
List:       opensim-dev
Subject:    [Opensim-dev] Fwd: [sldev] Security Update to SL Viewers and source code
From:       jjustincc () googlemail ! com (Justin Clark-Casey)
Date:       2008-09-27 10:37:44
Message-ID: 48DE0CF8.8050404 () googlemail ! com

Teravus, does this apply to both the 1.20 and 1.21 updates?

I'm surprised that they are taking more than the minimum necessary action in a security update (in that they are pushing messages such as EnableSimulator over CAPS instead of UDP as well as currency messages - which is what I'm guessing is happening).

Teravus Ovares wrote:
> After further testing, it appears that several messages for basic
> simulator function are now required to be sent over EventQueueGet such
> as, the EnableSimulator packet
> 
> On 9/26/08, Teravus Ovares <teravus at gmail.com> wrote:
> > Hey,
> > 
> > After this was posted, some people voiced concerns that this might
> > cause problems with use connecting to OpenSimulator.
> > 
> > I went online with a proxy and didn't find anything obvious that would
> > be problematic for use on OpenSimulator in the security release of the
> > viewer.
> > 
> > Best Regards
> > 
> > Teravus
> > 
> > 
> > On 9/26/08, Dahlia Trimble <dahliatrimble at gmail.com> wrote:
> > > Thought this would be of interest to the opensim community
> > > -d
> > > 
> > > 
> > > ---------- Forwarded message ----------
> > > From: Ramzi <ramzi at lindenlab.com>
> > > Date: Fri, Sep 26, 2008 at 1:11 PM
> > > Subject: [sldev] Security Update to SL Viewers and source code
> > > To: sldev at lists.secondlife.com
> > > 
> > > 
> > > Hi SLDEVelopers,
> > > 
> > > I wanted to mention directly to the SLDEV list that Linden Lab released a
> > > security update to the official and Release Candidate viewers to address a
> > > potential security issue. Updated source code is available at:
> > > http://wiki.secondlife.com/wiki/Source_downloads
> > > 
> > > The full text of the announcement to Second Life Residents is on the Status
> > > Page of secondlifegrid.net,
> > > and repeated here below for your convenience.
> > > 
> > > Kind regards,
> > > Ramzi Linden
> > > 
> > > 
> > > 
> > > http://status.secondlifegrid.net/2008/09/26/post256/
> > > 
> > > *Security Update to Second Life viewers: 26 Sept 2008*
> > > 
> > > Linden Lab has released an optional update to the Second Life viewers today
> > > to address a potential security issue. Recently an audit identified a
> > > possible vulnerability. If a malicious user were able to obtain the IP
> > > address and port of a Resident's viewer, then the malicious user could forge
> > > data packets to the Resident's computer. This could be done in a way to
> > > cause the viewer to return enough information about its session to allow the
> > > attacker to initiate various server-side operations as if they were the
> > > Resident, including L$ transactions.
> > > 
> > > In the case of L$ transactions, this action would be visible to you: if this
> > > were to occur, the viewer would report the transaction after it occurred in
> > > the normal blue dialog box. Also, you are always able to inspect the
> > > transaction log to see recent transactions. This would allow you to notice
> > > and report these actions for violating the Second Life Terms of Service.
> > > 
> > > This type of malicious action would constitute a violation of the Terms of
> > > Service, and would be against the law in some locations. At this time we
> > > have no evidence that this vulnerability was ever exploited.
> > > 
> > > To eliminate this vulnerability, we have now updated the Second Life servers
> > > to transmit the messages over an encrypted channel (HTTPS). Now that the
> > > server upgrade is complete, we are releasing updated viewers that only
> > > accept these messages when transmitted over an encrypted channel. Once you
> > > have downloaded the update, if a malicious third party were to attempt to
> > > send messages over the old channel (UDP), they would be ignored.
> > > 
> > > Again, we have no indication to date that this security issue has ever been
> > > exploited or is being exploited currently. However, we strongly encourage
> > > Second Life Residents to update to the latest viewer with the security
> > > patches in place. The viewers are:
> > > 
> > > * Second Life Release Viewer 1.20.16 (this updates 1.20.15, released on July
> > > 24th)
> > > * Second Life Release Candidate Viewer 1.21 RC3 (this updates RC2 and
> > > includes additional bug fixes as part of the usual release candidate cycle)
> > > 
> > > Older viewers (such as the 1.19 series) are not being required to upgrade to
> > > version 1.20.16, but we encourage Residents to update if possible to take
> > > advantage of the latest bug and security fixes.
> > > 
> > > The updated source code for these new 1.20 and 1.21 RC viewers is being made
> > > available via the usual open source channels.
> > > 
> > > For discussion about the issue, please visit the Second Life Forum:
> > > http://forums.secondlife.com/forumdisplay.php?f=350
> > > 
> > > _______________________________________________
> > > Policies and (un)subscribe information available here:
> > > http://wiki.secondlife.com/wiki/SLDev
> > > Please read the policies before posting to keep unmoderated posting
> > > privileges
> > > 
> > > 
> > > _______________________________________________
> > > Opensim-dev mailing list
> > > Opensim-dev at lists.berlios.de
> > > https://lists.berlios.de/mailman/listinfo/opensim-dev
> > > 
> > > 


-- 
justincc
Justin Clark-Casey
http://justincc.wordpress.com
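As an added illustration of the viewer-side change the forwarded advisory describes (this is example code written for this page, not code from the thread, the Second Life viewer, or OpenSimulator): a small Python model of a client message dispatcher that accepts session-sensitive messages only when they arrive over the authenticated HTTPS/CAPS channel and drops them if they arrive over plain UDP, where anyone who knows the client's IP and port could inject a datagram. The message name EnableSimulator comes from the thread; "MoneyTransaction", "ChatFromSimulator", the Transport enum and the payload fields are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Transport(Enum):
    """How a message reached the client (assumed model). UDP datagrams carry
    no session authentication, so a sender who knows the client's IP and port
    can inject one; CAPS messages are pulled by the client itself over HTTPS
    from a capability URL it obtained at login."""
    UDP = "udp"
    CAPS = "caps"


# Message types that must now arrive over the encrypted channel.
# "EnableSimulator" is named in the thread; "MoneyTransaction" is a constructed
# stand-in for the currency messages the thread refers to.
SECURE_ONLY = frozenset({"EnableSimulator", "MoneyTransaction"})


@dataclass
class Message:
    name: str
    transport: Transport
    payload: dict


@dataclass
class Dispatcher:
    """Routes incoming messages to handlers. With require_secure=True it models
    the updated viewer: sensitive messages arriving over UDP are dropped and
    recorded in the audit list instead of being handled."""
    require_secure: bool
    handlers: Dict[str, Callable[[dict], None]] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def register(self, name: str, handler: Callable[[dict], None]) -> None:
        self.handlers[name] = handler

    def dispatch(self, msg: Message) -> bool:
        """Return True if the message was handed to a handler."""
        if (self.require_secure and msg.name in SECURE_ONLY
                and msg.transport is not Transport.CAPS):
            # Old channel for a secured message: ignore it, but keep a record
            # so repeated injection attempts are visible in client telemetry.
            self.audit.append(("dropped", msg.name, msg.transport.value))
            return False
        handler = self.handlers.get(msg.name)
        if handler is None:
            self.audit.append(("unknown", msg.name, msg.transport.value))
            return False
        handler(msg.payload)
        self.audit.append(("handled", msg.name, msg.transport.value))
        return True


def simulate(require_secure: bool) -> dict:
    """Feed a constructed traffic sample through a dispatcher and report which
    messages were acted on. require_secure=False models the pre-update viewer,
    True models the updated one."""
    handled: List[str] = []
    d = Dispatcher(require_secure=require_secure)
    for name in ("EnableSimulator", "MoneyTransaction", "ChatFromSimulator"):
        d.register(name, lambda payload, n=name: handled.append(n))

    # Constructed sample: the real server delivers the sensitive messages over
    # CAPS; a datagram merely claiming to be EnableSimulator arrives over UDP;
    # ordinary chat (assumed name) keeps using UDP and is still accepted.
    sample = [
        Message("EnableSimulator", Transport.CAPS, {"sim": "legit-sim"}),
        Message("EnableSimulator", Transport.UDP, {"sim": "unverified"}),
        Message("MoneyTransaction", Transport.UDP, {"amount": 500}),
        Message("ChatFromSimulator", Transport.UDP, {"text": "hello"}),
    ]
    for msg in sample:
        d.dispatch(msg)

    dropped = [entry for entry in d.audit if entry[0] == "dropped"]
    return {"handled": handled, "dropped": len(dropped), "audit": d.audit}


if __name__ == "__main__":
    for mode in (False, True):
        result = simulate(require_secure=mode)
        print(f"require_secure={mode}: handled={result['handled']} "
              f"dropped={result['dropped']}")
```

The point of the model is the asymmetry the advisory relies on: the client cannot tell a forged UDP datagram from a real one by its headers, so the fix is not to validate UDP better but to stop accepting the sensitive message class from UDP at all and rely on the channel the client itself initiated over HTTPS. Keeping the dropped messages in an audit record is the defender's extra: it turns a silent mitigation into something that can be counted and reported.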

