[Opensim-dev] Fwd: [sldev] Security Update to SL Viewers and source code

Dahlia Trimble dahliatrimble at gmail.com
Fri Sep 26 20:21:39 UTC 2008


Thought this would be of interest to the opensim community.

-d

---------- Forwarded message ----------
From: Ramzi <ramzi at lindenlab.com>
Date: Fri, Sep 26, 2008 at 1:11 PM
Subject: [sldev] Security Update to SL Viewers and source code
To: sldev at lists.secondlife.com


Hi SLDEVelopers,

I wanted to mention directly to the SLDEV list that Linden Lab released a
security update to the official and Release Candidate viewers to address a
potential security issue. Updated source code is available at:
http://wiki.secondlife.com/wiki/Source_downloads

The full text of the announcement to Second Life Residents is on the Status
Page of secondlifegrid.net, and repeated here below for your convenience.

Kind regards,
Ramzi Linden



http://status.secondlifegrid.net/2008/09/26/post256/

*Security Update to Second Life viewers: 26 Sept 2008*

Linden Lab has released an optional update to the Second Life viewers today
to address a potential security issue. Recently an audit identified a
possible vulnerability. If a malicious user were able to obtain the IP
address and port of a Resident's viewer, then the malicious user could forge
data packets to the Resident's computer. This could be done in a way to
cause the viewer to return enough information about its session to allow the
attacker to initiate various server-side operations as if they were the
Resident, including L$ transactions.

In the case of L$ transactions, this action would be visible to you: if this
were to occur, the viewer would report the transaction after it occurred in
the normal blue dialog box. Also, you are always able to inspect the
transaction log to see recent transactions. This would allow you to notice
and report these actions for violating the Second Life Terms of Service.

This type of malicious action would constitute a violation of the Terms of
Service, and would be against the law in some locations. At this time we
have no evidence that this vulnerability was ever exploited.

To eliminate this vulnerability, we have now updated the Second Life servers
to transmit the messages over an encrypted channel (HTTPS). Now that the
server upgrade is complete, we are releasing updated viewers that only
accept these messages when transmitted over an encrypted channel. Once you
have downloaded the update, if a malicious third party were to attempt to
send messages over the old channel (UDP), they would be ignored.

Again, we have no indication to date that this security issue has ever been
exploited or is being exploited currently. However, we strongly encourage
Second Life Residents to update to the latest viewer with the security
patches in place. The viewers are:

* Second Life Release Viewer 1.20.16 (this updates 1.20.15, released on July
24th)
* Second Life Release Candidate Viewer 1.21 RC3 (this updates RC2 and
includes additional bug fixes as part of the usual release candidate cycle)

Older viewers (such as the 1.19 series) are not being required to upgrade to
version 1.20.16, but we encourage Residents to update if possible to take
advantage of the latest bug and security fixes.

The updated source code for these new 1.20 and 1.21 RC viewers is being made
available via the usual open source channels.

For discussion about the issue, please visit the Second Life Forum:
http://forums.secondlife.com/forumdisplay.php?f=350

_______________________________________________
Policies and (un)subscribe information available here:
http://wiki.secondlife.com/wiki/SLDev
Please read the policies before posting to keep unmoderated posting
privileges
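The fix described in the forwarded announcement (honour the session-disclosing messages only when they arrive over the server-authenticated HTTPS channel, and ignore them on UDP, whose source address and port anyone can forge) is illustrated below as a viewer-side dispatcher model. This is an added example written for this page, not Linden Lab's viewer code; the message-type numbers, the wire format, the `Session` record and the `"udp"`/`"https"` channel tags are all constructed stand-ins, not the Second Life protocol's real identifiers.

```python
"""Added illustration (not Linden Lab code) of the hardening described in the
status-page announcement: a message type whose reply carries session secrets
must not be actionable from a spoofable UDP datagram.

Everything here is constructed for the example: message IDs, wire format,
session fields and channel tags are hypothetical, not the SL protocol's.
"""
import struct
from dataclasses import dataclass

# Constructed message-type IDs (hypothetical, not SL's real message numbers).
MSG_CHAT = 0x01           # harmless; fine to accept over UDP
MSG_SESSION_QUERY = 0x02  # asks the viewer to report its session credentials

# Message types whose replies disclose session material.  After the fix these
# are honoured only when they arrive over the authenticated HTTPS channel.
AUTHENTICATED_ONLY = {MSG_SESSION_QUERY}


@dataclass
class Session:
    agent_id: str
    session_id: str  # the secret a forger wants echoed back


def build(msg_type: int, body: bytes = b"") -> bytes:
    """Constructed wire format: 1-byte type, 2-byte big-endian length, body."""
    return struct.pack("!BH", msg_type, len(body)) + body


def parse_datagram(payload: bytes):
    """Parse the constructed wire format; reject short or truncated input."""
    if len(payload) < 3:
        raise ValueError("short datagram")
    msg_type, length = struct.unpack("!BH", payload[:3])
    body = payload[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    return msg_type, body


def handle_message(session: Session, msg_type: int, body: bytes,
                   channel: str, require_https: bool = True):
    """Viewer-side dispatch.  channel is "udp" or "https" (constructed tags).

    require_https=False models the pre-patch behaviour: the viewer answers a
    session query however it arrived, so anyone who knows the viewer's
    IP:port and forges a UDP packet gets the session credentials back.
    require_https=True models the patched behaviour: the same query over UDP
    is silently ignored, while over HTTPS it is still answered.
    """
    if msg_type in AUTHENTICATED_ONLY and require_https and channel != "https":
        return None  # UDP source address/port prove nothing; drop it
    if msg_type == MSG_SESSION_QUERY:
        return f"{session.agent_id}:{session.session_id}"
    if msg_type == MSG_CHAT:
        return f"chat:{body.decode('utf-8', 'replace')}"
    return None  # unknown type: ignore


def demo():
    """Run the forged session query through the old and new dispatch rules."""
    sess = Session("agent-1234", "sess-secret-abcd")
    forged = build(MSG_SESSION_QUERY)  # constructed forged datagram
    msg_type, body = parse_datagram(forged)
    before = handle_message(sess, msg_type, body, "udp", require_https=False)
    after_udp = handle_message(sess, msg_type, body, "udp", require_https=True)
    after_https = handle_message(sess, msg_type, body, "https", require_https=True)
    return before, after_udp, after_https


if __name__ == "__main__":
    print(demo())  # (credentials, None, credentials)
```

The point of the model is the check in `handle_message`: the decision is keyed on the channel the message actually arrived on, not on anything inside the packet, because a forger controls every byte of a UDP datagram including its apparent source. Chat over UDP still works, which mirrors the announcement's scoping of the change to the sensitive messages rather than to UDP as a whole.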