They are currently offering the packages only over a plain HTTP download with 
no signatures for verification. Since sophisticated spearphishing attacks are a 
concern for my organization, I will unfortunately have to recommend my users 
wait for the download to show up in Software Update. Honestly, I'm not sure I'd 
recommend anyone outside of Apple's network download these.

On 10/01/2014 09:48 AM, Steve Yuroff wrote:
> For whatever reason Apple chose, the bash update is not applied via
> Software Update - you're seeing known behavior.  It's only getting
> updated if you apply the package from your link below.
>
> Those of us who manage many Macs are importing the package to our
> management tools and deploying it like any other package.
>
> From: "Edward Ned Harvey (lopser)" <[email protected]>
> Date: Wednesday, October 1, 2014 at 11:33 AM
> To: LOPSA Technical Discussions <[email protected]>
> Subject: [lopsa-tech] Has anyone bothered to test vulnerability before &
> after updating bash?
>
>     On each machine that I update, I first run the "env=blahblah" test,
>     see that it's vulnerable, and then update, and then repeat the test
>     to confirm it's no longer vulnerable.
>
>     The patch on Mac seems to not work.  All the other systems - Linux -
>     after updating are fine.  But vulnerability persists after applying
>     all OS X updates.  In Software Updates, I click "Update" and it says
>     "Checking for updates..." and then "No updates available."  I
>     confirm "Command Line Tools" was updated yesterday.  I've even
>     rebooted since then.
>
>     The vulnerable version of bash on Mac is 3.2.51, and patched is
>     3.2.53.  I confirmed after fully updating via Software Update and
>     rebooting, I'm still at 3.2.51.
>
>     After manually applying the update from
>     http://support.apple.com/kb/DL1769, the vulnerability goes away, and
>     I'm at 3.2.53.
>
>     So far I've only observed this on one Mac.  But I'm getting my hands
>     on more systems to test more.
>
> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
>  http://lopsa.org/
>
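
The before/after check described in the thread, as an added example that is not part of any message above. It assumes the "env=blahblah" test means the widely published function-import probe; the function names are hypothetical, and the 3.2.53 threshold is the OS X figure quoted in the thread.

```shell
#!/bin/sh
# Added example (constructed): confirm a bash update took effect by checking
# both the reported version and the observed behaviour of the binary.
# PATCHED_VERSION is the OS X 3.2-branch figure quoted in the thread; other
# bash branches have different patched versions, so adjust per platform.
PATCHED_VERSION="3.2.53"

# Succeeds (exit 0) when dotted version $1 is strictly lower than $2.
# Fields are compared numerically, so 3.2.9 sorts below 3.2.53.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Prints the x.y.z version reported by the bash binary at path $1.
bash_version() {
    "$1" --version |
        sed -n '1s/.*version \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p'
}

# Runs the function-import probe against the bash binary at path $1 in an
# otherwise empty environment. Prints "vulnerable" if text trailing a
# function definition in an environment variable runs at shell start-up.
probe_bash() {
    out=$(env -i probe='() { :;}; echo EXECUTED' "$1" -c 'echo done' 2>/dev/null)
    case "$out" in
        *EXECUTED*) echo vulnerable ;;
        *) echo not-vulnerable ;;
    esac
}

# One-line report: run before and after the update and compare the lines.
check_bash() {
    ver=$(bash_version "$1")
    if version_lt "$ver" "$PATCHED_VERSION"; then
        state="below-$PATCHED_VERSION"
    else
        state="at-or-above-$PATCHED_VERSION"
    fi
    echo "$1 version=$ver ($state) probe=$(probe_bash "$1")"
}

# Usage: sh check_bash.sh /bin/bash
if [ -n "$1" ]; then
    check_bash "$1"
fi
```

A version that still reads 3.2.51 together with a "vulnerable" probe after running Software Update matches what the thread reports; the probe covers only the original function-import flaw, so the version check remains the authoritative signal for the later fixes.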
