Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: Bush2000
Sweeeeeeet! Remote exploits ... yummmmy....

Not plural; singular. Only one of the issues seems to refer to a "remote exploit" and that was for a service that is not even provided with an OSX installation. The vulnerability seems to be in Apache... and may affect other Apache Unix installations as well.

Apache
CVE-ID: CAN-2005-1344
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: The htdigest program contains a buffer overflow, which if used improperly in a CGI application, could allow a remote system compromise
Description: The htdigest program could be used in a CGI application to manage user access controls to a web server. htdigest contains a buffer overflow. This update fixes the buffer overflow in htdigest. Apple does not provide any CGI applications that use the htdigest program. Credit to JxT of SNOsoft for reporting this issue.

It's nice to close the vulnerability before there are any apps that could use it. Of course it makes one wonder what JxT of SNOsoft is coding that required the use of htdigest that allowed him to find this hole.

4 posted on 05/04/2005 12:18:58 PM PDT by Swordmaker (tagline now open, please ring bell.)


To: Swordmaker
Not plural; singular. Only one of the issues seems to refer to a "remote exploit" and that was for a service that is not even provided with an OSX installation. The vulnerability seems to be in Apache... and may affect other Apache Unix installations as well.

Wrong. Several patches have been made to prevent remote exploitation. Search for "remote" and read about them. Whether Apache is distributed with OS X is irrelevant. The fact of the matter is that, if you're running a web server with OS X, you're most likely going to be running Apache. So, fish down to the bottom of the barrel for more lame excuses.

It's nice to close the vulnerability before there are any apps that could use it.

Uh, sorry but that was a clueless comment.
9 posted on 05/05/2005 5:44:39 PM PDT by Bush2000
