[Fed-Talk] Apple support for Mac OS X server 10.5 still needed?
- Subject: [Fed-Talk] Apple support for Mac OS X server 10.5 still needed?
- From: "Marcus, Allan B" <email@hidden>
- Date: Mon, 17 May 2010 12:16:59 -0600
Hello,
It appears Apple is no longer fully supporting Mac OS X Server 10.5. In the "Security Update 2010-002 / Mac OS X v10.6.3" round of security patches, Apple included resolution of 5 MySQL CVEs in the 10.6.3 update but did not patch these CVEs in the Security Update 2010-002 for 10.5.8. As a result, MySQL on 10.5.8 server is running at an older, less secure version.
It appears only the following CVEs, all MySQL related, were not dealt with for both 10.5 and 10.6:
CVE-2008-4456, CVE-2008-7247, CVE-2009-2446, CVE-2009-4019, CVE-2009-4030
My company has already been dinged for this by KPMG auditors. As I work the issue with AppleCare (which I cannot discuss due to the NDA), it occurs to me that others may be in the same boat. Running an insecure database is not a good idea. Obvious solutions are:
- Upgrade to 10.6 (lots of work for us to make our applications compatible)
- Build and install the latest MySQL myself (if I wanted to do that, I would be running Linux, although most Linux distros have updated MySQL)
- Migrate off of Mac OS X Server (this is the path we are likely to take)
I purchased my Xserve just 18 months ago. I would expect that Apple would support the software for at least three years after purchase. Three years is actually very short in the enterprise world, but at least it's something.
How do you feel about this? What's reasonable for Apple to support? Is Mac OS X Server a viable server OS for the enterprise if Apple lets critical vulnerabilities go unpatched in the previous version of the OS?
To be quite frank, I'm trying to raise awareness of this issue, so I'm posting on multiple lists.
I just don't understand why Apple didn't fix this for 10.5.8.
---
Thanks,
Allan Marcus
505-667-5666