| ID |
Date |
Icon |
Author |
Author Email |
Category |
OS |
ELOG Version |
Subject |
|
69469
|
Thu Feb 10 14:02:15 2022 |
 | Stefan Ritt | stefan.ritt@psi.ch | Question | Linux | ELOG V3.1.4-395 | Re: Password File Config Issue |
Can you try the "top groups" option, which means putting each logbook into a separate top group as described in the documentation. For us this works well, new users are only added to the right password file. There is however the problem that as admin you might be logged in to several logbooks (as remembered in your browser via cookies), so you might want to log out from all logbooks first (or clear all cookies of elog), then log in to one logbook and add the user there. In worst case you still can modify the password file by hand, they are plain ASCII files. Only the password has to be entered later since it's encrypted.
Stefan
| Mark Delaney wrote: |
|
I expanded an elog server from 1 to 3 logbooks. For each logbook there is a separate password file defined.
When I try to add a new user in one of the 2 new logbooks using config => new user, it adds the user to the password file for the original logbook.
Have verified that access to the logbooks is controlled via the separate password files. If it would help to provide an example of the elogd.cfg or if I need to clarify further, let me know.
Any suggestions welcome.
Thanks. Mark.
|
|
|
69483
|
Thu Mar 3 08:26:40 2022 |
 | Alessandro Petrolini | alessandro.petrolini@cern.ch | Question | Windows | 3.1.4-a04faf9f | Vulnerability? |
Hi, I have been using elog for years at CERN.
Now I installed in my local workstation at my home inistitue
and sysadmin reported the following vulnerabilities:
- Configuration File Disclosure (CVE-2019-3992)
- Password Hash Disclosure (CVE-2019-3993)
- Use After Free (CVE-2019-3994)
- NULL Pointer Dereference (CVE-2019-3995)
- Unintended Proxy (CVE-2019-3996)
Am I doing soimething wrong?
sysadmin will not allow me to use it until it is fixed....
Any help is welcome.
|
|
69484
|
Thu Mar 3 16:49:40 2022 |
| Konstantin Olchanski | olchansk@triumf.ca | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability? |
The CVEs you refer to are very old and have been fixed a long time ago.
Please refer to:
https://www.tenable.com/security/research/tra-2019-53
This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.
Note that the elog git history does not refer to these CVEs because
they were fixed before the CVE number was assigned, per "Disclosure Timeline"
in the above document. The relevant commits are listed under "Additional References".
K.O. |
|
69485
|
Fri Mar 4 08:51:24 2022 |
| Alessandro Petrolini | alessandro.petrolini@cern.ch | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability? |
Ok, many many thanks!
I will pass the info to my sysadmin.
Best Regards.
> The CVEs you refer to are very old and have been fixed a long time ago.
>
> Please refer to:
> https://www.tenable.com/security/research/tra-2019-53
>
> This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.
>
> Note that the elog git history does not refer to these CVEs because
> they were fixed before the CVE number was assigned, per "Disclosure Timeline"
> in the above document. The relevant commits are listed under "Additional References".
>
> K.O. |
|
69486
|
Sun Mar 6 09:00:33 2022 |
| Alessandro Petrolini | alessandro.petrolini@cern.ch | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability? |
> Ok, many many thanks!
> I will pass the info to my sysadmin.
> Best Regards.
>
> > The CVEs you refer to are very old and have been fixed a long time ago.
> >
> > Please refer to:
> > https://www.tenable.com/security/research/tra-2019-53
> >
> > This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.
> >
> > Note that the elog git history does not refer to these CVEs because
> > they were fixed before the CVE number was assigned, per "Disclosure Timeline"
> > in the above document. The relevant commits are listed under "Additional References".
> >
> > K.O.
Am I wrong that the windows executable version on the site is dated 2018? 3.1.4-2? |
|
69487
|
Sun Mar 6 17:33:04 2022 |
| Konstantin Olchanski | olchansk@triumf.ca | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability? |
> > > The CVEs you refer to are very old and have been fixed a long time ago.
>
> Am I wrong that the windows executable version on the site is dated 2018? 3.1.4-2?
I confirm. Windows executables at https://elog.psi.ch/elog/download/windows/
and Debian packages at https://packages.debian.org/search?keywords=elog all
appear to be older than the cve fixes.
I trust Stefan is reading this thread and will do something about it. My vote would
be to remove the download link to the windows executables and ask Debian to remove
the elog package. I think they have a way for upstream developers (Stefan) to request
removal of unmaintained out-of-date insecure versions of their stuff. ROOT
was in the same situation years ago, the Debian package for ROOT was very old version,
also built incorrectly, and everybody complained to us that our stuff does
not work (midas, rootana, etc).
K.O. |
|
69488
|
Mon Mar 7 08:49:41 2022 |
| Stefan Ritt | stefan.ritt@psi.ch | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability? |
> I trust Stefan is reading this thread and will do something about it. My vote would
> be to remove the download link to the windows executables and ask Debian to remove
> the elog package. I think they have a way for upstream developers (Stefan) to request
> removal of unmaintained out-of-date insecure versions of their stuff. ROOT
> was in the same situation years ago, the Debian package for ROOT was very old version,
> also built incorrectly, and everybody complained to us that our stuff does
> not work (midas, rootana, etc).
Yeah, I have to recompile the Windows version. Unfortunately my old Windows PC is gone, I
switched now completely to MacOSX and Linux. Probably have to borrow something from somewhere.
If anybody can compile the Windows version with the current source code I would be happy.
Stefan |
|
69489
|
Mon Mar 7 14:30:16 2022 |
| Daniel Pfuhl | daniel.pfuhl@medizin.uni-leipzig.de | Question | Windows | 3.1.4-a04faf9f | Re: Vulnerability? |
>
> Yeah, I have to recompile the Windows version. Unfortunately my old Windows PC is gone, I
> switched now completely to MacOSX and Linux. Probably have to borrow something from somewhere.
> If anybody can compile the Windows version with the current source code I would be happy.
>
> Stefan
That would be most welcome!
I tried to recompile the windows version a while ago but didn't manage it.
I'm just a simple ELOG __user__ ^^
Looking forward to the new precompiled Windows version.
Thnx in advance!
daniel |