Debian-LTS has issued an advisory on January 29: https://lwn.net/Alerts/712996/ Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
This is known and documented and I would rather not change it, as it will make ZoneMinder set-up more difficult for new users. We have a note in zoneminder.conf which explains about this here: http://svnweb.mageia.org/packages/cauldron/zoneminder/current/SOURCES/zoneminder.conf?view=markup It has been the same for years. Opinions welcome ;)
The package should probably have something in its Apache configuration to restrict the directory with the images to only be accessible from localhost. People can then customize that to say what systems they want it to be accessible from, and/or implement authentication. By default then, it would be mitigated, but in a relatively simple way (restricting to localhost by default is simpler than having some default authentication enabled).
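One way to check an Apache configuration for the exposure discussed above, as an added example (not taken from the Mageia package or from this bug report). Both configuration fragments are constructed, `/path/to/zoneminder/www` is a placeholder path, and `audit_directories` is a hypothetical helper; the restricted fragment uses the Apache 2.4 `Require local` directive.

```python
import re

# Constructed configuration fragments (not Mageia's shipped zoneminder.conf).
# "/path/to/zoneminder/www" is a placeholder for the directory holding the images.
OPEN_CONF = '''\
Alias /zm "/path/to/zoneminder/www"
<Directory "/path/to/zoneminder/www">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
'''

LOCALHOST_CONF = '''\
Alias /zm "/path/to/zoneminder/www"
<Directory "/path/to/zoneminder/www">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    # Localhost only by default; widen with "Require ip <addr>" or add authentication.
    Require local
</Directory>
'''

_OPEN = re.compile(r'^<Directory\s+"?([^">]+)"?\s*>$', re.IGNORECASE)
_CLOSE = re.compile(r'^</Directory\s*>$', re.IGNORECASE)


def audit_directories(conf_text):
    """Return {directory: [findings]} for <Directory> blocks that are exposed.

    Only explicit directives are reported; a block with no Require line
    inherits its policy from elsewhere and must be reviewed by hand.
    """
    findings = {}
    current = None  # directory path of the block being read, if any
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            current = opened.group(1).strip()
            continue
        if _CLOSE.match(line):
            current = None
            continue
        if current is None:
            continue  # directive outside any <Directory> block
        words = line.split()
        directive = words[0].lower()
        args = [w.lower() for w in words[1:]]
        if directive == "options" and ("indexes" in args or "+indexes" in args):
            findings.setdefault(current, []).append("directory listing enabled")
        elif directive == "require" and args == ["all", "granted"]:
            findings.setdefault(current, []).append("open to every client")
        elif directive == "allow" and args == ["from", "all"]:  # Apache 2.2 syntax
            findings.setdefault(current, []).append("open to every client")
    return findings


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("localhost-only", LOCALHOST_CONF)):
        print(name, audit_directories(conf))
```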
Another security issue in zoneminder: http://openwall.com/lists/oss-security/2017/02/02/18 There is apparently no fix available. It sounds like only Cauldron is affected.
Thanks David, I have pointed ZM devs to that report.
(In reply to David Walser from comment #3)
> Another security issue in zoneminder:
> http://openwall.com/lists/oss-security/2017/02/02/18
CVE-2016-1020[1-6] assigned:
http://openwall.com/lists/oss-security/2017/02/05/1
Summary: zoneminder new security issue CVE-2016-10140 => zoneminder new security issues CVE-2016-10140 and CVE-2016-1020[1-6]
Fedora has issued an advisory on February 18: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/25GCK3X4C2XY4YBBWCKSWDEYWBHTJKGV/ It fixes an additional issue, CVE-2017-5595.
Summary: zoneminder new security issues CVE-2016-10140 and CVE-2016-1020[1-6] => zoneminder new security issues CVE-2016-10140, CVE-2016-1020[1-6], and CVE-2017-5595
(In reply to David Walser from comment #6)
> Fedora has issued an advisory on February 18:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/25GCK3X4C2XY4YBBWCKSWDEYWBHTJKGV/
>
> It fixes an additional issue, CVE-2017-5595.
The patch for the above appears to be previously applied in our Mga5 and 6 versions, so I'm a little confused. I will have a word with Andrew Bauer upstream (and Fedora) and try to understand better what they have done.
CVE-2017-5595 is now fixed in Cauldron (the patch was faulty and I had to manually edit the files and re-diff with some help from upstream). Regarding this issue in Mageia 5, I think we may need to update it to the same version as Cauldron. I have been running this version on my Mga5 server for months, however we may be missing a perl dep in Mga5 IIRC - I will look into our options.
CVE-2016-10140 is now fixed in cauldron. I have fixes for both CVE-2017-5595 and CVE-2016-10140 for Mga5 which I will push together unless any others can be fixed at the same time. - WIP
Any news for this in Cauldron?
CC: (none) => mageia
I have asked upstream .. again.
What is the list of the CVEs we still need to address?
(In reply to Nicolas Lécureuil from comment #12)
> What is the list of the CVEs we still need to address?
All of them in Mageia 5, CVE-2016-1020[1-6] in Cauldron (but I'm not aware of a fix for those).
Feel free to split a new bug for Mageia 5 with the available fixes if the last ones still can't be fixed.
What about updating to the latest version from Cauldron in mga5?
As I said in #8 we are missing deps for the current cauldron version in Mga5. Updating to the latest version would offer no advantage re. CVEs as I have a fix for Mga5 that brings it to the same state as Mga6, but was hoping to apply all fixes in one update. It seems that there is little progress re. CVE-2016-1020[1-6] so I will go ahead and prepare advisory for CVE-2017-5595 and CVE-2016-10140 for Mga5 in the next few days.
And what is the status on Cauldron?
All has changed for the better since yesterday. Following my discussions with upstream regarding the various CVEs, they have now detailed the CVEs that have been fixed in the 1.30.2 release notes. Previously the release notes just mentioned 'various security issues'. https://github.com/ZoneMinder/ZoneMinder/releases/tag/1.30.2. I will now over the coming days (I am short on time) test this version in cauldron and look at the possibility of updating in Mageia 5.
I have requested a freeze push of zoneminder-1.30.3 in Cauldron and tested this version locally. I have also pushed the same version (with a lower release) to Mga5 updates_testing. Update goes smoothly in Mga5 and I have the Mga5 version running on my Mga5 server using both php and the web API. There is a new Require needed in Mageia 5 for this, and perl-Sys-Meminfo has also been pushed to 5/updates_testing by Shlomi (thanks!). Update advisory to follow tomorrow, when I recover from this marathon ;)
pushed in cauldron
CVE: (none) => CVE-2016-10140, CVE-2016-1020[1-6], and CVE-2017-5595
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
CVEs have been assigned for security issues fixed upstream in ZoneMinder: CVE-2016-10140, CVE-2016-10201, CVE-2016-10202, CVE-2016-10203, CVE-2016-10204, CVE-2016-10205, CVE-2016-10206, CVE-2017-5367, CVE-2017-5368, CVE-2017-5595 and CVE-2017-7203.

These are fixed in zoneminder-1.30.4-2.mga6 in Cauldron and a freeze push has been requested.

Update candidate zoneminder-1.30.4-1.mga5 has been submitted to 5/core/updates_testing.

Advisory:
=========================

This update fixes the following security issues:

Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI. (CVE-2016-10140)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php. (CVE-2016-10201)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php. (CVE-2016-10202)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor. (CVE-2016-10203)

SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php. (CVE-2016-10204)

Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. (CVE-2016-10205)

Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php. (CVE-2016-10206)

Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others). (CVE-2017-5367)

ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others). (CVE-2017-5368)

A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter within a zm/index.php?view=file&path= request. (CVE-2017-5595)

A Cross-Site Scripting (XSS) was discovered in ZoneMinder 1.30.2. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. (CVE-2017-7203)

Notes for sysadmins:
1. CSRF attacks are now blocked by setting the ZoneMinder variable 'ENABLE_CSRF_MAGIC' to 'yes'. During system update you may want to check that this variable is set. In Mageia 'yes' is the default for new installs of ZoneMinder.
2. Changes have been made to /etc/httpd/conf/site.d/zoneminder.conf to mitigate CVE-2016-10140. Make sure to accept the new configuration when updating existing systems.

References:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=zoneminder
https://github.com/ZoneMinder/ZoneMinder/releases/tag/1.30.2
https://github.com/ZoneMinder/ZoneMinder/releases
https://github.com/ZoneMinder/ZoneMinder/commit/c5906a5d4f9adc7bdaabcf035fe223997883018b (CVE-2016-10201)
https://github.com/ZoneMinder/ZoneMinder/pull/1764 (CVE-2016-10204)
https://github.com/ZoneMinder/ZoneMinder/pull/1764 (CVE-2016-10205)
https://github.com/ZoneMinder/ZoneMinder/commit/ea5342abd2ef3b7dfb1b05e59ccf420196264340 (CVE-2017-7203 & CVE-2017-5367)
https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3 (CVE-2017-5595)
========================

Updated packages in core/updates_testing:
========================
zoneminder-1.30.4-1.mga5.src.rpm
zoneminder-1.30.4-1.mga5.x86_64.rpm
zoneminder-debuginfo-1.30.4-1.mga5.x86_64.rpm
zoneminder-1.30.4-1.mga5.i586.rpm
zoneminder-debuginfo-1.30.4-1.mga5.i586.rpm
========================

I'm not sure how practical it will be to try to verify these fixes, however if someone does want to try to compromise my server, it is running this version of zoneminder on Mga5 ;) Please email me privately for access details.
Barry
Assignee: zen25000 => qa-bugs
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Tried to run zmsetup, but first run failed with firewall issue. Disabled firewall altogether and then
# zmsetup
*** Welcome to ZoneMinder Setup ***
Please wait a moment...
Please enter your mysql root password:
You already have a ZoneMinder database installed
Do you want to re-use it? [y/n] n
Delete existing ZoneMinder database? OK? [y/n] y
Installing a new ZoneMinder database ...
Job for zoneminder.service failed. See "systemctl status zoneminder.service" and "journalctl -xe" for details.
Problem starting ZoneMinder - look at /var/logs/zm/zm_pkg.log
But /var/logs does not exist, it is /var/log, so no log written.
and systemctl -l status zoneminder.service
● zoneminder.service - ZoneMinder CCTV recording and security system
   Loaded: loaded (/usr/lib/systemd/system/zoneminder.service; enabled)
   Active: failed (Result: exit-code) since do 2017-05-18 11:16:48 CEST; 1min 43s ago
  Process: 4568 ExecStart=/usr/bin/zmpkg.pl start (code=exited, status=255)
mei 18 11:16:48 mach6.hviaene.thuis zmpkg.pl[4568]: Can't connect to db at /usr/lib/perl5/vendor_perl/5.20.1/ZoneMinder/Config.pm line 129.
mei 18 11:16:48 mach6.hviaene.thuis zmpkg.pl[4568]: BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/5.20.1/ZoneMinder/Config.pm line 129.
mei 18 11:16:48 mach6.hviaene.thuis zmpkg.pl[4568]: Compilation failed in require at /usr/lib/perl5/vendor_perl/5.20.1/ZoneMinder.pm line 33.
mei 18 11:16:48 mach6.hviaene.thuis zmpkg.pl[4568]: BEGIN failed--compilation aborted at /usr/lib/perl5/vendor_perl/5.20.1/ZoneMinder.pm line 33.
mei 18 11:16:48 mach6.hviaene.thuis zmpkg.pl[4568]: Compilation failed in require at /usr/bin/zmpkg.pl line 48.
mei 18 11:16:48 mach6.hviaene.thuis zmpkg.pl[4568]: BEGIN failed--compilation aborted at /usr/bin/zmpkg.pl line 48.
mei 18 11:16:48 mach6.hviaene.thuis systemd[1]: zoneminder.service: control process exited, code=exited status=255
mei 18 11:16:48 mach6.hviaene.thuis systemd[1]: Failed to start ZoneMinder CCTV recording and security system.
mei 18 11:16:48 mach6.hviaene.thuis systemd[1]: Unit zoneminder.service entered failed state.
mei 18 11:16:48 mach6.hviaene.thuis systemd[1]: zoneminder.service failed.
and journal gives
DBI connect('database=zm;host=localhost','zmuser',...) failed: Access denied for user 'zmuser'@'localhost
I checked with phpmyadmin: the database zm is created, but there is no trace of a user "zmuser".
Removed zm database completely and tried zmsetup again, but got the same result.
CC: (none) => herman.viaene
Hmm.. a clean install in Mga5 is the one scenario I did not test. Update in Mga5 tested fine, as did upgrade to Mga6.
I will test in a clean install in a Mga5 VM, meanwhile I just tested a clean install in Mga6 for reference and zmsetup output follows:
*** Welcome to ZoneMinder Setup ***
Checking the current ZM_USER_PASSWORD...
The password is not strong enough, it is based on a dictionary word.
Passwords should have at least eight characters with no dictionary words or common sequences.
Please enter a new one now. (hint: write it down first as it will not be displayed)
New password:
The password is not strong enough, it is too short.
New password: OK
Repeat password:
Please wait a moment...
You do not appear to have a mysql root password set.
Passwords should have at least eight characters with no dictionary words or common sequences.
Please enter a new one now. (hint: write it down first as it will not be displayed)
New password: OK
Repeat password:
Set new password now - confirm - OK? [y/n] y
Please wait ...
Installing a new ZoneMinder database ...
You do not appear to have a timezone set for php.
This is required for the Web-UI to work.
Added timezone Europe/London to /etc/php.ini
Congratulations - ZoneMinder is now running.
You should be able to access the ZM Console in your browser using :-
http://leno/zm
[root@leno baz]#
Link works and ZM is running.
Thanks for finding the (logs) typo ;)
CC: (none) => zen25000
Hi Herman, I found it! Phew! I packaged the old version of zmsetup and the old version of a README in error. Please re-test with zoneminder-1.30.4-1.1 when it hits 5/core_updates. If all is well I will re-do the advisory with the package name changed. Sorry for the extra work :\
Update candidate zoneminder-1.30.4-1.1.mga5 has been submitted to 5/core/updates_testing.

Advisory:
=========================

This update fixes the following security issues:

Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI. (CVE-2016-10140)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php. (CVE-2016-10201)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php. (CVE-2016-10202)

Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor. (CVE-2016-10203)

SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php. (CVE-2016-10204)

Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. (CVE-2016-10205)

Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php. (CVE-2016-10206)

Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others). (CVE-2017-5367)

ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others). (CVE-2017-5368)

A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter within a zm/index.php?view=file&path= request. (CVE-2017-5595)

A Cross-Site Scripting (XSS) was discovered in ZoneMinder 1.30.2. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. (CVE-2017-7203)

Notes for sysadmins:
1. CSRF attacks are now blocked by setting the ZoneMinder variable 'ENABLE_CSRF_MAGIC' to 'yes'. During system update you may want to check that this variable is set. In Mageia 'yes' is the default for new installs of ZoneMinder.
2. Changes have been made to /etc/httpd/conf/site.d/zoneminder.conf to mitigate CVE-2016-10140. Make sure to accept the new configuration when updating existing systems.

References:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=zoneminder
https://github.com/ZoneMinder/ZoneMinder/releases/tag/1.30.2
https://github.com/ZoneMinder/ZoneMinder/releases
https://github.com/ZoneMinder/ZoneMinder/commit/c5906a5d4f9adc7bdaabcf035fe223997883018b (CVE-2016-10201)
https://github.com/ZoneMinder/ZoneMinder/pull/1764 (CVE-2016-10204)
https://github.com/ZoneMinder/ZoneMinder/pull/1764 (CVE-2016-10205)
https://github.com/ZoneMinder/ZoneMinder/commit/ea5342abd2ef3b7dfb1b05e59ccf420196264340 (CVE-2017-7203 & CVE-2017-5367)
https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3 (CVE-2017-5595)
========================

Updated packages in core/updates_testing:
========================
zoneminder-1.30.4-1.1.mga5.src.rpm
zoneminder-1.30.4-1.1.mga5.x86_64.rpm
zoneminder-debuginfo-1.30.4-1.1.mga5.x86_64.rpm
zoneminder-1.30.4-1.1.mga5.i586.rpm
zoneminder-debuginfo-1.30.4-1.1.mga5.i586.rpm
========================

########################
Note: When this is validated it will be necessary to also push/move perl-Sys-Meminfo from updates testing to core before zoneminder as this is a new Require (no need to wait for it to build - it's not a BuildRequire).
########################
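Added example, not part of the advisory or of ZoneMinder's code: a log check for the CVE-2017-5595 pattern the advisory describes (`..` in the `path` parameter of a `view=file` request to index.php). The access-log lines are constructed, and `escapes_base` and `find_traversal_requests` are hypothetical helper names; absolute paths are flagged as well, which goes slightly beyond the `..` case named in the advisory.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Apache combined format); the client addresses
# come from documentation ranges and the event paths are illustrative only.
SAMPLE_LOG = '''\
192.0.2.10 - - [23/May/2017:21:40:12 +0200] "GET /zm/index.php?view=console HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [23/May/2017:21:41:03 +0200] "GET /zm/index.php?view=file&path=events/1/capture.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.10 - - [23/May/2017:21:41:30 +0200] "GET /zm/index.php?view=file&path=events/1/../2/capture.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.7 - - [23/May/2017:21:42:55 +0200] "GET /zm/index.php?view=file&path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1893 "-" "curl/7.40"
198.51.100.7 - - [23/May/2017:21:43:01 +0200] "GET /zm/index.php?path=events/../../../etc/passwd&view=file HTTP/1.1" 403 210 "-" "curl/7.40"
'''

# client, request target and status code from one combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')


def escapes_base(path):
    """True if a decoded path would resolve outside the directory it is joined to.

    Normalising first means "events/1/../2/x.jpg" (stays inside) is not
    confused with "events/../../x" (climbs out), which a plain search
    for ".." cannot tell apart.
    """
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../") or norm.startswith("/")


def find_traversal_requests(log_text):
    """Return (client, status, decoded_path) for view=file requests that escape."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        if not parts.path.endswith("/index.php"):
            continue
        query = parse_qs(parts.query)  # percent-decodes the values once
        if "file" not in query.get("view", []):
            continue
        for path in query.get("path", []):
            if escapes_base(path):
                hits.append((client, status, path))
    return hits


if __name__ == "__main__":
    for client, status, path in find_traversal_requests(SAMPLE_LOG):
        # A 200 status means the server returned content and needs follow-up first.
        print(f"{client} status={status} path={path}")
```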
> Note: When this is validated it will be necessary to also push/move
> perl-Sys-Meminfo from updates testing to core
Then that package is part of this update and should have been listed in your package list with your advisory (and not in a separate note). Because it wasn't, whoever added the advisory to SVN missed it, and if that's not corrected, the package *won't* be pushed with this update.
Removing the advisory tag from the whiteboard until that package is added (but note, if this gets validated, my removing that tag won't stop this from being pushed incorrectly).
Whiteboard: advisory => (none)
Added perl-Sys-MemInfo-0.910.0-1.mga5 to srpm list in the advisory.
Whiteboard: (none) => advisory
Testing M5x64 real hardware
BEFORE update: installed zoneminder-1.28.0-2.33f3612.1.mga5
(Do not set up a database in advance, as is suggested somewhere).
# zmsetup
*** Welcome to ZoneMinder Setup ***
Please wait a moment...
Please enter your mysql root password:
Installing a new ZoneMinder database ...
Congratulations - ZoneMinder is now running.
You should be able to access the ZM Console in your browser using :-
http://localhost.localdomain/zm
The MySQL database set up is 'zm'.
# systemctl status zoneminder.service
● zoneminder.service - ZoneMinder CCTV recording and security system
   Loaded: loaded (/usr/lib/systemd/system/zoneminder.service; enabled)
   Active: active (running) since Maw 2017-05-23 21:07:29 CEST; 7min ago
  Process: 22046 ExecStart=/usr/bin/zmpkg.pl start (code=exited, status=0/SUCCESS)
 Main PID: 22155 (zmdc.pl)
   CGroup: /system.slice/zoneminder.service
           ├─22155 /usr/bin/perl -wT /usr/bin/zmdc.pl startup
           ├─22430 /usr/bin/perl -wT /usr/bin/zmfilter.pl
           ├─22506 /usr/bin/perl -wT /usr/bin/zmaudit.pl -c
           └─22562 /usr/bin/perl -wT /usr/bin/zmwatch.pl
Mai 23 21:07:24 localhost.localdomain zmdc[22155]: INF [Server starting at 17...
etc etc
http://localhost.localdomain/zm
shows page "ZoneMinder Console - Running - v1.28.0"
The 'Add new monitor' & 'Filters' buttons pop up neat dialogue windows; as do the 'Options' & 'Log' links. No sign of logout. All looks good.
UPDATE to: zoneminder-1.30.4-1.1.mga5
also pulled in
- perl-Class-Std-0.11.0-5.mga5.noarch
- perl-Class-Std-Fast-0.0.8-9.mga5.noarch
- perl-Data-UUID-1.219.0-7.mga5.x86_64
- perl-IO-Interface-1.70.0-3.mga5.x86_64
- perl-IO-Socket-Multicast-1.120.0-11.mga5.x86_64
- perl-SOAP-WSDL-3.1.0-3.mga5.noarch
- perl-Sys-CPU-0.610.0-5.mga5.x86_64
- perl-Sys-MemInfo-0.910.0-1.mga5.x86_64 ***
# zmsetup
*** Welcome to ZoneMinder Setup ***
Checking the current ZM_USER_PASSWORD...
The password is not strong enough, it is based on a dictionary word.
Passwords should have at least eight characters with no dictionary words or common sequences.
[Mine complied, but I changed it anyway]
Please enter a new one now. (hint: write it down first as it will not be displayed)
New password: OK
Repeat password:
Please wait a moment...
Please enter your mysql root password:
You already have a ZoneMinder database installed
Do you want to re-use it? [y/n] y
Updating database structure where necessary ...
Initiating database upgrade to version 1.30.4 from version 1.28.0
Please ensure that ZoneMinder is stopped on your system prior to upgrading the database.
[ # systemctl stop zoneminder.service ]
Press enter to continue or ctrl-C to stop :
Do you wish to take a backup of your database prior to upgrading?
This may result in a large file in /var/tmp/zm if you have a lot of events.
Press 'y' for a backup or 'n' to continue : n
Upgrading database to version 1.30.4
Loading config from DB
No option 'ZM_EYEZM_DEBUG' found, removing.
No option 'ZM_EYEZM_EVENT_VCODEC' found, removing.
No option 'ZM_EYEZM_FEED_VCODEC' found, removing.
No option 'ZM_EYEZM_H264_DEFAULT_BR' found, removing.
No option 'ZM_EYEZM_H264_DEFAULT_EVBR' found, removing.
No option 'ZM_EYEZM_H264_TIMEOUT' found, removing.
No option 'ZM_EYEZM_LOG_FILE' found, removing.
No option 'ZM_EYEZM_LOG_TO_FILE' found, removing.
No option 'ZM_EYEZM_SEG_DURATION' found, removing.
No option 'ZM_WEB_P_AJAX_TIMEOUT' found, removing.
No option 'ZM_WEB_P_CAN_STREAM' found, removing.
No option 'ZM_WEB_P_DEFAULT_RATE' found, removing.
No option 'ZM_WEB_P_DEFAULT_SCALE' found, removing.
No option 'ZM_WEB_P_SCALE_THUMBS' found, removing.
No option 'ZM_WEB_P_STREAM_METHOD' found, removing.
No option 'ZM_WEB_P_VIDEO_BITRATE' found, removing.
No option 'ZM_WEB_P_VIDEO_MAXFPS' found, removing.
Saving config to DB
Upgrading DB to 1.28.1 from 1.28.0
Database successfully upgraded to version 1.28.1.
[...19 times the same 3 lines]
Database upgrade to version 1.30.4 successful.
You do not appear to have a timezone set for php.
This is required for the Web-UI to work.
Added timezone Europe/Paris to /etc/php.ini
Congratulations - ZoneMinder is now running.
You should be able to access the ZM Console in your browser using :-
http://localhost.localdomain/zm
# systemctl status zoneminder.service
● zoneminder.service - ZoneMinder CCTV recording and security system
   Loaded: loaded (/usr/lib/systemd/system/zoneminder.service; enabled)
   Active: active (running) since Maw 2017-05-23 21:33:14 CEST; 4min 50s ago
  Process: 32071 ExecStart=/usr/bin/zmpkg.pl start (code=exited, status=0/SUCCESS)
 Main PID: 32182 (zmdc.pl)
   CGroup: /system.slice/zoneminder.service
           ├─32182 /usr/bin/perl -wT /usr/bin/zmdc.pl startup
           ├─32478 /usr/bin/perl -wT /usr/bin/zmfilter.pl
           ├─32528 /usr/bin/perl -wT /usr/bin/zmaudit.pl -c
           ├─32624 /usr/bin/perl -wT /usr/bin/zmwatch.pl
           └─32704 /usr/bin/perl -w /usr/bin/zmtelemetry.pl
Mai 23 21:33:13 localhost.localdomain zmfilter[32478]: INF [Scanning for events]
etc etc
http://localhost.localdomain/zm
Initial screen showed OK, Filters/Options/Log worked OK, but *not* 'Add new monitor'. In fact the 'Log' link was shown red, and in the displayed log:
2017-05-23 21:40:12.586201 web_js 24395 ERR ReferenceError: addMonitor is not defined http://localhost.localdomain/zm/ 1
2017-05-23 21:39:29.318748 web_js 32073 ERR TypeError: form.elements.autoArchive is undefined http://localhost.localdomain/zm/skins/classic/views/js/filter.js 10
2017-05-23 21:39:23.450179 web_js 32073 ERR TypeError: form.elements.autoArchive is undefined http://localhost.localdomain/zm/skins/classic/views/js/filter.js 10
2017-05-23 21:39:04.031831 web_js 32070 ERR ReferenceError: addMonitor is not defined http://localhost.localdomain/zm/ 1
2017-05-23 21:38:59.767802 web_js 32070 ERR ReferenceError: addMonitor is not defined http://localhost.localdomain/zm/ 1
...
2017-05-23 21:26:45.565530 zmpkg 5025 FAT Can't execute: Unknown column 'IsActive' in 'field list' zmpkg.pl
Need your feedback on this, please, Barry.
Whiteboard: advisory => advisory feedback
CC: (none) => lewyssmith
I am on it. Something went wrong in the db updates - those lines should not have repeated, but should have reported each step in the sequence between 1.28.x and 1.30.4. It worked fine when I tested it. :\ It may be a day or so.
I just net-installed Mga5 on a partition on my SSD on my main system. I'm using it now.
I installed zoneminder-1.28.0 from Mga5 repo and ran zmsetup. I added a monitor for my uvc webcam but hit a minor issue which needed user apache adding to the video group, after which it worked fine.
I then enabled updates_testing and ran urpmi zoneminder, which updated to 1.30.4-1.1, followed by zmsetup.
The db update went perfectly and every step was different, no lines were repeated. The monitor still worked as before in the web interface and I was able to delete the monitor and create a new one which also works fine.
Whether the fact that you maybe had no monitors set up before upgrading affected the database I am not sure, but anyone upgrading a working system would not hit that. I never have.
I also checked the Web API by following: https://github.com/pliablepixels/zmNinja/wiki/Validating-if-APIs-work-on-ZM (skip test 4 which is known to fail in ZM > 1.30.1). This works as expected.
I will attach the terminal output of both zmsetup runs below.
Created attachment 9328
Terminal output for zmsetup - upgrade - zmsetup
Note that "Please ensure that ZoneMinder is stopped on your system prior to upgrading the database." may be ignored as my script does this first. That text is output by an upstream perl script that I can't silence :\
Barry
Forgot to mention the password - zmsetup now uses the same cracklib password checker that is used by mariadb to be certain that a password will not cause a breakage of zmsetup later on in the process. This was necessary since the new mariadb ships with strict password checking ON by default. An existing mysql root password that would fail now is still honoured if it was set in an earlier version (found by experiment). Barry
@Barry: Thank you for all your cross-checking. I will ask in QA for someone with a webcam etc. to try this update - I have nothing. If nothing crops up, your own test looks impeccable. Give it a few days.
Whiteboard: advisory feedback => advisory
More on post-update x64
The 19 database upgrade messages noted in Comment 28 clearly relate to the DB's 18 tables.
After a reboot or two, I had another look at zoneminder. This time the initial screen showed no errors ('log' link not red). Better, the 'Add new monitor' worked. Despite having nothing for it, I saved the default dialogue, and it was shown on the main screen with 'Source' in red; reasonable.
The log is full of errors. By the time I wrote this, the startup ones had scrolled away and the following 6 were being repeated every several 10s of seconds:
2017-05-27 16:24:02.429900 zmdc 8611 INF 'zmc -d /dev/video0' started at 17/05/27 16:24:02 zmdc.pl
2017-05-27 16:24:02.419410 zmdc 5521 INF 'zmc -d /dev/video0' starting at 17/05/27 16:24:02, pid = 8611 zmdc.pl
2017-05-27 16:24:01.666480 zmwatch 5987 INF Restarting capture daemon for Monitor-1, shared data not valid zmwatch.pl
2017-05-27 16:21:41.358240 zmwatch 5987 ERR Memory map file '/dev/shm/zm.mmap.1' does not exist. zmc might not be running. zmwatch.pl
2017-05-27 16:21:31.489180 zmdc 5521 ERR 'zmc -d /dev/video0' exited abnormally, exit status 255 zmdc.pl
2017-05-27 16:21:31.445558 zmc_dvideo0 31177 FAT Can't find swscale format for palette 0 zm_local_camera.cpp 223
If I can capture the startup ones another time, I will post them. They were more varied.
All the log messages look reasonable since you have created a monitor that has no camera attached. ZoneMinder is quite verbose and spews out lots of info into the logs, even on a fully working system, so don't be too worried by a few red ones, especially during start-up.
In the light of Barry's generous feedback, and particularly his own run-through of the update (Comments 30-31), this looks good for 64-bit. If nobody comes forward for 32-bits soon, it can be validated as-is.
Whiteboard: advisory => advisory MGA5-64-OK
Got it working on an i586 install, on x86_64 hardware, with a webcam (had to override several settings, such as image size, ntsc instead of pal, etc.), and confirmed it was still working after installing the update. Validating the update.
Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
Update ID assignment failed
Checking for QA validation keyword…
Checking dependent bugs… (None found)
Checking SRPMs… (5/core/zoneminder-1.30.4-1.mga5)
'validated_update' keyword reset.
Keywords: validated_update => (none)
(In reply to Nicolas Lécureuil from comment #38)
> Update ID assignment failed
> Checking for QA validation keyword…
> Checking dependent bugs… (None found)
> Checking SRPMs… (5/core/zoneminder-1.30.4-1.mga5)
I see; advisory wrong. The package tested was:
zoneminder-1.30.4-1.1.mga5
The advisory had .4-1 which I have updated to .4-1.1
Re-validating.
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0162.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED