[Opensim-dev] Fwd: [sldev] Security Update to SL Viewers and source code
Teravus Ovares
teravus at gmail.com
Sat Sep 27 03:31:48 UTC 2008
After further testing, it appears that several messages for basic
simulator function are now required to be sent over EventQueueGet, such
as the EnableSimulator packet.
On 9/26/08, Teravus Ovares <teravus at gmail.com> wrote:
> Hey,
>
> After this was posted, some people voiced concerns that this might
> cause problems with users connecting to OpenSimulator.
>
> I went online with a proxy and didn't find anything obvious that would
> be problematic for use on OpenSimulator in the security release of the
> viewer.
>
> Best Regards
>
> Teravus
>
>
> On 9/26/08, Dahlia Trimble <dahliatrimble at gmail.com> wrote:
> > Thought this would be of interest to the opensim community
> > -d
> >
> >
> > ---------- Forwarded message ----------
> > From: Ramzi <ramzi at lindenlab.com>
> > Date: Fri, Sep 26, 2008 at 1:11 PM
> > Subject: [sldev] Security Update to SL Viewers and source code
> > To: sldev at lists.secondlife.com
> >
> >
> > Hi SLDEVelopers,
> >
> > I wanted to mention directly to the SLDEV list that Linden Lab released a
> > security update to the official and Release Candidate viewers to address a
> > potential security issue. Updated source code is available at:
> > http://wiki.secondlife.com/wiki/Source_downloads
> >
> > The full text of the announcement to Second Life Residents is on the Status
> > Page of secondlifegrid.net,
> > and repeated here below for your convenience.
> >
> > Kind regards,
> > Ramzi Linden
> >
> >
> >
> > http://status.secondlifegrid.net/2008/09/26/post256/
> >
> > *Security Update to Second Life viewers: 26 Sept 2008*
> >
> > Linden Lab has released an optional update to the Second Life viewers today
> > to address a potential security issue. Recently an audit identified a
> > possible vulnerability. If a malicious user were able to obtain the IP
> > address and port of a Resident's viewer, then the malicious user could forge
> > data packets to the Resident's computer. This could be done in a way to
> > cause the viewer to return enough information about its session to allow the
> > attacker to initiate various server-side operations as if they were the
> > Resident, including L$ transactions.
> >
> > In the case of L$ transactions, this action would be visible to you: if this
> > were to occur, the viewer would report the transaction after it occurred in
> > the normal blue dialog box. Also, you are always able to inspect the
> > transaction log to see recent transactions. This would allow you to notice
> > and report these actions for violating the Second Life Terms of Service.
> >
> > This type of malicious action would constitute a violation of the Terms of
> > Service, and would be against the law in some locations. At this time we
> > have no evidence that this vulnerability was ever exploited.
> >
> > To eliminate this vulnerability, we have now updated the Second Life servers
> > to transmit the messages over an encrypted channel (HTTPS). Now that the
> > server upgrade is complete, we are releasing updated viewers that only
> > accept these messages when transmitted over an encrypted channel. Once you
> > have downloaded the update, if a malicious third party were to attempt to
> > send messages over the old channel (UDP), they would be ignored.
> >
> > Again, we have no indication to date that this security issue has ever been
> > exploited or is being exploited currently. However, we strongly encourage
> > Second Life Residents to update to the latest viewer with the security
> > patches in place. The viewers are:
> >
> > * Second Life Release Viewer 1.20.16 (this updates 1.20.15, released on July
> > 24th)
> > * Second Life Release Candidate Viewer 1.21 RC3 (this updates RC2 and
> > includes additional bug fixes as part of the usual release candidate cycle)
> >
> > Older viewers (such as the 1.19 series) are not being required to upgrade to
> > version 1.20.16, but we encourage Residents to update if possible to take
> > advantage of the latest bug and security fixes.
> >
> > The updated source code for these new 1.20 and 1.21 RC viewers is being made
> > available via the usual open source channels.
> >
> > For discussion about the issue, please visit the Second Life Forum:
> > http://forums.secondlife.com/forumdisplay.php?f=350
> >
> > _______________________________________________
> > Policies and (un)subscribe information available here:
> > http://wiki.secondlife.com/wiki/SLDev
> > Please read the policies before posting to keep unmoderated posting
> > privileges
> >
> >
> > _______________________________________________
> > Opensim-dev mailing list
> > Opensim-dev at lists.berlios.de
> > https://lists.berlios.de/mailman/listinfo/opensim-dev
> >
> >
>
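The channel rule the announcement describes, together with Teravus's note that EnableSimulator now has to arrive via EventQueueGet, as an added example in Python. This is not code from the Second Life viewer, from OpenSimulator or from the forwarded announcement: the toy UDP header, the message-id table, the SimulatorInfo field layout, the channel names and the sample addresses are all constructed assumptions. What it shows is the policy itself: a message that can redirect the session (EnableSimulator here) is honoured only when fetched over the HTTPS event queue, while the same message forged on the UDP circuit, or fetched over plain HTTP, is dropped before it can change which simulator the viewer talks to.

```python
import socket
import struct
from dataclasses import dataclass, field

# Messages the viewer must only honour from the authenticated HTTPS event queue
# (EventQueueGet capability).  EnableSimulator is the one named in the thread;
# any other session-sensitive message would be listed here the same way.
EVENTQUEUE_ONLY = frozenset({"EnableSimulator"})

# Constructed id table for the toy UDP framing below (not the real LLUDP ids).
UDP_MESSAGE_NAMES = {0x0001: "StartPingCheck", 0x0002: "EnableSimulator"}
UDP_MESSAGE_IDS = {name: msg_id for msg_id, name in UDP_MESSAGE_NAMES.items()}

# Toy header: flags, sequence number, extra-header length, message id.
HEADER = struct.Struct(">BIBH")
# Simplified SimulatorInfo block: region handle, IPv4 address, UDP port.
SIM_INFO = struct.Struct(">Q4sH")


def build_udp_packet(name: str, seq: int, payload: bytes) -> bytes:
    return HEADER.pack(0, seq, 0, UDP_MESSAGE_IDS[name]) + payload


def parse_udp_packet(packet: bytes):
    """Return (message name, payload); raise ValueError if malformed or unknown."""
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    _flags, _seq, _extra, msg_id = HEADER.unpack_from(packet)
    if msg_id not in UDP_MESSAGE_NAMES:
        raise ValueError(f"unknown message id {msg_id:#06x}")
    return UDP_MESSAGE_NAMES[msg_id], packet[HEADER.size:]


def pack_sim_info(handle: int, ip: str, port: int) -> bytes:
    return SIM_INFO.pack(handle, socket.inet_aton(ip), port)


def unpack_sim_info(body: bytes) -> dict:
    if len(body) != SIM_INFO.size:
        raise ValueError("bad SimulatorInfo length")
    handle, raw_ip, port = SIM_INFO.unpack(body)
    return {"handle": handle, "ip": socket.inet_ntoa(raw_ip), "port": port}


@dataclass
class Viewer:
    """Just enough viewer state to show what a forged EnableSimulator would change."""
    session_id: str
    # Simulators the viewer will open a circuit to (and hand its session data to).
    simulators: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def _dispatch(self, name: str, info: dict, channel: str) -> bool:
        if name in EVENTQUEUE_ONLY and channel != "eventqueue-https":
            # The whole fix: a forged UDP packet, or an event fetched over plain
            # HTTP, cannot make the viewer start talking to a new simulator.
            self.dropped.append((name, channel))
            return False
        if name == "EnableSimulator":
            self.simulators.append((info["ip"], info["port"]))
        return True

    def on_udp(self, packet: bytes) -> bool:
        """A packet on the UDP circuit; anyone who knows the viewer's IP/port can send one."""
        try:
            name, payload = parse_udp_packet(packet)
            info = unpack_sim_info(payload) if name == "EnableSimulator" else {}
        except ValueError as exc:
            self.dropped.append((f"malformed: {exc}", "udp"))
            return False
        return self._dispatch(name, info, "udp")

    def on_event_queue(self, event: dict, scheme: str) -> bool:
        """An event the viewer fetched from its EventQueueGet capability URL."""
        channel = "eventqueue-https" if scheme == "https" else "eventqueue-plaintext"
        return self._dispatch(event["message"], event["body"], channel)


def demo() -> dict:
    """Constructed scenario: the addresses are documentation ranges, not real hosts."""
    viewer = Viewer(session_id="constructed-session-id")
    forged = build_udp_packet("EnableSimulator", seq=7,
                              payload=pack_sim_info(0x00FA0000_00FA0000, "203.0.113.9", 13000))
    legit = {"message": "EnableSimulator",
             "body": {"handle": 0x00FA0000_00FA0000, "ip": "198.51.100.20", "port": 9000}}
    return {
        "forged_udp_accepted": viewer.on_udp(forged),
        "plain_http_event_accepted": viewer.on_event_queue(legit, scheme="http"),
        "https_event_accepted": viewer.on_event_queue(legit, scheme="https"),
        "ping_udp_accepted": viewer.on_udp(build_udp_packet("StartPingCheck", seq=8, payload=b"\x00")),
        "simulators": viewer.simulators,
        "dropped": viewer.dropped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is deliberately on the channel, not on the packet contents: a forged UDP packet can carry a perfectly well-formed SimulatorInfo block, so inspecting the payload would not help. Ordinary circuit traffic such as the ping check still flows over UDP unchanged, which is why the announcement could ship the server side first and the viewer side afterwards.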