to the long term residents who've been using apt for ages!)
Let's hope Apple gets quicker.... (Score:3, Insightful)
I mean, I had already updated my FreeBSD machines two days ago. I got sick of waiting for Apple to release the easy to apply software update patch so I just manually upgraded my OpenSSH via the command line.
I understand that most of Apple's users don't want to touch the command line and wouldn't know where to start compiling software, so I also understand that it will take them a little time to deliver the security patch in an easy to install fashion via software update. I just hope they release the next update more quickly, instead of waiting for a few needed updates to pile up and release an all in one uber-update.
Re:Let's hope Apple gets quicker.... (Score:2, Insightful)
Regardless, I can now confirm that there are exploits circulating in the wild for both of these vulnerabilities. I have, in my inbox, a copy of an apache worm that specifically targets freebsd 4.5 releases running apache 1.3.20, 1.3.22, and 1.3.24. Also, one of the IDS systems caught a version of the openssh 3.3 exploit wednesday morning.
Apple is quick, but still too slow, as many of these systems could have already been compromised.
Re:Let's hope Apple gets quicker.... (Score:5, Interesting)
Have I missed a bug along the way somewhere? I do remember doing a manual apache upgrade at one point but don't recall that being a remote root bug.
Re:Let's hope Apple gets quicker.... (Score:1)
Re:Let's hope Apple gets quicker.... (Score:3, Informative)
It was 'gain root access' via NetInfo hack (details here: http://www.securiteam.com/securitynews/6T00O0K2UW
Basically all you needed to do to exploit this was:
a) Run an application (e.g. Terminal)
b) Run NetInfo Manager (in
c) Run the 1st application (e.g. Terminal) but this time start it from the "Apple->Recent Items->" menu and it will run as setuid root.
In the case of the Terminal application, this gave you a root prompt.
:-(
Re:Let's hope Apple gets quicker.... (Score:2)
it's not very difficult to find an OS with no running services that has not had a (you mean remote perhaps?) exploit in over a year.
True, but it makes you wonder why OpenBSD which was designed for security had anything open in the default install.... By default all remote access options in an OS should be off. Strangely Windows, OpenBSD, most linux distros (clearly not the build-it-yourself type), all come with at least SSH turned on by default.
Re:Let's hope Apple gets quicker.... (Score:2)
Re:Let's hope Apple gets quicker.... (Score:2, Informative)
Good point, but if you think about it, how many of those users (who wouldn't ever want to touch a command line) are running OpenSSH and Apache? A very small group, I'm sure. Those who are running one or both of those services are (usually) at least aware of a command line and how to upgrade without Software Update. Software Update is for those who don't know or care to learn how to use the shell - again, a minority.
Re:Let's hope Apple gets quicker.... (Score:2)
Re:Let's hope Apple gets quicker.... (Score:2)
On the other side of the coin, I've been doing UNIX software development for a decade, and I waited for the Apple updates rather than compiling my own. I turned off SSH until that one was fixed, but left Apache to fend for itself (the box is firewalled and NAT'd so I wasn't too worried).
Re:Let's hope Apple gets quicker.... (Score:2)
It does say what those two checkboxes do right under the checkbox in question. Of course, anyone who turns these things on without knowing what they are doing is a fool.
Beyond that, I note that you mention (among other people) turning them on rather than turning them off. Could it be? No, Apple didn't set these things off by default, did they? On a desktop operating system? What the hell kind of security practice is that?
A good one.
Apple is plenty quick.
Re:Let's hope Apple gets quicker.... (Score:5, Insightful)
Jeez, cut them a break man. I just heard of this vulnerability a couple of days ago myself, and was surprised to see an update to remedy this issue so quickly. Because of their commitment to quality in their products, I am sure Apple wanted to QA this thing first before releasing something buggy on their customers.
You have to admit that Apple has been FAR more responsive to their customers with a variety of issues than has M$ and even a bunch of Linux distros.
Re:Let's hope Apple gets quicker.... (Score:2)
Well, considering Bill now looks like an insane, evil, power-hungry, totalitarian dictator of a businessman, I guess the puppy thing wouldn't be so bad. Unless he piddled on the carpet. Nothing worse than house-training a Chief Software Architect. Of course, looking at this picture [microsoft.com], he already has a problem with getting on the couch and digging in the trash.
Nice troll, btw.
Re:Let's hope Apple gets quicker.... (Score:1)
Well pretty much the fact that Bill's in charge means Steve never will be, so your hatred is pretty stupid, no? Take your stupidity elsewhere,
Re:Let's hope Apple gets quicker.... (Score:4, Funny)
We have to have *something* to do when we're not rebooting after crashing, reinstalling the entire system thanks to yet another virus attack, or beating back the EULA police.. That's the kind of substance I can do without, thank you very much.
Boy, the trolls sure do come out of the woodwork on Apple stories, don't they?
RTCW (Score:5, Informative)
Re:RTCW (Score:1)
Got it (Score:1)
And it was sure nice to get an update that didn't require a restart! What's up with all the restarts required, anyway? This is Unix...I'm not used to restarting all the time (except kernel upgrades; but those are rare for me)
Use Versiontracker ;) (Score:1)
RtCW failing is related to RtCW upgrade 1.33 (Score:4, Informative)
There's some discussion on whether Aspyr will patch this however there is a workaround. Download the "lite" version of the 1.33 upgrade for PC, unstuffit and then replace mp_bin.pk3 in your MAIN folder.
These instructions are highlighted at the bottom of this URL on Aspyr's site [aspyr.com]
What is going on? (Score:4, Insightful)
Apple releases massive security update and they are lauded for their focus on protecting their users.
Red Hat releases security updates and no one mentions them at all.
Re:What is going on? (Score:3, Insightful)
Second, Apple took way too long to release the Apache update. Red Hat had a fix available the next day...Apple's fix is well over a week after the fact.
See, Red Hat got mentioned!
Sigh... (Score:2)
Re:What is going on? (Score:1)
MS has been doing this for years and still can't get a patch out right away. And when they do, it needs 3 subsequent releases to get it right.
-s
Re:metrics contradict slashdot truisms (Score:3, Informative)
Well, simple really:
Update does not address privilege separation issue (Score:4, Informative)
Re:Update does not address privilege separation is (Score:3, Informative)
Scott Anguish has an article [stepwise.com] on stepwise.com [stepwise.com] that shows you how to build OpenSSH yourself. He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.
I don't know if Apple configures their update similarly, but I'll bet they do.
Re:Update does not address privilege separation is (Score:2, Informative)
He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.
If you run every non-privileged service (http, anon ftp, ntp, nntp, etc.) and partial service (ssh, mail, etc.) as the same non-privileged user, it defeats a lot of the purpose of the non-privilegedness. Even with chrooting, a process running as a non-root user can affect other processes that belong to the same user (e.g. send them signals). This is why vendors and sysadmins who know what they're doing create a different user for each service.
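An added example, not from the thread, that checks the point made above: it applies the POSIX kill(2) permission rule (an unprivileged sender may signal a target whose real or saved set-user-ID matches the sender's real or effective UID; effective UID 0 may signal anything) to two constructed process tables, one where sshd's privilege-separated child, the httpd worker and ntpd all run as "nobody", and one with a dedicated UID per service. The UID numbers and PIDs are constructed for the example.

```python
"""Audit a process table for cross-service signalling reach.

Constructed example: applies the POSIX kill(2) permission rule to a
process table.  An unprivileged process may signal a target when its
real or effective UID matches the target's real or saved set-user-ID;
a process with effective UID 0 may signal anything.  So every daemon
dropped to the same 'nobody' account can signal every other one.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import permutations

# UID values are constructed for this example; only 0 (root) is universal.
ROOT, NOBODY, WWW, SSHD, NTP = 0, 65534, 70, 75, 80
NAMES = {ROOT: "root", NOBODY: "nobody", WWW: "www", SSHD: "sshd", NTP: "ntp"}


@dataclass(frozen=True)
class Proc:
    pid: int
    service: str  # daemon name
    ruid: int     # real UID
    euid: int     # effective UID
    suid: int     # saved set-user-ID


def can_signal(sender: Proc, target: Proc) -> bool:
    """kill(2) permission check as POSIX specifies it (no platform extras)."""
    if sender.euid == ROOT:
        return True
    return (sender.ruid in (target.ruid, target.suid)
            or sender.euid in (target.ruid, target.suid))


def shared_uids(procs):
    """Map each non-root UID to the set of distinct services running under it,
    keeping only UIDs shared by more than one service."""
    by_uid = defaultdict(set)
    for p in procs:
        if p.euid != ROOT:
            by_uid[p.euid].add(p.service)
    return {uid: svcs for uid, svcs in by_uid.items() if len(svcs) > 1}


def cross_service_reach(procs):
    """Pairs (sender_service, target_service) where an unprivileged process of
    one service could signal a process of a *different* service.  Root senders
    are skipped: root reaching everything is expected, not a finding."""
    pairs = set()
    for a, b in permutations(procs, 2):
        if a.euid != ROOT and a.service != b.service and can_signal(a, b):
            pairs.add((a.service, b.service))
    return sorted(pairs)


# Constructed table: every dropped-privilege process under the one 'nobody' UID.
WEAK = [
    Proc(120, "sshd", ROOT, ROOT, ROOT),          # listener keeps root
    Proc(121, "sshd", NOBODY, NOBODY, NOBODY),    # privsep child
    Proc(200, "httpd", ROOT, ROOT, ROOT),         # parent keeps root
    Proc(201, "httpd", NOBODY, NOBODY, NOBODY),   # worker
    Proc(300, "ntpd", NOBODY, NOBODY, NOBODY),
]

# Same daemons, one dedicated UID per service.
HARDENED = [
    Proc(120, "sshd", ROOT, ROOT, ROOT),
    Proc(121, "sshd", SSHD, SSHD, SSHD),
    Proc(200, "httpd", ROOT, ROOT, ROOT),
    Proc(201, "httpd", WWW, WWW, WWW),
    Proc(300, "ntpd", NTP, NTP, NTP),
]

if __name__ == "__main__":
    for label, table in (("weak", WEAK), ("hardened", HARDENED)):
        shared = {NAMES[u]: sorted(s) for u, s in shared_uids(table).items()}
        print(label, "shared:", shared, "reach:", cross_service_reach(table))
```

On the weak table the sshd child, the httpd worker and ntpd can all signal each other; on the hardened table no unprivileged process can reach another service's process.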
mod_ssl 2.8.9 has a security hole (Score:4, Informative)
Just in time (Score:4, Informative)
Re:Just in time (Score:2, Informative)
Do Apples make good webservers? (Score:1, Interesting)
Linux and FreeBSD have been available for PPC for a while now, meaning that people could be running Macs as webservers. Although a very tiny percentage of the server population runs Mac webservers, these are mostly running enthusiast's webpages. The bottom line is, most serious webserving applications use Linux or FreeBSD or (gasp) IIS on PC's. (Also multi-CPU Unix servers, etc.)
My question is... why the small portion of webservers running on Apple? Is it because:
1) Apple computers represent a small portion of the computer market
2) Apple users generally run web servers
3) Apple computers suck at running web servers
4) Network admins don't like Apples
5) Some combination of the above
I'd be interested in hearing some people's comments.
Cheers!
Re:Do Apples make good webservers? (Score:1)
2) Apple users generally DON'T run web servers
I didn't want to unintentionally insult anyone out there!
No real hardware options I guess (Score:1)
Linux and BSD are pretty popular especially as 'free' webservers. You have a spare box (or get a new one cheap), hook it up with the latest UNIX OS of your choice and run Apache. Cheap and stable.
For more serious shops they want things Apple is only getting around to now. And still why use Apple hardware for webservers if you can run almost the same webserver on a box from your usual dealer. That's why Mac shops use Apple hardware for webservers. It's comfortable to use the same dealer for everything.
Re:Do Apples make good webservers? (Score:1, Informative)
It always comes down to the right tool for the right job. If you run a Mac shop, why run a PC webserver? Apache for MacOS X is not the first webserver to run on a Mac. Macs have served pages for many years, and with fewer exploits (if any).
In fact I have a Beige G3 Desktop right next to my Sun SPARCstation, and my Proliant W2KAS, the G3 is running MacOS X w/Apache hosting my website--Why? 'Cause it can.
Re:Do Apples make good webservers? (Score:5, Insightful)
Re:Do Apples make good webservers? (Score:3, Informative)
I don't know how to do this in pure Darwin, but I assume you can since all power management is handled by Darwin.
Re:Do Apples make good webservers? (Score:4, Insightful)
If you walk out into traffic, you'll get run over. If you hit yourself on the head with a hammer, you'll get a concussion. If you install Apache over top of the copy that Apple provides, then when (not if) they update their install, yours will be overwritten. In each case, the answer is simple: don't fscking do that!
Good lord people, think! This isn't rocket science. It's simple. If you ask for problems, you'll get them.
Geezus.. we hate MS for 3 patches, but boy :) (Score:2)
can't we all just get a bong?
Oh this is going to be fun. (Score:2, Informative)
2. ???
3. Profit!
Apple's response time (Score:1, Insightful)
Cheers,
-JD-
Minor New Features (Score:3, Interesting)
Re:Minor New Features (Score:2)
rotatelogs in X Server (Score:2)
I'm not sure when rotatelogs got added to regular Mac OS X. My mistake. I've only been working with Apache on X Server.
Re:Does this fix the apache hole? (Score:4, Interesting)
Re:Does this fix the apache hole? (Score:2)
Well, Apache 1.3.26 is included in the update, and as far as I thought, Apache 1.3.26 was an update specifically to fix that hole. But I could be wrong.
Re:Does this fix the apache hole? (Score:1, Redundant)
Re:Hypocrites QWZX (Score:1, Insightful)
Sometimes we don't all want to feel like developers. It's good to be a user every now and then.
Re:Good to see... (Score:1)
Re:Good to see... (Score:4, Insightful)
It makes more sense for Apple to simply release packages consisting of multiple minor security updates every three to six months. Most mac users would rather not have Software Update launch and pester them every week.
I see you under that bridge (Score:2, Insightful)
I don't think that they care whether it's MacOS or not. It's Apache or it's SSH -- they're familiar enough with those.
It makes more sense for Apple to simply release packages consisting of multiple minor security updates every three to six months.
You're trolling, right? You must be trolling. You really think that Apple should leave big, known, gaping holes unpatched for months on end? Check it, man, a week wasn't fast enough for a number of posters in this forum... if Apple let 3 months go by they'd be crucified, even if not a single mac was 'sploited
Most mac users would rather not have Software Update launch and pester them every week.
I don't know. I feel a frisson of excitement when SU has something new for me. Usually it means that something that was broken will soon be less broken, or better yet, there will be new functionality for me to enjoy. Granted the latest AirPort update was a major bust, but I'm all in favor of their rolling out the latest bugfixes as soon as they've been thoroughly tested.
Re:Good to see... (Score:4, Insightful)
2. Apple needed to test the patch.
3. Apple needed to build the updater.
Those who were willing have been able to apply the patches to their machines for a week. How many machines running OpenSSH and Apache have been patched (no, not just OS X - all machines that run those)?
Apple has made its update available and easily installable. Within 1-2 weeks, over 80% of MacOS X systems are likely to be patched. Somehow I doubt that any other OS will be able to claim those numbers within a month of the bugs being found.
Of course, the majority of those systems aren't *running* Apache and OpenSSH, but other people have pointed that out.
Not quite the same (Score:3, Insightful)
Apple - on the other hand - uses all the standard UNIX stuff. And what is applauded is that they are so quick in getting these updates out (pretty quick this time considering the OpenSSH patch was only made public yesterday - I think it was). They haven't been this fast the last couple of times major holes were discovered in one of the components they use.
Re:Notice (Score:3, Insightful)
I would guess that it is because MS's holes are created by themselves, whereas Apple's are from 3rd party software. I don't remember (and I could very well be wrong here) any vulnerabilities that Apple introduced into their OS. Also, Apple is still pretty new to the open software arena, so I would guess that they are still adapting to the quick rate of patch releases in the open source field.
Not that I think they should get a pass for the week delay. Just a few ideas.
Re:Bye Apple (Score:3, Interesting)
Apple has been shipping ATI hardware acceleration in OS X since 10.0. 10.1.5 added support for some of the ancient ATI cards. 10.2 adds hardware accelerated scrolling support for ATI and NVidia cards, in addition to Quartz Extreme for Radeon/GeForce cards (it's not a VRAM issue as much as it is support for textures that aren't a power of two in a dimension).
-jon
Re:ARGH one day too late (Score:2, Insightful)
However, some people like to do it the hard way ;)
Also, you can't really blame Apple that someone rooted your box. You turned SSH on in the first place, and it's your job to make sure that you have the latest patch or stop the service if it's vulnerable. And who knows, maybe someone just guessed your easy password? There's never a guarantee against that...