Releases: ZoneMinder/zoneminder

The Memory Remains 1.36.33

24 Feb 04:36

Changes since 1.36.32

  • Sanitise attr input in FilterTerm to prevent SQL Injection. Fixes GHSA-222j-wh8m-xjrx
  • Add object-src CSP directive to help prevent XSS
  • db: Add helper for escaping strings and use it on username retrieved from jwt to prevent SQL injection
  • use detaintPath on modal to prevent including other files instead of real modals
  • Check for valid date in minTime and maxTime to prevent SQL attack
  • Introduce check_datetime function to validate dates
  • Attempt to sanitize daemon and arguments before executing commands to prevent executing other programs.
  • Use validCardinal on MonitorId when creating snapshots to prevent executing other commands
  • Adjust size of text inputs MonitorName and Source Path Filters to match chosen inputs
  • test for existence of username in session to prevent error outputs when using AUTH_RELAY=plain
  • Move actions process to after the unauth check to prevent actions happening when unauthenticated
  • Fix detaintPath not stripping sequences like ..././
  • Escape <> in log messages to prevent html shenanigans. Fixes [#3596]
  • Don't start the statusCmdQuery on streaming start, because it is used when doing still updates. If we start it too fast, zms may not have started yet, causing errors in logs about zms
  • Set a short expiry 1min and set the cookie name to include the filter so that each and every filter gets its own pagination saved. Fixes [#3510]
  • Use reload instead of restart on zone save
  • Add reload to monitor zmcControl
  • Stop streams when clicking cancel/Save so that we don't log errors trying to access a dead zms. Fixes [#3643]
  • Adding :80 to address is not worthy of an Error log, fixes warnings in logs from various PTZ scripts
  • Add a sleeping flag so that when we get sigterm, we can just exit instead of returning to the sleep. Speeds up zoneminder shutdown
  • fix format endtime on events list on watch view
  • Include command line in debug output when generating images
  • Fix missing/corrupted pre-alarm frames in recording. Fixes #3656
  • Remove test for Enabled on monitor. Motion detection being disabled has nothing to do with manual triggering. Fixes [#3657]
  • Allow viewing of events whose Monitor[Function]=None
  • Remove stripslashes when saving config values. The values in REQUEST have not been escaped, so strip slashes is not appropriate. Fixes [#3655]
  • Apply chosen styles to dropdowns in Options, allowing text search
  • Queue packets instead of packet locks in event thread. Since we are using std::shared_ptr and not modifying the packet, should not need locking. Also, locking in one thread and unlocking in another is apparently undefined behaviour and doesn't work in freebsd.
  • fixes for freebsd
  • Don't wait for decode in Analyze, fixes some hangups on logrotate/shutdown
  • Hide timestamp caption from bottom of video.js event view. It serves no purpose. Fixes [#3488]
  • Add 2>&1 to command to delete event dir so that we get error messages logged.
  • Move code from Event to Storage to implement delete_path()
  • Use ajax() instead of getJSON with no timeout when deleting events.
  • Update monitor preset view: Use a submit button instead of input with javascript. Remove no longer needed js code. Sort presets by Name.
  • Fix saving Server modal. Form was incomplete, action and view were duplicated. Don't need javascript just use the submit button Save.
  • Improve info when moving event to show source and Dest paths
  • Remove dead code from report_event_audit.js
  • Use Y-m-d H:i:s instead of c for date formatting to match what datetimepicker expects. remove unused action input and put view in the get part of form action
  • Add styles to table headers to left align them to match the body
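
Several of the fixes above are the same shape of bug: request data that reached SQL text (the FilterTerm attr), a date bound (minTime/maxTime) or a command line (MonitorId) without a type check. The block below is an added illustration in Python of the checks those items name; it is not ZoneMinder's code (which is PHP), and the column names, the Events table and the three sample rows are constructed for the example. The point it adds to the notes is the split between identifiers, which can only be allowlisted, and values, which travel as bound parameters:

```python
import re
import sqlite3
from datetime import datetime

# Allowlists are the only safe way to put an identifier into SQL text: a filter
# term's attr and op are substituted as SQL, so they are looked up, never copied.
# These column names are illustrative, not ZoneMinder's schema.
FILTER_COLUMNS = {
    "MonitorId": "MonitorId",
    "Cause": "Cause",
    "StartDateTime": "StartDateTime",
}
FILTER_OPERATORS = {"=", "!=", "<", "<=", ">", ">="}


def valid_cardinal(value):
    """True for a string of decimal digits only, e.g. a MonitorId taken from a
    request before it is placed on a command line or in SQL."""
    return isinstance(value, str) and re.fullmatch(r"[0-9]+", value) is not None


def check_datetime(value):
    """True only if value is a real 'YYYY-MM-DD HH:MM:SS' timestamp
    (a well-formed string naming 30 February is rejected too)."""
    try:
        datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    except (TypeError, ValueError):
        return False
    return True


def build_filter_sql(terms, min_time=None, max_time=None):
    """Return (sql, params). Identifiers come from the allowlists above;
    every value is a bound parameter, so it can never become SQL."""
    clauses, params = [], []
    for term in terms:
        col = FILTER_COLUMNS.get(term["attr"])
        if col is None or term["op"] not in FILTER_OPERATORS:
            raise ValueError("rejected filter term: %r" % (term,))
        clauses.append("%s %s ?" % (col, term["op"]))
        params.append(term["val"])
    for bound, op in ((min_time, ">="), (max_time, "<=")):
        if bound is None:
            continue
        if not check_datetime(bound):
            raise ValueError("rejected time bound: %r" % (bound,))
        clauses.append("StartDateTime %s ?" % op)
        params.append(bound)
    where = " AND ".join(clauses) if clauses else "1"
    return "SELECT Id FROM Events WHERE %s ORDER BY Id" % where, params


def run_filter(conn, terms, min_time=None, max_time=None):
    """Execute a filter and return the matching event Ids."""
    sql, params = build_filter_sql(terms, min_time, max_time)
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    """Constructed in-memory table standing in for the events table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Events (Id INTEGER, MonitorId INTEGER, Cause TEXT, StartDateTime TEXT)")
    conn.executemany("INSERT INTO Events VALUES (?, ?, ?, ?)", [
        (1, 1, "Motion", "2023-02-01 10:00:00"),
        (2, 2, "Forced Web", "2023-02-02 11:30:00"),
        (3, 1, "Motion", "2023-02-03 09:15:00"),
    ])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(run_filter(db, [{"attr": "MonitorId", "op": "=", "val": "1"}]))         # [1, 3]
    print(run_filter(db, [{"attr": "MonitorId", "op": "=", "val": "1 OR 1=1"}]))  # []
```

A value such as `1 OR 1=1` matches nothing because it is compared as data, not parsed as SQL; an attr that is not in the allowlist raises before any query is built. An escaping helper like the one the notes add for the JWT username works only where it is applied consistently, which is why parameters are the default and escaping the fallback for the cases (identifiers) they cannot cover.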

Vulnerabilities addressed by this release

GHSA-h5m9-6jjc-cgmw CVE-2023-26036
GHSA-6c72-q9mw-mwx9 CVE-2023-26032
GHSA-65jp-2hj3-3733 CVE-2023-26037
GHSA-44q8-h2pw-cc9g CVE-2023-26039
GHSA-wrx3-r8c4-r24w CVE-2023-2603
GHSA-72rg-h4vf-29gr CVE-2023-26035
GHSA-222j-wh8m-xjrx CVE-2023-26034
GHSA-68vf-g4qm-jr6v CVE-2023-25825

The bulk of these issues were found during Perfect Blue's 2023 CTF event. https://ctf.perfect.blue/

Thank you to the participants and thanks for the responsible disclosures. We are stronger for it.

All users of ZoneMinder < 1.36.33 are hereby EXTREMELY STRONGLY recommended to update.
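
The detaintPath item in the list above ("not stripping sequences like ..././") is a classic: a sanitizer that removes `../` in one pass turns `..././` into `../`, so the traversal survives. The block below is an added illustration in Python, not ZoneMinder's PHP code; the `modals` directory and the modal-name rule are assumptions for the example. It goes beyond the release note by layering an allowlist on the name and a confinement check on the resolved path, so that the strip routine is no longer the only line of defence:

```python
import posixpath
import re


def detaint_path_once(path):
    """Single-pass strip. Removing '../' from '..././' leaves '../': the bug the
    release note describes, reproduced deliberately."""
    return path.replace("../", "")


def detaint_path(path):
    """Strip until a pass changes nothing, so fragments cannot reassemble
    into a fresh '../' after their neighbours are removed."""
    while True:
        stripped = path.replace("../", "").replace("..\\", "")
        if stripped == path:
            return path
        path = stripped


def confined_to(base, candidate):
    """True if base/candidate, once '.' and '..' are resolved, is still under base."""
    base = posixpath.normpath(base)
    full = posixpath.normpath(posixpath.join(base, candidate))
    return full == base or full.startswith(base + "/")


# Assumed rule: a modal is named by an identifier, nothing else.
MODAL_NAME = re.compile(r"[A-Za-z0-9_]+")


def modal_file(modal, base="modals"):  # 'modals' is a hypothetical directory
    """Map a request parameter to the file that may be included, or None.
    Each layer is independent: the allowlist rejects anything that is not a
    name, detaint_path removes traversal if a looser rule ever lets it through,
    and confined_to refuses any result that resolves outside base."""
    if not MODAL_NAME.fullmatch(modal):
        return None
    rel = detaint_path(modal) + ".php"
    if not confined_to(base, rel):
        return None
    return posixpath.join(base, rel)


if __name__ == "__main__":
    print(detaint_path_once("..././"))          # ../
    print(detaint_path("..././"))               # (empty string)
    print(modal_file("storage"))                # modals/storage.php
    print(modal_file("../../etc/passwd"))       # None
```

The confinement check is the one to keep even if the strip routine is rewritten: it decides on the resolved path, so it does not depend on enumerating every encoding of `..` an attacker might send.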

The Memory Remains 1.36.32

18 Nov 19:57

Changes since 1.36.31

  • More properly fix the alarm status api changing. The previous hack broke doing alarm on/off.
  • fix handle of SQL generation of IN array when array is empty. Just always return false.
  • Fix test for null in Object::find
  • Make inputs on filter action table 100%
  • Fix Warning when monitor is not visible
  • Switch to utf8mb4 to support 4 byte unicode Fixes [#3514]
  • Make search input the same size as other toolbar elements
  • Remove deprecated CAMBOZOLA references
  • Update Monitor symlinking, improving deleting old link when changing name
  • Fix zone deleting and fix an extra comma in default coordinates
  • Add libswscale6 and libswresample4 dependencies for ubuntu kinetic
  • Remove return type from session class methods. not supported in php5.4. Fixes breakage on centos7. Fixes [#3622]
  • Fix recalculating Event Disk Space a second time when updating.
  • Set xhrFields: withCredentials: true so that we send cookies with our streaming xhr requests so that we pick up new auth hashes
  • Add Access-Control-Allow-Credentials: true so that we can pass cookies along with xhr requests.
  • Add Cause, Notes and EndDateTime to available columns in events list on watch view
  • Make button on Filter Debug modal be Close instead of Cancel
  • Handle empty but defined REQUEST[action]
  • replace php Memcached with Apc on Fedora
  • Allow MonitorName as default sort field as well as Monitor
  • Try out just using connkey as the semaphore key instead of ftok in ajax streaming requests
  • Turn back on error_reporting, just don't display the error in json ajax requests.
  • Check for return value of openEvent. Fixes crash when openEvent fails
  • Fix infinite recursion in montagereview
  • Add error message when minTime >= maxTime in montagereview
  • Fix crash in zmfilter DiskSpace Update when Event doesn't exist
  • Make .form-group styles export page specific because they are affecting layout in modals
  • Cleanup the state modal. Fix form post
  • Set web backend db connection to utf8 Fixes [#3631]
  • implode the output from zmu to fix php complaint about array to string
  • convert strings into integers before doing math as of php 8.2 Fixes Unsupported operand types: string - int

Full Changelog: 1.36.31...1.36.32

The Memory Remains 1.36.31

17 Oct 23:12

Changes since 1.36.30

  • Fix failed login due to remoteAddr not being populated in session after regeneration
  • Use REQUEST instead of SESSION to store the post login redirect because we clear the session on login. Fixes [#3517]
  • Turn off logging of deprecation notices so that we work with php8.2

Full Changelog: 1.36.30...1.36.31

The Memory Remains 1.36.30

17 Oct 19:57

What's Changed

  • Test for definition of ZM_LOG_INJECT. We don't include the config when not logged in. So it won't be defined and an error will be logged
  • Fix saving from the function modal (and other modals)
  • left align option value column
  • when a config value is overridden via *.conf files, put up a warning/explanation on the options view
  • Turn failure to send into a debug instead of warn. When running under fpm etc we may not get SIGPIPE.
  • Move relevant code out of includes/actions/auth.php into includes/auth.php. Fixes inability to login using GET method.
  • Don't panic if no font file found. We seem to be able to continue without it.
  • Rework session handling to fix breakage with php8.2. Please note that php 8.2 still completely breaks a ton of our code. Do not upgrade to php8.2 and expect ZoneMinder to work.

Full Changelog: 1.36.29...1.36.30

The Memory Remains 1.36.29

11 Oct 23:07

Changes since 1.36.28

  • update web/ajax.log.php to contents from master. Fixes errors causing log view to not work. Fixes [#3606]
  • use ajax() instead of getJSON so that we can specify no timeouts.. This prevents log queries from stacking up overloading the db
  • Check for definition of CAMBOZOLA defines. The purpose is just to ease running the 1.36 UI against a 1.37 database.
  • Added option ZM_AUTH_CASE_INSENSITIVE_USERNAMES to match mixed case Usernames to lower case usernames in database [#3516]
  • Move LIBAVCODEC_VERSION_CHECK so that it is defined when the include files are under ffmpeg. Maybe fixes build with 5.1.2?
  • Test for matches[operator]. Fixes [#3607]

Full Changelog: 1.36.28...1.36.29

The Memory Remains 1.36.28

07 Oct 20:04

Changes since 1.36.27

  • Add ZM_LOG_INJECT config parameter to disable unprivileged log injection through api.
  • Check value of System:Edit permission and ZM_LOG_INJECT to disable ajax log injection.
  • Use canEdit['System'] and value of new ZM_LOG_INJECT to disable attempting to inject javascript errors into zm logs
  • The above 3 Fixes GHSA-cfcx-v52x-jh74
  • Fix Monitor => monitor in zmwatch causing crash in zmwatch
  • update storage modal to fix buttons not being in form. Also remove duplicate view field and make button action be save instead of Save. Fixes [#3605]

Full Changelog: 1.36.27...1.36.28

The Memory Remains 1.36.27

07 Oct 14:22

Changes since 1.36.26

  • Use zm_setcookie, which will automatically set samesite on the session cookie. Maybe fixes [#3517]
  • commit to free up locks when there is an error doing MoveTo (like does not exist on disk). Also remove commit from CopyTo which does no transactions/locking.
  • Use y instead of Y for path generation when using Deep scheme. Fixes [#3583]
  • Add spans and title attributes on the title h2 parts of frame view so that on mouseover it tells you what the numbers are
  • Update frame view js to use const etc instead of var. Put back EventId and FrameId in stats being links and fix FrameId not being populated. If no stats available disable the stats button and use the title to explain why.
  • In failure state populate imageData array to reduce output php errors in frame view
  • Add connkey and semaphore key to logging about failure to get semaphore. Add sem_release before every ajaxError call because ajaxError exits and so we never release the semaphore.
  • fix not saving v4l settings.
  • Only warn about event exceeding section_length if we are not using close_mode=TIME. Fixes [#3599]
  • make OutputCodec work in API Maybe fixes [#3341]
  • Handle filter[query] not being defined
  • Fix export not working for filter due to limit set to 0.
  • Only look for action if there is a view. Prevents lookup of a non-existent file.
  • Include monitor Id in zmwatch logs, for consistency as well as utility
  • Escape File parameters when inserting log to prevent XSS. Related to fixing [#2466]. Fixes https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433
  • Only perform actions on post. Doing them on GET allows doing actions without CSRF from things like img tags which is not good. Fixes GHSA-xgv6-qv6c-399q
  • Upgrade jquery to 3.6.1
  • Update jquery-ui to 1.13.2 to remove reported dependency advisory
  • Fix missing STATE_UNKNOWN in perl libs causing missed events in zmes.
  • Add permissions checking to API/Logs. Fixes unprivileged user being able to add/edit/delete/view logs. Fixes GHSA-mpcx-3gvh-9488

Full Changelog: 1.36.26...1.36.27
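
The "Only perform actions on post" item in this release is worth seeing as code, because the underlying mistake is reading the action from the merged GET+POST parameters (PHP's $_REQUEST): an `<img>` on any page the victim visits then triggers it with the victim's cookies. The block below is an added illustration in Python, not ZoneMinder's PHP; the request it constructs is the one such an image tag would cause. It also goes beyond the note by adding a per-session token, since a POST-only rule stops image-tag requests but not an auto-submitting form on the attacker's page; the SameSite cookie attribute the same release sets is the browser-side complement and is not modelled here:

```python
import hmac
import secrets


class Session:
    """Minimal stand-in for the server-side session: holds a CSRF token and
    records which state-changing actions ran."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)
        self.actions_run = []


# Constructed request: what the victim's browser sends for
# <img src="https://zm.example/index.php?view=events&action=delete&id=42">
# on an attacker's page. It is a GET, and it carries the victim's cookies.
IMG_TAG_REQUEST = ("GET", {"view": "events", "action": "delete", "id": "42"}, {})


def dispatch_merged(session, method, query, form):
    """Pre-fix shape: the action is taken from query and form merged, as
    $_REQUEST does, so the GET above executes it. Returns True if an action ran."""
    merged = {**query, **form}
    action = merged.get("action")
    if not action:
        return False
    session.actions_run.append(action)
    return True


def dispatch_post_only(session, method, query, form):
    """Fixed shape: actions run only on POST, only from the POST body, and only
    with a token that matches the session's, compared in constant time."""
    if method != "POST":
        return False
    action = form.get("action")
    if not action:
        return False
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return False
    session.actions_run.append(action)
    return True


if __name__ == "__main__":
    s = Session()
    print(dispatch_merged(s, *IMG_TAG_REQUEST))     # True: the image tag deleted event 42
    s = Session()
    print(dispatch_post_only(s, *IMG_TAG_REQUEST))  # False
```

Rendering the token into every form the application emits, and rejecting POSTs without it, is the part that covers the auto-submitting-form case; nothing in the method check alone does.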

The Memory Remains 1.36.26

16 Sep 17:00

Changes since 1.36.25

  • Fix [#3580] Export page broken due to typo on dateTimeFormater => dateTimeFormatter
  • Restore the integer value returned for status on API MonitorsController to per 1.36.16 value. The values got shifted due to making 0 = Unknown instead of -1.
  • Only init the bootstrap table of events on watch view if the user has permission to view events. This prevents endless logging of insufficient permissions errors.
  • Add fade to the logout modal which for some reason fixes it not showing after a cancel
  • Specify that only main page content tables should have the first column be min-width: 300px. This was affecting the logout dialog table content when viewing the monitor edit view.
  • fix export from event view
  • Only try to set TIMEZONE when loading dateTimeFormatter if it is set and handle the exception when any of TIMEZONE or LOCALE are invalid.
  • Fix values in LOCALE_DEFAULT dropdown in options.
  • Add libio-interface-perl to dependencies. Fixes [#3577]
  • Show the Reboot control when it is enabled without wake, sleep or reset.

Full Changelog: 1.36.25...1.36.26

The Memory Remains 1.36.25

30 Aug 15:41

Changes since 1.36.24

  • add build for ubuntu kinetic
  • fix javascript error on zone edit
  • fix deprecation error on php8 due to implicit conversion to integer when displaying event duration
  • Update ZM_MIN_RTSP_PORT description
  • fix some javascript errors during page transition
  • Ignore errors when decoding log message
  • add detection of out of order packets from ffmpeg
  • Keep track of max_keyframe_interval and log it when complaining
  • fix hang during logrotate due to waiting in packetqueue for decode
  • Remove warning about maxImageBuffer. Will be handled better in queuePacket.
  • Fix snapshot jpeg not being created early enough
  • finally fix (we think) hung zmu/zms processes due to race in db thread creation.
  • Update material icons to v1.11.10
  • Add a button to event view to jump to this event time in montage review
  • fix different button heights when using font awesome vs material icons
  • Add a back to frames button from frame view
  • Use HTTP_X_FORWARDED_HOST or HTTP_X_FORWARDED_SERVER if present to get correct hostname to use when behind a reverse proxy.
  • Handle case where time_base is not set in the codec. Fixes h265 not playing through zms
  • When there are less than 3 storage areas, just list them in the header instead of making it a dropdown
  • fix problems with migrateHash

Full Changelog: 1.36.24...1.36.25

The Memory Remains 1.36.24

06 Aug 13:29

Changes since 1.36.23

Full Changelog: 1.36.23...1.36.24