OS X Security Update: Apache, SSL and SSH

payote writes "Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system." It's not in my Software Update window, because I'm still on 10.1.4 (having heard rumors that RtCW doesn't work on 10.1.5). But it is indeed out, and any Mac OS X machine whose webserver or ssh server is open to an untrusted network needs to upgrade.
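
An inventory check built on the version numbers in the summary above, as an added example that is not part of the original story or of Apple's update: it parses service banners and lists components older than Apache 1.3.26, mod_ssl 2.8.9 or OpenSSH 3.4. The host names and banners are constructed, and `vendor_patched` is a hypothetical allow-list for vendor packages that backport a fix without changing the version string.

```python
import re

# Fixed versions named in the July 2002 Security Update summary.
FIXED = {"Apache": (1, 3, 26), "mod_ssl": (2, 8, 9), "OpenSSH": (3, 4)}

# Matches "Apache/1.3.24", "mod_ssl/2.8.7" and "OpenSSH_3.3p1"; a trailing
# portable-release suffix such as "p1" is ignored for the comparison.
_TOKEN = re.compile(r"\b(Apache|mod_ssl|OpenSSH)[/_](\d+(?:\.\d+)*)")

# Constructed inventory, one "host<TAB>banner" per line. The banner is either
# an HTTP Server header value or the SSH protocol greeting.
SAMPLE_BANNERS = """\
web1.example.test\tApache/1.3.24 (Darwin) mod_ssl/2.8.7
web2.example.test\tApache/1.3.26 (Darwin) mod_ssl/2.8.9
lab3.example.test\tSSH-1.99-OpenSSH_3.3
lab4.example.test\tSSH-2.0-OpenSSH_3.4p1
rpm5.example.test\tSSH-1.99-OpenSSH_3.1p1
"""


def parse_versions(banner):
    """Return {component: version tuple} for each known component in a banner."""
    return {name: tuple(int(part) for part in ver.split("."))
            for name, ver in _TOKEN.findall(banner)}


def _older(seen, fixed):
    """Compare version tuples after zero-padding, so 3.4 equals 3.4.0."""
    width = max(len(seen), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(seen) < pad(fixed)


def stale_components(banner, fixed=FIXED):
    """Names of components whose advertised version predates the fixed one."""
    return sorted(name for name, ver in parse_versions(banner).items()
                  if _older(ver, fixed[name]))


def audit(inventory, vendor_patched=frozenset()):
    """Map host -> stale components, skipping (host, component) pairs that an
    administrator has confirmed are patched by a vendor package."""
    report = {}
    for line in inventory.splitlines():
        host, sep, banner = line.partition("\t")
        if not sep:
            continue  # not a "host<TAB>banner" line
        stale = [c for c in stale_components(banner)
                 if (host, c) not in vendor_patched]
        if stale:
            report[host] = stale
    return report


if __name__ == "__main__":
    for host, stale in audit(SAMPLE_BANNERS).items():
        print(host, "needs:", ", ".join(stale))
```

A banner below the threshold is a prompt to check the installed package, not proof of exposure, which is what the allow-list is for.
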
This discussion has been archived. No new comments can be posted.

  • by blakespot ( 213991 ) on Friday June 28, 2002 @04:05PM (#3788959) Homepage
    Apache makes the vulnerability known, and Apple's right there with an OS patch bringing the new version into the fold.

    How it should be. OS X.

    blakespot
    • I think you meant to say ISS stupidly makes the vulnerability known before notifying Apache, Apache scrambles to put in a fix. Apple puts out a fix since everyone else is and they'd look like a tool to be the only ones without patched Apache and OpenSSH.

      Don't get me wrong, I'm not anti-Apple in any way, but they don't exactly deserve kudos for this. It's their job to fix known issues, so they do it, as does Microsoft, as do many Open Source contributors (who do get a bit more kudos since usually they have no commercial obligation to do so).

    • The throwing the bug out to the public idea is a very interesting one.

      It means that you can get more help in bug testing and fixing.

      But you are also giving crackers info they need to break into sites, possibly causing loss of ca$h to some people.

      Perhaps next time a bug like this comes up they say, we know there is a bug, and we will fix it.

      Medevo
    • Do any of you OSX folks download the Apache source and do your own compile? Does OSX still ship with a development environment?

      What is it like to compile vanilla UNIX apps under OSX? I used to run NeXTStep and most of the things compiled fine.

        • Do any of you OSX folks download the Apache source and do your own compile?
        Not from Apple. Only Darwin is Open Source. But there is Fink (see SourceForge) which provides all the GNU GNoods you're used to.
        • Does OSX still ship with a development environment?
        Not with the latest machines (this year), but the developer tools are freely downloadable (after registering and having your flesh branded with the Apple logo.....just seeing if you're paying attention....).
        • by nbvb ( 32836 ) on Friday June 28, 2002 @04:38PM (#3789152) Journal
          NOT TRUE.

          Apple still *does* ship the compilers. On the newer machines go to /Applications/Utilities/Installers and install the "Developer Tools.pkg" file. That will do it :-)

          I don't know why they don't install it with the base OS, but at least they put the installer on the disk for you!

          --NBVB
          • by Anonymous Coward
            According to some guys at Apple, they were worried that lazy developers would rely on end users to drop down into Terminal and run perl scripts and such to do installations if they allowed them to assume that every OSX user would have developer tools.
        • Do any of you OSX folks download the Apache source and do your own compile?
          Not from Apple. Only Darwin is Open Source. But there is Fink (see SourceForge) which provides all the GNU GNoods you're used to.

          Apple's Apache modules are also open sourced. Anyone could have built a fully functional Apache for Mac OS X. Just check Apple's developers site [apple.com] and you'll see they have plenty of code open sourced.


    • [ This is not a troll, nor flame, just opinion ]

      The apache vulnerability was known 6/17 (aka 11 days ago). The exploits were circulating by 6/20 (aka 8 days ago).

      The openssh vulnerability is more recent, so I won't hassle with that, but not producing an update until a week after exploits are already circulating is dangerous at the very least. Yes, they produced an update. No, it wasn't fast enough.
      • I totally agree. They took their sweet time with this one. At least now my sysadmin will let me back on the network now!
        • by Anonymous Coward on Friday June 28, 2002 @05:05PM (#3789307)
          I totally agree. They took their sweet time with this one.


          YEAH! Those boneheads prolly wasted time testing and crap like that.

        • by Anonymous Coward
          /etc/init.d/apache stop ... 10 days later ... /etc/init.d/apache start
        • There is no good reason for your sysadmin not to let you on the network - they are being overbearing and unprofessional. If they were professional and genuinely worried they would have blocked incoming ports to your host at the switch (or at worst - the gateway).

          Like most other administrators I have to work with, it sounds like they are simply exhibiting big egos and little professionalism (though I would not wish to jump to conclusions, it's most likely in my experience).

          Apart from upgrading the SSH and Apache binaries yourself (I know I was too lazy and waited for Apple because I knew one was coming out) you could simply have disabled those services - after all they are disabled by default on Mac OS X.

          Lastly, in response to the original poster, Apple's response was slower than I would have liked (as the OpenSSH one was disclosed to vendors like Apple ~10 days before it was announced) but timely and the fix was very elegant and appears to be bug free (clean install all round, no reboot required, etc).

          • HAHA -- well, I see that I left the smiley out. Seeing as I am the admin, I can now let my machine back on the network running httpd and ssh. :)

            Disabling the services is exactly what I did. I used the SSH workaround and I disabled Apache. Now I can reenable it. Oh, and this particular machine is outside the firewall.

            My Linux box is so customised that I can't install Apache with RPM. I don't even have the drive space to compile httpd. :( Time for a rebuild on that one -- and a new hard drive. In the meantime, its web server is down -- which is unfortunate because that's my primary web server. :(
      • It's not like this is open source or anything. It's not like the users could get patches themselves from apache and install them.

        I mean, if you want to rely on a vendor supplied package based on an open project, of COURSE there is going to be a lag.

      • by Frater 219 ( 1455 ) on Friday June 28, 2002 @08:08PM (#3790199) Journal
        Yes, they produced an update. No, it wasn't fast enough.

        For what it's worth, Apple has responded more promptly to the Apache vulnerability than have other commercial Unix vendors. I do security work for my employer (a research institution with dozens of independent Web servers). We have all manner of systems running Apache -- but mostly Red Hat, Sun, and SGI. Guess which one of those three is the only one to have an officially supported patch out -- and which two I'm telling people they need to compile the new version from source?

        No, Apple didn't have the patch out as quickly as Red Hat or Debian. Nevertheless, it is interesting to note that the open-source distributors patched quickest, the closed-source vendors (Sun and SGI) haven't patched yet -- and halfway-open Apple is right in the middle. For a company with precious little experience on the server side of things, Apple has done quite nicely.

      • According to posts on bugtraq, exploits have been circulating in the black hat community since mid April.

        Alex
    • Well my Apache server has been patched for more than a week. All that time an exploit has been out in the wild....
  • by arson1 ( 527855 ) on Friday June 28, 2002 @04:05PM (#3788960) Homepage
    Be prepared to reinstall PHP if you had a customized version. This update writes over it.
  • Whew (Score:5, Funny)

    by sheepab ( 461960 ) on Friday June 28, 2002 @04:07PM (#3788978) Homepage
    RedHat just came out with their updated RPMS also. Last time that SSH came out with a security vulnerability (the same time the zlib one hit) I WAS HACKED! Do you know how bad you feel after you've been hacked? It's like being neutered.
    • Does it feel like being infected with the Code Red worm? Stupid Windows 2000 box.....
      • Nope that's more like getting herpes... 9 out of ten get it and there's not much to do about it but treat the symptoms. To stay herpes/windows worm free you have to stay away from potentially infected entities. That means no unprotected sex, no hookers and no Windows.

        They all three can be fast and exhilarating but the quality of the experience/or lack thereof is in no way a good exchange for the risks involved.

    • Re:Whew (Score:5, Funny)

      by MisterBlister ( 539957 ) on Friday June 28, 2002 @04:14PM (#3789021) Homepage
      Do you know how bad you feel after you've been hacked? It's like being neutered.

      You must have been neutered, right? To make that comparison?

      Wow man, you must have big balls to admit in a public forum that you've been neutered. Wait, strike that...

    • Re:Whew (Score:2, Flamebait)

      by MsGeek ( 162936 )
      No, Red Hat didn't come out with a RPM for OpenSSH 3.4p...it's their hacked 3.1p.

      It looks like I'm gonna have to install from tarball or even [shudder] source.

      Thanks a lot, Red Hat. You suck.
  • Quick and easy (Score:4, Insightful)

    by znu ( 31198 ) <znu.public@gmail.com> on Friday June 28, 2002 @04:07PM (#3788981)
    Two minute install, no reboot required. Nice.
  • by stripes ( 3681 ) on Friday June 28, 2002 @04:08PM (#3788986) Homepage Journal

    Nicely enough, this does not require a reboot to get working. Downloaded and killed off the old sshd (and one would assume Apache if I had a web server on my laptop!).

    • Nicely enough, this does not require a reboot to get working.

      Why should it?

      Upgrading Apache and OpenSSH (and most other apps, even daemons/services) doesn't even require a reboot on Win2000/XP. Welcome to the future!

      • by uncleFester ( 29998 ) on Friday June 28, 2002 @04:29PM (#3789099) Homepage Journal
        Upgrading Apache and OpenSSH (and most other apps, even daemons/services) doesn't even require a reboot on Win2000/XP. Welcome to the future!

        No, welcome to the past. Updating ANY daemon, service or software not directly related to the kernel or core libraries does not require reboot. Where the hell have you been?

        It's quite sad when the words 'update' or 'patch' are considered synonymous with 'reboot.'
        • Updating ANY daemon, service or software not directly related to the kernel or core libraries does not require reboot. Where the hell have you been?

          If I remember correctly, on Solaris -- there is a way to install Solaris 9 over 8 without ever rebooting. This probably requires some jumping through the hoops to get working -- but I have heard evidence that it does work; I am not too sure if you have to come down the ladder on run-levels during this; I would assume that you stay in 5 because otherwise it would be kinda pointless. If anybody knows for sure please feel free to correct me.

          Imagine that, 0 downtime even for OS upgrade. How is *that* for "welcome to the future?"

      • He's probably referring to the OS X Networking Update last week that some people bitched about because it forced a reboot. That one required a reboot because it replaced the network stack, not just a few daemons.



        Apple tends to err on the side of caution with their Software Update scripts, usually forcing a reboot.
        I don't mind myself, not being one of those people who equates uptime with anatomical endowment.

      • Why should it?

        Just like updating iTunes (an MP3 player) shouldn't need a reboot...except iTunes did require the reboot, and ssh didn't. Or half a dozen other past updates that shouldn't require a reboot, but did. I would say "I hope this is a good sign for the future", but somehow I suspect it just happened to work out this way rather than be a plan.

        • by scorpioX ( 96322 ) on Friday June 28, 2002 @04:40PM (#3789159)
          Just like updating iTunes (an MP3 player) shouldn't need a reboot...except iTunes did require the reboot, and ssh didn't.

          iTunes updates usually also update the core CD/DVD burning libraries as well as the kernel extensions that support the drives. This is why iTunes requires a reboot. The original poster did say '...as long as the kernel or core libraries aren't updated'.
          • iTunes updates usually also update the core CD/DVD burning libraries as well as the kernel extensions that support the drives. This is why iTunes requires a reboot. The original poster did say '...as long as the kernel or core libraries aren't updated'.

            I like to think I was answering the underlying question "why should any update require me to go save all the places my web browser is on, save up drafts of email I'm writing, remember all the stuff I was in the middle of...and reboot". (Of course it would be nice if my web browser and other apps could just be told to "re-open the way you are now!")

            Even upgrading a shared library shouldn't really require a reboot. Install the one with the newer version number, if the old one has the same major delete it. If anything is currently running that was using it, it will be kept around until they all exit. The only real problem is if they talk to an external device that needs locking, and the locking method changed. Even then one could use something like fstat to find the apps running it and request that those apps and only those apps be closed before the install completes.

            Sure, it's work...and nothing else tries as hard as it could...but it could really be done. One could get to the point where only a kernel change needs a reboot. Then we can work on the hard stuff :-)

        • Just like updating iTunes (an MP3 player) shouldn't need a reboot...except iTunes did require the reboot, and ssh didn't.

          in fact iTunes has a startup item called iTuneshelper, and since you upgrade its parent app, a reboot is required in order to enable it, at start-up...

      • Interestingly enough, for me it did require a reboot. Perhaps because I chose to install the Applescript upgrade at the same time.
      • It shouldn't, the note about not requiring a reboot referred to the last few updates (10.1.5, JavaScript, networking) that all required a reboot for one reason or another. It's just nice to finally see a normal update that doesn't require a reboot (I don't think many have so far).

        No need to welcome me to the future - I'm using a machine that ships with SSH and Apache which are updated through the OS update mechanism, so I'm already there (parked next to the long term residents who've been using apt for ages!)
  • by hoya ( 164460 ) on Friday June 28, 2002 @04:12PM (#3789011)
    I am happy to see that Apple is doing the right thing. I just hope their next update comes a little bit quicker after a vulnerability is announced.

    I mean, I had already updated my FreeBSD machines two days ago. I got sick of waiting for Apple to release the easy to apply software update patch so I just manually upgraded my OpenSSH via the command line.

    I understand that most of Apple's users don't want to touch the command line and wouldn't know where to start compiling software, so I also understand that it will take them a little time to deliver the security patch in an easy to install fashion via software update. I just hope they release the next update more quickly, instead of waiting for a few needed updates to pile up and release an all in one uber-update.

    • The apache updates should have been days (if not a week) ago. The openssh update is recent, but there was such a fuss over the method chosen to announce it that most people updated already anyway.

      Regardless, I can now confirm that there are exploits circulating in the wild for both of these vulnerabilities. I have, in my inbox, a copy of an apache worm that specifically targets freebsd 4.5 releases running apache 1.3.20, 1.3.22, and 1.3.24. Also, one of the IDS systems caught a version of the openssh 3.3 exploit Wednesday morning.

      Apple is quick, but still too slow, as many of these systems could have already been compromised.
    • by TheAJofOZ ( 215260 ) <adrian.symphonious@net> on Friday June 28, 2002 @04:36PM (#3789143) Homepage Journal
      Ironically though, since SSH and Apache are both off in the default install, does that mean that OS X takes over the title of "Never had an exploit in the default install"? It's been out a year now so that's actually a reasonably impressive claim.

      Have I missed a bug along the way somewhere? I do remember doing a manual apache upgrade at one point but don't recall that being a remote root bug.
      • Well considering Apple did a pretty good job of closing down Mac OS X in the default install. I'd say yes. Nothing is really open to possible exploitation unless the user chooses to open it.
      • Sadly Apple has had a (local) exploit in the default install of Mac OS X (10.0 through 10.1).

        It was 'gain root access' via NetInfo hack (details here: http://www.securiteam.com/securitynews/6T00O0K2UW.html [securiteam.com]).

        Basically all you needed to do to exploit this was:
        a) Run an application (e.g. Terminal)
        b) Run NetInfo Manager (in /Applications/Utilities/) and leave it running as the foreground Application.
        c) Run the 1st application (e.g. Terminal) but this time start it from the "Apple->Recent Items->" menu and it will run as setuid root.

        In the case of the Terminal application, this gave you a root prompt.

        :-(

    • I understand that most of Apple's users don't want to touch the command line and wouldn't know where to start compiling software

      Good point, but if you think about it, how many of those users (who wouldn't ever want to touch a command line) are running OpenSSH and Apache? A very small group, I'm sure. Those who are running one or both of those services are (usually) at least aware of a command line and how to upgrade without Software Update. Software Update is for those who don't know or care to learn how to use the shell - again, a minority.
      • Don't count on it, since there's a single button to turn them on in the control panel :)
      • You haven't actually USED OSX have you? Turning on SSH and Apache is as simple as clicking a checkbox. They're not even called that in the interface. Apache is called "Web Sharing" and SSH is called "Remote Login". People very well might turn these on without knowing the implication.

        On the other side of the coin, I've been doing UNIX software development for a decade, and I waited for the Apple updates rather than compiling my own. I turned off SSH until that one was fixed, but left Apache to fend for itself (the box is firewalled and NAT'd so I wasn't too worried).
        • People very well might turn these on without knowing the implication.

          It does say what those two checkboxes do right under the checkbox in question. Of course, anyone who turns these things on without knowing what they are doing is a fool.

          Beyond that, I note that you mention (among other people) turning them on rather than turning them off. Could it be? No, Apple didn't set these things off by default, did they? On a desktop operating system? What the hell kind of security practice is that?

          A good one.

          Apple is plenty quick.

    • by BWJones ( 18351 ) on Friday June 28, 2002 @04:59PM (#3789267) Homepage Journal
      I am happy to see that Apple is doing the right thing. I just hope their next update comes a little bit quicker after a vulnerability is announced.

      Jeez, cut them a break man. I just heard of this vulnerability a couple of days ago myself, and was surprised to see an update to remedy this issue so quickly. Because of their commitment to quality in their products, I am sure Apple wanted to QA this thing first before releasing something buggy on their customers.

      You have to admit that Apple has been FAR more responsive to their customers with a variety of issues than has M$ and even a bunch of Linux distros.

  • RTCW (Score:5, Informative)

    by cyphersoft ( 569488 ) on Friday June 28, 2002 @04:16PM (#3789029)
    Whatever rumor you heard was incorrect. OS X 10.1.5 actually fixes several problems related to RTCW. Several serious issues I was having were resolved by updating to 10.1.5 and confirmed by Aspyr tech support. I highly recommend the upgrade. Specifically RTCW under 10.1.4 didn't work with the GeForce4Ti above 640x480 and now it works up to 1024x768. You'll still need to use an old card like the GeForce4MX if you want to go all the way to 1600x1200 with it though.
  • Thanks for posting this - I just installed the AirPort update and wouldn't have tried again for a week or so.

    And it was sure nice to get an update that didn't require a restart! What's up with all the restarts required, anyway? This is Unix...I'm not used to restarting all the time (except kernel upgrades; but those are rare for me)

  • by redwoodtree ( 136298 ) on Friday June 28, 2002 @04:38PM (#3789154)
    10.1.5 has nothing to do with RtCW failing. Recently the 1.33 version of Return to Castle Wolfenstein was released for Linux and PC. When this happened many multi-player servers started to require 1.33 (pure servers) in order to play.

    There's some discussion on whether Aspyr will patch this; however, there is a workaround. Download the "lite" version of the 1.33 upgrade for PC, unstuffit and then replace mp_bin.pk3 in your MAIN folder.

    These instructions are highlighted at the bottom of this URL on Aspyr's site [aspyr.com]
  • What is going on? (Score:4, Insightful)

    by jonnythan ( 79727 ) on Friday June 28, 2002 @04:42PM (#3789177)
    Wow, when Microsoft issues security update they are lambasted for putting out an insecure operating system.

    Apple releases massive security update and they are lauded for their focus on protecting their users.

    Red Hat releases security updates and no one mentions them at all.
    • by beagle ( 99378 )
      Well, first, the problems fixed here are not the fault of Apple -- they are security holes in popular third-party tools. Contrast that to Microsoft's own security holes in their own code.

      Second, Apple took way too long to release the Apache update. Red Hat had a fix available the next day...Apple's fix is well over a week after the fact.

      See, Red Hat got mentioned! ;)
    • I guess you're new to this whole computer security thing. If you don't understand the difference between how MS and redhat have reacted to security problems for the past 6 years, then I am not going to explain it to you.
    • Count how many (and how serious) the security fixes are that Microsoft puts out per month compared to RedHat and Apple. Then look at the speed at which each put them out. Apple was slow on this one, but they're just getting used to having to send patches out so fast.

      MS has been doing this for years and still can't get a patch out right away. And when they do, it needs 3 subsequent releases to get it right.

      -s
  • by Alex Reynolds ( 102024 ) on Friday June 28, 2002 @04:46PM (#3789192) Homepage
    While OpenSSH 3.4p1 fixes the bug that led to offering a priv-sep version in 3.3p1, the July Security Update does not modify the Netinfo tables to add a sshd user and group, along with the other configuration steps listed in README.privsep. It is suggested that Apple engineers may address privilege separation in Jaguar or an update to Jaguar.
    • Scott Anguish has an article [stepwise.com] on stepwise.com [stepwise.com] that shows you how to build OpenSSH yourself. He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.

      I don't know if Apple configures their update similarly, but I'll bet they do.

      • He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.

        If you run every non-privileged service (http, anon ftp, ntp, nntp, etc.) and partial service (ssh, mail, etc.) as the same non-privileged user, it defeats a lot of the purpose of the non-privilegedness. Even with chrooting, a process running as a non-root user can affect other processes that belong to the same user (e.g. send them signals). This is why vendors and sysadmins who know what they're doing create a different user for each service.
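
An audit for the situation this comment describes, as an added example that is not part of the original post: it reads `ps -axo user,pid,comm` style output and reports unprivileged accounts shared by more than one service, plus which processes share a uid with a different service and could therefore signal it. Both process listings are constructed; the `www` and `ntp` account names are hypothetical, and `sshd` is the account the parent comment says README.privsep calls for.

```python
from collections import defaultdict

# Constructed listing: every service drops privileges to the same "nobody".
SHARED = """\
USER     PID COMMAND
root       1 /sbin/init
root     212 /usr/sbin/sshd
nobody   340 /usr/sbin/sshd
root     350 /usr/sbin/httpd
nobody   355 /usr/sbin/httpd
nobody   356 /usr/sbin/httpd
nobody   401 /usr/sbin/ntpd
"""

# Constructed listing: the same host with one account per service.
SEPARATED = """\
USER     PID COMMAND
root       1 /sbin/init
root     212 /usr/sbin/sshd
sshd     340 /usr/sbin/sshd
root     350 /usr/sbin/httpd
www      355 /usr/sbin/httpd
www      356 /usr/sbin/httpd
ntp      401 /usr/sbin/ntpd
"""


def parse_ps(text):
    """Return (user, pid, service) rows; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].isdigit():
            service = parts[2].rsplit("/", 1)[-1]  # strip the directory
            rows.append((parts[0], int(parts[1]), service))
    return rows


def shared_accounts(rows, exempt=("root",)):
    """Unprivileged accounts that own processes of more than one service.

    root is exempt because it is not an unprivileged account at all; the
    audit is about what a dropped-privilege process can still reach.
    """
    services = defaultdict(set)
    for user, _pid, service in rows:
        if user not in exempt:
            services[user].add(service)
    return {u: sorted(s) for u, s in services.items() if len(s) > 1}


def cross_service_peers(rows, exempt=("root",)):
    """Map pid -> pids of *other* services running under the same account.

    Matching uids are what let one process signal another, so each listed
    peer is a process that a compromise of `pid` could interfere with.
    """
    by_user = defaultdict(list)
    for user, pid, service in rows:
        if user not in exempt:
            by_user[user].append((pid, service))
    peers = {}
    for procs in by_user.values():
        for pid, service in procs:
            others = sorted(p for p, s in procs if s != service)
            if others:
                peers[pid] = others
    return peers


if __name__ == "__main__":
    for label, listing in (("shared", SHARED), ("separated", SEPARATED)):
        rows = parse_ps(listing)
        print(label, shared_accounts(rows), cross_service_peers(rows))
```
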

  • by chrysalis ( 50680 ) on Friday June 28, 2002 @04:51PM (#3789223) Homepage
    The version they should upgrade to is 2.8.10, that fixes a buffer overflow that can be triggered through .htaccess files.

  • Just in time (Score:4, Informative)

    by paco verde ( 561678 ) on Friday June 28, 2002 @05:09PM (#3789323) Homepage
    Traffic on bugtraq the last few hours indicates there is now a worm in the wild exploiting the Apache chunked-encoding vulnerability. http://online.securityfocus.com/archive/1/279529/2002-06-25/2002-07-01/0 [securityfocus.com]
    • Re:Just in time (Score:2, Informative)

      by Lord Kenja ( 45995 )
      No. Not really. There is no binary compatibility with the worm (99% sure it's an Intel worm). So it won't infect Mac OS X boxes. But none the less it's a good thing they keep up-to-date with the open source components they use.
  • I haven't seen this topic really ever brought up...

    Linux and FreeBSD have been available for PPC for a while now, meaning that people could be running Macs as webservers. Although a very tiny percentage of the server population runs Mac webservers, these are mostly running enthusiast's webpages. The bottom line is, most serious webserving applications use Linux or FreeBSD or (gasp) IIS on PC's. (Also multi-CPU Unix servers, etc.)

    My question is... why the small portion of webservers running on Apple? Is it because:
    1) Apple computers represent a small portion of the computer market
    2) Apple users generally run web servers
    3) Apple computers suck at running web servers
    4) Network admins don't like Apples
    5) Some combination of the above

    I'd be interested in hearing some people's comments.

    Cheers!
    • Sorry... I meant:

      2) Apple users generally DON'T run web servers

      I didn't want to unintentionally insult anyone out there! :)
    • Well. Until recently there were no real hardware options for servers made by Apple. The XServe changes that. But at a price a lot of people that run some random Linux webserver would never pay anyway.

      Linux and BSD is pretty popular especially as 'free' webservers. You have a spare box (or get a new one cheap), hook it up with the latest UNIX OS of your choice and run Apache. Cheap and stable.

      For more serious shops they want things Apple is only getting around to now. And still why use Apple hardware for webservers if you can run almost the same webserver on a box from your usual dealer. That's why Mac shops use Apple hardware for webservers. It's comfortable to use the same dealer for everything.
    • by Anonymous Coward
      OpenBSD and NetBSD are ported to PPC. FreeBSD is on x86 & Alpha only. (There might be a port for PPC and Sparc being worked on, but it's not a -RELEASE).

      It always comes down to the right tool for the right job. If you run a Mac shop, why run a PC webserver? Apache for MacOS X is not the first webserver to run on a Mac. Macs have served pages for many years, and with fewer exploits (if any).

      In fact I have a Beige G3 Desktop right next to my Sun SPARCstation, and my Proliant W2KAS, the G3 is running MacOS X w/Apache hosting my website--Why? 'Cause it can.
    • by GutBomb ( 541585 ) on Friday June 28, 2002 @05:58PM (#3789574) Homepage
      typically the reason apache is enabled on many macos machines is for web development. up until now, it was a bit difficult to get ssi and php and other server side stuff working while developing on a mac. now that apache and osx can work together, the combination is used much more often.
  • I know.. i know.. a unix/linux site. But interesting indeed how Microsoft got BASHED for releasing 3 VERY easy to install patches that aren't really exploited at this point, and EVERY unix that uses the apache, ssl, ssh combination previous to the listed versions is needing a repair as well.

    can't we all just get a bong?
  • 1. Repost every post from the previous MS security release thread here changing MS to Apple/Unix/Linux and vice versa.
    2. ???
    3. Profit!

  • by Anonymous Coward
    I'd like to somewhat lessen the blows that I see against apple for its not-so-quick release of the apache vulnerability patch. I think they should have released it faster, but at the same time I can see why they gave themselves some time to test it, and when the openssh vuln was revealed, some time to incorporate that into the same patch. There was no exploit released for OS X or anything on PPC arch that I could see. It just wasn't targeted. The worm that is out is for BSD, but it's x86 shellcode, so again, OS X is not affected. I think the worm is only FreeBSD as well. But anyway, what I'm saying is that they probably could have released it faster, but there wasn't really anything at risk unless you were being specifically targeted by someone other than a script kiddie who actually knew what he/she was doing.

    Cheers,
    -JD-
  • Minor New Features (Score:3, Interesting)

    by sakusha ( 441986 ) on Friday June 28, 2002 @08:58PM (#3790390)
    While looking at the Apache setup in MacOS X, I decided to set up log analysis, and discovered that this security update implements Apache's rotatelogs. A minor upgrade, but a nice improvement that shows Apple is serious about their server platform. The (fairly) speedy response to the OpenSSH and Apache security holes also shows Apple is taking pains to do it right.
    • rotatelogs was there before the security update. It's one of few Apache things you can tweak with the GUI.
      • I got confused with Mac OS X Server. rotatelogs was in Mac OS X Server before the July Security Update. You could turn it on and off with the Server Admin GUI.

        I'm not sure when rotatelogs got added to regular Mac OS X. My mistake. I've only been working with Apache on X Server.
