Security Update from MAC breaks ssh -X

John Davidorff Pell johnpell at gmail.com
Tue Mar 20 11:30:18 EST 2007 

On Mar 19, 2007, at 4:26 PM, William Ahern wrote:
> On Tue, Mar 20, 2007 at 09:25:49AM +1100, Darren Tucker wrote:
>> This has been the default for years, I don't know why you're only  
>> seeing
>> problems now (unless Apple used to change the default in their  
>> packages
>> and now don't?)

The original poster is running Mac OS X 10.3.9. 10.3 is 3 years old.

> For one thing, Apple hasn't updated their version of OpenSSH for  
> years.
> Which patches they backport is anyone's guess. They certainly haven't
> backported control socket mastering.

Apple doesn't backport much of anything in the open source projects,  
they just update the the latest release. At the same time, Apple  
doesn't update *any* software in Mac OS X unless there are security  
flaws or other bug fixes. Mac OS X is a commercial operating system  
that cannot afford the release-early-and-fix-often mentality. It has  
to work (well enough) the first time, and not break later. (Yes, I  
know that this doesn't always happen. Its /supposed/ to work this way.)

> Likewise for OpenSSL. Basically, Apple ceased all Unix environment
> development the moment OS X shipped. Soon porting Unix apps to OS X  
> will be
> as fun as to Microsoft's POSIX interface.

That's just not true. With each major release of Mac OS X, Apple  
syncs with the FreeBSD userland. Almost all commands that were  
shipping with FreeBSD 5.0 are the versions in Tiger. In some cases,  
Tiger versions have been updated due to security fixes or just bug  
fixes, as I mentioned above. That's not all that old.

Specifically for OpenSSH. Apple updated to OpenSSH 3.8 (from 3.6) in  
a security update sometime after 10.4.6 (it might simply have been in  
10.4.7, I don't remember). The latest security update came up to  
OpenSSH 4.5.



The moral of the story: If you want Apple to update a working open  
source package in between major releases, then find and report [to  
Apple] a security flaw that is fixed in the version of the package  
that you want Apple to update to. ;-)



JP



--
"Human beings, who are almost unique in having the ability to learn  
from the experience of others, are also remarkable for their apparent  
disinclination to do so." -- Douglas Adams


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2520 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20070319/a26351c0/attachment.bin

More information about the openssh-unix-dev mailing list