
Releases: ZoneMinder/zoneminder

The Memory Remains 1.36.35

22 Oct 15:17

Changes since 1.36.34

  • Merge in auto package building using github ci
  • On upgrade, always attempt re-applying the last db update. This helps when running proposed ppa
  • Only use fps_report_interval for the logging of fps updates. Always update the db. This fixes cameras being listed as offline despite being fine due to a very long fps update interval
  • Track Monitor_Status and FPS logging times separately. Update db every 10 seconds.
  • Don't output the boundary if we aren't streaming. Single jpegs don't need it and something was complaining about it
  • Only output 403 status if not nph
  • add MariaDB to docs
  • more ffmpeg5 deprecations
  • Handle ffmpeg6 deprecating (renaming) pkt_duration
  • ffmpeg7 fixes
  • add logging of stream index in debug code
  • Remove deprecated reconnect setting for mysql
  • Auto reconnect when mysql is lost
  • Replace deprecated mysql_ssl_set with mysql_options()
  • Add getting the connection id from mysql and log it in zmDbDo. This is so that when mysql reports a dropped connection, we can figure out which process it was.
  • Add debugging of db failures
  • If an invalid port is specified, don't actually start the rtp threads. They don't get used in RTP/RTSP. Fixes [#3759]
  • Default end_time to start_time on event creation so that we don't get a negative duration
  • Don't start max score at -1 as that is not a valid value for the db.
  • Add support for DateTime and Server advsearch filters
  • Remove reorder_queue_size from output options to prevent logging
  • Add event->Duration and use it when considering min_section_length because the first keyframe may have been quite a while ago and we can end up closing an empty event.
  • Remove default of NOW from UpdatedOn in Monitor_Status field because old mysql can't handle it. Explicitly set it in zmc. Fixes [#4155]
  • Use htmlspecialchars on Message to prevent Stored Cross-Site Scripting. Fixes GHSA-rqxv-447h-g7jx
  • Fix crash in api when auth is turned off and you try to log in
  • Add End Date Time and None as options for sorting in filters, which allows us to create more efficient SQL queries.
  • Fix labelling for defaultCodec, as it is used for event viewing, not live view.
  • Only show location tab when GEOLOCATION is turned on
  • Fix zone edit image jumping around when status is alert
  • Handle change of res/colours in zms by reloading the monitor object.
  • Count keyframes on queuePacket so that analysis Ready() will start recording when there are enough packets in queue.
  • Make NULL be case-insensitive in filter rules

Full Changelog: 1.36.34...1.36.35

A lot of back ports from 1.37. One security vulnerability fix. The main thrust was the mysql and ffmpeg deprecations. All users are encouraged to upgrade.

Updating the sort field on your filters can have a significant effect on mysql cpu/ram use. For example the Update Disk Space filter defaults to sorting by StartDateTime or ID which makes mysql not use the index on EndDateTime and DiskSpace. Since we don't care about the order we act on results, we don't need to sort at all. So on a large database this query can go from hitting every row in the table, to almost none.

The Memory Remains 1.36.34

12 Aug 18:45

Changes since 1.36.33

  • fix mouseEvent property names, allowing zooming into recorded events
  • Handle ffmpeg5 channel deprecations
  • debian: Add bookworm support
  • add Help text for OPTIONS_ALARMMAXFPS
  • Remove chowning /usr/share/zoneminder from docs.
  • docs: Spelling, fix missing db in database create for bullseye, add bookworm instructions
  • Clean up help text for ZM_LOG_DEBUG_FILE to not say that it can include a directory. It should be JUST a filename.
  • Do not allow directory names in ZM_LOG_DEBUG_FILE. Only log to ZM_LOG_DIR
  • Load the ZM::Event using the Event Model data instead of loading by Id which goes back to db for performance (API faster)
  • If no next bulk frame use Event data to estimate the delta to supply an image
  • remove duplicate event save when updating Disk Space
  • Allow caching of images in view=image
  • Improve logging wrt insufficient permissions
  • Update fail2ban.rules
  • Don't show bandwidth options if there are none to choose from
  • Update redhat build docs
  • Fix missing auth_relay on alarm xhr
  • Make objdetect modals 65% width to make it easier to see
  • Don't exit on segfault, perhaps allowing graceful shutdown
  • Switch from utf8 to utf8mb4 so that collation works
  • Handle failure to db query more gracefully
  • Transform date string to int to satisfy newer php
  • Add auth_relay to control command
  • ONVIF: Handle RateControl being undef
  • Restrict mid to a cardinal value. Fixes GHSA-9cmr-7437-v9fj
  • in detaintPath also strip :// because php:// is a way to inject code
  • Only allow Events Columns for sort. Fixes GHSA-2qp3-fwpv-mc96. Fixes GHSA-9cmr-7437-v9fj
  • Use https proxy instead of http since we now access an https url
  • Fix Auto Unarchive not deselecting
  • define count. Fixes #3799
  • Add quotes around dbUser and dbPass to prevent command injection in zmcamtool.pl and zmupdate.pl
  • If group is empty, return false for canview so that it doesn't appear in dropdowns etc.
  • Only show groups that we can view
  • Revert change to cookie and cookie expire to fix loss of bootstrap table preferences. Add samesite
  • Info to Debug for login.
  • API: Always return an array in getCredentialsDeprecated
  • API: Don't try to do auth if auth is turned off
  • When ZM_AUTH_HASH_IPS is off, don't use remote ip in storing auth hash in session. If ips are constantly changing it breaks.
  • API: Don't assume findByEventidAndType actually returns a frame. If we are only recording, then there will be no alarm frames in the db
  • Make view does not exist an error instead of fatal
  • Handle ffmpeg 7 deprecations
  • Set fps and bandwidth to 0 on start and stop of zmc.
  • When editing buffer settings, ensure that MaxImageBuffers > PreEventCount.
  • Use either version or version.txt. Fixes #3798
  • clear packet images even when there is an event, because we send it to the event, which will use the images and so we don't need them anymore. Also free analysis images even when not passthrough.
  • Set default value for rows per page using WEB_EVENTS_PER_PAGE. Fixes #3728
  • When saving cookies via PHP >= 7.3.0, add handling of the "path" value in the options (session.php)
  • Change save button to a regular button that calls validateForm and don't set form.submit to validateForm. ValidateForm will now alert and switch tabs to better inform what the incorrect value is. Built-in validation doesn't work due to tabs and the invalid input not being focusable
  • Add UpdatedOn field to Monitor_Status and update it when updating Monitor_Status
  • Delete Monitor_Status records that haven't been updated in over a minute
  • Sanitise displayinterval,speed and scale parameters. Fixes GHSA-pjjm-3qxp-6hj8
  • Sanitise filter[Id] when parsing filter. Fixes GHSA-6rrw-66rf-6g5f
  • Move code to shutdown the process properly into exit_zms and use it when auth fails. This stops a segfault.
  • Limit scale to 16x mainly to put an upper bound on the amount of ram we might use.
  • Limit scale in montagereview to 1.1 to prevent requesting images larger than 100%
  • Add dependencies for ubuntu noble
  • Redo the event thread. Instead of analysis adding packets to an event specific queue, just pass in the iterator and let the event thread do its own locking. This allows us to free ram in packet in the event, and not segfault.
  • move image_count to shared mem. Use it in monitorstream to detect when last_write_time % buffer_count hasn't changed, but there is in fact a new image. Should improve streaming when ImageBufferCount<=3. Should allow = 2.
  • Reset last_capture_image_count in connect so that we don't get negative fps reports and possible floating point exceptions
  • Don't log failure to get packet. Can only happen when stopping the packetqueue.
  • Handle non increasing timestamps from ffmpeg
  • Use last duration instead of 1 when adjusting dts when non-monotonic. Some googling indicates this might be a better approach. What I am seeing with a tapo C520WS agrees.
  • Update charset header in ja_jp.php from Shift_JIS to UTF-8
  • Always re-apply the latest update. Mainly because sometimes Isaac forgets to add the zm_update file when bumping versions, also in release branches, we increment version before release. zm_update scripts are always supposed to be re-runnable.
  • Limit segfaults to 1
  • Put swap file File::find into an eval because it can die in zmaudit.pl
  • Put back code that looks for iterators when cleaning packet queue. event thread can now have an iterator that follows analysis
  • Sometimes the initial keyframe packet will have AV_NOPTS for pts and dts. When this happens, set last_dts to -1 instead of 0, so that when the next packet comes in and sets the first_dts value, the resulting dts will be 0 which is > -1.
  • Update debian.rst, enable autostart of ZM at boot
  • If the css in cookie is invalid, clear it so that the logs don't fill up with the warnings
  • Don't log error when ignoring action if it is an ajax request
  • Handle more than one level of output buffering when cleaning and ending them so we can send the video file so we don't run out of ram. Fixes #4110

Full Changelog: 1.36.33...1.36.34

The Memory Remains 1.36.33

24 Feb 04:36

Changes since 1.36.32

  • Sanitise attr input in FilterTerm to prevent SQL Injection. Fixes GHSA-222j-wh8m-xjrx
  • Add object-src CSP directive to help prevent XSS
  • db: Add helper for escaping strings and use it on username retrieved from jwt to prevent SQL injection
  • use detaintPath on modal to prevent including other files instead of real modals
  • Check for valid date in minTime and maxTime to prevent SQL attack
  • Introduce check_datetime function to validate dates
  • Attempt to sanitize daemon and arguments before executing commands to prevent executing other programs.
  • Use validCardinal on MonitorId when creating snapshots to prevent executing other commands
  • Adjust size of text inputs MonitorName and Source Path Filters to match chosen inputs
  • test for existence of username in session to prevent error outputs when using AUTH_RELAY=plain
  • Move actions process to after the unauth check to prevent actions happening when unauthenticated
  • Fix detaintPath not stripping sequences like ..././
  • Escape <> in log messages to prevent html shenanigans. Fixes [#3596]
  • Don't start the statusCmdQuery on streaming start, because it is used when doing still updates. If we start it too fast, zms may not have started yet, causing errors in logs about zms
  • Set a short expiry 1min and set the cookie name to include the filter so that each and every filter gets its own pagination saved. Fixes [#3510]
  • Use reload instead of restart on zone save
  • Add reload to monitor zmcControl
  • Stop streams when clicking cancel/Save so that we don't log errors trying to access a dead zms. Fixes [#3643]
  • Adding :80 to address is not worthy of an Error log, fixes warnings in logs from various PTZ scripts
  • Add a sleeping flag so that when we get sigterm, we can just exit instead of returning to the sleep. Speeds up zoneminder shutdown
  • fix format endtime on events list on watch view
  • Include command line in debug output when generating images
  • Fix missing/corrupted pre-alarm frames in recording. Fixes #3656
  • Remove test for Enabled on monitor. Motion detection being disabled has nothing to do with manual triggering. Fixes [#3657]
  • Allow viewing of events whose Monitor[Function]=None
  • Remove stripslashes when saving config values. The values in REQUEST have not been escaped, so strip slashes is not appropriate. Fixes [#3655]
  • Apply chosen styles to dropdowns in Options, allowing text search
  • Queue packets instead of packet locks in event thread. Since we are using std::shared_ptr and not modifying the packet, should not need locking. Also, locking in one thread and unlocking in another is apparently undefined behaviour and doesn't work in freebsd.
  • fixes for freebsd
  • Don't wait for decode in Analyze, fixes some hangups on logrotate/shutdown
  • Hide timestamp caption from bottom of video.js event view. It serves no purpose. Fixes [#3488]
  • Add 2>&1 to command to delete event dir so that we get error messages logged.
  • Move code from Event to Storage to implement delete_path()
  • Use ajax() instead of getJSON with no timeout when deleting events.
  • Update monitor preset view: Use a submit button instead of input with javascript. Remove no longer needed js code. Sort presets by Name.
  • Fix saving Server modal. Form was incomplete, action and view were duplicated. Don't need javascript just use the submit button Save.
  • Improve info when moving event to show source and Dest paths
  • Remove dead code from report_event_audit.js
  • Use Y-m-d H:i:s instead of c for date formatting to match what datetimepicker expects. remove unused action input and put view in the get part of form action
  • Add styles to table headers to left align them to match the body

Vulnerabilities addressed by this release

GHSA-h5m9-6jjc-cgmw CVE-2023-26036
GHSA-6c72-q9mw-mwx9 CVE-2023-26032
GHSA-65jp-2hj3-3733 CVE-2023-26037
GHSA-44q8-h2pw-cc9g CVE-2023-26039
GHSA-wrx3-r8c4-r24w CVE-2023-2603
GHSA-72rg-h4vf-29gr CVE-2023-26035
GHSA-222j-wh8m-xjrx CVE-2023-26034
GHSA-68vf-g4qm-jr6v CVE-2023-25825

Full Changelog: 1.36.32...1.36.33

The bulk of these issues were found during Perfect Blue's 2023 CTF event. https://ctf.perfect.blue/

Thank you to the participants and thanks for the responsible disclosures. We are stronger for it.

All users of ZoneMinder < 1.36.33 are hereby EXTREMELY STRONGLY recommended to update.

The Memory Remains 1.36.32

18 Nov 19:57

Changes since 1.36.31

  • More properly fix the alarm status api changing. The previous hack broke doing alarm on/off.
  • fix handle of SQL generation of IN array when array is empty. Just always return false.
  • Fix test for null in Object::find
  • Make inputs on filter action table 100%
  • Fix Warning when monitor is not visible
  • Switch to utf8mb4 to support 4 byte unicode Fixes [#3514]
  • Make search input the same size as other toolbar elements
  • Remove deprecated CAMBOZOLA references
  • Update Monitor symlinking, improving deleting old link when changing name
  • Fix zone deleting and fix an extra comma in default coordinates
  • Add libswscale6 and libswresample4 dependencies for ubuntu kinetic
  • Remove return type from session class methods. not supported in php5.4. Fixes breakage on centos7. Fixes [#3622]
  • Fix recalculating Event Disk Space a second time when updating.
  • Set xhrFields: withCredentials: true so that we send cookies with our streaming xhr requests so that we pick up new auth hashes
  • Add Access-Control-Allow-Credentials: true so that we can pass cookies along with xhr requests.
  • Add Cause, Notes and EndDateTime to available columns in events list on watch view
  • Make button on Filter Debug modal be Close instead of Cancel
  • Handle empty but defined REQUEST[action]
  • replace php Memcached with Apc on Fedora
  • Allow MonitorName as default sort field as well as Monitor
  • Try out just using connkey as the semaphore key instead of ftok in ajax streaming requests
  • Turn back on error_reporting, just don't display the error in json ajax requests.
  • Check for return value of openEvent. Fixes crash when openEvent fails
  • Fix infinite recursion in montagereview
  • Add error message when minTime >= maxTime in montagereview
  • Fix crash in zmfilter DiskSpace Update when Event doesn't exist
  • Make .form-group styles export page specific because they are affecting layout in modals
  • Cleanup the state modal. Fix form post
  • Set web backend db connection to utf8 Fixes [#3631]
  • implode the output from zmu to fix php complaint about array to string
  • convert strings into integers before doing math as of php 8.2 Fixes Unsupported operand types: string - int

Full Changelog: 1.36.31...1.36.32

The Memory Remains 1.36.31

17 Oct 23:12

Changes since 1.36.30

  • Fix failed login due to remoteAddr not being populated in session after regeneration
  • Use REQUEST instead of SESSION to store the post login redirect because we clear the session on login. Fixes [#3517]
  • Turn off logging of deprecation notices so that we work with php8.2

Full Changelog: 1.36.30...1.36.31

The Memory Remains 1.36.30

17 Oct 19:57

What's Changed

  • Test for definition of ZM_LOG_INJECT. We don't include the config when not logged in. So it won't be defined and an error will be logged
  • Fix saving from the function modal (and other modals)
  • left align option value column
  • when a config value is overridden via *.conf files, put up a warning/explanation on the options view
  • Turn failure to send into a debug instead of warn. When running under fpm etc we may not get SIGPIPE.
  • Move relevant code out of includes/actions/auth.php into includes/auth.php. Fixes inability to login using GET method.
  • Don't panic if no font file found. We seem to be able to continue without it.
  • Rework session handling to fix breakage with php8.2. Please note that php 8.2 still completely breaks a ton of our code. Do not upgrade to php8.2 and expect ZoneMinder to work.

Full Changelog: 1.36.29...1.36.30

The Memory Remains 1.36.29

11 Oct 23:07

Changes since 1.36.28

  • update web/ajax.log.php to contents from master. Fixes errors causing log view to not work. Fixes [#3606]
  • use ajax() instead of getJSON so that we can specify no timeouts. This prevents log queries from stacking up overloading the db
  • Check for definition of CAMBOZOLA defines. The purpose is just to ease running the 1.36 UI against a 1.37 database.
  • Added option ZM_AUTH_CASE_INSENSITIVE_USERNAMES to match mixed case Usernames to lower case usernames in database [#3516]
  • Move LIBAVCODEC_VERSION_CHECK so that it is defined when the include files are under ffmpeg. Maybe fixes build with 5.1.2?
  • Test for matches[operator]. Fixes [#3607]

Full Changelog: 1.36.28...1.36.29

The Memory Remains 1.36.28

07 Oct 20:04

Changes since 1.36.27

  • Add ZM_LOG_INJECT config parameter to disable unprivileged log injection through api.
  • Check value of System:Edit permission and ZM_LOG_INJECT to disable ajax log injection.
  • Use canEdit['System'] and value of new ZM_LOG_INJECT to disable attempting to inject javascript errors into zm logs
  • The above 3 fix GHSA-cfcx-v52x-jh74
  • Fix Monitor => monitor in zmwatch causing crash in zmwatch
  • update storage modal to fix buttons not being in form. Also remove duplicate view field and make button action be save instead of Save. Fixes [#3605]

Full Changelog: 1.36.27...1.36.28

The Memory Remains 1.36.27

07 Oct 14:22

Changes since 1.36.26

  • Use zm_setcookie, which will automatically set samesite on the session cookie. Maybe fixes [#3517]
  • commit to free up locks when there is an error doing MoveTo (like does not exist on disk). Also remove commit from CopyTo which does no transactions/locking.
  • Use y instead of Y for path generation when using Deep scheme. Fixes [#3583]
  • Add spans and title attributes on the title h2 parts of frame view so that on mouseover it tells you what the numbers are
  • Update frame view js to use const etc instead of var. Put back EventId and FrameId in stats being links and fix FrameId not being populated. If no stats available disable the stats button and use the title to explain why.
  • In failure state populate imageData array to reduce output php errors in frame view
  • Add connkey and semaphore key to logging about failure to get semaphore. Add sem_release before every ajaxError call because ajaxError exits and so we never release the semaphore.
  • fix not saving v4l settings.
  • Only warn about event exceeding section_length if we are not using close_mode=TIME. Fixes [#3599]
  • make OutputCodec work in API Maybe fixes [#3341]
  • Handle filter[query] not being defined
  • Fix export not working for filter due to limit set to 0.
  • Only look for action if there is a view. Prevents lookup of a non-existent file.
  • Include monitor Id in zmwatch logs, for consistency as well as utility
  • Escape File parameters when inserting log to prevent XSS. Related to fixing [#2466]. Fixes https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433
  • Only perform actions on post. Doing them on GET allows doing actions without CSRF from things like img tags which is not good. Fixes GHSA-xgv6-qv6c-399q
  • Upgrade jquery to 3.6.1
  • Update jquery-ui to 1.13.2 to remove reported dependency advisory
  • Fix missing STATE_UNKNOWN in perl libs causing missed events in zmes.
  • Add permissions checking to API/Logs. Fixes unprivileged user being able to add/edit/delete/view logs. Fixes GHSA-mpcx-3gvh-9488

Full Changelog: 1.36.26...1.36.27

The Memory Remains 1.36.26

16 Sep 17:00

Changes since 1.36.25

  • Fix [#3580] Export page broken due to typo in dateTimeFormater => dateTimeFormatter
  • Restore the integer value returned for status on API MonitorsController to per 1.36.16 value. The values got shifted due to making 0 = Unknown instead of -1.
  • Only init the bootstrap table of events on watch view if the user has permission to view events. This prevents endless logging of insufficient permissions errors.
  • Add fade to the logout modal which for some reason fixes it not showing after a cancel
  • Specify that only main page content tables should have the first column be min-width: 300px. This was affecting the logout dialog table content when viewing the monitor edit view.
  • fix export from event view
  • Only try to set TIMEZONE when loading dateTimeFormatter if it is set and handle the exception when any of TIMEZONE or LOCALE are invalid.
  • Fix values in LOCALE_DEFAULT dropdown in options.
  • Add libio-interface-perl to dependencies. Fixes [#3577]
  • Show the Reboot control when it is enabled without wake, sleep or reset.

Full Changelog: 1.36.25...1.36.26