[sldev] Security Update 2008-10-06 to SL Viewers and source code - CLARIFICATION
Rob Lanphier
robla at lindenlab.com
Mon Oct 6 19:24:48 PDT 2008
Clarification on source code access: We're going to delay the general
release of the source code until tomorrow. Early access to the source
code for this fix is available on an as-needed basis to developers of
some widely available viewers (contact me for details). General source
code access should be provided sometime tomorrow here:
http://wiki.secondlife.com/wiki/Source_downloads
Sorry for the inconvenience, and thanks for your patience.
Rob
On 10/06/2008 07:13 PM, Ramzi wrote:
> Dear SLDEVelopers,
>
> I want to let you know that Linden Lab released a mandatory security
> update to the official and Release Candidate viewers, to address a
> potential security issue. Updated source code is available at:
> http://wiki.secondlife.com/wiki/Source_downloads
>
> The full text of the announcement to Second Life Residents is on the
> Status Page of secondlifegrid.net, and repeated here below for your
> convenience.
>
> Best regards,
> Ramzi Linden
>
>
> -
> http://status.secondlifegrid.net/2008/10/06/post275/
>
> Security Update to Second Life viewers: 2008-10-06
>
> Today, we released an important update that improves the security of
> the Second Life viewer for all Residents. This update eliminates a
> recently discovered issue, and we're requiring that all Residents
> download and install it to ensure that everyone remains secure while
> using Second Life. You will be prompted to download and install the
> update when you log-in, or you can get it from the Downloads page.
>
> More details about the improvements included in this update are
> available below.
>
> -------------
>
> Linden Lab has released a Security Update to the Second Life viewer
> software today to address a potential security issue. This Security
> Update includes an additional security patch related to the Security
> Update issued on 26-Sept-2008.
>
> Available for:
>
> Second Life Viewer 1.20.15 / 1.20.16
> Second Life Release Candidate Viewer 1.21.4
>
> Description:
>
> We recently updated the Second Life server and viewers to enhance the
> communications code. All transfer operations are now restricted to
> files that the user has expressly chosen, and specific directories
> that the viewer uses for transferring data. For the safety of all
> Second Life users, we are releasing this updated viewer to all Residents.
>
> Potential vulnerabilities had been identified in those message
> communications directed at a Second Life viewer over the previous
> protocol. By taking advantage of this vulnerability, while extremely
> difficult technically, a malicious user could potentially use the
> viewer to access files on the victim’s computer. We currently have no
> evidence of this vulnerability ever being exploited.
>
> This Security Update 2008-10-06 is required to continue to log-in to
> Second Life. By downloading the update, you will upgrade the software
> on your computer to version 1.20.17:
>
> * Second Life Release Viewer 1.20.17
>
> For Residents who use the Release Candidate viewer, you are required
> to update to RC5, which also includes other latest bug fixes:
>
> * Second Life Release Candidate Viewer 1.21 RC5
>
> Earlier versions of Second Life (1.19.1, 1.19, and before) include the
> serious vulnerabilities and are no longer supported. You will be
> prompted to upgrade to the latest version on your next login.
>
> For any Residents who prefer / have been using earlier versions that
> do not include WindLight rendering, we have created a page on the
> Second Life Wiki that explains how to turn all related graphics
> settings to "Low," effectively turning off WindLight in the current
> official viewer:
> https://wiki.secondlife.com/wiki/Turn_off_WindLight_rendering
>
> The source code for these new 1.20 and 1.21 RC5 viewers will be made
> available via the usual open source channels.
>
> For discussion about the issue, please visit this thread in the SL
> Forums: http://forums.secondlife.com/forumdisplay.php?f=353