[Opensim-users] OpenSimulator 0.8.1-rc2, 0.8.0.4 and 0.7.6.3 now available

Justin Clark-Casey jjustincc at googlemail.com
Wed Mar 4 19:40:44 UTC 2015


As pre-announced on Monday, OpenSimulator 0.8.1-rc2 [1], 0.8.0.4 [2] and 0.7.6.3 [3] are now available [4].

* OpenSimulator 0.7.6.3 and 0.8.0.4 are security releases.  Thus, they contain only two functional changes compared to 
previous point releases and no database migrations.  The changes are:

1.  llHTTPRequest() and osSetDynamicTextureURL*() script functions are now prevented by default from sending HTTP 
requests to localhost addresses or other addresses on the simulator's LAN (e.g. 192.168.1.2, etc.).  The list of 
addresses conforms to that in [5].

If you need to allow scripts to make calls to such addresses, please add specific exceptions to [Network] 
OutboundDisallowForUserScriptsExcept in OpenSim.ini.  Details on the format of this are in OpenSim.ini.example.

I WOULD SAY THAT YOU SHOULD UPDATE ASAP if you run any installation where you do not trust all users that can execute 
llHTTPRequest() (including those entering via Hypergrid).

The exception (and alternative) is if you have already configured llHTTPRequest()/osSetDynamicTextureURL*() to run 
through a properly configured HTTP proxy using the existing [Startup] HttpProxy setting in OpenSim.ini.

2.  Private services now forbid llHTTPRequest() calls.  This is to prevent such calls by simulators that have not been 
updated.  If you run any grid where you cannot immediately update all simulators to one of these releases (e.g. an open 
grid where private service calls are restricted by IP to known simulators) then YOU SHOULD UPDATE SERVICES ASAP.

* OpenSimulator 0.8.1-rc2 contains the above changes and further changes in master since rc1 up until 7e8bad05.

These issues have existed ever since llHTTPRequest() functionality was added in 2007!  Thus, ALL RELEASES PRIOR TO 0.7.6 
SHOULD BE CONSIDERED UNSAFE unless you trust all possible callers of llHTTPRequest()/osSetDynamicTextureURL*() or you 
have an HTTP proxy configured for OpenSimulator.  Ideally, one might go back and update much older releases but 
resources are scarce and 0.7.5 is now more than 2 years old.

[1] http://opensimulator.org/wiki/0.8.1_Release
[2] http://opensimulator.org/wiki/0.8.0.4_Release
[3] http://opensimulator.org/wiki/0.7.6.3_Release
[4] http://opensimulator.org/wiki/Download
[5] http://en.wikipedia.org/wiki/Reserved_IP_addresses

-- 
Justin Clark-Casey (justincc)
OSVW Consulting
http://justincc.org
http://twitter.com/justincc
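
The kind of outbound destination check that change 1 describes, as an added Python sketch; it is not OpenSimulator's code and not part of the original message. The function names, the short range list and the simplified `ip:port|cidr` exception syntax are assumptions for illustration (the real format is documented in OpenSim.ini.example), and all sample addresses are constructed.

```python
import ipaddress

# Constructed subset of the reserved ranges catalogued in reference [5];
# a real filter would carry the full list.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def parse_exceptions(spec):
    """Parse a hypothetical 'ip:port|cidr' string into (network, port) rules.

    IPv4 literals only in this sketch; a port of None means any port."""
    rules = []
    for item in filter(None, (s.strip() for s in spec.split("|"))):
        if "/" in item:                       # CIDR entry: every port allowed
            rules.append((ipaddress.ip_network(item, strict=False), None))
        else:                                 # single endpoint, port defaults to 80
            host, _, port = item.partition(":")
            rules.append((ipaddress.ip_network(host), int(port or 80)))
    return rules

def is_outbound_allowed(resolved_ip, port, exceptions=()):
    """Decide on the address the socket will connect to, not the URL's host string,
    so a public-looking name that resolves to a LAN address is still refused."""
    addr = ipaddress.ip_address(resolved_ip)
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped literal cannot sidestep the IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for net, allowed_port in exceptions:
        if addr.version == net.version and addr in net and allowed_port in (None, port):
            return True
    return not any(addr.version == n.version and addr in n for n in BLOCKED_NETS)

if __name__ == "__main__":
    rules = parse_exceptions("192.168.1.3:8003|10.1.0.0/16")
    for ip, port in [("127.0.0.1", 80), ("192.168.1.3", 8003),
                     ("192.168.1.3", 80), ("::ffff:10.9.9.9", 80)]:
        print(ip, port, is_outbound_allowed(ip, port, rules))
```

The check is only effective if it runs on the address actually used for the connection, after DNS resolution and again on every redirect hop.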

