ID | Date | Icon | Author | Author Email | Category | OS | ELOG Version | Subject
69592
|
Tue Dec 20 17:37:42 2022 |
| Germano Massullo | germano.massullo@cern.ch | Bug report | Linux | 3.14 EL7 EPEL | remove elog from EPEL and Fedora. | > > elogd binary from EPEL
>
> thank you for bringing this up to our attention. we recently went through this with debian and ubuntu. the elog package was severely out of date and
> did not include the security patches that went in right before covid started in the Winter of 2020.
>
> the elogd package in EPEL7 is insecure and should not be used. (I see it is removed from EPEL8, EPEL9 and current Fedora).
>
> I will have to contact EPEL maintainers to have it removed from EPEL7 (or at least to have it marked as "insecure, do not use").
>
> https://dl.fedoraproject.org/pub/epel/7/SRPMS/Packages/e/elog-3.1.4-1.20190113git283534d97d5a.el7.src.rpm
>
> https://packages.fedoraproject.org/pkgs/elog/elog/
> https://packages.fedoraproject.org/pkgs/elog/elog/fedora-35.html
> https://packages.fedoraproject.org/pkgs/elog/elog/epel-7.html
>
> note in the changelog "Update to post-release snapshot of 3.1.4. - Fix several security issues."
>
> K.O.
Good day, elog has never been retired in EPEL 7. It is still there
https://src.fedoraproject.org/rpms/elog/tree/epel7
I am pretty sure because I am a Fedora/RHEL package maintainer and a retired package should contain in its Git branch only a file named "dead.package" |
69593
|
Tue Dec 20 21:16:37 2022 |
| Germano Massullo | germano.massullo@cern.ch | Bug report | Linux | 3.1.4 | URL causes elog crash | Hello, the following URL
https://foo.bar/elog/Shift+Reports/?new_user_name=a2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.com&new_full_name=a2seferewd%40fanneat.com&new_user_email=a2seferewd%40fanneat.com&newpwd=asdf&newpwd2=asdf&cmd=Save
causes elog 3.1.4 to crash. I attach full GDB trace
(gdb) set height 0
(gdb) set print elements 0
(gdb) set print frame-arguments all
(gdb) thread apply all backtrace
Thread 1 (Thread 0x7fc6d1624840 (LWP 1126)):
#0 0x00007fc6d06c6387 in raise () from /lib64/libc.so.6
#1 0x00007fc6d06c7a78 in abort () from /lib64/libc.so.6
#2 0x00007fc6d0708f67 in __libc_message () from /lib64/libc.so.6
#3 0x00007fc6d07a87a7 in __fortify_fail () from /lib64/libc.so.6
#4 0x00007fc6d07a6922 in __chk_fail () from /lib64/libc.so.6
#5 0x00007fc6d07a5e2b in _IO_str_chk_overflow () from /lib64/libc.so.6
#6 0x00007fc6d070d031 in __GI__IO_default_xsputn () from /lib64/libc.so.6
#7 0x00007fc6d06dd033 in vfprintf () from /lib64/libc.so.6
#8 0x00007fc6d07a5eb8 in __vsprintf_chk () from /lib64/libc.so.6
#9 0x00007fc6d07a5e0d in __sprintf_chk () from /lib64/libc.so.6
#10 0x0000000000423b5b in sprintf (__fmt=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:33
#11 get_user_line (lbs=<optimized out>, lbs@entry=0x2833748,
user=user@entry=0x7fffc84d0780 "a2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.combasar", password=password@entry=0x0, full_name=full_name@entry=0x0, email=email@entry=0x0, email_notify=email_notify@entry=0x0,
last_logout=last_logout@entry=0x0, inactive=inactive@entry=0x0) at src/elogd.c:25739
#12 0x0000000000433d0a in save_user_config (lbs=lbs@entry=0x2833748,
user=0x7704fc <_value+1500> "a2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.com", new_user=new_user@entry=1) at src/elogd.c:13343
#13 0x0000000000456068 in do_self_register (lbs=0x2833748, command=0x7fffc84d2650 "Save") at src/elogd.c:26768
#14 0x000000000045c1f7 in interprete (lbook=lbook@entry=0x7fffc84f92f0 "Shift Reports", path=path@entry=0x7fffc84d4430 "") at src/elogd.c:27594
#15 0x000000000045ecc6 in decode_get (logbook=logbook@entry=0x7fffc84f92f0 "Shift Reports", string=<optimized out>) at src/elogd.c:28393
#16 0x0000000000460970 in process_http_request (request=<optimized out>,
request@entry=0x284bee8 "GET /Shift+Reports/?new_user_name=a2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.com&new_full_name=a2seferewd%40fanneat.com&new_user_email=a2seferewd%40fanneat.com&newpwd=asdf&newpwd2=asdf&cmd=Save", i_conn=i_conn@entry=1) at src/elogd.c:29201
#17 0x00000000004623d2 in server_loop () at src/elogd.c:30212
#18 0x0000000000404209 in main (argc=8, argv=0x7fffc84fb6c8) at src/elogd.c:3123
|
69603
|
Wed Jan 4 11:00:01 2023 |
| Hayg Guler | hayg.guler@ijclab.in2p3.fr | Question | Linux | 3.1.4-395e101 | Post using html form --> not solved ... | Dear All,
Just want to come back to this issue I faced.
In the config file, I call an html form to format input. The way I call the html file inside my config file is described below.
My point is, even if I am already logged in, each time I try to submit an html form, it says I am not logged in ...
please refer to the corresponding form to see the screenshots.
Many thanks
Hayg
------->
that is strange since I logged in ...
It seems like when I go in the shift check topic in the elog, it does not get my login id ... is there something coming from the HTML file that should be set in order to get the login from elog ?
see in the attached image : I am logged in but I still need to feed the Author item. And even If I fill it,
And then if I Click on new to write a new filling form, author is not filled as you could see on the second image "Author ?" ...
so I don't see from where appears the problem
Stefan Ritt wrote: |
Probably people have to log in to the logbook before opening the form. I guess the "submit not allowed" comes from the fact that they access the logbook as a guest.
Stefan
Hayg Guler wrote: |
Dear All,
we are trying to post from an HTML form, as included in our config file :
[ShiftCheck]
Comment = Shift Check List (exemple a modifier)
Attributes = Author, D, M, Y, Shift, LasE, LasIris, Q, E, Li, TL, RI
Quick filter = Shift, Author
Options Shift = Morning, Evening, Night
Enable attachments = 0
Show text = 1
Custom new form = /www/Web/htdocs/elog/sites/THOMX/shiftcheck.html
Custom edit form = /www/Web/htdocs/elog/sites/THOMX/shiftcheck.html
Custom display form = /www/Web/htdocs/elog/sites/THOMX/shiftcheck.html
we are facing the following problem when trying to submit :
--> Error: Command "Submit" not allowed
is there something missing in our config file ?
Many thanks in advance
|
|
|
69612
|
Wed Jan 4 12:38:07 2023 |
| Stefan Ritt | stefan.ritt@psi.ch | Question | Linux | 3.1.4-395e101 | Re: Post using html form --> not solved ... | When you log in manually to a logbook, a session ID is created and stored in a cookie "sid". On your shift check list you need some code to copy this session ID into your current form. In the code from 2010, I used "unm" and "upwd", but this was removed since it's not safe. So now you need something like:
<input type="hidden" name="sid" id="sid">
and
document.getElementById('sid').value = get_cookie('sid');
in your init code.
I haven't tried that in the past 12 years so no guarantee that it should work.
Stefan
Hayg Guler wrote: |
Dear All,
Just want to come back to this issue I faced.
In the config file, I call an html form to format input. The way I call the html file inside my config file is described below.
My point is, even if I am already logged in, each time I try to submit an html form, it says I am not logged in ...
please refer to the corresponding form to see the screenshots.
Many thanks
Hayg
------->
that is strange since I logged in ...
It seems like when I go in the shift check topic in the elog, it does not get my login id ... is there something coming from the HTML file that should be set in order to get the login from elog ?
see in the attached image : I am logged in but I still need to feed the Author item. And even If I fill it,
And then if I Click on new to write a new filling form, author is not filled as you could see on the second image "Author ?" ...
so I don't see from where appears the problem
Stefan Ritt wrote: |
Probably people have to log in to the logbook before opening the form. I guess the "submit not allowed" comes from the fact that they access the logbook as a guest.
Stefan
Hayg Guler wrote: |
Dear All,
we are trying to post from an HTML form, as included in our config file :
[ShiftCheck]
Comment = Shift Check List (exemple a modifier)
Attributes = Author, D, M, Y, Shift, LasE, LasIris, Q, E, Li, TL, RI
Quick filter = Shift, Author
Options Shift = Morning, Evening, Night
Enable attachments = 0
Show text = 1
Custom new form = /www/Web/htdocs/elog/sites/THOMX/shiftcheck.html
Custom edit form = /www/Web/htdocs/elog/sites/THOMX/shiftcheck.html
Custom display form = /www/Web/htdocs/elog/sites/THOMX/shiftcheck.html
we are facing the following problem when trying to submit :
--> Error: Command "Submit" not allowed
is there something missing in our config file ?
Many thanks in advance
|
|
|
|
69613
|
Wed Jan 4 13:38:29 2023 |
| Stefan Ritt | stefan.ritt@psi.ch | Bug report | Linux | 3.1.4 | Re: URL causes elog crash | I added a user name validation in the current version.
Stefan
Germano Massullo wrote: |
Hello, the following URL
https://foo.bar/elog/Shift+Reports/?new_user_name=a2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.com&new_full_name=a2seferewd%40fanneat.com&new_user_email=a2seferewd%40fanneat.com&newpwd=asdf&newpwd2=asdf&cmd=Save
causes elog 3.1.4 to crash. I attach full GDB trace
(gdb) set height 0
(gdb) set print elements 0
(gdb) set print frame-arguments all
(gdb) thread apply all backtrace
Thread 1 (Thread 0x7fc6d1624840 (LWP 1126)):
#0 0x00007fc6d06c6387 in raise () from /lib64/libc.so.6
#1 0x00007fc6d06c7a78 in abort () from /lib64/libc.so.6
#2 0x00007fc6d0708f67 in __libc_message () from /lib64/libc.so.6
#3 0x00007fc6d07a87a7 in __fortify_fail () from /lib64/libc.so.6
#4 0x00007fc6d07a6922 in __chk_fail () from /lib64/libc.so.6
#5 0x00007fc6d07a5e2b in _IO_str_chk_overflow () from /lib64/libc.so.6
#6 0x00007fc6d070d031 in __GI__IO_default_xsputn () from /lib64/libc.so.6
#7 0x00007fc6d06dd033 in vfprintf () from /lib64/libc.so.6
#8 0x00007fc6d07a5eb8 in __vsprintf_chk () from /lib64/libc.so.6
#9 0x00007fc6d07a5e0d in __sprintf_chk () from /lib64/libc.so.6
#10 0x0000000000423b5b in sprintf (__fmt=<optimized out>, __s=<optimized out>) at /usr/include/bits/stdio2.h:33
#11 get_user_line (lbs=<optimized out>, lbs@entry=0x2833748,
user=user@entry=0x7fffc84d0780 "a2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.combasar", password=password@entry=0x0, full_name=full_name@entry=0x0, email=email@entry=0x0, email_notify=email_notify@entry=0x0,
last_logout=last_logout@entry=0x0, inactive=inactive@entry=0x0) at src/elogd.c:25739
#12 0x0000000000433d0a in save_user_config (lbs=lbs@entry=0x2833748,
user=0x7704fc <_value+1500> "a2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.coma2seferewd@fonomsdfef.com", new_user=new_user@entry=1) at src/elogd.c:13343
#13 0x0000000000456068 in do_self_register (lbs=0x2833748, command=0x7fffc84d2650 "Save") at src/elogd.c:26768
#14 0x000000000045c1f7 in interprete (lbook=lbook@entry=0x7fffc84f92f0 "Shift Reports", path=path@entry=0x7fffc84d4430 "") at src/elogd.c:27594
#15 0x000000000045ecc6 in decode_get (logbook=logbook@entry=0x7fffc84f92f0 "Shift Reports", string=<optimized out>) at src/elogd.c:28393
#16 0x0000000000460970 in process_http_request (request=<optimized out>,
request@entry=0x284bee8 "GET /Shift+Reports/?new_user_name=a2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.coma2seferewd%402sefddsfgfd.com&new_full_name=a2seferewd%40fanneat.com&new_user_email=a2seferewd%40fanneat.com&newpwd=asdf&newpwd2=asdf&cmd=Save", i_conn=i_conn@entry=1) at src/elogd.c:29201
#17 0x00000000004623d2 in server_loop () at src/elogd.c:30212
#18 0x0000000000404209 in main (argc=8, argv=0x7fffc84fb6c8) at src/elogd.c:3123
|
|
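Added example, not part of the thread and not elog's source: the backtrace above ends in `__chk_fail` because an unbounded `sprintf` in `get_user_line` wrote a request-supplied user name into a fixed-size buffer, and the reply says the fix was a user name validation. The sketch below shows that pattern, validating before formatting and using a bounded `snprintf` with a truncation check. The function names, the `"user: %s"` format, the size limits and the allowed character set are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_USER_NAME 64   /* assumed limit, not elog's actual value */
#define LINE_SIZE     256  /* assumed size of the fixed destination buffer */

/* Return 1 if the name is non-empty, at most MAX_USER_NAME bytes long,
   and made only of printable non-space characters (assumed policy). */
static int valid_user_name(const char *name)
{
    size_t i;
    if (name == NULL || name[0] == '\0') return 0;
    for (i = 0; name[i] != '\0'; i++) {
        if (i >= MAX_USER_NAME) return 0;              /* too long: reject early */
        if (!isgraph((unsigned char)name[i])) return 0;
    }
    return 1;
}

/* Build a "user: <name>" line (hypothetical format).
   Returns 0 on success, -1 if the name is rejected or would not fit. */
static int build_user_line(char *dst, size_t dst_size, const char *name)
{
    int n;
    if (!valid_user_name(name)) return -1;
    n = snprintf(dst, dst_size, "user: %s", name);     /* never writes past dst_size */
    if (n < 0 || (size_t)n >= dst_size) {              /* truncated: treat as error */
        if (dst_size) dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: repeat the address from the report to get an oversized name. */
static size_t make_long_name(char *out, size_t out_size)
{
    const char *unit = "a2seferewd@fonomsdfef.com";
    size_t used = 0, ulen = strlen(unit);
    while (used + ulen < out_size) { memcpy(out + used, unit, ulen); used += ulen; }
    out[used] = '\0';
    return used;
}

int main(void)
{
    char line[LINE_SIZE], longname[1024];
    make_long_name(longname, sizeof longname);
    printf("short name: %d\n", build_user_line(line, sizeof line, "a2seferewd@fanneat.com"));
    printf("long name:  %d\n", build_user_line(line, sizeof line, longname));
    return 0;
}
```

The length check in the validator keeps the request from reaching the formatting code at all; the `snprintf` return check is the second line of defence if a caller passes a smaller buffer than expected.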
69617
|
Mon Jan 16 20:18:12 2023 |
| Laurent Jean-Rigaud | lollspam@free.fr | Question | Linux | V3.1.4-2e0f4719 | Fail to upload enclosure in ELOG | Hi,
I am currently testing the last ELOG version from git in a docker with LDAP activated (https://hub.docker.com/r/usinagaz/elog-ldap). The goal is to use it on Synology NAS server, associated with local LDAP server.
The reverse proxy is done by embedded DSM nginx, according to FQDN associated to ELOG service (elog.corp.com). In Docker, URL is set to elog.corp.com.
All is good, but when I post any enclosure in any elog post, the elogd exits and docker is automatically restarted. The browser shows an error 405 generated by nginx server.
Do you have any idea of the cause of this problem ?
Thanks for help.
Laurent |
69623
|
Fri Jan 20 14:11:52 2023 |
| Tamas Gal | tgal@km3net.de | Question | Linux | 3.1.3 | Re: Too many redirects when running behind load balancer? | The issue is still present and now it's quite urgent to move this last service into the Swarm. Does anyone maybe have an idea what's wrong? To sum up: if there is a non-empty password file, the login page chokes in an infinite loop of redirects. I am using the same HAProxy load balancer configuration as for all the other services (running Apache, NGINX, GitLab, XWiki, etc.):
backend be_elog.km3net.de
mode http
option forwardfor except 127.0.0.1
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server-template km3net-elog- 1 km3net-elog_elog:8080 check resolvers docker init-addr libc,none
Tamas Gal wrote: |
Yes, I used the empty `passwd` file from example. When I then click on one of the logbooks, I get to the page where I can register a user (see attached screenshot). After clicking on "Save" for the user registration, I again get the redirect error. Once there is a registered user (i.e. a non-empty password file) the redirect issue is persistent. Any idea where the problem might be? I just emptied the password file again, so you can have a one-shot, if you like.
Btw. I have SSL termination in the load balancer, so ELOG does not need to do any SSL related things (the swarm is in a locally isolated network, so all internal communication between the load balancer and the swarm machines is safe). Maybe that's the issue? On the other hand, the main page loads fine and uses SSL termination too, so I don't know, maybe there is logic behind the authentication which collides with the SSL termination.
Stefan Ritt wrote: |
Yes I see the redirects. You say with the example logbook it works, right? Is it the password protection which triggers the problem or anything else? Does it work if you take out the password protection? The key is to identify which setting in your config file triggers the problem, so you can bracket the problem down between the example logbook and your logbook definition.
|
|
|
|