[Opensim-dev] Fwd: [sldev] Security Update to SL Viewers and source code

Teravus Ovares teravus at gmail.com
Fri Sep 26 22:41:05 UTC 2008


Hey,

After this was posted, some people voiced concerns that this might
cause problems with use connecting to OpenSimulator.

I went online with a proxy and didn't find anything obvious that would
be problematic for use on OpenSimulator in the security release of the
viewer.

Best Regards

Teravus


On 9/26/08, Dahlia Trimble <dahliatrimble at gmail.com> wrote:
> Thought this would be of interest to the opensim community
> -d
>
>
> ---------- Forwarded message ----------
> From: Ramzi <ramzi at lindenlab.com>
> Date: Fri, Sep 26, 2008 at 1:11 PM
> Subject: [sldev] Security Update to SL Viewers and source code
> To: sldev at lists.secondlife.com
>
>
> Hi SLDEVelopers,
>
> I wanted to mention directly to the SLDEV list that Linden Lab released a
> security update to the official and Release Candidate viewers to address a
> potential security issue. Updated source code is available at:
> http://wiki.secondlife.com/wiki/Source_downloads
>
> The full text of the announcement to Second Life Residents is on the Status
> Page of secondlifegrid.net,
> and repeated here below for your convenience.
>
> Kind regards,
> Ramzi Linden
>
>
>
> http://status.secondlifegrid.net/2008/09/26/post256/
>
> *Security Update to Second Life viewers: 26 Sept 2008*
>
> Linden Lab has released an optional update to the Second Life viewers today
> to address a potential security issue. Recently an audit identified a
> possible vulnerability. If a malicious user were able to obtain the IP
> address and port of a Resident's viewer, then the malicious user could forge
> data packets to the Resident's computer. This could be done in a way to
> cause the viewer to return enough information about its session to allow the
> attacker to initiate various server-side operations as if they were the
> Resident, including L$ transactions.
>
> In the case of L$ transactions, this action would be visible to you: if this
> were to occur, the viewer would report the transaction after it occurred in
> the normal blue dialog box. Also, you are always able to inspect the
> transaction log to see recent transactions. This would allow you to notice
> and report these actions for violating the Second Life Terms of Service.
>
> This type of malicious action would constitute a violation of the Terms of
> Service, and would be against the law in some locations. At this time we
> have no evidence that this vulnerability was ever exploited.
>
> To eliminate this vulnerability, we have now updated the Second Life servers
> to transmit the messages over an encrypted channel (HTTPS). Now that the
> server upgrade is complete, we are releasing updated viewers that only
> accept these messages when transmitted over an encrypted channel. Once you
> have downloaded the update, if a malicious third party were to attempt to
> send messages over the old channel (UDP), they would be ignored.
>
> Again, we have no indication to date that this security issue has ever been
> exploited or is being exploited currently. However, we strongly encourage
> Second Life Residents to update to the latest viewer with the security
> patches in place. The viewers are:
>
> * Second Life Release Viewer 1.20.16 (this updates 1.20.15, released on July
> 24th)
> * Second Life Release Candidate Viewer 1.21 RC3 (this updates RC2 and
> includes additional bug fixes as part of the usual release candidate cycle)
>
> Older viewers (such as the 1.19 series) are not being required to upgrade to
> version 1.20.16, but we encourage Residents to update if possible to take
> advantage of the latest bug and security fixes.
>
> The updated source code for these new 1.20 and 1.21 RC viewers is being made
> available via the usual open source channels.
>
> For discussion about the issue, please visit the Second Life Forum:
> http://forums.secondlife.com/forumdisplay.php?f=350
>
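
The fix described in the forwarded announcement (updated viewers accept these messages only over HTTPS and ignore copies sent over UDP) amounts to a per-message transport policy in the receiver's dispatcher. The following is an added example, not part of the thread and not Linden Lab's code; the `Dispatcher` type and the message names are hypothetical, since the announcement does not name the affected messages.

```cpp
#include <cstdio>
#include <functional>
#include <map>
#include <set>
#include <string>
#include <utility>

// Transport a message arrived on. A UDP datagram carries no proof of who sent
// it; the HTTPS channel is authenticated and encrypted by TLS.
enum class Transport { UDP, HTTPS };

// Hypothetical dispatcher: every handler is registered with a transport policy.
struct Dispatcher {
    using Handler = std::function<void(const std::string&)>;
    std::map<std::string, Handler> handlers;
    std::set<std::string> https_only;  // never honoured when received over UDP
    int dropped = 0;                   // counter a client could log or alert on

    void on(const std::string& name, bool secure_only, Handler h) {
        handlers[name] = std::move(h);
        if (secure_only) https_only.insert(name);
    }

    // Returns true if the message was handled, false if it was ignored.
    bool dispatch(Transport via, const std::string& name, const std::string& body) {
        auto it = handlers.find(name);
        if (it == handlers.end()) { ++dropped; return false; }  // unknown: deny
        if (via != Transport::HTTPS && https_only.count(name)) {
            ++dropped;  // forged or legacy UDP copy of a sensitive message
            return false;
        }
        it->second(body);
        return true;
    }
};

// Constructed scenario: returns how many times the sensitive handler ran.
int demo_sensitive_runs() {
    Dispatcher d;
    int sensitive = 0;
    d.on("SensitiveSessionMsg", true, [&](const std::string&) { ++sensitive; });
    d.on("RoutineUpdate", false, [](const std::string&) {});
    d.dispatch(Transport::UDP, "SensitiveSessionMsg", "forged");  // ignored
    d.dispatch(Transport::HTTPS, "SensitiveSessionMsg", "real");  // handled
    d.dispatch(Transport::UDP, "RoutineUpdate", "pos");           // handled
    return sensitive;
}

int main() { std::printf("sensitive handler ran %d time(s)\n", demo_sensitive_runs()); return 0; }
```

The policy is enforced in the dispatcher rather than in each handler, so a message type moved to the encrypted channel cannot be reached through the old path by accident.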


