Security Update 2013-001

Am on Snow Leopard.

Software update, whcih has offreed a constant stream of JAVA updates of
late is now offering Security Update 2013-001 and points to:

http://support.apple.com/kb/HT1222

For more information. But that page contains no mention of this security
update.

Is there a way to find out what it is about ?

Is there a way for me to unoack it from wherever it has been downloaded
and examine its contents ?

Reason: since Snow Leopard is no longer expected to get upgrades, I have
aready begun to upgrade components on my server with more recent
versions of middleware. If this sexurity update affects, those I want to
know before I run it.

 

Sure it does, in the second item listed -

OS X Mountain Lion v10.8.3 and Security Update 2013-001
http://support.apple.com/kb/HT5672

You could also subscribe to Apple's Product Security
(security-announce) mailing list and get the info that
way.

Billy Y..

 

Download:
For Mac OS X v10.6.8
The download file is named: SecUpd2013-001.dmg
Its SHA-1 digest is: dc52d0f7d2db6080c57c7b9252a4d85c5e178450

(http://support.apple.com/downloads/)

Open the file and the .pkg. When you see the installation menu press
CMD-I (show files).

SK.

 

The second item at http://support.apple.com/kb/HT1222 I see:
Java for OS X 2013-001 and Java for Mac OS X v10.6 Update 13

It points to: http://support.apple.com/kb/HT5666
Doesnt say "Security Update" for me.



But Software Update says "Security Update" without any mention of Java.

Out of curiosity, of the many Java updates I have been getting lately,
none required a reboot. But this one does ?

This is getting to be a bit ridiculous with Java updates all the time.
Also surprised that it would show this update supposedly released Feb 19
only today for me, even though I seem pretty sure to have received Java
updates since then.

 

The HT1222 page is usually updated a day or two after the update becomes
available. It may vary between people depending on how fast changes
propagate to your local node of the Akamai distributed server network.

The security fixes are listed in Apple's security announcment e-mail,
which I got within about an hour of the update being released. Those
notes will eventually appear in HT1222.

The copy of HT1222 I see now does have a link to this page, which has
full details:

http://support.apple.com/kb/HT5672

If you want to get more prompt notification of what security fixes are
in Apple's updates, go to http://lists.apple.com, locate the
"Security-announce" list, and subscribe to it.

This might have been the last security update for 10.6.8, or there might
be one more. It depends on whether Apple does any more minor updates or
security updates for 10.8 before 10.9 is released, and even then, there
might still be one more batch of security updates for Snow Leopard.

A final security update around two or three months from now would give
Snow Leopard about the same support timeframe for security updates as
Leopard and Tiger got.

Alternatively, Apple might keep doing security updates a little while
after 10.9, until Snow Leopard's usage drops to a small enough
proportion of the installed base that Apple thinks it can get away with
no longer supplying security updates.

It appears that Apple has stopped fixing security issues in Safari 5.x
on Snow Leopard and Windows, which is surprising.

Components Apple list as having updated on 10.6.8 Server: Apache
(speficially mod_hfs_apple), International Components for Unicode,
ImageIO, Jabber server, PDFKit, Podcast Producer Server (specifically
its copy of Ruby on Rails), PostgreSQL, QuickTime, Ruby on Rails,
disallowed some SSL certificates from a particular CA, Software Update,
Malware removal tool.

 

That won't tell you much about what changed in just the latest security
update, because it includes everything updated in all prior security
updates back to 10.6.8. You'd have to compare it with the previous
security update if you wanted to know just what changed in this update.

On the other hand, installing this security update would probably try to
patch or replace all the files listed, even if they weren't changed from
the previous security update. If JF Mezei has been replacing
Apple-supplied open source components of Mac OS X Server with separate
builds, any security update may interfere with them.

It is probably better to disable Apple's version of the component and
install a separately built one in a different location, perhaps via
something like MacPorts or Fink which can manage packages. Depending on
the component, you may lose the ability to configure it via Server
Admin/Preferences.

 

OK, this was updated to have 2 entries from March 14th, and one is:

OS X Mountain Lion v10.8.3 and Security Update 2013-001

Sor of interesting that Apple releases a new version of Mountain Lion
which is essentially a Security Update AND a Security Update.

Couldn't it have been Security Update 2013-001 that applied to
everything from 10.6.8 to 10.8.2 ?

Since you live a day ahead of us I guess you get the updated content a
day before us


Looks like Apple has made a number of fixes. Just wish it could be
installed now, and kick in at next reboot instead of forcing reboot now.

 

10.8.3 includes a lot more changes than just security updates.

How long have you been using Mac OS X? (Though I suppose if you are
still running Snow Leopard as your latest OS, you might have started to
forget these details.)

As far back as I recall, the pattern is:

- Apple releases a new minor version of the latest OS. It includes
security fixes, general bug fixes and sometimes minor new features or
tweaks to existing features.

- At the same time they release a security update for the previous major
version of OS X.

- Now that they are doing annual releases of major versions, they
usually also release a security update for the second previous major
version of OS X.

- There are also security updates for the server editions of the
supported major versions. (This now only applies to 10.7 and earlier,
since the Server component is distributed and updated independently for
10.8 and presumably future OS X versions.)

Some of the security fixes apply to all the versions and variants, so
are included in all the updates. Other security fixes only apply to some
versions or variants, so they are included in the appropriate updates
(the security update usually has a note if that particular security fix
is not applicable to later versions).

The description page linked from HT1222 (or the e-mail from
Security-announce) only lists the security changes. It doesn't describe
the other changes in the latest minor version of OS X (the other changes
Apple feel worthy of note are described in a different page, which is
linked from the manual download page, and is also displayed by Software
Update or App Store.

On occasion, Apple releases a pure security update for the latest OS
(between minor versions), and it often has variants for the still
supported earlier OS versions (and server variants).

No, because the security update patches or replaces the specific version
of the original files which are present in each major OS version, which
may not be the same. Each variant of the security update checks that it
is being installed on the correct specific major/minor version and
client/server variant of the OS.

Hardly. I sometimes have to wait several hours before I can see updated
pages at Apple.

 

I had gotten used to Snow Leopard not gettting any updates except for
iTunes. One tends to forget the processes quickly.

Then, all of a sudden, a month or two ago, I started to get frequent
Java updates (lost track of how many) but those didn't require a reboot
(nor restarting browser) so you install them right away and no need to
plan a reboot for when it is convenient.

 

Salut JF

<http://support.apple.com/kb/HT1222>

the 1st item in the security updates table shows "Safari 6.0.3" to me
The 2nd item "OS X Maountain Lion v10.8.3 and Security Update 2013-001"
The 3rd item "Java for OS X 2013-002 and Java for MacOSX v.10.6 Update
13"

The first two are dated 14 Mar 2013.

The item with "Security Update 2013-001" in the link title is the one
that you are interested in, on whatever position it stands on the page
_you_ are looking at, and it should be dated 2013_03_14 ;-)

Cheers
Andreas

 

The page was updated after I posted the original message. At the time I
got the software update notice, the web page had a 2013-001 java related
security update dated february 19th. This was the second item on the
list. But this was because the list had not yet been updated for me.

Today, it shows it as you (and David Empson) mentioned.

 

The version of Xcode which came down once 10.8.3 was installed
specifically mentioned updates for the 10.8.3 SDK, so I assume that
10.8.3 brought extra features as well as security updates.