Blender 2.73 Released


Advanced search

Message boards : Client : Blender 2.73 Released

Author Message
funkydude
Send message
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13512 - Posted: 7 Jan 2015, 23:19:42 UTC

Like stated twice before, I don't know why you didn't wait for this. It appears you've released a new BURP client on the very day that Blender 2.73 released :( How long will it be to get 2.73 now?

Release notes:
http://wiki.blender.org/index.php/Dev:Ref/Release_Notes/2.73

funkydude
Send message
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13523 - Posted: 18 Jan 2015, 15:32:22 UTC

Bump. As well as a massive amount of bugs fixed in v2.73, there is also a security issue resolved: https://developer.blender.org/rBe1afaa0

Maintenance Monday tomorrow and no projects active, seems like a good opportunity.

funkydude
Send message
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13535 - Posted: 2 Feb 2015, 1:32:04 UTC

It would be nice if we had a better turnaround time of updating the app when security issues are found than Microsoft currently does for patching :)

Profile Janus
Volunteer moderator
Project administrator
Avatar
Send message
Joined: 16 Jun 04
Posts: 4478
Credit: 2,094,806
RAC: 0
Message 13538 - Posted: 2 Feb 2015, 18:33:16 UTC
Last modified: 2 Feb 2015, 18:42:57 UTC

Let me be absolutely clear here funkydude. A client release is never late, nor is it early, it happens exactly when it happens to do so.
If you use any Linux distro you will also notice that most of the programs supplied in that distro are not bleeding edge source code checked directly out of git/svn - it takes a little while for people to validate that everything is working, to write bootscripts, to package the stuff.

Now with that being said we DO keep track of security related updates including the LZO vulnerability you mentioned. In that regard I would like to mention a few things:
1) All uploaded files are parsed by a sandboxed system. If the file does not check out as a properly formatted .blend it is rejected right there. The file never reaches a Blender executable
2) A virus scanner validates the file
3) A human being validates the file
4) All the platforms we deploy to (Windows x64 and Linux x64) use methods to ensure that memory-related attacks like this one will have a real hard time working properly. Most importantly allocation randomization.
5) The security announcement comes with ratings (most audits like that do). The RCE practicality rating is set to "Impractical". And continues with text relating to 64 bit systems like: "An overflow would require so much input data that an attack would be infeasible even in modern computers.".
6) The standard installation of BOINC provides additional user-level isolation for exactly this reason.
7) In the case of a DoS attack based on this vulnerability the attacker would most likely be attacking their own session - which is kinda counterproductive

The issue was assigned a low relevance rating for BURP back in September, more than three months ago. It was originally posted in June. No further action was taken as the issue would be resolved automatically as part of the standard update workflow when upstream (Blender) released a fix.

BURP is a beta project, it does not yet provide the security and stability of a full-blown BOINC project. There are real risks running this project, as with most any project. If you don't like the risks please do not run this project.

funkydude
Send message
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13543 - Posted: 2 Feb 2015, 22:52:47 UTC - in response to Message 13538.

Thanks for the input but I have a bone to pick with this statement:

If you use any Linux distro you will also notice that most of the programs supplied in that distro are not bleeding edge source code checked directly out of git/svn - it takes a little while for people to validate that everything is working, to write bootscripts, to package the stuff.


On Linux all the libraries are generally provided by the disto producer/publisher, not the software program. Whilst the software itself (Blender) may not be bleeding edge, the libraries generally get security fixes back ported to them and published to the users.

You can't say the same for Windows which is generally a static library environment.


Post to thread

Message boards : Client : Blender 2.73 Released