<div dir="ltr">Thought this would be of interest to the opensim community<div>-d<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Ramzi</b> <span dir="ltr">&lt;<a href="mailto:ramzi@lindenlab.com">ramzi@lindenlab.com</a>&gt;</span><br>
Date: Fri, Sep 26, 2008 at 1:11 PM<br>Subject: [sldev] Security Update to SL Viewers and source code<br>To: <a href="mailto:sldev@lists.secondlife.com">sldev@lists.secondlife.com</a><br><br><br>Hi SLDEVelopers,<br>
<br>
I wanted to mention directly to the SLDEV list that Linden Lab released a security update to the official and Release Candidate viewers to address a potential security issue. Updated source code is available at:<br>
<a href="http://wiki.secondlife.com/wiki/Source_downloads" target="_blank">http://wiki.secondlife.com/wiki/Source_downloads</a><br>
<br>
The full text of the announcement to Second Life Residents is on the Status Page of <a href="http://secondlifegrid.net" target="_blank">secondlifegrid.net</a>,<br>
and repeated here below for your convenience.<br>
<br>
Kind regards,<br>
Ramzi Linden<br>
<br>
<br>
<br>
<a href="http://status.secondlifegrid.net/2008/09/26/post256/" target="_blank">http://status.secondlifegrid.net/2008/09/26/post256/</a><br>
<br>
*Security Update to Second Life viewers: 26 Sept 2008*<br>
<br>
Linden Lab has released an optional update to the Second Life viewers today to address a potential security issue. Recently an audit identified a possible vulnerability. If a malicious user were able to obtain the IP address and port of a Resident's viewer, then the malicious user could forge data packets to the Resident's computer. This could be done in a way to cause the viewer to return enough information about its session to allow the attacker to initiate various server-side operations as if they were the Resident, including L$ transactions.<br>
<br>
In the case of L$ transactions, this action would be visible to you: if this were to occur, the viewer would report the transaction after it occurred in the normal blue dialog box. Also, you are always able to inspect the transaction log to see recent transactions. This would allow you to notice and report these actions for violating the Second Life Terms of Service.<br>
<br>
This type of malicious action would constitute a violation of the Terms of Service, and would be against the law in some locations. At this time we have no evidence that this vulnerability was ever exploited.<br>
<br>
To eliminate this vulnerability, we have now updated the Second Life servers to transmit the messages over an encrypted channel (HTTPS). Now that the server upgrade is complete, we are releasing updated viewers that only accept these messages when transmitted over an encrypted channel. Once you have downloaded the update, if a malicious third party were to attempt to send messages over the old channel (UDP), they would be ignored.<br>
<br>
Again, we have no indication to date that this security issue has ever been exploited or is being exploited currently. However, we strongly encourage Second Life Residents to update to the latest viewer with the security patches in place. The viewers are:<br>
<br>
* Second Life Release Viewer 1.20.16 (this updates 1.20.15, released on July 24th)<br>
* Second Life Release Candidate Viewer 1.21 RC3 (this updates RC2 and includes additional bug fixes as part of the usual release candidate cycle)<br>
<br>
Older viewers (such as the 1.19 series) are not being required to upgrade to version 1.20.16, but we encourage Residents to update if possible to take advantage of the latest bug and security fixes.<br>
<br>
The updated source code for these new 1.20 and 1.21 RC viewers is being made available via the usual open source channels.<br>
<br>
For discussion about the issue, please visit the Second Life Forum: <a href="http://forums.secondlife.com/forumdisplay.php?f=350" target="_blank">http://forums.secondlife.com/forumdisplay.php?f=350</a><br>
<br>
</div><br></div></div>
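<p>The fix described in the announcement above (session-sensitive messages accepted only over the HTTPS channel and ignored when they arrive over UDP) can be expressed as a transport check in the viewer's message dispatcher. This is an added example, not Linden Lab's viewer code; the message names, the <code>Dispatcher</code> class and the <code>enforce_transport</code> switch are hypothetical, since the announcement does not name the affected messages.</p>

```python
from dataclasses import dataclass
from enum import Enum


class Transport(Enum):
    UDP = "udp"      # unauthenticated datagrams; the source address can be forged
    HTTPS = "https"  # encrypted channel the viewer itself opened to the server


# Hypothetical name: stands in for any message whose handling exposes session details.
TRUSTED_ONLY = {"SessionSensitiveMsg"}


@dataclass
class Inbound:
    name: str
    transport: Transport


class Dispatcher:
    def __init__(self, enforce_transport: bool = True):
        self.enforce_transport = enforce_transport  # False models the pre-update viewer
        self.handled = []   # names of messages passed on to handlers
        self.dropped = []   # (name, transport) pairs, kept for logging and alerting

    def dispatch(self, msg: Inbound) -> bool:
        """Return True if the message was handled, False if the policy dropped it."""
        untrusted = msg.transport is not Transport.HTTPS
        if self.enforce_transport and msg.name in TRUSTED_ONLY and untrusted:
            # Updated behaviour: ignore silently and send nothing back, so a
            # forged datagram cannot elicit information about the session.
            self.dropped.append((msg.name, msg.transport.value))
            return False
        self.handled.append(msg.name)
        return True


def demo(enforce_transport: bool = True):
    d = Dispatcher(enforce_transport)
    # Constructed sample traffic, not captured from a real viewer.
    results = [
        d.dispatch(Inbound("SessionSensitiveMsg", Transport.UDP)),    # old channel
        d.dispatch(Inbound("SessionSensitiveMsg", Transport.HTTPS)),  # new channel
        d.dispatch(Inbound("WorldUpdateMsg", Transport.UDP)),         # not gated
    ]
    return results, d.dropped


if __name__ == "__main__":
    print("updated viewer:", demo(True))
    print("older viewer:  ", demo(False))
```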