[sldev] Security Update 2008-10-06 to SL Viewers and source code

[Ramzi]

Dear SLDEVelopers,

I want to let you know that Linden Lab released a mandatory security 
update to the official and Release Candidate viewers, to address a 
potential security issue. Updated source code is available at: 
http://wiki.secondlife.com/wiki/Source_downloads

The full text of the announcement to Second Life Residents is on the 
Status Page of secondlifegrid.net, and repeated here below for your 
convenience.

Best regards,
Ramzi Linden


-
http://status.secondlifegrid.net/2008/10/06/post275/

Security Update to Second Life viewers: 2008-10-06

Today, we released an important update that improves the security of the 
Second Life viewer for all Residents. This update eliminates a recently 
discovered issue, and we're requiring that all Residents download and 
install it to ensure that everyone remains secure while using Second 
Life. You will be prompted to download and install the update when you 
log-in, or you can get it from the Downloads page.

More details about the improvements included in this update are 
available below.

-------------

Linden Lab has released a Security Update to the Second Life viewer 
software today to address a potential security issue. This Security 
Update includes an additional security patch related to the Security 
Update issued on 26-Sept-2008.

Available for:

Second Life Viewer 1.20.15 / 1.20.16
Second Life Release Candidate Viewer 1.21.4

Description:

We recently updated the Second Life server and viewers to enhance the 
communications code. All transfer operations are now restricted to files 
that the user has expressly chosen, and specific directories that the 
viewer uses for transferring data. For the safety of all Second Life 
users, we are releasing this updated viewer to all Residents.

Potential vulnerabilities had been identified in those message 
communications directed at a Second Life viewer over the previous 
protocol. By taking advantage of this vulnerability, while extremely 
difficult technically, a malicious user could potentially use the viewer 
to access files on the victim’s computer. We currently have no evidence 
of this vulnerability ever being exploited.

This Security Update 2008-10-06 is required to continue to log-in to 
Second Life. By downloading the update, you will upgrade the software on 
your computer to version 1.20.17:

* Second Life Release Viewer 1.20.17

For Residents who use the Release Candidate viewer, you are required to 
update to RC5, which also includes other latest bug fixes:

* Second Life Release Candidate Viewer 1.21 RC5

Earlier versions of Second Life (1.19.1, 1.19, and before) include the 
serious vulnerabilities and are no longer supported. You will be 
prompted to upgrade to the latest version on your next login.

For any Residents who prefer / have been using earlier versions that do 
not include WindLight rendering, we have created a page on the Second 
Life Wiki that explains how to turn all related graphics settings to 
"Low," effectively turning off WindLight in the current official viewer: 
https://wiki.secondlife.com/wiki/Turn_off_WindLight_rendering

The source code for these new 1.20 and 1.21 RC5 viewers will be made 
available via the usual open source channels.

For discussion about the issue, please visit this thread in the SL 
Forums: http://forums.secondlife.com/forumdisplay.php?f=353