Discussion forum about ELOG, Page 169 of 807
ID | Date | Icon | Author | Author Email | Category | OS | ELOG Version | Subject
69520 | Fri Apr 22 21:15:37 2022 | Reply | Konstantin Olchanski | olchansk@triumf.ca | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability?
> > debian package still outdated?
> We reached to the package maintainer

The good Roger Kalt requested removal of the Debian package elog
and it is now removed from debian-unstable. I am not sure
if it can be removed from debian-stable releases (debian-11, debian-10).

https://tracker.debian.org/pkg/elog
https://tracker.debian.org/news/1320035/removed-313-1-1-from-unstable/

K.O.
69521 | Sat Apr 23 18:05:57 2022 | Reply | Konstantin Olchanski | olchansk@triumf.ca | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability?
> The CVEs you refer to are very old and have been fixed a long time ago.
> 
> Please refer to:
> https://www.tenable.com/security/research/tra-2019-53
> 
> This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.
> 
> Note that the elog git history does not refer to these CVEs because
> they were fixed before the CVE number was assigned, per "Disclosure Timeline"
> in the above document. The relevant commits are listed under "Additional References".
> 
> K.O.

I had better capture these "additional references" and the "disclosure timeline"
before they vanish from tenable.com:
https://www.tenable.com/security/research/tra-2019-53

Additional References
https://bitbucket.org/ritt/elog/commits/7367647d40d9b43d529d952d3a063d53606697cb
https://bitbucket.org/ritt/elog/commits/38c08aceda8e5ac4bfdcc040710b5792bd5fe4d3
https://bitbucket.org/ritt/elog/commits/32ba07e19241e0bcc68aaa640833424fb3001956
https://bitbucket.org/ritt/elog/commits/15787c1edec1bbe1034b5327a9d6efa710db480b
https://bitbucket.org/ritt/elog/commits/283534d97d5a181b09960ae1f0c53dbbe42d8a90

Disclosure Timeline
12/3/2019 - Notice sent to stefan.ritt - AT - psi.ch. 90 day is March 3, 2020
12/4/2019 - Dr. Ritt acknowledges the report.
12/9/2019 - Dr. Ritt stages fixes in bitbucket.
12/9/2019 - Tenable provides feedback.
12/10/2019 - Dr. Ritt acknowledges.
12/11/2019 - Tenable reserves CVE.
12/11/2019 - Tenable notes the various ELOG instances maintained by Paul Scherrer Institute are patched.
12/11/2019 - Tenable informs Dr. Ritt and Mr. Roger Kalt (Debian/Ubuntu package manager) of intent to publish CVE tomorrow (Dec. 12).

K.O.
69522 | Tue Apr 26 17:39:49 2022 | Reply | Konstantin Olchanski | olchansk@triumf.ca | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability?
> > > debian package still outdated?
> removed from debian-unstable
> https://tracker.debian.org/pkg/elog
> https://tracker.debian.org/news/1320035/removed-313-1-1-from-unstable/

Contacted security@debian.org and they requested removal from the next buster/bullseye point releases:

https://bugs.debian.org/1010196
https://bugs.debian.org/1010197

Next is to request removal of the Ubuntu package.

K.O.
69523 | Tue Apr 26 18:03:03 2022 | Reply | Konstantin Olchanski | olchansk@triumf.ca | Question | Windows | 3.1.4-a04faf9f | history of long-removed freebsd package, Re: Vulnerability?
> > > > debian package still outdated?

The FreeBSD elog package was removed back in 2014 during
a purge of "not staged" packages. Originally submitted
in 2006, it went through at least two maintainers.

https://www.freshports.org/www/elog/

K.O.
69524 | Wed Apr 27 19:36:25 2022 | Reply | Konstantin Olchanski | olchansk@triumf.ca | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability?
> next is to request removal of ubuntu package.

Contacted the Ubuntu security team, got a very quick response.

They noted our request and informed us that Ubuntu cannot remove packages from existing releases.

https://bugs.launchpad.net/ubuntu/+source/elog/+bug/1970480

K.O.
69156 | Mon Jun 8 07:30:06 2020 | Question | pierre brionnet | pierre.brionnet@gmail.com | Question | Linux | 3.1.4-4936b76 | email notification for self register 2 3 and 4

Hi,

I have set up my elog for testing and set up postfix to be able to send email notification for register of new user but whatever I try elog cannot set email. I try to send test email in my bash and this is working without problem to my gmail account.

I have tried several configurations for my SMTP client on my CentOS 7 but nothing is working in elog for the email. I also tried with several other emails but no change either.

Is there a problem with the automatic sending of email?

Best

Pierre

69157 | Mon Jun 8 08:11:33 2020 | Reply | Stefan Ritt | stefan.ritt@psi.ch | Question | Linux | 3.1.4-4936b76 | Re: email notification for self register 2 3 and 4

Why don't you start elogd interactively with the "-v" flag (verbose) and watch the communication between elog and postfix. Maybe you see a specific error there.

Stefan


69158 | Mon Jun 8 08:29:16 2020 | Reply | pierre brionnet | pierre.brionnet@gmail.com | Question | Linux | 3.1.4-4936b76 | Re: email notification for self register 2 3 and 4

Hi Stefan, I did run in verbose mode but only got this output with the 587 SMTP port from gmail

Email from <ELog@localhost.localdomain> to XXXX@gmail.com, SMTP host smtp.gmail.com:
220 smtp.gmail.com ESMTP n1sm6153685pfd.156 - gsmtp
EHLO localhost.localdomain
250-smtp.gmail.com at your service, [134.160.38.27]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
AUTH LOGIN
530 5.7.0 Must issue a STARTTLS command first. n1sm6153685pfd.156 - gsmtp

However the mail command in my bash is working just fine.

 

Pierre

 


ELOG V3.1.5-3fb85fa6
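
Added example, not part of the forum posts and not ELOG code: a small Python check that reads a verbose SMTP session log like the one in entry 69158 and reports when the client sends AUTH in cleartext although the server advertised STARTTLS, together with the server's refusal. The function name, the finding tags and the embedded copy of the transcript are assumptions made for this illustration.

```python
import re

# Sample input: the client/server lines from the verbose output in entry 69158
# (the "Email from ..." banner line printed before the session is left out).
TRANSCRIPT = """\
220 smtp.gmail.com ESMTP n1sm6153685pfd.156 - gsmtp
EHLO localhost.localdomain
250-smtp.gmail.com at your service, [134.160.38.27]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
AUTH LOGIN
530 5.7.0 Must issue a STARTTLS command first. n1sm6153685pfd.156 - gsmtp
"""

REPLY = re.compile(r"^(\d{3})(?:[ -](.*))?$")  # "250-EXT args" or "250 text"

def audit_smtp_transcript(text):
    """Return (tag, line) findings for a plain-text SMTP session log."""
    findings, extensions = [], set()
    tls_started, last_cmd, greeting_pending = False, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = REPLY.match(line)
        if m is None:  # not a numeric reply, so treat it as a client command
            last_cmd = line.split()[0].upper()
            greeting_pending = last_cmd == "EHLO"
            if last_cmd == "AUTH" and not tls_started and "STARTTLS" in extensions:
                findings.append(("AUTH_BEFORE_STARTTLS", line))
            continue
        code, rest = m.group(1), (m.group(2) or "").split()
        if last_cmd == "EHLO" and code == "250":
            if greeting_pending:      # first 250 line is the server greeting
                greeting_pending = False
            elif rest:
                extensions.add(rest[0].upper())
        elif last_cmd == "STARTTLS" and code == "220":
            tls_started = True
            extensions.clear()        # RFC 3207: client must send EHLO again
        elif code == "530" and "STARTTLS" in line.upper():
            findings.append(("SERVER_REQUIRES_TLS", line))
    return findings
```

For the session above it returns both findings: the client attempted AUTH LOGIN without first upgrading the connection, and the server rejected it with 530.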