Jump to content

Should the vulnerable 1.23.5 viewer still be available for download?


Qie Niangao
 Share

You are about to reply to a thread that has been inactive for 4698 days.

Please take a moment to consider if this thread is worth bumping.

Recommended Posts

The Lab informed TPV developers that V1 was vulnerable to specially crafted sound files that exploit a flaw in (I guess) the OggVorbis library to which the viewer links.

Out of curiousity, I just downloaded the 1.23.5 viewer installation from the wiki, and as far as I can tell it's the same version it's been since 2009.  Am I missing something?

Admittedly, I don't know the specifics of how the OggVorbis library is linked with the viewer, so it's conceivable that the vulnerability doesn't exist in the official viewer and Snowglobe, but that seems unlikely given that all the TPVs had to scramble to update their binaries for this.

Assuming those distributions are in fact vulnerable, and understanding that the Lab doesn't want to update those viewers, shouldn't they be made unavailable at this point?

Link to comment
Share on other sites

In my opinion, even if a lot of people want to use it still, it is getting about time to retire the old viewer.

LL is unlikely to do any work on it even when issues like this comes up. If this is a real vulnerability (I have no idea whether it is or not), it is one out of an increasing number of things that will not work properly in the viewer.

Another, not a security issue but more of an annoyance, is the flaw with the new physics layers causing avatars using a physics enabled viewer to be seen as the default shape in v. 1.23 based viewer. I do not think LL will remove the feature from v. 2 because of this flaw. TPV's are still developing their v 1. codebase, and will push out fixes for the issue, but LL is not going to. Meaning as long as people are still using it, avatars will be seen wrong by v. 1.23 users.

When mesh is ready and released on the main grid, we have yet another feature which will not work in viewer 1.23.5.

As time goes by, I'm sure there will be more things showing up, affecting v. 1.23 users. I say it's time to retire the viewer. For those who want to use v 1, there are TPV's available.

- Luc -

Link to comment
Share on other sites

Personally I don't see why LL doesn't just patch 1.23/1.5 and make it safe. As a large amount of people still use it. I don't mean adding all the 2.0 features to 1.23. Just a patch for This sound crash exploit. What will it take, an hour, maybe two to compile with safe newness?

After the emerald debacle, I have serious trust issues with TPVs. A few(safe) options from LL would go a long way. For me at least.

Link to comment
Share on other sites

I would recommend dropping it from download.  For people who want the 1.x style, there are TPVs.  More modern and now patched.  I consider 1.23.5 obsolete and not worth patching.  I would never recommend it to anyone -- I favor the 2.x design of the LL Standard or Firestorm, but recommend Phoenix or Imprudence for people who want the older design.  

Thinkerer

Link to comment
Share on other sites

I hate to be the one to say this, but default 1.23 has missed other security patches as well. And this is perfectly inline with LL's policy regarding it... "unsupported, use at your own risk" (garnered not from the official pages but various office hours).

I suppose if enough people say get rid of it, they will, since it's only there as part of a promise they made to keep it for PPC users, but I'd think that would have to come from those users.

to my knowledge none of the publicly available TPV's use it for a diff base (Cool I think was the last one, and dropped it months ago). but I could be wrong.

Link to comment
Share on other sites

Well, judging by Oz's comments noted here: http://dwellonit.taterunino.net/2011/05/18/if-third-party-viewers-dont-keep-up-things-will-break-says-oz-linden/ the only way forward will be on very current viewers.

 

That shouldn't scare me, but it does. I work in here, for a large SP, over 40 hours a week. I have given various versions of 2.0 more than a fair shake. I simply like 1.0 better and still use 1.5(snowglobe)when efficiency is needed or for meetings.

Looks like I'm going to be buying some liscences and start building/maintaining my own 1.x viewer. =) The Ali's Uber Awesome Viewer is born!

 

If any linden viewer types happen to read this... My largest stumble with 2.0 is the change away from the pie menu. Having to hunt and read each option every time, rather than using 6 odd years of muscle memory with the pie, completely kills my productivity. Usually the 3rd or 4th "OMG, where is it!!!" and I relog with 1.5. Adding an option to use pie in the new viewer would go a long way for me, and I expect many others as well.

Link to comment
Share on other sites

You are about to reply to a thread that has been inactive for 4698 days.

Please take a moment to consider if this thread is worth bumping.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share

×
×
  • Create New...