[Opensim-dev] Fwd: [sldev] Security Update to SL Viewers and source code

Justin Clark-Casey jjustincc at googlemail.com
Sat Sep 27 10:37:44 UTC 2008


Teravus, does this apply to both the 1.20 and 1.21 updates?

I'm surprised that they are taking more than the minimum necessary action in a security update (in that they are pushing 
messages such as EnableSimulator over CAPS instead of UDP as well as currency messages - which is what I'm guessing is 
happening).

Teravus Ovares wrote:
> After further testing, it appears that several messages for basic
> simulator function are now required to be sent over EventQueueGet,
> such as the EnableSimulator packet
> 
> On 9/26/08, Teravus Ovares <teravus at gmail.com> wrote:
>> Hey,
>>
>> After this was posted, some people voiced concerns that this might
>> cause problems with use connecting to OpenSimulator.
>>
>> I went online with a proxy and didn't find anything obvious that would
>> be problematic for use on OpenSimulator in the security release of the
>> viewer.
>>
>> Best Regards
>>
>> Teravus
>>
>>
>> On 9/26/08, Dahlia Trimble <dahliatrimble at gmail.com> wrote:
>>> Thought this would be of interest to the opensim community
>>> -d
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: Ramzi <ramzi at lindenlab.com>
>>> Date: Fri, Sep 26, 2008 at 1:11 PM
>>> Subject: [sldev] Security Update to SL Viewers and source code
>>> To: sldev at lists.secondlife.com
>>>
>>>
>>> Hi SLDEVelopers,
>>>
>>> I wanted to mention directly to the SLDEV list that Linden Lab released a
>>> security update to the official and Release Candidate viewers to address a
>>> potential security issue. Updated source code is available at:
>>> http://wiki.secondlife.com/wiki/Source_downloads
>>>
>>> The full text of the announcement to Second Life Residents is on the Status
>>> Page of secondlifegrid.net,
>>> and repeated here below for your convenience.
>>>
>>> Kind regards,
>>> Ramzi Linden
>>>
>>>
>>>
>>> http://status.secondlifegrid.net/2008/09/26/post256/
>>>
>>> *Security Update to Second Life viewers: 26 Sept 2008*
>>>
>>> Linden Lab has released an optional update to the Second Life viewers today
>>> to address a potential security issue. Recently an audit identified a
>>> possible vulnerability. If a malicious user were able to obtain the IP
>>> address and port of a Resident's viewer, then the malicious user could forge
>>> data packets to the Resident's computer. This could be done in a way to
>>> cause the viewer to return enough information about its session to allow the
>>> attacker to initiate various server-side operations as if they were the
>>> Resident, including L$ transactions.
>>>
>>> In the case of L$ transactions, this action would be visible to you: if this
>>> were to occur, the viewer would report the transaction after it occurred in
>>> the normal blue dialog box. Also, you are always able to inspect the
>>> transaction log to see recent transactions. This would allow you to notice
>>> and report these actions for violating the Second Life Terms of Service.
>>>
>>> This type of malicious action would constitute a violation of the Terms of
>>> Service, and would be against the law in some locations. At this time we
>>> have no evidence that this vulnerability was ever exploited.
>>>
>>> To eliminate this vulnerability, we have now updated the Second Life servers
>>> to transmit the messages over an encrypted channel (HTTPS). Now that the
>>> server upgrade is complete, we are releasing updated viewers that only
>>> accept these messages when transmitted over an encrypted channel. Once you
>>> have downloaded the update, if a malicious third party were to attempt to
>>> send messages over the old channel (UDP), they would be ignored.
>>>
>>> Again, we have no indication to date that this security issue has ever been
>>> exploited or is being exploited currently. However, we strongly encourage
>>> Second Life Residents to update to the latest viewer with the security
>>> patches in place. The viewers are:
>>>
>>> * Second Life Release Viewer 1.20.16 (this updates 1.20.15, released on July
>>> 24th)
>>> * Second Life Release Candidate Viewer 1.21 RC3 (this updates RC2 and
>>> includes additional bug fixes as part of the usual release candidate cycle)
>>>
>>> Older viewers (such as the 1.19 series) are not being required to upgrade to
>>> version 1.20.16, but we encourage Residents to update if possible to take
>>> advantage of the latest bug and security fixes.
>>>
>>> The updated source code for these new 1.20 and 1.21 RC viewers is being made
>>> available via the usual open source channels.
>>>
>>> For discussion about the issue, please visit the Second Life Forum:
>>> http://forums.secondlife.com/forumdisplay.php?f=350
>>>
>>> _______________________________________________
>>> Policies and (un)subscribe information available here:
>>> http://wiki.secondlife.com/wiki/SLDev
>>> Please read the policies before posting to keep unmoderated posting
>>> privileges
>>>
>>>
>>> _______________________________________________
>>> Opensim-dev mailing list
>>> Opensim-dev at lists.berlios.de
>>> https://lists.berlios.de/mailman/listinfo/opensim-dev
>>>
>>>


-- 
justincc
Justin Clark-Casey
http://justincc.wordpress.com
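The mitigation the announcement describes (session-sensitive messages honoured only when the viewer fetches them over the HTTPS event queue, and ignored if they arrive as UDP datagrams), as an added toy model that is not code from this thread or from the Second Life viewer or OpenSimulator sources. Only EnableSimulator and EventQueueGet are named in the thread; the Channel and Message types, the CurrencyMessage and ObjectUpdate names, the sample addresses and the per-source drop counter are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum

class Channel(Enum):
    UDP = "udp"                  # source address is unauthenticated and forgeable
    EVENT_QUEUE = "event_queue"  # EventQueueGet response the viewer fetched over HTTPS

# Messages that make the viewer reveal session state; only honoured from the event
# queue. EnableSimulator is named in the thread; CurrencyMessage is a placeholder name.
EVENT_QUEUE_ONLY = frozenset({"EnableSimulator", "CurrencyMessage"})

@dataclass(frozen=True)
class Message:
    name: str
    channel: Channel
    source: str  # ip:port the packet claims to come from

def accept_old_viewer(msg: Message) -> bool:
    """Pre-fix: the channel is never checked, so a forged UDP packet is processed."""
    return True

def accept_patched_viewer(msg: Message) -> bool:
    """Post-fix: sensitive messages are accepted only via the HTTPS event queue."""
    return msg.name not in EVENT_QUEUE_ONLY or msg.channel is Channel.EVENT_QUEUE

def dispatch(messages, policy):
    """Return (accepted message names, drops per source). Repeated drops from one
    source are a detection signal: a real simulator never sends these over UDP."""
    accepted, dropped = [], Counter()
    for m in messages:
        if policy(m):
            accepted.append(m.name)
        else:
            dropped[m.source] += 1
    return accepted, dropped

# Constructed sample traffic: one legitimate EnableSimulator, two forged UDP packets
# from the same source, and an ordinary UDP message the fix must leave working.
SAMPLE = [
    Message("EnableSimulator", Channel.EVENT_QUEUE, "sim.example:443"),
    Message("EnableSimulator", Channel.UDP, "203.0.113.7:13000"),
    Message("CurrencyMessage", Channel.UDP, "203.0.113.7:13000"),
    Message("ObjectUpdate", Channel.UDP, "sim.example:13000"),
]

if __name__ == "__main__":
    print(dispatch(SAMPLE, accept_old_viewer))      # forged packets accepted
    print(dispatch(SAMPLE, accept_patched_viewer))  # forged packets dropped
```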
