ID | Date | Author | Author Email | Category | OS | ELOG Version | Subject
69521 | Sat Apr 23 18:05:57 2022 | Konstantin Olchanski | olchansk@triumf.ca | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability?
> The CVEs you refer to are very old and have been fixed a long time ago.
>
> Please refer to:
> https://www.tenable.com/security/research/tra-2019-53
>
> This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.
>
> Note that the elog git history does not refer to these CVEs because
> they were fixed before the CVE number was assigned, per "Disclosure Timeline"
> in the above document. The relevant commits are listed under "Additional References".
>
> K.O.
I should better capture these "additional references" and the "disclosure timeline"
before they vanish from tenable.com:
https://www.tenable.com/security/research/tra-2019-53
Additional References
https://bitbucket.org/ritt/elog/commits/7367647d40d9b43d529d952d3a063d53606697cb
https://bitbucket.org/ritt/elog/commits/38c08aceda8e5ac4bfdcc040710b5792bd5fe4d3
https://bitbucket.org/ritt/elog/commits/32ba07e19241e0bcc68aaa640833424fb3001956
https://bitbucket.org/ritt/elog/commits/15787c1edec1bbe1034b5327a9d6efa710db480b
https://bitbucket.org/ritt/elog/commits/283534d97d5a181b09960ae1f0c53dbbe42d8a90
Disclosure Timeline
12/3/2019 - Notice sent to stefan.ritt - AT - psi.ch. 90 day is March 3, 2020
12/4/2019 - Dr. Ritt acknowledges the report.
12/9/2019 - Dr. Ritt stages fixes in bitbucket.
12/9/2019 - Tenable provides feedback.
12/10/2019 - Dr. Ritt acknowledges.
12/11/2019 - Tenable reserves CVE.
12/11/2019 - Tenable notes the various ELOG instances maintained by Paul Scherrer Institute are patched.
12/11/2019 - Tenable informs Dr. Ritt and Mr. Roger Kalt (Debian/Ubuntu package manager) of intent to publish CVE tomorrow (Dec. 12).
K.O.
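The practical question behind the timeline above is "does the elogd I am running contain these fixes?" Both the fix commits listed under "Additional References" and the commit in an ELOG version string (e.g. "3.1.4-a04faf9f", release followed by an abbreviated git hash) are commits in the same repository, so the reliable test is git ancestry, not a comparison of version numbers. The following POSIX shell script is an added example, not code from the ELOG project or from anyone in this thread. It assumes git is installed and that the first argument is a local clone of https://bitbucket.org/ritt/elog; the fix commit it defaults to is 283534d97d5a181b09960ae1f0c53dbbe42d8a90, the last one in Tenable's list.

```shell
#!/bin/sh
# Added example, not code from the ELOG project or from this thread.
# Checks whether the commit named in an ELOG version string ("3.1.4-a04faf9f")
# has the TRA-2019-53 fix commit in its history, using a local clone of the
# elog repository. Assumptions: git is installed; $1 is a clone of
# https://bitbucket.org/ritt/elog (URL as given on this page).

# Print the abbreviated commit hash in an ELOG version string, e.g.
# "3.1.4-a04faf9f" -> "a04faf9f". Prints nothing for a bare "3.1.4".
elog_version_commit() {
    case "$1" in
        *-*) printf '%s\n' "${1##*-}" ;;
        *)   printf '\n' ;;
    esac
}

# Exit 0 if commit $3 (the fix) is an ancestor of, or equal to, commit $2
# (the build) in repository $1; exit 1 otherwise. Abbreviated hashes are
# accepted as long as they are unambiguous in the clone.
elog_build_has_fix() {
    git -C "$1" merge-base --is-ancestor "$3" "$2"
}

# Report for one build. Exit status: 0 = contains fix, 1 = does not,
# 2 = could not decide (no hash in the version, or hash unknown to the clone).
elog_check_build() {
    repo=$1 version=$2 fix=$3
    build=$(elog_version_commit "$version")
    if [ -z "$build" ]; then
        echo "$version: no commit hash in version string, cannot check" >&2
        return 2
    fi
    # A hash the clone does not know (stale clone, or a build from a fork)
    # must not be reported as "not fixed"; it is simply undecidable here.
    if ! git -C "$repo" rev-parse --verify --quiet "$build^{commit}" >/dev/null; then
        echo "$version: commit $build not found in $repo (git pull?)" >&2
        return 2
    fi
    if elog_build_has_fix "$repo" "$build" "$fix"; then
        echo "$version: contains fix $fix"
    else
        echo "$version: does NOT contain fix $fix"
        return 1
    fi
}

# Usage: sh elog_fixcheck.sh /path/to/elog-clone 3.1.4-a04faf9f [fix-commit]
# The default fix commit is the last one in Tenable's "Additional References".
if [ "$#" -ge 2 ]; then
    elog_check_build "$1" "$2" "${3:-283534d97d5a181b09960ae1f0c53dbbe42d8a90}"
fi
```

The same check applies to any of the five fix commits listed above; pass the one you care about as the third argument. Run it against the hash shown in elogd's own version string rather than the installer's file name, since the installer is what turned out to be stale in this thread.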
69520 | Fri Apr 22 21:15:37 2022 | Konstantin Olchanski | olchansk@triumf.ca | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability?
> > debian package still outdated?
> We reached out to the package maintainer
the good Roger Kalt requested removal of debian package elog
and it is now removed from debian-unstable. I am not sure
if it can be removed from debian-stable releases (debian-11, debian-10).
https://tracker.debian.org/pkg/elog
https://tracker.debian.org/news/1320035/removed-313-1-1-from-unstable/
K.O.
69519 | Fri Apr 22 17:10:24 2022 | Jan Just Keijser | janjust@nikhef.nl | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability?
> > > > I've built the last C version of elog in git, revision 1ebfd06c using mingw-64 ; the resulting binaries work for me on Windows 2019.
> > > > Attached is a zip file with the binaries.
> > > > I was not able to create a new installer, these are just the executables
> > >
> > > I tried to just exchange the attached binaries in my installation but this didn't work.
> > > elogd was not able to start.
> >
> > hmmm strange - did you get an error message or did the binary simply not start? I've only tested this on a single Windows machine....
>
> Error message is:
>
> Error 1053: The service did not respond to the start or control request in a timely fashion.
>
> I have to admit that I'm doing all this on a Server 2012 machine.
Windows Server 2012 itself is almost EOL but it should still work, I believe. I did see that the elog314-2.exe file is a Win32 binary whereas my binaries are 64-bit. On Windows Server 2019 this did not cause any issues.
Can you try the following:
- extract the new elogd.exe binary somewhere, e.g. c:\temp\elogd.exe
- then type
cd \Program Files (x86)\ELOG
\temp\elogd.exe
- post the output/error code that you see.
69518 | Fri Apr 22 12:55:21 2022 | Andreas Luedeke | andreas.luedeke@psi.ch | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability?
> it would be good if the current state was listed in https://elog.psi.ch/elogs/Vulnerabilities/
> It seems there's now updated builds for at least windows, and the debian package still outdated?
>
> Personally, I don't think removing download links and pulling packages should be more than a temporary measure.
> Treating people fairly IMHO means they should be able to reach a safe version by the same means that brought and left them exposed.
>
> A clear central source would be best, one that has
>
> - package autobuilds
> - source
> - cve list
>
> If I understand correctly, currently only the source is up to date?
>
>
> (I found py_elog on Github, so it could be an easy option to mirror ELOG there and let some free service handle the autobuilds.
> I don't know how well one can flag vulnerabilities there, but likely it's possible, and ideally more people would help there.)
>
>
> p.s.: My hat is off to the sysadmin who checked carefully, I wanted to introduce ELOG in a windows-centric place and I can't swear I would have checked this (official) download as well.
Very good ideas! Go ahead and implement them! We very much appreciate your contribution.
69517 | Thu Apr 21 14:19:35 2022 | Maarten de Jong | mjg@nikhef.nl | Question | Linux | 3.1.4 | Re: Download attachments from command line
Thanks - I can confirm that the given command works.
However, for an e-log with username and password protection, this no longer seems to work.
It would be very useful if the elog command can be used to also download attachments (and not only a message).
Stefan Ritt wrote:
Sure. Just figure out the URL from your browser and then use it in wget, e.g.
wget https://elog.psi.ch/elogs/Forum/220309_175728/elog-3.1.4-1ebfd06c-win64.zip
to download one attachment from this forum.
Stefan
Maarten de Jong wrote:
Would it be possible to download attachments (e.g. with elog or wget) from the command line?
69516 | Thu Apr 21 03:45:20 2022 | neerajan nepal | nepal1n@cmich.edu | Question | Linux | not known | Re: recovery of elog from backup disk
> unfortunately instructions do not exist to cover every possible situation.
>
> but in general, to migrate elog to a new machine, I would say do this:
> - on new machine, install new elog from scratch
> - copy the old elogs from "logbooks" on the backup disk to the new elog "logbooks"
> - merge the config file by hand (this may require a few tries)
>
> feel free to ask for more help with any of these steps here.
> K.O.
Thank you so much. It worked this way.
69515 | Wed Apr 20 14:19:08 2022 | Antonio Bulgheroni | antonio.bulgheroni@gmail.com | Request | Windows | 3.1.4 | Dynamic substitution with date
Dear all,
I would need your help with an incremental index with date information.
I want to have an incremental number made by the last two digits of the year, the two digits of the month and an incremental four digits number.
Subst Number = %y%m####
The problem is that I don't want to have the incremental number reset to zero every new month, but rather only once a year. Is it something like this possible?
Thanks for your help!
toto
69513 | Tue Apr 19 21:15:19 2022 | Konstantin Olchanski | olchansk@triumf.ca | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability?
> it would be good if the current state was listed in https://elog.psi.ch/elogs/Vulnerabilities/
> It seems there's now updated builds for at least windows
I checked with Stefan and he plans to address both of those fairly soon.
> debian package still outdated?
We reached out to the package maintainer (who is not us); if he cannot help,
we will request package removal through debian official channels. Then we have
to repeat same for the ubuntu package.
> A clear central source would be best ...
this already exists. git clone, make, run.
> p.s.: My hat is off to the sysadmin who checked carefully, I wanted to introduce ELOG in a windows-centric place and I can't swear I would have checked this (official) download as well.
I usually check the date of stuff I install and go "hmm..." if it is not super fresh or very fresh.
K.O.