Re: [Dailydave] This guy cracks me up.
From: Rhys Kidd (rhyskidd gmail.com)
Date: Sat Sep 02 2006 - 22:22:00 CDT
"to generate publicity at the expense of the Mac's renowned reputation for
security" - John Gruber
Renowned reputation?? Let's take the Apple Security Update for 27 June 2006,
http://docs.info.apple.com/article.html?artnum=303973.
The OpenLDAP (Apple rebrands this OpenDirectory, their core user management
framework) bug they report was fixed in the OpenLDAP source code on 31st
December __2004__. When a company is getting hit by bugs reported over a
year and a half ago, and fixed in 2004, it says a lot about their code
review department. Sure it's not exploitable, but the version of OpenLDAP in
the www.opensource.apple.com/ tree is that old.
Unfortunately, Apple doesn't commit their security patch fixes into their
OpenSource offerings, so we'll have to wait for OS X 10.8 to see if they
update the entire OpenLDAP version, or simply apply a one-off fix to that
file.
Compare:
[1] http://www.opensource.apple.com/darwinsource/10.4.7.ppc/OpenLDAP-69.0.2/OpenLDAP/CHANGES
[2] http://www.openldap.org/software/release/changes.html
Apple has to make some concerted steps towards ensuring the software they
import from the OpenSource world is secure, and I'd doubt their in-house
software is any better.
- Rhys
_______________________________________________
Dailydave mailing list
Dailydave lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave