> elogd binary from EPEL

thank you for bringing this up to our attention. we recently went through this with debian and ubuntu. the elog package was severely out of date and 
did not include the security patches that went it right before covid started in the Winter of 2020.

the elogd package in EPEL7 is insecure and should not be used. (I see it is removed from EPEL8, EPEL9 and current Fedora).

I will have to contact EPEL maintainers to have it removed from EPEL7 (or at least to have it marked as "insecure, do not use").

https://dl.fedoraproject.org/pub/epel/7/SRPMS/Packages/e/elog-3.1.4-1.20190113git283534d97d5a.el7.src.rpm

https://packages.fedoraproject.org/pkgs/elog/elog/
https://packages.fedoraproject.org/pkgs/elog/elog/fedora-35.html
https://packages.fedoraproject.org/pkgs/elog/elog/epel-7.html

note in the changelog "Update to post-release snapshot of 3.1.4. - Fix several security issues."

K.O.

> > elogd binary from EPEL
> 
> thank you for bringing this up to our attention. we recently went through this with debian and ubuntu. the elog package was severely out of date and 
> did not include the security patches that went it right before covid started in the Winter of 2020.
> 
> the elogd package in EPEL7 is insecure and should not be used. (I see it is removed from EPEL8, EPEL9 and current Fedora).
> 
> I will have to contact EPEL maintainers to have it removed from EPEL7 (or at least to have it marked as "insecure, do not use").
> 
> https://dl.fedoraproject.org/pub/epel/7/SRPMS/Packages/e/elog-3.1.4-1.20190113git283534d97d5a.el7.src.rpm
> 
> https://packages.fedoraproject.org/pkgs/elog/elog/
> https://packages.fedoraproject.org/pkgs/elog/elog/fedora-35.html
> https://packages.fedoraproject.org/pkgs/elog/elog/epel-7.html
> 
> note in the changelog "Update to post-release snapshot of 3.1.4. - Fix several security issues."
> 
> K.O.


Good day, elog has never been retired in EPEL 7. It is still there
https://src.fedoraproject.org/rpms/elog/tree/epel7

I am pretty sure because I am a Fedora/RHEL package maintainer and a retired package should contain in its Git branch only a file named "dead.package"

Hello, the following URL

https://foo.bar/elog/Shift+Reports/?new_user_name=a2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.com&new_full_name=a2seferewd%40fanneat.com&new_user_email=a2seferewd%40fanneat.com&newpwd=asdf&newpwd2=asdf&cmd=Save

causes elog 3.1.4 to crash. I attach full GDB trace

(gdb) set height 0
(gdb) set print elements 0
(gdb) set print frame-arguments all
(gdb) thread apply all backtrace

Thread 1 (Thread 0x7fc6d1624840 (LWP 1126)):
#0  0x00007fc6d06c6387 in raise () from /lib64/libc.so.6
#1  0x00007fc6d06c7a78 in abort () from /lib64/libc.so.6
#2  0x00007fc6d0708f67 in __libc_message () from /lib64/libc.so.6
#3  0x00007fc6d07a87a7 in __fortify_fail () from /lib64/libc.so.6
#4  0x00007fc6d07a6922 in __chk_fail () from /lib64/libc.so.6
#5  0x00007fc6d07a5e2b in _IO_str_chk_overflow () from /lib64/libc.so.6
#6  0x00007fc6d070d031 in __GI__IO_default_xsputn () from /lib64/libc.so.6
#7  0x00007fc6d06dd033 in vfprintf () from /lib64/libc.so.6
#8  0x00007fc6d07a5eb8 in __vsprintf_chk () from /lib64/libc.so.6
#9  0x00007fc6d07a5e0d in __sprintf_chk () from /lib64/libc.so.6
#10 0x0000000000423b5b in sprintf (__fmt=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:33
#11 get_user_line (lbs=<optimized out>, lbs@entry=0x2833748, 
    user=user@entry=0x7fffc84d0780 "a2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.combasar", password=password@entry=0x0, full_name=full_name@entry=0x0, email=email@entry=0x0, email_notify=email_notify@entry=0x0, 
    last_logout=last_logout@entry=0x0, inactive=inactive@entry=0x0) at src/elogd.c:25739
#12 0x0000000000433d0a in save_user_config (lbs=lbs@entry=0x2833748, 
    user=0x7704fc <_value+1500> "a2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.com", new_user=new_user@entry=1) at src/elogd.c:13343
#13 0x0000000000456068 in do_self_register (lbs=0x2833748, command=0x7fffc84d2650 "Save") at src/elogd.c:26768
#14 0x000000000045c1f7 in interprete (lbook=lbook@entry=0x7fffc84f92f0 "Shift Reports", path=path@entry=0x7fffc84d4430 "") at src/elogd.c:27594
#15 0x000000000045ecc6 in decode_get (logbook=logbook@entry=0x7fffc84f92f0 "Shift Reports", string=<optimized out>) at src/elogd.c:28393
#16 0x0000000000460970 in process_http_request (request=<optimized out>, 
    request@entry=0x284bee8 "GET /Shift+Reports/?new_user_name=a2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.com&new_full_name=a2seferewd%40fanneat.com&new_user_email=a2seferewd%40fanneat.com&newpwd=asdf&newpwd2=asdf&cmd=Save", i_conn=i_conn@entry=1) at src/elogd.c:29201
#17 0x00000000004623d2 in server_loop () at src/elogd.c:30212
#18 0x0000000000404209 in main (argc=8, argv=0x7fffc84fb6c8) at src/elogd.c:3123

see https://elog.psi.ch/elogs/Forum/69594

I added a reply to my previous post about this issue (a few months ago) to point to the solution, but ELOG moved it to the top of the forum. 
And I cannot delete this now, because I change my user name from "Andrey" to "Andrey Pashnin" :)

"Only user Andrey can delete this entry"

I added a user name validation in the current version.

Stefan

I am still struggling to get ELOG running behind a load balancer and hope to get some advice here. As already reported in https://elog.psi.ch/elogs/Forum/69542 I observed an infinite loop of redirects when prompted to log in and using a non-empty password file. Without a password, the service worked as expected. This was with version 3.1.3.

With the new version 3.1.4-3, I get another error: "Invalid Content-Length in header" when I click on "submit" of a new post. Viewing the logbooks works fine. The instance is currently live and running here: https://elog.test.km3net.de but I might change it anytime due to debugging etc.

This is a kind of difficult thing to debug (I spent the whole day and no progress). The only thing I've found was this post: https://techcommunity.microsoft.com/t5/iis-support-blog/invalid-content-length/ba-p/3038724 where it seems that some responses are not RFC conform and were rejected in the load-balancer.

The load balancer I use is HAProxy, the same as in my old setup where I got the infinite redirects, and I can't find any setting which would work. To my understanding, the most basic setup should work just fine. The SSL termination is on the load-balancer side so ELOG doesn't even have to know anything about it. The configuration is below. I am running a single instance, so there is not even replication with session keep-alive via cookies or anything fancy.

I also want to mention that I am runnin around 30 different services behind the load balancer and none of them are having any issues with the SSL termination or the load-balancing itself, that's why assume that something in ELOG is either non-conform or buggy.

Any thoughts? I'd really like to use the same infrastructure for the ELOG service as for every other service (automatic certificate renewal via letsencrypt, load-balancing, easy movement to other nodes, SSL termination etc.), to minimise the complexity of our Docker Swarm system.

backend be_elog.km3net.de
    mode http
    server-template km3net-elog- 1 km3net-elog_elog:8080 check resolvers docker init-addr libc,none

Btw. I am running ELOG with -v but I don't see any error whatsoever in the logs:

km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | GET /demo/ HTTP/1.1
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | Received unknown cookie "ios_specific_templates_id"
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | Received unknown cookie "rl_anonymous_id"
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | Received unknown cookie "rl_group_id"
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | Received unknown cookie "rl_group_trait"
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | Received unknown cookie "rl_trait"
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | Received unknown cookie "rl_user_id"
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | Received unknown cookie "logged_out_marketing_header_id"
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | Returned 3437 bytes
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | GET / HTTP/1.1
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | Returned 120 bytes
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | GET /demo/ HTTP/1.1
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | Returned 3518 bytes
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | GET / HTTP/1.1
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | Returned 120 bytes
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | GET /demo/ HTTP/1.1
km3net-elog_elog.1.fm8i1eia9l9t@ecap-s021    | Returned 3518 bytes

I put the ELOG service behind an Apache reverse proxy which is now sitting behind the HAProxy. It works like this, but it's just a workaround. I am pretty sure that ELOG has problems to communicate with HAProxy correctly and it seems that Apache is more forgiving. So that the chain HAProxy -> Apache -> ELOG and vice versa is working.

If anyone manages to figure out what's wrong, I am happy to get rid of the extra reverse proxy layer!