Security Update: 26 Sept 2008

lufpleh Obstreperous
Registered User
Join date: 21 Feb 2007
Posts: 18
09-27-2008 05:53
can't believe that this was not posted on the blog.

you have to search for it here in the forum or at http://status.secondlifegrid.net/

to assume that the majority will upgrade when it's kept so hidden is a bit disingenuous IMO


/me wonders how appointing a Linden to promote communications results in less blog posts!

~Is the blog now officially dead?
Henri Beauchamp
Registered User
Join date: 8 Oct 2006
Posts: 253
09-27-2008 07:19
What about residents with "old" computers and who can't run v1.20+ with decent frame rate?...

Well, I backported the fix to v1.19.0.5, and I use it in the corresponding version of the Cool SL Viewer (http://sldev.free.fr/). The patch is available here:

http://sldev.free.fr/patches/11905/slviewer-0-v11905-SecurityFixBackport.patch.bz2

Henri.
Ramzi Linden
Linden Lab Employee
Join date: 8 Jun 2004
Posts: 107
09-27-2008 08:14
Hi AWM, this is not correct: to close the vulnerability, you would need to upgrade to the latest official viewer, version 1.20.16. This version is not a Release Candidate; the 1.20 viewer became the primary offered download back in July 2008.

But, for those who are already helping to test the next upcoming viewer (1.21), we have also included the security patch to the 1.21 Release Candidate RC3 as well.


From: AWM Mars
But guys, don't forget we do have tear off menus now.....


I'm bemused that to cure this potential exploit, we have to upgrade the RC client, which is optional and very buggy, yet all those that prefer the somewhat stable 1.19 client, which is not a mandatory upgrade, are left to the potential wolves?
Jana Fleming
SL Resident
Join date: 25 Oct 2004
Posts: 319
Crashing on log in with new RC update
09-27-2008 08:23
I hadn't had any problems with the RC until this update. Now I can't fully log-in before crashing. Have tried multiple times. But I guess that keeps me secure :)) lolol
Ramzi Linden
Linden Lab Employee
Join date: 8 Jun 2004
Posts: 107
09-27-2008 08:25
Hi Winter,
Rather than attempt to catalogue every mechanism that could indicate an unlikely attack, I would simply encourage Residents that you know to upgrade to the Security Updated version, 1.20.16.

When the next 1.21 viewer is released officially, they will again be reminded that a new version is available. Using the latest viewer always allows you to enjoy the latest security and bug fixes.... much like updates are published by the maker of your operating system.


From: Winter Ventura
Personally, I've downloaded the latest version.. but I know a lot of people who won't.. so the question becomes one of "what other steps can they take to protect themselves?"

One thing is for sure.. People should make sure that payment notices aren't disabled.
Ramzi Linden
Linden Lab Employee
Join date: 8 Jun 2004
Posts: 107
09-27-2008 08:27
Hi Tiwi-
Try this: Version 1.20 introduced a new option in Preferences called "Camera Smoothing." Try turning it off:

Preferences > Input and Camera > Camera Smoothing > set the slider to 0. (off)



From: Tiwi Whiteberry
Hmmmm, on this latest viewer so far I see that there is something wrong in Camera Controls! :( Anyone?
In 1.9... viewer camera controls work just great, so I may go back to it.
Ramzi Linden
Linden Lab Employee
Join date: 8 Jun 2004
Posts: 107
09-27-2008 08:29
Hi Jana-
How frustrating! Can you file a quick bug in the Issue Tracker so that we can see what computer Environment you are using? This will allow us to investigate why a crash occurs on login-- which is unusual this late in the RC cycle. You can assign the bug to me.



From: Jana Fleming
I hadn't had any problems with the RC until this update. Now I can't fully log-in before crashing. Have tried multiple times. But I guess that keeps me secure :)) lolol
Jana Fleming
SL Resident
Join date: 25 Oct 2004
Posts: 319
09-27-2008 08:34
Will do
Ramzi Linden
Linden Lab Employee
Join date: 8 Jun 2004
Posts: 107
09-27-2008 08:35
Hi tx- yes! Here are the release notes for the Release Candidate:
https://wiki.secondlife.com/wiki/Release_Notes/Second_Life_Release_Candidate/1.21

I've also opened another thread for discussing the latest RC3 batch.. sorry it's late!
/349/ca/284202/1.html

From: tx Oh
does it have a release note somewhere?

tx Oh
Jana Fleming
SL Resident
Join date: 25 Oct 2004
Posts: 319
09-27-2008 08:47
*whispers* how do I assign it to you?
Constance Caballero
Registered User
Join date: 20 Jul 2006
Posts: 1
Frustrated
09-27-2008 09:11
OK call me stupid or just plain ignorant, but after spending hours searching the forums to find the place to dl Second Life Release Candidate Viewer 1.21 RC3 and also the security update, I have not found either.

You assume that everyone knows how to find these things. Why not make it easier for us not so computer savvy ppl to find and dl.

This is the biggest reason I NEVER use the forums as others do, I can never find what I want.
Winter Ventura
Eclectic Randomness
Join date: 18 Jul 2006
Posts: 2,579
09-27-2008 09:12
From: Ramzi Linden
Hi Winter,
Rather than attempt to catalogue every mechanism that could indicate an unlikely attack, I would simply encourage Residents that you know to upgrade to the Security Updated version, 1.20.16.

When the next 1.21 viewer is released officially, they will again be reminded that a new version is available. Using the latest viewer always allows you to enjoy the latest security and bug fixes.... much like updates are published by the maker of your operating system.


Unfortunately this does not address the needs of people whose graphics cards cannot handle windlight, and whose communication needs are better served by Retro-patching the Chat UI to pre-voice usability (in custom clients like Henri Beauchamp's Cool Viewer, and Nicholas Beresford's Nicholaz Viewer). Residents who are reliant on these third-party clients, do not gain the benefits of these security fixes, and it may be some time until updated versions of these custom clients are available. (likely several days for Cool SL, and perhaps MONTHS for Nicholaz).

Would it be so hard to post a list of "steps they can take" to protect themselves? Obviously making sure you haven't disabled "Transaction Popups" is a big one.. But would disabling auto-play streaming media.. and disabling "auto load web tabs in profiles" help at all? Would a caution against "loading webpages from people you don't know" be helpful?
_____________________

● Inworld Store: http://slurl.eclectic-randomness.com
● Website: http://www.eclectic-randomness.com
● Twitter: @WinterVentura
Ramzi Linden
Linden Lab Employee
Join date: 8 Jun 2004
Posts: 107
09-27-2008 09:25
Hi Constance-- you are right, the forums are very hard to search. We're also planning to improve the forums in the coming months.

I just made a sticky post with the place to download the Security Update viewer. I should have done that earlier. My personal apology for your frustration.

You can get 1.20.16 here: http://secondlife.com/support/downloads.php

You can get 1.21 RC3 here: http://secondlife.com/support/downloads.php#download-Testviewers (look under 'Release Candidate' section)



From: Constance Caballero
OK call me stupid or just plain ignorant, but after spending hours searching the forums to find the place to dl Second Life Release Candidate Viewer 1.21 RC3 and also the security update, I have not found either.

This is the biggest reason I NEVER use the forums as others do, I can never find what I want.
AWM Mars
Scarey Dude :¬)
Join date: 10 Apr 2004
Posts: 3,398
09-27-2008 10:09
Hi Ramzi,
Thanks for answering my previous post, however, with the proliferation of clients available at various stages of usability/stability for a variety of users, which has been adopted out of almost 'fear'.. "will updating mean I cannot log in?" being high on the agenda. With people already claiming issues with the latest RC3 and 1.20.16. My point being, unless you make the update mandatory, how can we protect ourselves?

I believe a lot of people are losing faith, myself included, as to LL's recent offerings, patches, rollbacks, restarts, more patches on the servers, coupled with the update Client performance reports, over the past 6 months, haven't instilled confidence to click the download button on yet another beta offering.

Already, you can read the many varieties of clients out there, no one singular offering being suitable for a high percentage of the users. I download and install/use every update, but it is not long before I fire up the old 1.19 client, to gain something more usable.
_____________________
*** Politeness is priceless when received, cost nothing to own or give, yet many cannot afford -

Why do you only see typo's AFTER you have clicked submit? **
http://www.wba-advertising.com
http://www.nex-core-mm.com
http://www.eml-entertainments.com
http://www.v-innovate.com
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
09-27-2008 11:39
From: Jana Fleming
*whispers* how do I assign it to you?

I don't think residents have the power to assign issues. Next best thing would be to just post back here once you have the JIRA issue number.
Henri Beauchamp
Registered User
Join date: 8 Oct 2006
Posts: 253
09-27-2008 16:04
From: Winter Ventura
Unfortunately this does not address the needs of people whose graphics cards cannot handle windlight, and whose communication needs are better served by Retro-patching the Chat UI to pre-voice usability (in custom clients like Henri Beauchamp's Cool Viewer, and Nicholas Beresford's Nicholaz Viewer). Residents who are reliant on these third-party clients, do not gain the benefits of these security fixes, and it may be some time until updated versions of these custom clients are available. (likely several days for Cool SL, and perhaps MONTHS for Nicholaz).


The updated Cool SL Viewers (v1.19.0.5, v1.20.16.0 and v1.21.3.0) have been posted on my website some hours ago already (for Linux only: Boy's release for Windoze will take one day or two to be published)...

This said, I think that LL should seriously consider maintaining a legacy renderer based viewer for the many residents who are not lucky/rich enough to afford buying a new computer every two years...

Henri.
Gordon Wendt
404 - User not found
Join date: 10 May 2006
Posts: 1,024
09-27-2008 17:09
From: Henri Beauchamp
The updated Cool SL Viewers (v1.19.0.5, v1.20.16.0 and v1.21.3.0) have been posted on my website some hours ago already (for Linux only: Boy's release for Windoze will take one day or two to be published)...

This said, I think that LL should seriously consider maintaining a legacy renderer based viewer for the many residents who are not lucky/rich enough to afford buying a new computer every two years...

Henri.


I agree Henri, as I said earlier in this thread preferably one that custom viewers can work off of reliably even if the version has to change for something like a security patch. Also it would have to be one that only changes rarely for high priority (security) patches.
_____________________
Twitter: http://www.twitter.com/GWendt
Plurk: http://www.plurk.com/GordonWendt

GW Designs: XStreetSL

Kagehi Kohn
Registered User
Join date: 22 Apr 2008
Posts: 56
09-27-2008 22:02
Not sure if this is an issue with the sim version running North Gate, or the fact that I had the "old" pre-patch RC 3 client running, but the sim has a 24 hour auto-return. I got messages saying that two items were returned, but the client never showed them arriving in Lost and Found.

This is minor, since logging in with the patched version seems to have fixed the problem, but.. it's the kind of bug that might really confuse some people.
poopmaster Oh
The Best Person On Earth
Join date: 9 Mar 2007
Posts: 917
09-28-2008 09:50
From: Zoomie Voom
tbh this needs to be mandatory
detailed directions on how to use this to steal anyone's money has been public for a while on both the pn wiki and the secondlifeharold.com for a few weeks




Mandatory for your protection

Mandatory for your life



THIS

Mandatory is the only way to ensure safety
_____________________
InSL u find every kind of no-life retard you could possibly imagine as well as a few even Tim Burton couldnt imagine u find 12yr-olds claiming to be 40 men claiming 2 be women, women claiming 2 make sense and every1 claiming 2 have ideas that are actually worth a damn if only someone would just listen to their unique innovative and exceptionally important idea
Winter Ventura
Eclectic Randomness
Join date: 18 Jul 2006
Posts: 2,579
09-28-2008 23:15
From: Gordon Wendt
I agree Henri, as I said earlier in this thread preferably one that custom viewers can work off of reliably even if the version has to change for something like a security patch. Also it would have to be one that only changes rarely for high priority (security) patches.


Life is really going to suck once 1.21 becomes the standard viewer.. sculpt flipping and llDetectedTouch functions won't work for older clients.
_____________________

● Inworld Store: http://slurl.eclectic-randomness.com
● Website: http://www.eclectic-randomness.com
● Twitter: @WinterVentura
Scotty Kirax
Registered User
Join date: 28 Jun 2008
Posts: 3
09-30-2008 03:41
I like how the update screwed up my clothes
Meade Paravane
Hedgehog
Join date: 21 Nov 2006
Posts: 4,845
09-30-2008 07:43
From: poopmaster Oh
Mandatory is the only way to ensure safety

Ramzi seems to have been trying to say that this is certainly a scary bug and that we should upgrade to avoid ANY chance of being bit by it but that, in reality, it's really, really unlikely that we will ever see it if we don't upgrade.

I was a little confused at this being an optional security update but I've ended up thinking that it's just that LL really believes that there's a very low risk of having it bite you. Sorta like having meteor insurance.
_____________________
Tired of shouting clubs and lucky chairs? Vote for llParcelSay!!!
- Go here: http://jira.secondlife.com/browse/SVC-1224
- If you see "if you were logged in.." on the left, click it and log in
- Click the "Vote for it" link on the left
Lance Corrimal
I don't do stupid.
Join date: 9 Jun 2006
Posts: 877
09-30-2008 13:13
From: Henri Beauchamp
The updated Cool SL Viewers (v1.19.0.5, v1.20.16.0 and v1.21.3.0) have been posted on my website some hours ago already


I'm using your 1.21.3.0, and I keep getting "You have been disconnected from SecondLife" after a bit under one hour of uptime, especially if I've been crossing many sim borders on a vehicle. Hasn't happened before. Oh, when I get that disconnect, I don't get the popup message, I only hear the "ping" and then the client crashes.

Any ideas?
AWM Mars
Scarey Dude :¬)
Join date: 10 Apr 2004
Posts: 3,398
10-01-2008 03:57
I installed the new 1.20 client, when 'region handshaking' was reached on login, I was bounced to a LL owned sim, finding myself trapped in some plant, with my camera view being spazzed against the back of my head making it impossible to move. As TP's were down (again), the only solution was to logout and wait a couple of hours, before being able to login to 'my home'.

What is most frustrating is the lack of pre-announcements about restarting/rollbacks of the sims. This week we had planned several machinima shoots, only to discover last night, after the vast majority of our group not being able to login, inventory and tp failures, that LL had begun a 3 day series of rollback/restarts on the grid. Thanks for the advanced warning LL.... smart strategy :rolleyes:
_____________________
*** Politeness is priceless when received, cost nothing to own or give, yet many cannot afford -

Why do you only see typo's AFTER you have clicked submit? **
http://www.wba-advertising.com
http://www.nex-core-mm.com
http://www.eml-entertainments.com
http://www.v-innovate.com
Ramzi Linden
Linden Lab Employee
Join date: 8 Jun 2004
Posts: 107
10-01-2008 10:41
Hi AWM-
There are pre-announcements, but perhaps we have not made it easy for you to find them. The 3-day rolling restarts are announced, before they start, on the Status Reports page: http://status.secondlifegrid.net/
You could subscribe to an RSS feed to see such announcements the moment they are posted.

I know it might not be days & days of advance notice, but it is at least 1 day in advance, which would at least prevent "surprises" when you and your team are actively trying to log in.

A rolling restart is intended to only disrupt each region for about 5-10 minutes. For greater planned downtime, much more additional advanced notice is always posted, whenever humanly possible.


From: AWM Mars

What is most frustrating is the lack of pre-announcements about restarting/rollbacks of the sims. This week we had planned several machinima shoots, only to discover last night, after the vast majority of our group not being able to login, inventory and tp failures, that LL had begun a 3 day series of rollback/restarts on the grid. Thanks for the advanced warning LL.... smart strategy :rolleyes: