[sldev] Security Update 2008-10-06 to SL Viewers and source code
Ramzi
ramzi at lindenlab.com
Mon Oct 6 19:13:43 PDT 2008
Dear SLDEVelopers,
I want to let you know that Linden Lab released a mandatory security
update to the official and Release Candidate viewers, to address a
potential security issue. Updated source code is available at:
http://wiki.secondlife.com/wiki/Source_downloads
The full text of the announcement to Second Life Residents is on the
Status Page of secondlifegrid.net, and repeated here below for your
convenience.
Best regards,
Ramzi Linden
-
http://status.secondlifegrid.net/2008/10/06/post275/
Security Update to Second Life viewers: 2008-10-06
Today, we released an important update that improves the security of the
Second Life viewer for all Residents. This update eliminates a recently
discovered issue, and we're requiring that all Residents download and
install it to ensure that everyone remains secure while using Second
Life. You will be prompted to download and install the update when you
log-in, or you can get it from the Downloads page.
More details about the improvements included in this update are
available below.
-------------
Linden Lab has released a Security Update to the Second Life viewer
software today to address a potential security issue. This Security
Update includes an additional security patch related to the Security
Update issued on 26-Sept-2008.
Available for:
Second Life Viewer 1.20.15 / 1.20.16
Second Life Release Candidate Viewer 1.21.4
Description:
We recently updated the Second Life server and viewers to enhance the
communications code. All transfer operations are now restricted to files
that the user has expressly chosen, and specific directories that the
viewer uses for transferring data. For the safety of all Second Life
users, we are releasing this updated viewer to all Residents.
Potential vulnerabilities had been identified in those message
communications directed at a Second Life viewer over the previous
protocol. By taking advantage of this vulnerability, while extremely
difficult technically, a malicious user could potentially use the viewer
to access files on the victim’s computer. We currently have no evidence
of this vulnerability ever being exploited.
This Security Update 2008-10-06 is required to continue to log-in to
Second Life. By downloading the update, you will upgrade the software on
your computer to version 1.20.17:
* Second Life Release Viewer 1.20.17
For Residents who use the Release Candidate viewer, you are required to
update to RC5, which also includes other latest bug fixes:
* Second Life Release Candidate Viewer 1.21 RC5
Earlier versions of Second Life (1.19.1, 1.19, and before) include the
serious vulnerabilities and are no longer supported. You will be
prompted to upgrade to the latest version on your next login.
For any Residents who prefer / have been using earlier versions that do
not include WindLight rendering, we have created a page on the Second
Life Wiki that explains how to turn all related graphics settings to
"Low," effectively turning off WindLight in the current official viewer:
https://wiki.secondlife.com/wiki/Turn_off_WindLight_rendering
The source code for these new 1.20 and 1.21 RC5 viewers will be made
available via the usual open source channels.
For discussion about the issue, please visit this thread in the SL
Forums: http://forums.secondlife.com/forumdisplay.php?f=353
More information about the SLDev
mailing list