
Apple Releases Security Update 2003-03-24

skeeter17 writes "Apple updates security again. According to the description: 'Security Update 2002-03-24 addresses a Samba vulnerability which could allow unauthorized remote access to the host system. .... OpenSSL is also updated to address an issue in which RSA private keys can be compromised when communicating over LANs, Internet2/Abilene, and interprocess communication on local machine. ... It is recommended that all users install this Security Update.' Well! There you have it folks!" It is available via Software Update.
  • Dance! (Score:4, Funny)

    by blackmonday ( 607916 ) on Monday March 24, 2003 @06:25PM (#5586601) Homepage
    ALERT: There are still known vulnerabilities with the Cha Cha Cha, the Cabbage Patch, and especially the Boogaloo. You've been warned.
  • Macs rock. ;) (Score:5, Interesting)

    by Justen ( 517232 ) on Monday March 24, 2003 @06:27PM (#5586615) Homepage Journal
    I think it is quite admirable that Apple is so dedicated to these security updates. Certainly there is one other operating system software company in the world that isn't as vigilant. *cough*

    I know at work, whenever an exploitation was discovered on the PC, the IT department would wait and wait. After several weeks, when problems started happening, they would issue an advisory, telling the people workarounds and what not to do and such until an update happened.

    They never did that for the marketing/communications Macs. The reasons are threefold:

    a.) there are fewer exploits in Mac OS X's old age (read: UNIX/FreeBSD/Darwin),

    b.) when there are holes, they are patched, almost always very, very promptly.

    c.) they were afraid of the Macs, anyway.

    I think the latter is the least substantial, but, nonetheless, still relevant.

    Anyway. I wanted to make a note of this. I don't see how there's much else that we can regularly pony up in Software Update discussions...

    justen
    • Re:Macs rock. ;) (Score:4, Interesting)

      by gnuadam ( 612852 ) on Monday March 24, 2003 @10:08PM (#5588103) Journal

      Not to rag too much on apple, but they're still slower to release fixes than open source. Both fink and my gentoo linux box are usually patched the same week (and often the same day) that I hear about the problem.

      Gentoo is getting a reputation for releasing fixes before slashdot announces, as the smug 1337 gentoo users like to point out.

      Does that make me one of them now, too?

      I'm not meaning to say that apple is doing a poor job, by any means. I'm just wanting to point out that apple is not the only organization that takes security seriously, and that there are others that beat apple out the door with security fixes.

      • OpenSource does not have a major disadvantage that Apple does: Apple has to test the security update to make sure it doesn't break anything and prepare the distribution for release (which geeks normally take care of on their own in the OSS community).
      • Re:Macs rock. ;) (Score:5, Informative)

        by WatertonMan ( 550706 ) on Tuesday March 25, 2003 @03:43AM (#5589540)
        You can still recompile most of the Apple utilities that have these patches. Indeed if you are using Apache on a production machine using OSX you are probably better off compiling the code so that you *know* exactly what is going on. For most machines that is less significant.

        Put another way, you're right, but you're confusing Apple's software with the code. Most of the services on OSX are open source and to say that "they are slower to release fixes than open source" rather misses the forest for the trees. (Or vice versa) What Apple does is provide a quick, easy update for regular users who don't want to deal with the complexities of compiling their open source programs. As such Apple reacts very timely and does a lot of checking.

        So to differentiate Apple's security and open source's security is a false dichotomy.

  • by nycroft ( 653728 ) on Monday March 24, 2003 @07:18PM (#5587043) Homepage
    Since OS X 10.2.4 came out, I think this is only the second security update. However, for XP there have been countless updates. The Service Pack One update from a few months back was 120MB! They must've had quite a bit of holes to need an upgrade that big.

    It seems that almost every week, my IT department is running around trying to install security updates on our computers. It's a good thing I only use my PC for e-mail (not for long, since MS Exchange will soon work with Entourage). I use my Mac for real work.
  • by Anonymous Coward
    Why did they release a patch for this so quick, but they haven't fixed the 1969/70 bug? Seriously Apple, I have not turned on this feature ever (you have to turn it on since it is off by default).
    • because that has already been fixed and is in the 10.2.5 update which will be released within a few weeks.
    • Security Patches and Bug Fixes are of different priority. Exaggeratedly put, a (hypothetical) issue that can put the whole internet down (through a worm that spreads over multiple platforms) is a much bigger threat than a bug that doesn't read your system clock from the NVRAM properly.

      A workaround for your problem, if you have an always-on internet connection, btw, is to just turn network time syncing on.
  • Date issues? (Score:2, Interesting)

    by NeuralNet03 ( 650974 )
    Huh. Seems in Software Update, it's titled 2003-3-24, but in the description, it's *2002*-3-24.
    Weren't they a year off last time, too?
  • OpenSSL again? (Score:4, Interesting)

    by tbmaddux ( 145207 ) on Monday March 24, 2003 @09:41PM (#5587958) Homepage Journal
    I thought that Security Update 2003-03-03 [apple.com] was supposed to patch OpenSSL: "This update also includes a newer version of OpenSSL that provides improved data confidentiality by addressing a recently-discovered security issue." At the time (03-03-2003) I assumed they were talking about this bug. [slashdot.org] Plus, the "important information" section of today's patch [apple.com] has the same language about sendmail and OpenSSL.

    I'm confused! Anyone know what OpenSSL bugs are patched, specifically, by each security update?

    • Plus, the "important information" section of today's patch [apple.com] has the same language about sendmail and OpenSSL.

      Hmm, interesting... my guess is that's just some overzealous copy and paste from the previous security update.

      Now, as for which OpenSSL bug this is for... my /usr/lib/libssl.* and /usr/lib/libcrypto.* are still dated 03/03. Here's a list of the files included in the update:

      ./usr/bin/make_printerdef Tue Mar 18 18:40:38 2003
      ./usr/bin/make_smbcodepage Tue Mar 18 18:40:40 2003
      ./usr/bin/m

    • Answering my own question, according to Apple Security Updates [apple.com] the 2003-03-24 update fixes CAN-2003-0147, and the 2003-03-03 update fixes CAN-2003-0078.
  • by Alex Thorpe ( 575736 ) <alphax@mac . c om> on Tuesday March 25, 2003 @12:27AM (#5588849) Homepage
    There went my two weeks of uptime... ;-)

    • A low uptime can mean two things:

      1: The system crashes quite often.
      2: The system is patched quite often.

      Ever since realising that, I have a new view on uptime boasting...
      • 3: The user shuts it down every night to conserve energy?
        4: The computer is located in a California 'Rolling Black-Out' zone (snnnuck)
      • I think my previous restart was due to the new version of Java, though I was having some serious freezing problems in Diablo II for a while. I'm not completely certain why they stopped, but I did switch from Meteorologist to WeatherPop about that time...

    • Two weeks? My PowerBook G3/333 Lombard is up to about 38 days. Mostly in sleep mode, obviously. Still, I last booted 3 states ago, and I bet I have over 100 hours of interactive use. I've had a few apps quit on me (Explorer, Chimera, maybe a few others), but the OS is rock solid. I've removed and added my WiFi card about 3 times, operated on planes and in cars, run the battery down to less than 10%, and I have updated multiple pieces of software. It includes hours of heavy iPhoto use, too.

      Not bad for a 199
  • You have to run OS X 10.2.4 to get this patch. Does this mean that 10.2.3 is secure from this bug, or do I need to hook up to my mom's school's T1 line to be up to date? 10.2.3 has been running very, very smoothly with little or no problems (mainly due to 3rd party programs/drivers).
  • uh. if anyone out there hypothetically has safari v67 and has just installed the security update i would be very interested to know if safari v67 would work following the update...? thanks.
  • The only time my OS X machines crash is when I'm connected to windows shares. Isn't that neat?

    I just hate how the security patches kill my uptime. 5 days 18:04 since I last rebooted on my iBook, and I think that was the last security patch, too.
  • The security fix causes the Apache webserver to crash when a secure connection is requested. The Apache SSL library was updated, but there is a memory addressing error manifesting itself in the "ssl_var_lookup_ssl_cert" function. This causes a segmentation fault and crashes that instance of the Apache server.

    I'd be interested in hearing from anyone else having similar difficulties.
    • Recompile apache -- that fixes it. Don't ask me how/why.
      • Hmmmm . . . I think you are in error when you use the word recompile; you are assuming that I compiled Apache in the first place. No, I'm just using the stock Apache server that comes with OS-X.
        • I am having the same problem. I am using the stock Apache server too. Very annoying. I have found no solutions yet and I am not about to compile a new version of apache.

          Any solutions out there?
          • Yes, there is a solution out there. Basically you need to restore the previous version of libssl.so. This will get your webserver up and running again, but it will still have the RSA keysnoop vulnerability. So use at your own risk!

            You can find the old libssl.so at two places:

            http://ganter.dyndns.org/misc/apple_ssl.php [dyndns.org]
            http://www.zippy6.net/misc/ [zippy6.net]

            You have Thomas Ganter to thank for this solution. It was first published on the Apple discussion site, and I mirrored it on my webserver (just to keep G
  • I just wish they would have released OS X with a mail server (Apple Mail) that wasn't open to relaying by default.
