Skip to content

WTF Update?

Since afp548’s extended knowledge base articles haven’t gotten any updating in almost 3 years, I thought I would automate a way to generate ones that are a little bit more informative than what Apple provides us. So, with little fanfare, I would like to present: wtfUpdate.py

Usage is: wtfUpdate.py pathtopackage.pkg pathtooutput.html

It is a simple (as in kludged together in the last day during my spare time) script that expands the flat packages Apple now uses to distribute OS and Security updates, uses BeautifulSoup to pull out the description, then copies out the contents on the Scripts directory for each subpackage, and then finally generates an expandable list based on the output of lsbom (using List Expander, whose website appears to be redirecting horribly wrong right now).

Here is the output for:

Leopard 2009-001 Security Update

Leopard Server 2009-001 Security Update

10.5.6 Combo Update (beware, html is 4.8mb)

Most of this was just an experiment to see how hard it would be to provide the above information in a knowledge base article. While sysadmins and installers may know how to use lsbom / pkgutil –payload-files to see what the installer package touches when it updates, it means you actually have to keep the package around for reference, or use Pacifist, or in general stay up on these things. For a general user, if they had a chance to see such information before applying an update, they may notice that Perl is being touched, and to possibly wait or test on another system before installing, so it doesn’t break their modified installation.

The output could be cleaned up, and the nested list code will need some work, but as a proof of concept, I would have to say it is pretty nice. It may possibly break on your system, and I wasn’t exactly trying all that hard to make it robust, but it does generate parse-able html for safari and firefox for the specific 10.5 flat package format Apple is using to distribute their security updates and os updates (metapackages, 10.4 standard packages/bundles do not work).

Security Update Out

More information here.

To clarify: I was ranting about the lack of transparency regarding a very big issue that everyone else appeared to have been pretty public about. I don’t know how they went about writing the update, but if they were waiting for the entire update, instead of issuing a single Bind patch to be in sync with everyone else, then that would explain the delay.

For something on the scale of the bind exploit, I would have hoped they issued a separate update for it.

Apple Dragging their feet with DNS hijack fix

 

[updated- see bottom of post]

Apple has still yet to acknowledge a timeline for when they will be providing a patch for BIND for OS X Server. This is currently leaving admins having to patch bind themselves (only to have it clobbered in the next apple update) or not even know that there is a problem or how to fix it. The only response I have seen so far has been from another admin who posted to the macos-x-admin mailinglist the a summary of the response he received from Apple in regards to the timeliness of their security patches (in regards to this dns issue). My summary of his is below:

They are currently working out the issues (with some installations of 10.4/5) and will have an update soon™.

It would be worse to break this functionality than to rush out a ‘fix’, especially since we have received no report of any actual exploit against our installed base.

Continue reading ›

Tagged , , ,