Apache / Security Updates

[Beepcake]

I've had a search around, but I can't find a definitive answer.. does Apple keep the open source stuff such as Apache patched with security updates using the normal software update system, or do I need to handle it some other way?

 

[GraemeUK]

Well, I don't know about Apache but X11 is not the most up to date version with the latest security fixes. X11 version available online is several versions ahead. Not sure if this is the same policy for Apache?

 

[Beepcake]

Not too fussed about it being the latest version, just don't want it to be like swiss cheese

I wanted to put a DNS server on there too, just for internal use, but it looks like a bit of a manual process.. starting to think I should reinstall with Leopard Server

 

[BillytheImpaler]

Apple's (mooched) OSS stuff is often left without patching for long, long, long times. Don't rely on them to keep your web server secure.

 

[Beepcake]

Hmm.. I wonder if that's the same for Leopard Server, as it's primary functions are running on OSS. Perhaps their binaries are far enough removed to not require as many patches.. but that's a bit of a long shot

 

[BillytheImpaler]

Since Leopard is the newest the bugs and such in it will be youngest. As time goes on the unpatched vulnerabilities and such will just get older until either they patch them, which is unlikely, or they ask you to upgrade to Snow Leopard.

If it's not facing the outside world, i.e. intranet-only, then it's probably not as big a deal. If it is a big deal you might want to just install Xcode and maintain your own patches based on stable releases of Apache. It's not too tough.

 

[Sic]

apache's really easy to install/keep updated if you've got the developer tools installed. PHP, on the other hand, can be a pain in the ass

 

[Beepcake]

Since Leopard is the newest the bugs and such in it will be youngest. As time goes on the unpatched vulnerabilities and such will just get older until either they patch them, which is unlikely, or they ask you to upgrade to Snow Leopard.

If it's not facing the outside world, i.e. intranet-only, then it's probably not as big a deal. If it is a big deal you might want to just install Xcode and maintain your own patches based on stable releases of Apache. It's not too tough.

I'm perfectly comfortable with nix development if I have to keep things up to date myself, but I find it really hard to believe that Apple wouldn't patch security problems. There are still plenty of Tiger servers around on the internet, I don't see why anyone would really bother with OS X server if they have to manually compile new releases.. even most linux distros have a nice easy way to upgrade security releases.

 

[Beepcake]

Actually, I've just been reading through the software update logs, and they do patch major vulnerabilities in Apache:

http://support.apple.com/kb/HT1897

They might not keep it bang up to date (not bothered about that), as long as they patch any major holes I'm happy