
ssh version 5.6p1 is old, should be OpenSSH 6.0: April 22, 2012

Can someone please check the version of ssh included in Mountain Lion and post it here? I post this mostly as a public notice. Please add OpenSSH to your list of OpenBSD packages that are included in Apple's OS X distribution that are outdated.

See also:

rsync version 2.6.9 included very old, should be 3.0.9
https://discussions.apple.com/thread/3630852?answerId=17211026022#17211026022

why do I have to check for updates in four different places and not in a single one?!
https://discussions.apple.com/thread/3632357?answerId=17216243022#17216243022

Posted on May 5, 2012 8:54 AM


May 5, 2012 9:07 AM in response to dgerman

Anybody that would do that would violate their non-disclosure agreement with Apple.


As rsync 3.x is GPL v3, I would doubt that it will ever be bundled with an Apple OS until the GPL people stop trying to control the hardware that it is bundled with. That would apply to anything with a GPL v3 license. But, that was all explained in the links you posted.


OpenSSH uses the BSD License, so it might be updated, but I don't know for sure.


Being that you can just download and compile the source, you can load whatever version you want.

May 5, 2012 9:18 AM in response to Barney-15E

Barney-15E, thank you for your reply. The issue here is not the ability of updating software included with Apple's distribution, rather the need for every individual user to perform (literally) untold updates for each of their systems lest they encounter problems that have already been resolved. I am sure that many users either are unaware of revised versions, lack the confidence or knowledge, or are hesitant to upgrade individual programs for fear of incompatibilities. If you know of a list of Apple-provided but unsupported programs (or a means to generate one), please share it with the community.

May 5, 2012 9:40 AM in response to dgerman

At first, I wanted to reply, "who cares", because as long as the functionality is okay, then there isn't always a need to update the software.


But with the whole Flashback debacle, I'm not so sure anymore I really trust the automatic update system. The thing is, I'm not really sure how to avoid it. Apple includes 3rd-party software such as OpenSSH, but doesn't keep it up-to-date, like you mentioned.


And I'm a bit wary about that. I've already subscribed to the Apple security mailing list, but that wouldn't have helped me in the Flashback case. Is anyone aware of an outside OS-X only security mailing list?

May 5, 2012 10:53 AM in response to dgerman

Why should it be openssh 6.0? Newer versions usually add features, though they may at times include security fixes. And with that said, does the security fix need to be applied to a particular operating system? My advice: Take a step back and relax. Apple dropped the ball on this whole Flashback issue but there does not exist any user interface that is 100% secure.

May 5, 2012 6:05 PM in response to dgerman

dgerman wrote:


Barney-15E, thank you for your reply. The issue here is not the ability of updating software included with Apple's distribution, rather the need for every individual user to perform (literally) untold updates for each of their systems lest they encounter problems that have already been resolved.

Most users don't know about or use rsync, ssh, or the myriad of programs in the unix background. If you need them, it is pretty simple to google the name and find the distributions. Installing them may not be that simple, but for the most part, if you know what they are and why you need them, you likely know how to install them.

So, there isn't much of a need for anyone to maintain a list of versions as you seek. If you think it is important and others would find it useful, why don't you create it and maintain it?

May 7, 2012 12:46 AM in response to Mark Jalbert

Mark Jalbert wrote:


Why should it be openssh 6.0? Newer versions usually add features, though they may at times include security fixes. And with that said, does the security fix need to be applied to a particular operating system? My advice: Take a step back and relax.


That's what I first did as well, but after Flashback, I feel I need to stay involved. The OS vendor for my servers, RedHat, runs a security mailing list, and it's very quick with updates. With Apple, there's a security-related list but it's lagging a lot -- 3rd party sources are much quicker.


The most recent issue is now the plain text logging of passwords when you're running FileVault 1 under Lion:

http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963


So dgerman's suggestion that there should be a unified way to update software is an excellent one. But after fixing this, they should also run a tight ship with informing people. In the meantime, I'll rely on outside sources.

May 7, 2012 8:10 AM in response to Bart1977

So dgerman's suggestion that there should be a unified way to update software is an excellent one.

That has been a long-standing gripe among those that rely upon the CLI and it isn't going to change. New versions normally occur with the rollout of a major OS version. Patches to the current version of a binary on your operating system may happen.


So, if you want the latest and greatest then your options are to install a third-party package management system such as Fink or MacPorts, or roll your own. Whatever you do, do not replace any libraries or binaries supplied by the operating system.


Apple proprietary software is another story.
