> The CVEs you refer to are very old and have been fixed a long time ago.
> 
> Please refer to:
> https://www.tenable.com/security/research/tra-2019-53
> 
> This report states that all the reported problems are fixed as of ELOG 3.1.4-283534d or later.
> 
> Note that the elog git history does not refer to these CVEs because
> they were fixed before the CVE number was assigned, per "Disclosure Timeline"
> in the above document. The relevant commits are listed under "Additional References".
> 
> K.O.

I should better capture these "additional references" and the "disclosure timeline"
before they vanish from tenable.com:
https://www.tenable.com/security/research/tra-2019-53

Additional References
https://bitbucket.org/ritt/elog/commits/7367647d40d9b43d529d952d3a063d53606697cb
https://bitbucket.org/ritt/elog/commits/38c08aceda8e5ac4bfdcc040710b5792bd5fe4d3
https://bitbucket.org/ritt/elog/commits/32ba07e19241e0bcc68aaa640833424fb3001956
https://bitbucket.org/ritt/elog/commits/15787c1edec1bbe1034b5327a9d6efa710db480b
https://bitbucket.org/ritt/elog/commits/283534d97d5a181b09960ae1f0c53dbbe42d8a90

Disclosure Timeline
12/3/2019 - Notice sent to stefan.ritt - AT - psi.ch. 90 day is March 3, 2020
12/4/2019 - Dr. Ritt acknowledges the report.
12/9/2019 - Dr. Ritt stages fixes in bitbucket.
12/9/2019 - Tenable provides feedback.
12/10/2019 - Dr. Ritt acknowledges.
12/11/2019 - Tenable reserves CVE.
12/11/2019 - Tenable notes the various ELOG instances maintained by Paul Scherrer Institute are patched.
12/11/2019 - Tenable informs Dr. Ritt and Mr. Roger Kalt (Debian/Ubuntu package manager) of intent to publish CVE tomorrow (Dec. 
12).

K.O.

> > > debian package still outdated?
> removed from debian-unstable
> https://tracker.debian.org/pkg/elog
> https://tracker.debian.org/news/1320035/removed-313-1-1-from-unstable/

contacted security@debian.org and they requested removal from the next buster/bullseye point releases:

https://bugs.debian.org/1010196
https://bugs.debian.org/1010197

next is to request removal of ubuntu package.

K.O.

> > > > debian package still outdated?

the freebsd elog package was removed back in 2014 during
a purge of "not staged" packages. Originally submitted
in 2006, went through at least two maintainers.

https://www.freshports.org/www/elog/

K.O.

> next is to request removal of ubuntu package.

contacted ubuntu security team, got very quick response.

they noted our request and informed us that ubuntu cannot remove packages from existing releases.

https://bugs.launchpad.net/ubuntu/+source/elog/+bug/1970480

K.O.

Dear all, 

I have a question for you. On my elog server I have plenty of images not included in any logbook entry, but that nevertheless I would the user to have access to that via the browser. In order words, I would like to have a link like this https://myelog/my_pics_folder/my_pic.png

I have realized that if I put my_pics_folder in the script folder, then it works as I wanted, but I strongly doubt this is the right position. If I put in the resources folder, it is not found and the elogd displays a message saying that my_pics_folder is not a valid logbook.

Do you have any suggestions for this problem? 

Thanks in advance and enjoy your day!

toto

Hi I am running elog on windows 2022 server and trying to use ldap for Auth.

No matter what i do I cannot get it to authenticate against the DC.

Invalid user name or password!

11-May-2022 17:09:15 [xxx.xxx.xxx.xxx] {TrainingHouse1} LOGIN user "xxxxx" (attempt)

Using an LDAP browser I can connect to the DC without issue so not firewall.

Not sure what I am doing wrong.

[global]
port = 5050
Page title = Elog Training
Entries per page = 25
Password file = password.pwd
List page title = Elog Training
Login page title = Elog Training
Show top groups = 0
Logbook tabs = 0
Menu commands = Back, New, Find, Download, Logout
List Menu commands = New, Find, Logout
Self register = 0
Max content length = 100000
Allow password change = 0
Enable attachments = 0
Show attachments = 0
Hide attachments = 1
List after submit = 1
Logout to main = 0
Allowed encoding = 5
Default encoding = 1
Welcome title = Elog Training LogBook.
## Welcome title = <font size=5 color=white>Elog Training LogBook </font><img src="elog.png">
Summary lines = 5
Summary line length = 100
Search all logbooks = 0
Refresh = 300
Login expiration = 0
Reply string = 
Suppress default = 2
Thread display = $category entered by $author on $Entry time
Thread icon = Icon
Preset on reply author = $long_name
All display limit = 300
Start page = ?last=31
Bottom text =
Bottom text login = <font size=5 color=Red><center></br>ELOG Training web site</center></font>

[ADTrainingHouse1]
Hidden = 0
Authentication = LDAP, File
LDAP server = ldap://xxxxxx.xxxxx.xxxx.xxxx.xxxx.au:389
LDAP userbase = OU=Users,OU=CP,DC=xxxx,DC=xxxx,DC=xxxx,DC=xxxx,DC=au
LDAP login attribute = uid
LDAP register = 0
Theme = default
Comment =Training House 1 LogBook
Preset Author = $long_name
Locked Attributes = Author
Attributes = Category, Codes, Residents Involved, Medical, Synopsis, Event Date, Author
Options Synopsis = Yes, No
MOptions Medical = Yes
MOptions Residents Involved = Pleaseadd, Test User
Extendable options = Residents Involved
Style Synopsis Yes = background-color:yellow
Style Medical Yes = background-color:green
Type Event Date = datetime
Preset Event Date = $datetime
Date format %A %B %d %Y %H:%M 
List Display = ID, Event Date, Category, Medical, Codes, Residents Involved, Synopsis, Date, Author
MOptions Category = Assault, Death, Fire, Illness, Inappropriate Sexualised Behaviour, Injury To Child, Injury To Staff, Property Damage, Self-Harm, Substance Misuse, Theft/Loss, Threat
MOptions Codes = MED, ACH, LEGAL, MPR, P/C, PSYCH, MFP, BEH, INC, CM, FAM, INFO, MVT, OBS, POLICE, PROG, ROU, VIS, S/O
Required Attributes = Author, Event Date, Codes
Style Codes MED = background-color:green
Page Title = DCP Elog Training
Reverse sort = 1
Quick filter = Date, Category, Codes, Medical,
Sort Attributes = Event Date
Logfile = traininghouse1.log
Logging level = 3
Bottom text =

Is anyone able to assist with what I am doing wrong is anyone successful used LDAP in windows elog

I would like to edit an existing entry by adding new attachments at each call of elog from the command line.

If I issue

elog -h localhost -p 8XXX -l test -f /path/to/file_0.pdf -e N -x

and then 

elog -h localhost -p 8XXX -l test -f /path/to/file_1.pdf -e N -x

file_1.pdf replaces file_0.pdf, while I'd like entry N to have both pdfs.

Is there a workaround?