Blender 2.73 Released

funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13512 - Posted: 7 Jan 2015, 23:19:42 UTC

As stated twice before, I don't know why you didn't wait for this. It appears you've released a new BURP client on the very day that Blender 2.73 released :( How long will it be to get 2.73 now?

Release notes:
http://wiki.blender.org/index.php/Dev:Ref/Release_Notes/2.73
funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13523 - Posted: 18 Jan 2015, 15:32:22 UTC

Bump. As well as a massive amount of bugs fixed in v2.73, there is also a security issue resolved: https://developer.blender.org/rBe1afaa0

Maintenance Monday tomorrow and no projects active, seems like a good opportunity.
funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13535 - Posted: 2 Feb 2015, 1:32:04 UTC

It would be nice if we had a better turnaround time for updating the app when security issues are found than Microsoft currently has for patching :)
Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4544
Credit: 2,097,282
RAC: 214
Message 13538 - Posted: 2 Feb 2015, 18:33:16 UTC
Last modified: 2 Feb 2015, 18:42:57 UTC

Let me be absolutely clear here, funkydude. A client release is never late, nor is it early; it happens exactly when it happens to do so.
If you use any Linux distro you will also notice that most of the programs supplied in that distro are not bleeding edge source code checked directly out of git/svn - it takes a little while for people to validate that everything is working, to write bootscripts, to package the stuff.

Now with that being said, we DO keep track of security-related updates, including the LZO vulnerability you mentioned. In that regard I would like to mention a few things:
1) All uploaded files are parsed by a sandboxed system. If the file does not check out as a properly formatted .blend it is rejected right there. The file never reaches a Blender executable.
2) A virus scanner validates the file.
3) A human being validates the file.
4) All the platforms we deploy to (Windows x64 and Linux x64) use methods to ensure that memory-related attacks like this one will have a really hard time working properly. Most importantly, allocation randomization.
5) The security announcement comes with ratings (most audits like that do). The RCE practicality rating is set to "Impractical". It continues with text relating to 64-bit systems such as: "An overflow would require so much input data that an attack would be infeasible even in modern computers."
6) The standard installation of BOINC provides additional user-level isolation for exactly this reason.
7) In the case of a DoS attack based on this vulnerability the attacker would most likely be attacking their own session, which is kinda counterproductive.

The issue was assigned a low relevance rating for BURP back in September, more than three months ago. It was originally posted in June. No further action was taken as the issue would be resolved automatically as part of the standard update workflow when upstream (Blender) released a fix.

BURP is a beta project, it does not yet provide the security and stability of a full-blown BOINC project. There are real risks running this project, as with most any project. If you don't like the risks please do not run this project.
funkydude
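Point 1 in the post above says a file that does not check out as a properly formatted .blend is rejected before it ever reaches a Blender executable. The Python sketch below is an added illustration of what such a structural pre-screen can look like; it is not BURP's own code (those checks are not published here). It walks the public .blend container layout, the 12-byte header and the chain of file-block headers terminated by an ENDB block, without decoding any block body; `make_test_blend` and its inputs are constructed samples, not real Blender output.

```python
import struct
HEADER_LEN = 12  # b"BLENDER" + pointer-size flag + endian flag + 3-digit version

def parse_blend_header(data: bytes) -> dict:
    """Parse the fixed 12-byte .blend header; raise ValueError if malformed."""
    if len(data) < HEADER_LEN or data[:7] != b"BLENDER":
        raise ValueError("missing BLENDER magic")
    ptr_flag, endian_flag, version = data[7:8], data[8:9], data[9:12]
    if ptr_flag not in (b"_", b"-"):     # '_' = 32-bit pointers, '-' = 64-bit
        raise ValueError("bad pointer-size flag")
    if endian_flag not in (b"v", b"V"):  # 'v' = little endian, 'V' = big endian
        raise ValueError("bad endianness flag")
    if not version.isdigit():
        raise ValueError("bad version field")
    return {"pointer_size": 4 if ptr_flag == b"_" else 8,
            "endian": "<" if endian_flag == b"v" else ">",
            "version": int(version)}

def validate_blend(data: bytes, max_blocks: int = 1_000_000) -> bool:
    """Walk the block chain using only header fields (bodies are never decoded).
    True only if every header fits in the buffer and ENDB ends the file exactly."""
    try:
        hdr = parse_blend_header(data)
    except ValueError:
        return False
    ptr = "Q" if hdr["pointer_size"] == 8 else "I"
    # block header: 4-byte code, int32 size, old address, int32 SDNA index, int32 count
    fmt = hdr["endian"] + "4si" + ptr + "ii"
    block_hdr_len = struct.calcsize(fmt)
    pos = HEADER_LEN
    for _ in range(max_blocks):
        if pos + block_hdr_len > len(data):
            return False  # truncated block header
        code, size, _old_addr, sdna_index, count = struct.unpack_from(fmt, data, pos)
        if size < 0 or sdna_index < 0 or count < 0:
            return False  # negative length or index
        pos += block_hdr_len
        if code == b"ENDB":
            return pos + size == len(data)  # terminator must close the file; no trailing data
        if pos + size > len(data):
            return False  # body runs past end of file
        pos += size
    return False  # too many blocks or no terminator

def make_test_blend(blocks, truncate_at=None) -> bytes:
    """Constructed sample (not a real Blender file): 64-bit LE header, blocks, ENDB."""
    out = bytearray(b"BLENDER-v273")
    for code, payload in blocks + [(b"ENDB", b"")]:
        out += struct.pack("<4siQii", code, len(payload), 0, 0, 1) + payload
    return bytes(out if truncate_at is None else out[:truncate_at])
```

A check like this only proves the container is internally consistent; it says nothing about the block contents, which is why the post pairs it with scanning, human review and process isolation.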
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13543 - Posted: 2 Feb 2015, 22:52:47 UTC - in response to Message 13538.

Thanks for the input but I have a bone to pick with this statement:

If you use any Linux distro you will also notice that most of the programs supplied in that distro are not bleeding edge source code checked directly out of git/svn - it takes a little while for people to validate that everything is working, to write bootscripts, to package the stuff.

On Linux all the libraries are generally provided by the distro producer/publisher, not the software program. Whilst the software itself (Blender) may not be bleeding edge, the libraries generally get security fixes backported to them and published to the users.

You can't say the same for Windows which is generally a static library environment.