| Sunday, June 30, 2002 |
20:57 - SSHazam
http://docs.info.apple.com/article.html?artnum=120131
|
(top)  |
So it seems that while I was out, Apple released a security patch for the recently publicized SSH security hole, not two days after the fix was committed by the OpenSSH maintainers. Apple's patch comprises new versions of OpenSSH, OpenSSL, and Apache.
According to MacInTouch, the update still has a problem in the SSL components-- something that was addressed in a later update at CERT. (This whole SSH upgrade thing has been a major fiasco-- no fewer than three revisions of the OpenSSH patch were released for FreeBSD and other platforms, over the course of those two days, before they finally got it right.) Apple has evidently chosen to plug the most egregious hole first, and address the remaining bits in another update which we should expect within a few days. The same goes for the resolver vulnerability that has also been uncovered.
The crux of this, though, is that this is the incident and response that we were all waiting for that would prove Apple's commitment to being an earnest member of the UNIX vendor community. Previous security holes have had responses from Apple within a week or two-- about on par with companies like Sun and HP, but not competitive with what Linux and FreeBSD and Windows admins tend to want. (Windows patches are sometimes very timely, and sometimes lag by months.) People have had their eye on Apple to see how they would react to the "next big hole"-- it would be a make-or-break for the company in many server admins' eyes.
And considering the speed with which they've released this fix, I think they've laid down a pretty respectable line in the sand. Kudos to 'em.
|
|
