Apple Releases Security Update 2004-01-26

ollie_ob writes "Apple's released an important security update for Mac OS X today. The update includes changes to the following important apps and services: Apache 1.3, Classic, Mail, Safari, Windows File Sharing. In addition, it includes the 2003-12-19 Security Update. It's available via Software Update." It's also available for Server.

10.3.3

[CodeBSD]

Shouldn't 10.3.3 be here soon?

Re:10.3.3

[Trillan]

I haven't heard any rumors, but I'd expect it in February.

Re:10.3.3

[rf600r]

Why? Seriously, why?

Re:10.3.3

[zpok]

That hot new auto-toast functionality. You can buy a latte upgrade set to boot.

I'm super happy with 10.3.2, but why not want more? Gimme gimme gimme!

Re:10.3.3

[Trillan]

No particular reason, only that it's my impression (and I could be wrong) that there was a 10.2.x update in February last year. 10.3.1 was definitely rushed out, so I'm sort of viewing 10.3.2 as at the same "maturity" level as 10.2.1. Just feels like we're due for an update soon.

I know it's not a really good reason... :)

Re:10.3.3

[Anonymous Coward]

This will be modded off topic, but they also just released a Airport/AE software update that includes a firmware support update for the AE base station that gives it WPA support.

Check your software update.

P.S. I dont feel like submitting it, so I'll post as AC.

Like does anyone care?

[AtariAmarok]

This item's been sitting here a while, without even a FP troll. Is the Apple OS so secure that a security patch is not an immediate "get it now"?

I care to wait a day or so...

[lullabud]

Ever since the 10.3.2 update crashed my laptop I wait a day or two to see how things are going. That was the only crash I've ever had in Mac OS X though, and I had reloaded and (automatically) had all my settings back to the way they were before the crash, and had the system all patched up, even with the patch that crashed the system, within 35 minutes. This was amazing to me, considering all the hundreds of times I've spent reloading my own or other people's windows boxen and the frustration of importing all the previous settings (and never quite getting them ALL back). I'm not going to say OS X is the OS that does it all, but I will say that after using MS OSes since DOS 3.2 my new desktop OS of choice is OS X for reasons like that... Even so, I still do wait a day or so to patch because clearly things can, and do, go wrong some times.

Re:Like does anyone care?

[Photar]

Give everyone a chance to install it and test things first.

Re:Like does anyone care?

[caseih]

OS X in this regard is no better than Windows. It's an opaque operating system and dispite the list of changes that Apple provides, there's no real way to know if the patch is going to kill your system. For example, my local Apple rep warned me not to install the "12-19" security patch, as it will hose my AFP shares. Since this patch includes the 12-19 security patch, I doubt I'd install it without complete assurance from my apple rep. Furthermore, and update to the 10.3.2 service pack really borked my

Re:Like does anyone care?

[rf600r]

Your "Apple Rep"? Who exactly is this "Apple Rep," a VAR? ...some guy with and Apple polo shirt?

Re:Like does anyone care?

[caseih]

He's a special rep (sales and and tech) assigned to my University (and all the other universities in Utah). He's actually an Apple system engineer. He knows his stuff and has worked a lot with their OpenDirectory.

Opaque?

[kwerle]

OS X in this regard is no better than Windows. It's an opaque operating system and dispite the list of changes that Apple provides, there's no real way to know if the patch is going to kill your system.

Did you miss http://developer.apple.com/darwin/ [apple.com]?

Have fun with the kernel...

Re:Opaque?

[caseih]

The kernel is the least of it all. The kernel is fairly transparent to a developer who knows darwin inside and out. When it comes to the kernel, linux for me is more transparent simply because I understand it better. I'm sure I will understand darwin better over time. But that's not what I was talking about.

The Opaqueness is in how everything is put together. Sure you can study darwin to figure it out. But the fact is that it's unix, but it's not unix. It's not system V, it has a hybrid init mechanism. Apple has also brought together many open source components, which is good, but it has done them in such a way that I can't just take the virgin code from, say, Samba, and compile. I can, however, get the code from apple. But now instead of being able to go to all the internet resources for help with a Samba 3.0 problem, I have to go to apple instead, since they have customized these components very heavily and the Samba developers can't make any real statement on a problem because fo that. It's just frustrating when there are problems. That's all. As with all proprietary operating systems, you really do tie yourself down to one vender. It's a calculated risk, one I'm not yet comfortable with (coming from an exclusive linux server setup) yet. Apple's tech support is very good, though. And the problems I've experienced will be resolved.

Re:Opaque?

[kwerle]

I can't just take the virgin code from, say, Samba, and compile...

You sure about that? Have you tried it? I have not, but I bet it would just work.

OK, so I'm not just BSing, I've downloaded. I'm configuring. Worked. I'm makeing. So far, so good. I gotta post this before it times out. I'll followup with the results.

Re:Opaque?

[kwerle]

Failed due to a linking error after about 20 minutes of compiling. I'm not willing to continue messing with this, as I have no vested interest, but this is a known issue and the workaround is trivial:

http://mailman.mit.edu/pipermail/kerberos/2003-A ug ust/003627.html

It continues to be my belief that you COULD compile vanilla SAMBA out of the box with nearly no extra work.

Re:Opaque?

[caseih]

Of course Samba would work out of the box, but it would not work with OpenDirectory or the OpenLDAP schema that apple uses. Those require patches.

Re:Opaque?

[kwerle]

Please supply a reference to that information.

Re:Opaque?

[steeviant]

The Opaqueness is in how everything is put together. Sure you can study darwin to figure it out. But the fact is that it's unix, but it's not unix. It's not system V, it has a hybrid init mechanism. Apple has also brought together many open source components, which is good, but it has done them in such a way that I can't just take the virgin code from, say, Samba, and compile. I can, however, get the code from apple. But now instead of being able to go to all the internet resources for help with a Samba 3.0

Re:Like does anyone care?

[plsuh]

Apple normally posts details of security updates on it's Knowledge base at:

http://docs.info.apple.com/article.html?artnum=617 98 [apple.com]

The details of this one are not up yet, but should be soon. Give the guys a break -- they're only human and stuff takes a while to work its way through the system.

--Paul

Re:Like does anyone care?

[Photar]

Unless you need the patch don't patch it on important servers. Patch spares and dick around with them.

Re:Like does anyone care?

[caseih]

Very true. And I'm not going to patch my servers yet. The problem is that OS X hardware is a bit pricey and I simply don't have any spares. I can take any old piece of crap machine and put linux on to test patches, however.

I'm not blaming Apple here. They are doing a good job trying to break into the server market and they have an excellent product, which I am quite happy with.

Re:Like does anyone care?

[Maserati]

Ebay a Blue & White G3. They're cheap nowadays and run Panther fine. Use that as a test box.

Re:Like does anyone care?

[Photar]

Yeah, I understand though. I think the problem is in the fact that Apple had to make certain design decisions when trying to make their os palatable to the geeks and the users alike.

On one hand you have all the power and flexability of the *nixy goodness in the backend that the geeks love and on the front end you have the polished eye candy that the users love, but its all closed which pisses the geeks off.

Similarly, I think that is the same compramize that is going on with software update. They can't jus

Re:Like does anyone care?

[tgibbs]

I'm still installing Apple's updates the moment they come out. I've updated 2 Panthers and one Jaguar (on a beige G3) with this latest update with no problems. So far, I've only had one problem with an Apple update. 10.2.8 knocked out the ethernet connectivity of a dual G4 (out of about 8 machines I installed it on), but there was a non-Apple fix going around by the end of the day, and an official fix a few days later.

Re:Like does anyone care?

[thatguywhoiam]

This item's been sitting here a while, without even a FP troll. Is the Apple OS so secure that a security patch is not an immediate "get it now"?

The inherent lickability of OS X remains unchanged - therefore this is one that can wait.

They put in another throbbing button or drawer though, man, I'm there.

Re:Like does anyone care?

[skinfitz]

This item's been sitting here a while, without even a FP troll. Is the Apple OS so secure that a security patch is not an immediate "get it now"?

Perhaps everyone who has installed it has crashed horribly and can't get online to warn us?

Seriously though - I think many /. OS X users wait to see who is going to chance the install first after the 10.2.8 fiasco.

So has anyone installed it on a jobbing Jaguar XServe yet? Is it safe for me to patch ours overnight?

Re:Like does anyone care?

[skinfitz]

lol - I was only joking in my parent post but I just installed it on my Powerbook and it crashed during reboot! I was like "OH CRAP!"

Fortunately a three fingered salute fixed it.

Don't think I'm going to risk it on the server remotely tonight however :)

As usual..

[ayersrj]

We're not sure what it does. But it installs fine and seems to work!

Re:As usual..

[Gogo Dodo]

Only because your post was moderated Insightful...

The Security Update changes are listed in this Tech Note [apple.com]. However, the newest one isn't listed just yet.

So we're still not sure what it does...

Re:As usual..

[joshmoh]

Nah, it's up now. Here's what it does:

http://docs.info.apple.com/article.html?artnum=256 52 [apple.com]

Sadly, most of the "Enhancements" sound more like "Bug Fixes." Heh.

Re:As usual..

[Gogo Dodo]

That's the 10.3.2 release notes, not the Security Update 2004-01-26.

According to Macintouch [macintouch.com], here are the fixes:

• AFP Server: Improves AFP over the 2003-12-19 security update.
• Apache 1.3: Fixes CAN-2003-0542, a buffer overflow in the mod_alias and mod_rewrite modules of the Apache webserver.
• Apache 2: Fixes CAN-2003-0542 and CAN-2003-0789 by updating Apache 2.0.47 to 2.0.48. Installed only on Server systems.
• Classic: Fixes CAN-2004-0089 to improve the handling of environment variables.

Re:As usual..

[joshmoh]

Heh, you're right; 4 hours sleep can do wonders to how well one filters information :) Thanks for the real update info.

Apache 2.0?

[tuxedobob]

Anyone know if/when Apple will incorporate Apache 2.0? Or if there would be any use to doing so?

Re:Apache 2.0?

[onebuttonmouse]

You don't have to wait for Apple, there's a packaged version [versiontracker.com], runs alongside 1.3. I tried it for a bit, but I didn't find any advantages over 1.3 for my purposes (mostly just PHP).

Re:Apache 2.0?

[radicalskeptic]

According to this PDF from Apple [akamai.net], Mac OS X Server already carries both Apache 1.3 and 2.x. If you only have OS X client, you can also download a bundled Apache 2 package from Server Logistics here [serverlogistics.com], if you really want it. I tried it about a year ago, I remember it has a nice preferance pane with which you can change some settings, restart the server, and view and edit your httpd.conf (although it was a little buggy with saving the file, TextEdit had problems with the permissions)... It couldn't do anything that wasn't just as easy to do from the command line, though.

Re:Apache 2.0?

[tuxedobob]

Who's the dumbass mod who modded that offtopic? Apache was just updated. I'm asking about if Apache will be updated to 2.0. Hello?

In any case, thanks for the responses.

Re:just like MS

[Trillan]

The last security update was December 19th.

As for a monthly update... thanks, but I want new features (and especially security updates) as they become available.

Re:just like MS

[lullabud]

Looking at my updates, which actually don't go back too far because I reloaded my laptop, the last system update i did was Dec 20th... that's over a month. The only updates I've done between then and now were application updates, like iCal. That's definitely better than being on a monthly patch release schedule for critical OS bugs.

Re:just like MS

[Kalak]

I don't know weather to write this as troll, astroturfing or just ignorance. I rather update my box more frequently, if it fixes the bugs and security problems. My Fedora boxes run "yum update-check" nightly, my RedHat boxes run up2date nightly, my OS X boxes check software update daily, and I have no complaints when they find an update. I like having notices sent to my mail box, so I can check them all in one place. (you can do this with scripting the OS X command line softwareupdate).

I wish I could automate the checking for updates form Microsoft. Launching a web page and clicking through daily is no way to check for updates (and MS's security announcements are typically not sent when the updates are made available, but can be a day or two later).

MS's "monthly" policy scares me. There is more to an OS than uptime. I'd rather know my boxes are secure than know that it's been a while since I rebooted them (and I run a number Linux, OS X and Windows boxes).

Re:just like MS

[babbage]

I wish I could automate the checking for updates form Microsoft.

Err, you can. I believe the feature is built-in to WinXP, and may have been available as a standard part of Win2k. However, it's also available as a separate update for any version of Windows going back at least as far as Win98.

With the Windows auto-update option installed, the system will periodically check for available updates and, depending on your settings, automatically inform you of them, download first & inform you that updates

Re:just like MS

[Kalak]

A small icon in the bottom of the start bar (which is what the auto-update gives you using the settings you describe) is a far cry from an e-mail that lets me know from my workstation. I really have no desire to log in to each server to check this. Plus, the small icon doesn't show up when you log in to a Windows Server via RDP connection, and yes I am aware of Timbuktu, VNC, radmin, etc. RDP is how I'm connecting to one of my windows servers right now from home since work is snowed in (bandwith isn't li

Re:just like MS

[gumbi west]

I don't know weather to write this as troll, astroturfing or just ignorance

Nope, it was genuflecting pissed offness at Apple. I love Macintosh, I am a devoute Mac fan (all my home computers are macs and all my work computer that I buy are Macs, including the servers if at all possible) however, since I started using OS X I have noticed that I have to restart way more than when I was a RedHat user, though certainly less than when I was a MS user. However, in the last two months, I have installed 5 updates

Re:just like MS

[Kalak]

Or, if you know that it's say just Apache being updated. force quit the Software Update app, then restart Apache by hand. This is unix afterall. If it's not a core part of the OS, then you don't *need* a restart, but this is a consumer driven OS company (X Server is still based on the concept of a consumer server OS) they keep it simple with a reboot. If you know what to issue the kill command to, you're all set. I've avoided a number of reboots this way. Become Zen with your OS, no matter what it is.

10.2.8?

[antdude]

Do any of these fixes affect 10.2.8 or only for 10.3?

Re:10.2.8?

[Duke Thomas]

The update is available for both Panther [apple.com] (10.3.1 or later) and Jaguar [apple.com] (requires 10.2.8).

Re:10.2.8?

[Duke Thomas]

Er, my URLs are wrong, but nonetheless the update is available for Jaguar through software update. :)

Re:10.2.8?

[sonetsst]

As a matter of fact, not only is it available for 10.2.8 but also for 10.1.5, just check the download page under the OS X tab on apple.com.

If only we got that sort of backwards compatibility with windows...

Re:10.2.8?

[HSpirit]

I am not a Micro$oft/Windows apologist by any means, but Microsoft are still supporting Windows 2000 (which predates MacOS X 10.1 aka 'Puma'), and have even given a half-arsed commitment to provide security updates for a fully service-packed Windows NT4 (which probably predates MacOS 9.2, although I could be wrong on that count).

Groundhog Day

[PDubNYC]

I have installed it on 3 machines, and everything seems to work fine with one exception. Every time I install it and reboot, there it is in the Software Update list again. I even tried installing it a 2nd time on one machine, sure enough it was there again after reboot. Big Ben, Parliament, kids

Re:Groundhog Day

[SillyWilly]

I had that with one of the Java Updates, I just made it inactive in the end and it seems to have disappeared now.

Re:Groundhog Day

[Ilgaz]

IMHO run disk utility, repair permissions and try again.

If on 10.3 (panther) you can keep the download after install in case there is problem again.

Re:Groundhog Day

[Ilgaz]

"already tried that yesterday, no luck"

That makes me think its about time you do extensive disk check with disk utility or some other program.

Re:Groundhog Day

[johnt519]

I feel your pain. I updated 3 machines last night (Dual 2 G5, 15" iMac G4, iBook 800) and it's happening on all three. I'm running the update now on an iBook 500 (dual usb), so we'll see what happens there.

It was twenty years ago today...

[ptimmons]

Happy 20th Anniversary, Macintosh users. You get... a security fix.

Re:It was twenty years ago today...

[bennomatic]

So will my patch for AmigaOS be coming out some time in the next five years or so?

Airport Extreme update too!

[djupedal]

Fingers crossed...been waiting for months.

Details of update

[3gramsofcrack]

APPLE-SA-2004-01-26 Security Update 2004-01-26

Security Update 2004-01-26 is now available. It contains security enhancements for the following:

AFP Server: Improves AFP over the 2003-12-19 security update.

Apache 1.3: Fixes CAN-2003-0542, a buffer overflow in the mod_alias and mod_rewrite modules of the Apache webserver.

Apache 2: Fixes CAN-2003-0542 and CAN-2003-0789 by updating Apache 2.0.47 to 2.0.48. Installed only on Server systems.

Classic: Fixes CAN-2004-0089 to improve the handling of environmen