Re: Vulnerability?, posted by Konstantin Olchanski on Tue Apr 26 17:39:49 2022
> > > debian package still outdated?
> removed from debian-unstable
> https://tracker.debian.org/pkg/elog
> https://tracker.debian.org/news/1320035/removed-313-1-1-from-unstable/
contacted security@debian.org and they requested removal from the next buster/bullseye point releases:
https://bugs.debian.org/1010196
https://bugs.debian.org/1010197
next is to request removal of ubuntu package.
K.O.
history of long-removed freebsd package, Re: Vulnerability?, posted by Konstantin Olchanski on Tue Apr 26 18:03:03 2022
> > > > debian package still outdated?
the freebsd elog package was removed back in 2014 during
a purge of "not staged" packages. Originally submitted
in 2006, it went through at least two maintainers.
https://www.freshports.org/www/elog/
K.O.
Re: Vulnerability?, posted by Konstantin Olchanski on Wed Apr 27 19:36:25 2022
> next is to request removal of ubuntu package.
contacted ubuntu security team, got very quick response.
they noted our request and informed us that ubuntu cannot remove packages from existing releases.
https://bugs.launchpad.net/ubuntu/+source/elog/+bug/1970480
K.O.
PDF preview special steps to enable, posted by Konstantin Olchanski on Fri May 6 21:12:11 2022
Ubuntu LTS 20.04 and others have elog PDF preview disabled by default. To enable,
please follow these steps, see https://daq00.triumf.ca/DaqWiki/index.php/Ubuntu#Enable_elog_PDF_preview
Enable elog PDF preview
see https://stackoverflow.com/questions/52998331/imagemagick-security-policy-pdf-blocking-conversion
xemacs -nw /etc/ImageMagick-6/policy.xml
remove this section at the end:
<!-- disable ghostscript format types -->
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="PS2" />
<policy domain="coder" rights="none" pattern="PS3" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />
K.O.
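A small check for the policy.xml step above, added here as an example and not part of the original post or of ELOG: it parses a constructed copy of the ghostscript coder section, lists which coders are denied, and returns a copy of the file with the chosen entries removed so you can confirm PDF is actually enabled before restarting elogd.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the tail of /etc/ImageMagick-6/policy.xml (assumption:
# the real file also has a DOCTYPE, comments and more entries, which expat tolerates).
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
"""


def blocked_coders(policy_xml: str) -> list:
    """Return, sorted, the coder patterns that policy.xml denies all rights to."""
    root = ET.fromstring(policy_xml)
    return sorted(
        p.get("pattern")
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights") == "none"
    )


def allow_coders(policy_xml: str, patterns) -> str:
    """Return policy.xml with the rights="none" entries for the given coders removed.

    Passing only {"PDF"} re-enables PDF preview while leaving the other
    ghostscript formats blocked; passing all six matches the wiki's step.
    """
    root = ET.fromstring(policy_xml)
    for p in list(root.findall("policy")):
        if (p.get("domain") == "coder" and p.get("rights") == "none"
                and p.get("pattern") in patterns):
            root.remove(p)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # With a real file: open("/etc/ImageMagick-6/policy.xml").read() instead of SAMPLE_POLICY
    print("blocked before:", blocked_coders(SAMPLE_POLICY))
    fixed = allow_coders(SAMPLE_POLICY, {"PDF"})
    print("blocked after: ", blocked_coders(fixed))
```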
Re: Unable to add user, posted by Konstantin Olchanski on Mon Aug 8 20:52:17 2022
> Error: Command "config" is not allowed for user ""
Could it be related to the error messages thrown by "activate user"? see
https://elog.psi.ch/elogs/Forum/69479
K.O.
remove elog from EPEL and Fedora., posted by Konstantin Olchanski on Mon Dec 5 04:15:17 2022
> elogd binary from EPEL
thank you for bringing this to our attention. we recently went through this with debian and ubuntu. the elog package was severely out of date and
did not include the security patches that went in right before covid started in the Winter of 2020.
the elogd package in EPEL7 is insecure and should not be used. (I see it is removed from EPEL8, EPEL9 and current Fedora).
I will have to contact EPEL maintainers to have it removed from EPEL7 (or at least to have it marked as "insecure, do not use").
https://dl.fedoraproject.org/pub/epel/7/SRPMS/Packages/e/elog-3.1.4-1.20190113git283534d97d5a.el7.src.rpm
https://packages.fedoraproject.org/pkgs/elog/elog/
https://packages.fedoraproject.org/pkgs/elog/elog/fedora-35.html
https://packages.fedoraproject.org/pkgs/elog/elog/epel-7.html
note in the changelog "Update to post-release snapshot of 3.1.4. - Fix several security issues."
K.O.
a hack around, posted by Konstantin Olchanski on Fri Dec 30 00:46:03 2022
- rsprintf("<textarea rows=%d cols=%d wrap=hard name=\"Text\">\n", height, width);
+ rsprintf("<textarea rows=%d cols=%d name=\"Text\">\n", height, width);
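Review bot: dropping wrap=hard changes what the browser submits in the Text field, not just how it is displayed: with wrap=hard the browser inserts line breaks into the submitted value so no line exceeds cols, so any server-side handling of Text that relied on lines being at most `width` characters should be re-checked after this change. Minor style point: the rows=%d cols=%d values are unquoted while name=\"Text\" is quoted; quoting all three reads more consistently.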
my vote is to remove "wrap=hard":
1) I try to read the specs and my head explodes: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/textarea
2) textarea should just accept input typed by user, should not try to "neatify" it. if user wants long lines, we should let them.
3) this bug (introduced in recent safari, as best I can tell)
K.O.
update elog downloads page, posted by Konstantin Olchanski on Fri Sep 15 21:42:38 2023
The elog downloads page is slightly out of date, https://elog.psi.ch/elog/download.html
1) the "git clone" instructions work (but there are no git tags corresponding to different releases, I suggest adding text: "elog developers
recommend always using latest version from elog git repository").
2) "elog source code", recommends downloading tar file, but latest tar file is from February 2023, probably out of date. people who can compile elog
from sources can do "git clone", is the "tar" method still relevant?
3) windows binaries, latest available is from 2018, before the famous security fixes, probably no longer safe for running on the open internet. I
suggest we remove this section and say "sorry, windows binaries no longer available".
4) linux binaries, all links are dead, and we have requested removal of elog packages from red hat, debian and ubuntu. (and they have been removed).
K.O.