Released 1.36.33 The Memory Remains

Discussions related to the 1.36.x series of ZoneMinder
iconnor
Posts: 2880
Joined: Fri Oct 29, 2010 1:43 am
Location: Toronto

Released 1.36.33 The Memory Remains

Post by iconnor »

# Changes since 1.36.32

- Sanitise attr input in FilterTerm to prevent SQL Injection. Fixes GHSA-222j-wh8m-xjrx
- Add object-src CSP directive to help prevent XSS
- db: Add helper for escaping strings and use it on username retrieved from jwt to prevent SQL injection
- use detaintPath on modal to prevent including other files instead of real modals
- Check for valid date in minTime and maxTime to prevent SQL attack
- Introduce check_datetime function to validate dates
- Attempt to sanitize daemon and arguments before executing commands to prevent executing other programs.
- Use validCardinal on MonitorId when creating snapshots to prevent executing other commands
- Adjust size of text inputs MonitorName and Source Path Filters to match chosen inputs
- test for existence of username in session to prevent error outputs when using AUTH_RELAY=plain
- Move actions process to after the unauth check to prevent actions happening when unauthenticated
- Fix detaintPath not stripping sequences like ..././
- Escape <> in log messages to prevent html shenanigans. Fixes #3596
- Don't start the statusCmdQuery on streaming start, because it is used when doing still updates. If we start it too fast, zms may not have started yet, causing errors in logs about zms
- Set a short expiry 1min and set the cookie name to include the filter so that each and every filter gets its own pagination saved. Fixes 3510
- Use reload instead of restart on zone save
- Add reload to monitor zmcControl
- Stop streams when clicking cancel/Save so that we don't log errors trying to access a dead zms. Fixes 3643
- Adding :80 to address is not worthy of an Error log, fixes warnings in logs from various PTZ scripts
- Add a sleeping flag so that when we get sigterm, we can just exit instead of returning to the sleep. Speeds up zoneminder shutdown
- fix format endtime on events list on watch view
- Include command line in debug output when generating images
- Fix missing/corrupted pre-alarm frames in recording. Fixes 3656
- Remove test for Enabled on monitor. Motion detection being disabled has nothing to do with manual triggering. Fixes 3657
- Allow viewing of events whose Monitor[Function]=None
- Remove stripslashes when saving config values. The values in REQUEST have not been escaped, so strip slashes is not appropriate. Fixes 3655
- Apply chosen styles to dropdowns in Options, allowing text search
- Queue packets instead of packet locks in event thread. Since we are using std::shared_ptr and not modifying the packet, should not need locking. Also, locking in one thread and unlocking in another is apparently undefined behaviour and doesn't work in freebsd.
- fixes for freebsd
- Don't wait for decode in Analyze, fixes some hangups on logrotate/shutdown
- Hide timestamp caption from bottom of video.js event view. It serves no purpose. Fixes 3488
- Add 2>&1 to command to delete event dir so that we get error messages logged.
- Move code from Event to Storage to implement delete_path()
- Use ajax() instead of getJSON with no timeout when deleting events.
- Update monitor preset view: Use a submit button instead of input with javascript. Remove no longer needed js code. Sort presets by Name.
- Fix saving Server modal. Form was incomplete, action and view were duplicated. Don't need javascript just use the submit button Save.
- Improve info when moving event to show source and Dest paths
- Remove dead code from report_event_audit.js
- Use Y-m-d H:i:s instead of c for date formatting to match what datetimepicker expects. remove unused action input and put view in the get part of form action
- Add styles to table headers to left align them to match the body

# Vulnerabilities addressed by this release
https://github.com/ZoneMinder/zoneminde ... -6jjc-cgmw CVE-2023-26036
https://github.com/ZoneMinder/zoneminde ... -q9mw-mwx9 CVE-2023-26032
https://github.com/ZoneMinder/zoneminde ... -2hj3-3733 CVE-2023-26037
https://github.com/ZoneMinder/zoneminde ... -h2pw-cc9g CVE-2023-26039
https://github.com/ZoneMinder/zoneminde ... -r8c4-r24w CVE-2023-2603
https://github.com/ZoneMinder/zoneminde ... -h4vf-29gr CVE-2023-26035
https://github.com/ZoneMinder/zoneminde ... -wh8m-xjrx CVE-2023-26034
https://github.com/ZoneMinder/zoneminde ... -g4qm-jr6v CVE-2023-25825

The bulk of these issues were found during Perfect Blue's 2023 CTF event. https://ctf.perfect.blue/

Thank you to the participants and thanks for the responsible disclosures. We are stronger for it.

All users of ZoneMinder < 1.36.33 are hereby EXTREMELY STRONGLY recommended to update.

https://github.com/ZoneMinder/zoneminde ... es/1.36.33
**Full Changelog**: https://github.com/ZoneMinder/zoneminde ... ...1.36.33
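Several items in the changelog above are input-validation fixes of the same shape: repeat a traversal-sequence strip until nothing changes (so `..././` cannot survive a single pass), round-trip a date through a parser before it reaches a query, accept only digits for a numeric id, and escape angle brackets before a user-controlled string is logged. The PHP below is an added illustration of those techniques written for this thread; it is not ZoneMinder's own code, and the function names (`strip_traversal`, `is_valid_datetime`, `is_cardinal`, `log_safe`, `is_safe_modal_name`) and the sample inputs are hypothetical and constructed.

```php
<?php
// Added illustration of the validation fixes described in the 1.36.33 changelog.
// NOT ZoneMinder code: function names and sample inputs are hypothetical.

// Weak form: a single str_replace pass. "..././" loses only its inner "../" and
// collapses to "../", so one pass still lets a traversal sequence through.
function strip_traversal_once(string $path): string
{
    return str_replace('../', '', $path);
}

// Hardened form: repeat the rewrite until the string stops changing, so nested
// sequences cannot survive by being reassembled from the leftovers of one pass.
function strip_traversal(string $path): string
{
    do {
        $before = $path;
        $path = str_replace(['../', '..\\'], '', $path);
    } while ($path !== $before);
    return $path;
}

// Allow-list alternative for a name that is later used to include a file:
// reject anything outside a small character set instead of rewriting it.
function is_safe_modal_name(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_\-]+\z/', $name) === 1;
}

// Validate a "Y-m-d H:i:s" timestamp by round-tripping it through DateTime.
// "2023-02-30 00:00:00" parses but rolls over into March, so the re-formatted
// value differs and it is rejected; non-dates fail to parse at all.
function is_valid_datetime(string $value): bool
{
    $dt = DateTime::createFromFormat('Y-m-d H:i:s', $value);
    return $dt !== false && $dt->format('Y-m-d H:i:s') === $value;
}

// Cardinal check for numeric ids such as a monitor id: digits only, no sign.
function is_cardinal(string $value): bool
{
    return preg_match('/^\d+\z/', $value) === 1;
}

// Neutralise angle brackets and quotes before a user-controlled string is
// written to a log that may later be rendered in the web console.
function log_safe(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs to show each check accepting and rejecting.
foreach (['..././..././etc/passwd', 'events'] as $p) {
    printf("%-24s once=%-18s repeated=%s\n", $p, strip_traversal_once($p), strip_traversal($p));
}
foreach (['events', 'monitor-probe', 'a/b'] as $m) {
    printf("%-24s safe modal name=%s\n", $m, is_safe_modal_name($m) ? 'yes' : 'no');
}
foreach (['2023-03-01 06:28:00', '2023-02-30 00:00:00', 'not a date'] as $d) {
    printf("%-24s valid datetime=%s\n", $d, is_valid_datetime($d) ? 'yes' : 'no');
}
foreach (['42', '-1', '42abc'] as $id) {
    printf("%-24s cardinal=%s\n", $id, is_cardinal($id) ? 'yes' : 'no');
}
echo log_safe('camera <1> "offline"'), "\n";
```

Run it with `php filename.php`. The first loop is the point of the `detaintPath` item: `strip_traversal_once` turns `..././..././etc/passwd` into `../../etc/passwd`, while the repeat-until-stable version reduces it to `etc/passwd`. For anything that ends up in a query, the allow-list and round-trip checks are preferable to rewriting, since a rejected value can simply be refused rather than guessed at.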
pat2
Posts: 156
Joined: Fri Sep 16, 2016 6:35 pm

Re: Released 1.36.33 The Memory Remains

Post by pat2 »

great job! thanks
---------------------------------------------------------------------------
ZM 1.36.34 - 14 cameras on Orange Pi 5 (arm64) - Ubuntu Jammy 22.04
Magic919
Posts: 1381
Joined: Wed Sep 18, 2013 6:56 am

Re: Released 1.36.33 The Memory Remains

Post by Magic919 »

Sounds like I need to get this applied. No sign of it on Ubuntu Focal as yet.
-
iconnor
Posts: 2880
Joined: Fri Oct 29, 2010 1:43 am
Location: Toronto

Re: Released 1.36.33 The Memory Remains

Post by iconnor »

Crap.. something went wrong with pushing to ppa. This is actually a big problem. Sigh. And there I thought everything was going so well.
iconnor
Posts: 2880
Joined: Fri Oct 29, 2010 1:43 am
Location: Toronto

Re: Released 1.36.33 The Memory Remains

Post by iconnor »

ppa is up to date. Everybody upgrade!
Magic919
Posts: 1381
Joined: Wed Sep 18, 2013 6:56 am

Re: Released 1.36.33 The Memory Remains

Post by Magic919 »

Thanks for the quick response. Upgrade completed.
-
dougmccrary
Posts: 1172
Joined: Sat Aug 31, 2019 7:35 am
Location: San Diego

Re: Released 1.36.33 The Memory Remains

Post by dougmccrary »

And there I thought everything was going so well.
You should know by now not to let that thought cross your mind...
TULOA
Posts: 1
Joined: Mon Feb 27, 2023 3:33 am

Re: Released 1.36.33 The Memory Remains

Post by TULOA »

Had 1 bug installing this, coming back here and giving it another shot.

I had no images on the stream watching it in the web montage.

I found that until I set the path on focal to the following it didn't work, because it couldn't find it until I changed it twice. Ultimately to:

# ZoneMinder url path to the zms streaming server
ZM_PATH_ZMS=/zm/cgi-bin/zms

Apparently if I leave it at the original value then it can't find it. If I leave the nph-zms I am not authorized to view the page unless I change:
Options -MultiViews +SymLinksIfOwnerMatch +ExecCGI
To:
Options -MultiViews +FollowSymLinks +ExecCGI

So just to keep it whatever more secure the first one makes it, I removed the nph- from the path variable, and now, set like this, it works fine.

Hopefully things stay well and now that I got this all figured out I can plan a time to do a donation to help with this program.
JariR
Posts: 26
Joined: Wed Sep 25, 2013 10:22 am

Re: Released 1.36.33 The Memory Remains

Post by JariR »

Upgraded yesterday to 1.36.33 and noticed that this version no longer remembers the earlier selected option for displayed rows per page on the events listing. If I choose the option to display "all", the next time I arrive at the list page it has changed the selection to the smallest option "10".
lazyleopard
Posts: 403
Joined: Tue Mar 02, 2004 6:12 pm
Location: Gloucestershire, UK

Re: Released 1.36.33 The Memory Remains

Post by lazyleopard »

I'm running Debian old-stable (buster). I have zoneminder/buster 1.36.32-buster1 amd64 installed. I can't upgrade to 1.36.33-buster1 amd64. Details in post: viewtopic.php?t=32439
Last edited by lazyleopard on Wed Mar 15, 2023 11:36 am, edited 1 time in total.
Rick Hewett
sbodeen
Posts: 1
Joined: Wed Mar 15, 2023 1:33 pm

Re: Released 1.36.33 The Memory Remains

Post by sbodeen »

JariR wrote: Wed Mar 01, 2023 6:28 am Upgraded yesterday to 1.36.33 and noticed that this version no longer remembers the earlier selected option for displayed rows per page on the events listing. If I choose the option to display "all", the next time I arrive at the list page it has changed the selection to the smallest option "10".
I'm seeing that as well. I've also noticed that when viewing the last 20 events, the scale always changes back to auto instead of what you change it to.
pat2
Posts: 156
Joined: Fri Sep 16, 2016 6:35 pm

Re: Released 1.36.33 The Memory Remains

Post by pat2 »

JariR wrote: Wed Mar 01, 2023 6:28 am Upgraded yesterday to 1.36.33 and noticed that this version no longer remembers the earlier selected option for displayed rows per page on the events listing. If I choose the option to display "all", the next time I arrive at the list page it has changed the selection to the smallest option "10".
same for me
---------------------------------------------------------------------------
ZM 1.36.34 - 14 cameras on Orange Pi 5 (arm64) - Ubuntu Jammy 22.04
lightguy48
Posts: 101
Joined: Sun Nov 15, 2015 7:19 pm

Re: Released 1.36.33 The Memory Remains

Post by lightguy48 »

I've been chasing this issue and also I'm noticing the same thing, all of the column settings and row number selections are getting lost.
pat2
Posts: 156
Joined: Fri Sep 16, 2016 6:35 pm

Re: Released 1.36.33 The Memory Remains

Post by pat2 »

hi Isaac,

the code change suggested at https://github.com/ZoneMinder/zoneminde ... e92246c5f9 is already implemented in my /usr/share/zoneminder/www/skins/classic/views/events.php

Anyway, it is not an important issue.
thanks
---------------------------------------------------------------------------
ZM 1.36.34 - 14 cameras on Orange Pi 5 (arm64) - Ubuntu Jammy 22.04