Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Businesses Apple

Apple Posts Security Update for OpenSSL Vulnerability 47

mattvd writes "Apple has posted Security Update 2002-08-02. According to the release notes it 'includes the following updated components which provide increased security to prevent unauthorized access to applications, servers, and the operating system: Apache v1.3.26, OpenSSH v3.4p1, OpenSSL v0.9.6e, SunRPC, mod_ssl v2.8.10.' As usual, Apple has mirrored the MD5 checksum for the update at a secure server."
This discussion has been archived. No new comments can be posted.

Apple Posts Security Update for OpenSSL Vulnerability

Comments Filter:
  • Details (Score:4, Informative)

    by mattvd ( 44096 ) on Saturday August 03, 2002 @10:01AM (#4004456) Homepage Journal

    From: Product Security
    Date: Fri Aug 02, 2002 05:45:34 PM US/Central
    To: security-announce@lists.apple.com
    Subject: Security Update 2002-08-02 for OpenSSL, Sun RPC, mod_ssl

    -----BEGIN PGP SIGNED MESSAGE-----

    Security Update 2002-08-02 is now available. It contains fixes for recent
    vulnerabilities in:

    OpenSSL: Fixes security vulnerabilities CAN-2002-0656, CAN-2002-0657,
    CAN-2002-0655, and CAN-2002-0659. Details are available via:
    http://www.cert.org/advisories/CA-2002-23.html

    mod_ssl: Fixes CAN-2002-0653, an off-by-one buffer overflow in the
    mod_ssl Apache module. Details are available via:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN- 2002-0653

    Sun RPC: Fixes CAN-2002-039, a buffer overflow in the Sun RPC XDR decoder.
    Details are available via:
    http://bvlive01.iss.net/issEn/delivery/xforce/aler tdetail.jsp?oid=20823

    Affected systems: Mac OS X client and Mac OS X Server

    Note: Mac OS X client is configured by default to have these services turned
    off, and is only vulnerable if the user has enabled network services which rely
    on the affected components. It is still recommended for Mac OS X client users
    to apply this security update to their system.

    System requirements: Mac OS X 10.1.5

    Security Update 2002-08-02 may be obtained from:

    * Software Update pane in System Preferences

    * Apple's Software Downloads web site:
    http://docs.info.apple.com/article.html?artnum=120 139

    SSL server:
    https://depot.info.apple.com/security/129403bc5e18 4e3b7367.html

    To help verify the integrity of Security Update 2002-08-02 from the
    Software Downloads web site:

    The download file is titled: SecurityUpd2002-08-02.dmg
    Its SHA-1 digest is: 54f6eebe0398181db8f1129403bc5e184e3b7367

    Information will also be posted to the Apple Product Security web site:
    http://www.apple.com/support/security/secur ity_upd ates.html

    This message is signed with Apple's Product Security PGP key, and
    details are available at:
    http://www.apple.com/support/security/securit y_pgp .html

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.3

    iQEVAwUBPUsLOiFlYNdE6F9oAQGAigf+JV+lazuko1g4oZSN FT d2puXCtOGQ0M8c
    2cZ/BdaEBA8jLGrPkhWuvmMwpN9z6G9chn N8s9EXiavcBG5e/e jtTo3ZHoOGP7bg
    789zLQLK2JTB75nc0fNyx2CdfHlEIM00v8 c2jXySLlnqF+kzwq VnjUL7i2O97Fk5
    tWXLc2dWK2Nf2SUk0/yLgfjceZKEPCPXTp uKYuah/w9NwzL+Ls bPcfXA/H1f4ngc
    vRPc2sn2HYu9IJw/BrMEsDlS8IWHf6ozXd Z9qaVCVRrZlsd9gS SmB2Jba4be/MRX
    FauTTepMF9+JfCkx+2wtpwWhBcXoJnjwIZ XOXwbbRjqXHmzzgu 8D/Q==
    =fdGO
    -----END PGP SIGNATURE-----
  • by iomud ( 241310 ) on Saturday August 03, 2002 @10:14AM (#4004489) Homepage Journal
    Why does this update require a reboot?
    • my only guess : paranoia. The weird idea that rebooting flushes out the bad bits left of an eventual breakin...
    • Re:My only question. (Score:2, Interesting)

      by foonie ( 585679 )
      Just a guess... maybe the average user doesn't know how to restart their Apache web server?
      • Re:My only question. (Score:5, Informative)

        by dunderwo ( 172863 ) on Saturday August 03, 2002 @11:43AM (#4004742) Homepage

        Uhh...that doesn't stop the installer from running apachectl graceful, or what have you. Besides, restarting Apache means opening Sharing preferences, clicking "Stop" and then clicking "Start" under Web Sharing...not especially obscure.

        Well, regardless, the reboot is probably just a paranoid gesture...since there's no way of knowing for sure what other running daemons rely on the updated binaries. A reboot removes doubt, and apparently they don't like doubt. At least it doesn't quit all of your apps during the install....

    • If you don't think it requires a reboot just force-quit the installer when it's finished.
    • Re:My only question. (Score:2, Informative)

      by mkoz ( 323688 )
      It makes changes to "System Libraries".
    • Because you could be running any number of demons that were linked to these libraries.
      apache
      sshd
      stunnel

      To name 3 that I'm running. Note that Apple only knows about 2 of these. Rebooting is the right thing to do in this case.
      • Why not just restart them? I just think if apple is to be serious about unix they should also be serious about some of the more compelling factors of it's use ie stability, reliability. I do understand though that for the average user it's probably the easier route to take.
        • How are they supposed to know which ones to restart?

          Or you're suggesting that I simply restart the ones I need to - how do I know the ones to restart?

          You'll note another post I made, FreeBSD suggests you recompile the whole system (before rebooting). I don't know where SUN's update page is for this one, but I bet they recommend a restart, too.

          The bottom line is: if you feel confident restarting some demons and leaving the rest, Apple isn't stopping you. The truth is, this was a VERY BIG fix to some of the core OS functionality - authentication, after all!

          Bottom line: if YOU are serious about stability and reliability, you have a set of failover servers, anyway. Reboot them sequentially. Heck, you probably do that already, don't you?
  • Slashdot Material? (Score:1, Interesting)

    by DingoFox ( 33726 )
    Are tiny Apple security updates really Slashdot material?

    *clicks ignore next to pudge*
    • by marklark ( 39287 )
      I think they make good APPLE.slashdot.org material. If it's really hot, then it gets moved over to the main page. Not a problem.
    • Are tiny Apple security updates really Slashdot material?


      YES! :)

      Well, apple.slashdot material.

      I mean, first thing I did after reading the ... story, was checked my software update.
    • Are tiny Apple security updates really Slashdot material?

      The Apple update is not the most interesting part of this article. The most interesting part is what they DO NOT make you do. I'm beginning to really doubt my OS choice for a server. From the FreeBSD update on the same issues:
      ###
      Subject: FreeBSD Security Advisory FreeBSD-SA-02:33.openssl [REVISED] ...
      ===
      FreeBSD-SA-02:33.openssl Security Advisory The FreeBSD Project

      Topic: openssl contains multiple vulnerabilities
      ...

      2) To patch your present system:
      The following patch has been verified to apply to FreeBSD 4.4, 4.5, and 4.6 systems.
      ...
      c) Recompile the operating system as described in
      http://www.freebsd.org/doc/handbook/makeworld.html [freebsd.org].
      ###

      Recompile THE WHOLE DAMN OS.

      To fix your OSX Server... Grab the update from apple and reboot.

      I've switched for my desktop - time to think about the server, too.
  • by BitGeek ( 19506 ) on Saturday August 03, 2002 @08:27PM (#4006331) Homepage


    Seems apple is doing a patch for security once a month.

    Its really nice that they are automatically detected, and you are asked if you want to apply them.

    But is once a month too frequently? Many have their update set to check every day, so the day they release the patch, hundreds of thousands will download it all at once.

    On the downside a vulnerability could be known about for up to a month before the patch is released...

    But on the upside, these regular updates, and how they are automatically distributed, seems far better than other systems I've used.

    • Security updates can never be too frequent. I for one am very impressed that apple is on the ball. As far as bandwidth goes it cannot be worse than all the quicktime movie trailers that get streamed from apple.

To the landlord belongs the doorknobs.

Working...