Patch Applied….

Posted on Nov 12, 2014 in Tech Blog

Yesterday, November 11th, 2014 the developers of OpenSim released a security patch which has been applied to all regions of our grid.

Information about this issue as released by the developers….

“There is only one change in these releases. This is to fix an issue where llRemoteLoadScriptPin() does not treat the pin ‘0’ as an unset pin. By default, all prims have a pin set to 0. Therefore, this bug allows llRemoteLoadScriptPin() to specify a 0 pin to load scripts into owned prims with no pin set where this should not be possible.

Unless you are very sure that no user will run a script from an untrusted source, we would advise you to update as soon as possible. There are no database migrations or config changes in this release compared to the previous in the series, so all config files can be used without alteration.

This bug was introduced more than 6 years ago with the original llRemoteLoadScriptPin() implementation and so affects all versions of OpenSimulator at least from 0.4. If you are using a version of OpenSimulator older than 0.7.4 (which was released in August 2012) then you will need to upgrade or apply the patch in commit 5aa8ba1 manually.

Many thanks to Tranquility Dexter of Inworldz for pointing out the bug and the fix. “