Apple Releases Security Update 2004-01-26

ollie_ob writes "Apple's released an important security update for Mac OS X today. The update includes changes to the following important apps and services: Apache 1.3, Classic, Mail, Safari, Windows File Sharing. In addition, it includes the 2003-12-19 Security Update. It's available via Software Update." It's also available for Server.

  • 10.3.3 (Score:1, Offtopic)

    by CodeBSD ( 631966 )
    Shouldn't 10.3.3 be here soon?
    • Re:10.3.3 (Score:3, Informative)

      by Trillan ( 597339 )

      I haven't heard any rumors, but I'd expect it in February.

      • Re:10.3.3 (Score:2, Insightful)

        by rf600r ( 236081 )
        Why? Seriously, why?
        • That hot new auto-toast functionality. You can buy a latte upgrade set to boot.

          I'm super happy with 10.3.2, but why not want more? Gimme gimme gimme!
        • No particular reason, only that it's my impression (and I could be wrong) that there was a 10.2.x update in February last year. 10.3.1 was definitely rushed out, so I'm sort of viewing 10.3.2 as at the same "maturity" level as 10.2.1. Just feels like we're due for an update soon.

          I know it's not a really good reason... :)

    • Re:10.3.3 (Score:2, Informative)

      by Anonymous Coward
      This will be modded off topic, but they also just released an Airport/AE software update that includes a firmware support update for the AE base station that gives it WPA support.

      Check your software update.

      P.S. I don't feel like submitting it, so I'll post as AC.

  • by AtariAmarok ( 451306 ) on Monday January 26, 2004 @05:54PM (#8093667)
    This item's been sitting here a while, without even a FP troll. Is the Apple OS so secure that a security patch is not an immediate "get it now"?
    • by lullabud ( 679893 ) on Monday January 26, 2004 @06:44PM (#8094156)
      Ever since the 10.3.2 update crashed my laptop I wait a day or two to see how things are going. That was the only crash I've ever had in Mac OS X though, and I had reloaded and (automatically) had all my settings back to the way they were before the crash, and had the system all patched up, even with the patch that crashed the system, within 35 minutes. This was amazing to me, considering all the hundreds of times I've spent reloading my own or other people's windows boxen and the frustration of importing all the previous settings (and never quite getting them ALL back). I'm not going to say OS X is the OS that does it all, but I will say that after using MS OSes since DOS 3.2 my new desktop OS of choice is OS X for reasons like that... Even so, I still do wait a day or so to patch because clearly things can, and do, go wrong sometimes.
    • by Photar ( 5491 ) <photar@phoBALDWINtar.net minus author> on Monday January 26, 2004 @06:53PM (#8094275) Homepage
      Give everyone a chance to install it and test things first.
      • OS X in this regard is no better than Windows. It's an opaque operating system and despite the list of changes that Apple provides, there's no real way to know if the patch is going to kill your system. For example, my local Apple rep warned me not to install the "12-19" security patch, as it will hose my AFP shares. Since this patch includes the 12-19 security patch, I doubt I'd install it without complete assurance from my apple rep. Furthermore, an update to the 10.3.2 service pack really borked my
        • Your "Apple Rep"? Who exactly is this "Apple Rep," a VAR? ...some guy with an Apple polo shirt?
          • He's a special rep (sales and tech) assigned to my University (and all the other universities in Utah). He's actually an Apple system engineer. He knows his stuff and has worked a lot with their OpenDirectory.
        • Opaque? (Score:4, Insightful)

          by kwerle ( 39371 ) <kurt@CircleW.org> on Monday January 26, 2004 @09:14PM (#8095887) Homepage Journal
          OS X in this regard is no better than Windows. It's an opaque operating system and despite the list of changes that Apple provides, there's no real way to know if the patch is going to kill your system.

          Did you miss http://developer.apple.com/darwin/ [apple.com]?

          Have fun with the kernel...
          • Re:Opaque? (Score:4, Interesting)

            by caseih ( 160668 ) on Monday January 26, 2004 @11:05PM (#8096706)
            The kernel is the least of it all. The kernel is fairly transparent to a developer who knows darwin inside and out. When it comes to the kernel, linux for me is more transparent simply because I understand it better. I'm sure I will understand darwin better over time. But that's not what I was talking about.

            The Opaqueness is in how everything is put together. Sure you can study darwin to figure it out. But the fact is that it's unix, but it's not unix. It's not system V, it has a hybrid init mechanism. Apple has also brought together many open source components, which is good, but it has done them in such a way that I can't just take the virgin code from, say, Samba, and compile. I can, however, get the code from apple. But now instead of being able to go to all the internet resources for help with a Samba 3.0 problem, I have to go to apple instead, since they have customized these components very heavily and the Samba developers can't make any real statement on a problem because of that. It's just frustrating when there are problems. That's all. As with all proprietary operating systems, you really do tie yourself down to one vendor. It's a calculated risk, one I'm not yet comfortable with (coming from an exclusive linux server setup) yet. Apple's tech support is very good, though. And the problems I've experienced will be resolved.
            • I can't just take the virgin code from, say, Samba, and compile...

              You sure about that? Have you tried it? I have not, but I bet it would just work.

              OK, so I'm not just BSing, I've downloaded. I'm configuring. Worked. I'm makeing. So far, so good. I gotta post this before it times out. I'll followup with the results.
              • Failed due to a linking error after about 20 minutes of compiling. I'm not willing to continue messing with this, as I have no vested interest, but this is a known issue and the workaround is trivial:

                http://mailman.mit.edu/pipermail/kerberos/2003-August/003627.html

                It continues to be my belief that you COULD compile vanilla SAMBA out of the box with nearly no extra work.
            • The Opaqueness is in how everything is put together. Sure you can study darwin to figure it out. But the fact is that it's unix, but it's not unix. It's not system V, it has a hybrid init mechanism. Apple has also brought together many open source components, which is good, but it has done them in such a way that I can't just take the virgin code from, say, Samba, and compile. I can, however, get the code from apple. But now instead of being able to go to all the internet resources for help with a Samba 3.0
        • by plsuh ( 129598 ) <plsuh@@@goodeast...com> on Monday January 26, 2004 @10:01PM (#8096282) Homepage
          Apple normally posts details of security updates on its Knowledge base at:

          http://docs.info.apple.com/article.html?artnum=61798 [apple.com]

          The details of this one are not up yet, but should be soon. Give the guys a break -- they're only human and stuff takes a while to work its way through the system.

          --Paul
        • Unless you need the patch don't patch it on important servers. Patch spares and dick around with them.
          • Very true. And I'm not going to patch my servers yet. The problem is that OS X hardware is a bit pricey and I simply don't have any spares. I can take any old piece of crap machine and put linux on to test patches, however.

            I'm not blaming Apple here. They are doing a good job trying to break into the server market and they have an excellent product, which I am quite happy with.
            • Ebay a Blue & White G3. They're cheap nowadays and run Panther fine. Use that as a test box.
            • Yeah, I understand though. I think the problem is in the fact that Apple had to make certain design decisions when trying to make their os palatable to the geeks and the users alike.

              On one hand you have all the power and flexibility of the *nixy goodness in the backend that the geeks love and on the front end you have the polished eye candy that the users love, but it's all closed which pisses the geeks off.

              Similarly, I think that is the same compromise that is going on with software update. They can't jus
        • I'm still installing Apple's updates the moment they come out. I've updated 2 Panthers and one Jaguar (on a beige G3) with this latest update with no problems. So far, I've only had one problem with an Apple update. 10.2.8 knocked out the ethernet connectivity of a dual G4 (out of about 8 machines I installed it on), but there was a non-Apple fix going around by the end of the day, and an official fix a few days later.
    • by thatguywhoiam ( 524290 ) on Monday January 26, 2004 @07:17PM (#8094524)
      This item's been sitting here a while, without even a FP troll. Is the Apple OS so secure that a security patch is not an immediate "get it now"?

      The inherent lickability of OS X remains unchanged - therefore this is one that can wait.

      They put in another throbbing button or drawer though, man, I'm there.

    • This item's been sitting here a while, without even a FP troll. Is the Apple OS so secure that a security patch is not an immediate "get it now"?

      Perhaps everyone who has installed it has crashed horribly and can't get online to warn us?

      Seriously though - I think many /. OS X users wait to see who is going to chance the install first after the 10.2.8 fiasco.

      So has anyone installed it on a jobbing Jaguar XServe yet? Is it safe for me to patch ours overnight?
      • lol - I was only joking in my parent post but I just installed it on my Powerbook and it crashed during reboot! I was like "OH CRAP!"

        Fortunately a three fingered salute fixed it.

        Don't think I'm going to risk it on the server remotely tonight however :)
  • As usual.. (Score:5, Funny)

    by ayersrj ( 701333 ) on Monday January 26, 2004 @05:55PM (#8093674)
    We're not sure what it does. But it installs fine and seems to work!
    • Only because your post was moderated Insightful...

      The Security Update changes are listed in this Tech Note [apple.com]. However, the newest one isn't listed just yet.

      So we're still not sure what it does...

      • Re:As usual.. (Score:2, Informative)

        by joshmoh ( 708871 )
        Nah, it's up now. Here's what it does:

        http://docs.info.apple.com/article.html?artnum=25652 [apple.com]

        Sadly, most of the "Enhancements" sound more like "Bug Fixes." Heh.
        • Re:As usual.. (Score:3, Informative)

          by Gogo Dodo ( 129808 )
          That's the 10.3.2 release notes, not the Security Update 2004-01-26.

          According to Macintouch [macintouch.com], here are the fixes:

          • AFP Server: Improves AFP over the 2003-12-19 security update.
          • Apache 1.3: Fixes CAN-2003-0542, a buffer overflow in the mod_alias and mod_rewrite modules of the Apache webserver.
          • Apache 2: Fixes CAN-2003-0542 and CAN-2003-0789 by updating Apache 2.0.47 to 2.0.48. Installed only on Server systems.
          • Classic: Fixes CAN-2004-0089 to improve the handling of environment variables.
  • Apache 2.0? (Score:1, Interesting)

    by tuxedobob ( 582913 )
    Anyone know if/when Apple will incorporate Apache 2.0? Or if there would be any use to doing so?
    • Re:Apache 2.0? (Score:3, Informative)

      You don't have to wait for Apple, there's a packaged version [versiontracker.com], runs alongside 1.3. I tried it for a bit, but I didn't find any advantages over 1.3 for my purposes (mostly just PHP).
    • Re:Apache 2.0? (Score:5, Informative)

      by radicalskeptic ( 644346 ) <x@gCOFFEEmail.com minus caffeine> on Monday January 26, 2004 @06:22PM (#8093930)
      According to this PDF from Apple [akamai.net], Mac OS X Server already carries both Apache 1.3 and 2.x. If you only have OS X client, you can also download a bundled Apache 2 package from Server Logistics here [serverlogistics.com], if you really want it. I tried it about a year ago, I remember it has a nice preference pane with which you can change some settings, restart the server, and view and edit your httpd.conf (although it was a little buggy with saving the file, TextEdit had problems with the permissions)... It couldn't do anything that wasn't just as easy to do from the command line, though.
    • Re:Apache 2.0? (Score:2, Insightful)

      by tuxedobob ( 582913 )
      Who's the dumbass mod who modded that offtopic? Apache was just updated. I'm asking about if Apache will be updated to 2.0. Hello?

      In any case, thanks for the responses.
  • 10.2.8? (Score:3, Interesting)

    by antdude ( 79039 ) on Monday January 26, 2004 @08:17PM (#8095274) Homepage Journal
    Do any of these fixes affect 10.2.8 or only for 10.3?
    • The update is available for both Panther [apple.com] (10.3.1 or later) and Jaguar [apple.com] (requires 10.2.8).
    • Re:10.2.8? (Score:5, Informative)

      by sonetsst ( 598483 ) <blank&mailinator,net> on Monday January 26, 2004 @09:19PM (#8095932)
      As a matter of fact, not only is it available for 10.2.8 but also for 10.1.5, just check the download page under the OS X tab on apple.com.

      If only we got that sort of backwards compatibility with windows...
      • I am not a Micro$oft/Windows apologist by any means, but Microsoft are still supporting Windows 2000 (which predates MacOS X 10.1 aka 'Puma'), and have even given a half-arsed commitment to provide security updates for a fully service-packed Windows NT4 (which probably predates MacOS 9.2, although I could be wrong on that count).

  • Groundhog Day (Score:3, Informative)

    by PDubNYC ( 650812 ) on Monday January 26, 2004 @08:33PM (#8095407)
    I have installed it on 3 machines, and everything seems to work fine with one exception. Every time I install it and reboot, there it is in the Software Update list again. I even tried installing it a 2nd time on one machine, sure enough it was there again after reboot. Big Ben, Parliament, kids
    • Re:Groundhog Day (Score:2, Informative)

      by SillyWilly ( 692755 )
      I had that with one of the Java Updates, I just made it inactive in the end and it seems to have disappeared now.
    • Re:Groundhog Day (Score:2, Informative)

      by Ilgaz ( 86384 )
      IMHO run disk utility, repair permissions and try again.

      If on 10.3 (panther) you can keep the download after install in case there is a problem again.
    • I feel your pain. I updated 3 machines last night (Dual 2 G5, 15" iMac G4, iBook 800) and it's happening on all three. I'm running the update now on an iBook 500 (dual usb), so we'll see what happens there.
  • by ptimmons ( 235569 ) on Monday January 26, 2004 @10:07PM (#8096326) Homepage
    Happy 20th Anniversary, Macintosh users. You get... a security fix.
  • by djupedal ( 584558 ) on Monday January 26, 2004 @10:31PM (#8096489)
    Fingers crossed...been waiting for months.
  • APPLE-SA-2004-01-26 Security Update 2004-01-26

    Security Update 2004-01-26 is now available. It contains security enhancements for the following:

    AFP Server: Improves AFP over the 2003-12-19 security update.

    Apache 1.3: Fixes CAN-2003-0542, a buffer overflow in the mod_alias and mod_rewrite modules of the Apache webserver.

    Apache 2: Fixes CAN-2003-0542 and CAN-2003-0789 by updating Apache 2.0.47 to 2.0.48. Installed only on Server systems.

    Classic: Fixes CAN-2004-0089 to improve the handling of environmen
