ID | Date | Icon | Author | Author Email | Category | OS | ELOG Version | Subject
67709
|
Fri Oct 24 12:51:00 2014 |
| Stefan Ritt | stefan.ritt@psi.ch | Bug fix | All | ALL | POODLE vulnerability | IMPORTANT SECURITY ANNOUNCEMENT
Recently the POODLE vulnerability has been announced: http://en.wikipedia.org/wiki/POODLE
ELOG is prone to this vulnerability if it runs the SSL protocol directly and can be accessed from the internet. If ELOG runs behind an Apache proxy, and the Apache server has been correctly configured (disabled the SSLv23 protocols), ELOG is safe as well.
To fix this vulnerability, ELOG needs to be recompiled after the attached patch has been applied. This prevents ELOG from falling back to the insecure SSLv2 & v3 protocols, so that it only uses the safe TLSv1 protocol.
If you do not know how to recompile ELOG, please do not run ELOG directly accessible from the internet until the next binary release has been published.
/Stefan Ritt |
Attachment 1: elogd.patch
|
diff --git a/src/elogd.c b/src/elogd.c
index fac34f8..13c619f 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -2342,7 +2342,7 @@ int ssl_connect(int sock, SSL ** ssl_con)
SSL_library_init();
SSL_load_error_strings();
- meth = (SSL_METHOD *) SSLv23_method();
+ meth = (SSL_METHOD *) TLSv1_method();
ctx = SSL_CTX_new(meth);
*ssl_con = SSL_new(ctx);
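Review bot: In ssl_connect, the replacement line `meth = (SSL_METHOD *) TLSv1_method();` fixes outgoing connections at exactly TLS 1.0, so they can never negotiate TLS 1.1 or 1.2 even when the peer and the linked OpenSSL support them. Keeping SSLv23_method() and adding `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` directly after SSL_CTX_new(meth) removes the two vulnerable protocols while still letting the handshake pick the highest shared TLS version. The context line `*ssl_con = SSL_new(ctx);` also uses ctx without checking the SSL_CTX_new result for NULL.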
@@ -28902,7 +28902,7 @@ SSL_CTX *init_ssl(void)
SSL_library_init();
SSL_load_error_strings();
- meth = (SSL_METHOD *) SSLv23_method();
+ meth = (SSL_METHOD *) TLSv1_method();
ctx = SSL_CTX_new(meth);
if (getcfg("global", "SSL Passphrase", pwd, sizeof(pwd))) {
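Review bot: In init_ssl, the TLSv1_method() substitution applies to the listening context, so every browser connection to elogd is capped at TLS 1.0 and a client that requires a newer version cannot connect at all. Expressing the restriction as context options between `ctx = SSL_CTX_new(meth);` and the "SSL Passphrase" lookup, rather than through the choice of method function, would let ssl_connect and init_ssl share one protocol policy that can be tightened later in a single place.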
|
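One way to check the effect of the fix from the first bytes a server sends back, as an added example that is not part of the original post or of ELOG: the parser reads the protocol version the server selected, so a reply of 0x0300 shows SSLv3 was accepted. The byte arrays are constructed samples and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed samples: first record of a server reply, shortened to the
   fields read below (record header, handshake header, server_version). */
static const unsigned char REPLY_SSL3[]  = {0x16,0x03,0x00,0x00,0x06, 0x02,0x00,0x00,0x02, 0x03,0x00};
static const unsigned char REPLY_TLS1[]  = {0x16,0x03,0x01,0x00,0x06, 0x02,0x00,0x00,0x02, 0x03,0x01};
static const unsigned char REPLY_ALERT[] = {0x15,0x03,0x00,0x00,0x02, 0x02,0x28};

/* Version chosen in a ServerHello (0x0300 = SSLv3, 0x0301 = TLSv1),
   -2 if the server answered with an alert record (handshake refused),
   -1 if the buffer is not a complete, recognizable record. */
int server_hello_version(const unsigned char *buf, size_t len)
{
   size_t rec_len;

   if (buf == NULL || len < 5)
      return -1;
   rec_len = ((size_t) buf[3] << 8) | buf[4];
   if (rec_len > len - 5)
      return -1;                          /* record body truncated */
   if (buf[0] == 0x15)                    /* alert: level + description */
      return rec_len == 2 ? -2 : -1;
   if (buf[0] != 0x16 || rec_len < 6 || buf[5] != 0x02)
      return -1;                          /* not a handshake/ServerHello */
   return (buf[9] << 8) | buf[10];        /* server_version */
}

/* 1 = server accepted SSLv3 or older, 0 = TLS chosen or refused, -1 = unparsable */
int accepts_ssl3(const unsigned char *buf, size_t len)
{
   int v = server_hello_version(buf, len);

   if (v == -1)
      return -1;
   return v != -2 && v <= 0x0300;
}

int main(void)
{
   printf("SSLv3 reply: %d\n", accepts_ssl3(REPLY_SSL3, sizeof(REPLY_SSL3)));
   printf("TLSv1 reply: %d\n", accepts_ssl3(REPLY_TLS1, sizeof(REPLY_TLS1)));
   printf("alert reply: %d\n", accepts_ssl3(REPLY_ALERT, sizeof(REPLY_ALERT)));
   return 0;
}
```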
67884
|
Wed May 6 15:13:11 2015 |
| Christof Hanke | hanke@rzg.mpg.de | Bug fix | All | 3.1.0 | parse a correctly the username in save_user_config when using Webserver authentication | Hi Stefan,
When we use Webserver authentication, we have the correct username already in the variable http_user.
The old way of copying this http_user to "user" is wrong since we don't use the size of http_user.
Instead, just encode the http_user variable directly.
See attached patch against git HEAD.
Christof
|
Attachment 1: parse_http_user_correctly.patch
|
diff --git a/src/elogd.c b/src/elogd.c
index 601639c..de4734b 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -13142,12 +13142,13 @@ int save_user_config(LOGBOOK * lbs, char *user, BOOL new_user)
/* if we outsourced the authentication, use external username */
getcfg(lbs->name, "Authentication", str, sizeof(str));
- if ( stristr(str, "Webserver")) {
- strlcpy(user, http_user, sizeof(user));
- }
/* do not allow HTML in user name */
- strencode2(user_enc, user, sizeof(user_enc));
+ if ( stristr(str, "Webserver")) {
+ strencode2(user_enc, http_user, sizeof(user_enc));
+ } else {
+ strencode2(user_enc, user, sizeof(user_enc));
+ }
/* check for user name */
if (!isparam("new_user_name") || *getparam("new_user_name") == 0) {
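Review bot: In save_user_config, the new if/else only changes what is encoded into user_enc, while user itself is no longer set from http_user under Webserver authentication, which the removed lines did (truncated, because sizeof(user) on the char *user parameter is the size of a pointer). Any code further down that reads user rather than user_enc would now see the caller-supplied value, so the rest of the function should be checked for such uses; selecting the source once, for example `const char *name = stristr(str, "Webserver") ? http_user : user;`, and using name throughout would keep them consistent. The comment "do not allow HTML in user name" could also move next to the strencode2 calls it describes.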
|
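The sizeof problem described in the post above, as an added example that is not part of the original patch or of ELOG: it shows how many characters survive when the size of a pointer parameter is used as the buffer size, next to a variant where the caller passes the real capacity (the patch itself avoids the copy instead). All function names and the user names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bounded copy with strlcpy()-like truncation (stand-in helper for this example). */
static void copy_bounded(char *dst, const char *src, size_t size)
{
   size_t i;

   if (size == 0)
      return;
   for (i = 0; i + 1 < size && src[i] != '\0'; i++)
      dst[i] = src[i];
   dst[i] = '\0';
}

/* Old pattern: user is a pointer parameter, so sizeof(user) is the size of
   a pointer (8 on typical 64-bit builds), not the capacity of the buffer. */
void copy_user_old(char *user, const char *http_user)
{
   copy_bounded(user, http_user, sizeof(user));
}

/* Sized variant: the caller states the real capacity of the destination. */
void copy_user_sized(char *user, size_t user_size, const char *http_user)
{
   copy_bounded(user, http_user, user_size);
}

/* 1 if two different names become identical after the old copy */
int collide_after_old_copy(const char *a, const char *b)
{
   char ua[256], ub[256];

   copy_user_old(ua, a);
   copy_user_old(ub, b);
   return strcmp(a, b) != 0 && strcmp(ua, ub) == 0;
}

int main(void)
{
   char old_buf[256], new_buf[256];

   copy_user_old(old_buf, "operator_a");            /* constructed name */
   copy_user_sized(new_buf, sizeof(new_buf), "operator_a");
   printf("old: \"%s\"  sized: \"%s\"  collision: %d\n", old_buf, new_buf,
          collide_after_old_copy("operator_a", "operator_b"));
   return 0;
}
```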
67976
|
Tue Jun 9 15:44:49 2015 |
| Stefan Ritt | stefan.ritt@psi.ch | Bug fix | All | 3.1.0 | Re: parse a correctly the username in save_user_config when using Webserver authentication | Hi Christof,
thanks for the patch, I merged it into the current HEAD.
/Stefan
Christof Hanke wrote: |
Hi Stefan,
When we use Webserver authentication, we have the correct username already in the variable http_user.
The old way of copying this http_user to "user" is wrong since we don't use the size of http_user.
Instead, just encode the http_user variable directly.
See attached patch against git HEAD.
Christof
|
|
68102
|
Fri Aug 28 21:01:42 2015 |
| Daniel Sajdyk | daniel.sajdyk@gmail.com | Bug fix | Windows | V3.1.1-3f311c5 | Draft saved is treated as an entry edit | Hello.
In Elog I have an attribute called "Zmieniano" (eng. changed) which should store how many times an entry was edited. If the entry was not edited it should have only the preset value "oryginalny wpis" (eng. original entry), but when I edit it, it should also have the date, time, and person who made the edit (this is made by "Subst on Edit Zmieniano = $Zmieniano<br>- Zmiana $date przez $long_name z $remote_host").
From version V3.1.1-3f311c5 I have a problem with that.
When I add an entry, and the entry is auto saved, then the auto save is shown in the attribute "Zmieniano" (eng. changed) as a next edit, which I don't want. The entry from the attached screenshot was not edited, but in the "Zmieniano" (eng. changed) attribute it has two values:
- Oryginalny wpis (eng. original entry),
- Zmiana 27.08.2015, 10:52 przez Daniel Sajdyk z serwerownia.sr.lez (eng. Changed 27.08.2015.... )
The second value is autosave time.
Is this a bug?
Regards
Daniel.
|
Attachment 1: entry.png
|
|
68103
|
Mon Aug 31 09:38:38 2015 |
| Andreas Luedeke | andreas.luedeke@psi.ch | Bug fix | Windows | V3.1.1-3f311c5 | Re: Draft saved is treated as an entry edit | Hi Daniel,
this is an undesired side effect of a new feature. I wouldn't call it a bug ;-)
There is no straightforward way for elog to distinguish between a "Submit" and an automatic save. Therefore the "... on edit = ..." kicks in when an entry is saved automatically.
I guess Stefan can figure out a workaround, but for the moment I would suggest that you just switch off the auto save feature -- if you want to keep your save history:
Save drafts = 0
Cheers
Andreas
Daniel Sajdyk wrote: |
Hello.
In Elog I have an attribute called "Zmieniano" (eng. changed) which should store how many times an entry was edited. If the entry was not edited it should have only the preset value "oryginalny wpis" (eng. original entry), but when I edit it, it should also have the date, time, and person who made the edit (this is made by "Subst on Edit Zmieniano = $Zmieniano<br>- Zmiana $date przez $long_name z $remote_host").
From version V3.1.1-3f311c5 I have a problem with that.
When I add an entry, and the entry is auto saved, then the auto save is shown in the attribute "Zmieniano" (eng. changed) as a next edit, which I don't want. The entry from the attached screenshot was not edited, but in the "Zmieniano" (eng. changed) attribute it has two values:
- Oryginalny wpis (eng. original entry),
- Zmiana 27.08.2015, 10:52 przez Daniel Sajdyk z serwerownia.sr.lez (eng. Changed 27.08.2015.... )
The second value is autosave time.
Is this a bug?
Regards
Daniel.
|
|
68104
|
Mon Aug 31 13:12:09 2015 |
| Daniel Sajdyk | daniel.sajdyk@gmail.com | Bug fix | Windows | V3.1.1-3f311c5 | Re: Draft saved is treated as an entry edit | Hi Andreas and thank you very much for explanation ;)
So, we'll have to wait for a new version which will correct this.
Cheers
Daniel.
Andreas Luedeke wrote: |
Hi Daniel,
this is an undesired side effect of a new feature. I wouldn't call it a bug ;-)
There is no straightforward way for elog to distinguish between a "Submit" and an automatic save. Therefore the "... on edit = ..." kicks in when an entry is saved automatically.
I guess Stefan can figure out a workaround, but for the moment I would suggest that you just switch off the auto save feature -- if you want to keep your save history:
Save drafts = 0
Cheers
Andreas
Daniel Sajdyk wrote: |
Hello.
In Elog I have an attribute called "Zmieniano" (eng. changed) which should store how many times an entry was edited. If the entry was not edited it should have only the preset value "oryginalny wpis" (eng. original entry), but when I edit it, it should also have the date, time, and person who made the edit (this is made by "Subst on Edit Zmieniano = $Zmieniano<br>- Zmiana $date przez $long_name z $remote_host").
From version V3.1.1-3f311c5 I have a problem with that.
When I add an entry, and the entry is auto saved, then the auto save is shown in the attribute "Zmieniano" (eng. changed) as a next edit, which I don't want. The entry from the attached screenshot was not edited, but in the "Zmieniano" (eng. changed) attribute it has two values:
- Oryginalny wpis (eng. original entry),
- Zmiana 27.08.2015, 10:52 przez Daniel Sajdyk z serwerownia.sr.lez (eng. Changed 27.08.2015.... )
The second value is autosave time.
Is this a bug?
Regards
Daniel.
|
|
|
68426
|
Sun Sep 18 03:31:42 2016 |
| Darren Hollinrake | hollinrakedp@gmail.com | Bug fix | Linux | 3.0.0 | Re: notification error services in CentOS 6.5 | The quick fix I found was to uncomment line 10 in the init.d file. (This was tested on a CentOS 6.8 AWS instance.)
. /etc/rc.d/init.d/functions
This will allow the status command to function properly.
Clean install:
[centos@ip-172-31-51-59 ~]$ service elogd status
status: invalid option: -p
After uncommenting line 10:
[centos@ip-172-31-51-59 ~]$ service elogd status
elogd (pid 11438) is running...
When you start elog it still won't show that the service started successfully (No 'OK'). If you go to stop the service, it will give you the proper 'OK' indicating it stopped successfully.
So to fix the missing 'OK' (or 'FAILED') we need to update the start section around line 51 as follows:
touch /var/lock/subsys/elogd
echo_success
else
echo_failure
fi
echo
;;
I've attached my modified init file which I believe corrects the above issues. I will say though that I'm not a programmer so I won't guarantee it's perfect. I haven't checked to see if CentOS 7 works with this modified version. Just checked it on a CentOS 7.2 AWS instance and it also appears to function correctly.
[root@oceana ~]# systemctl status elogd
● elogd.service - SYSV: ELOG is a weblog with integrated database
Loaded: loaded (/etc/rc.d/init.d/elogd)
Active: active (running) since Sun 2016-09-18 22:35:44 UTC; 7s ago
Docs: man:systemd-sysv-generator(8)
Process: 2263 ExecStop=/etc/rc.d/init.d/elogd stop (code=exited, status=0/SUCCESS)
Process: 2275 ExecStart=/etc/rc.d/init.d/elogd start (code=exited, status=0/SUCCESS)
Main PID: 2277 (elogd)
CGroup: /system.slice/elogd.service
└─2277 /usr/local/sbin/elogd -D -c /usr/local/elog/elogd.cfg
Sep 18 22:35:44 oceana elogd[2277]: elogd 3.1.1 built Aug 4 20...0
Sep 18 22:35:44 oceana elogd[2277]: revision
Sep 18 22:35:44 oceana elogd[2277]: Falling back to default gro..."
Sep 18 22:35:44 oceana elogd[2277]: Falling back to default use..."
Sep 18 22:35:44 oceana elogd[2277]: CKeditor detected
Sep 18 22:35:44 oceana systemd[1]: Started SYSV: ELOG is a webl....
Sep 18 22:35:44 oceana elogd[2279]: Falling back to default gro..."
Sep 18 22:35:44 oceana elogd[2279]: Falling back to default use..."
Sep 18 22:35:44 oceana elogd[2277]: ImageMagick detected
Sep 18 22:35:44 oceana elogd[2277]: SSLServer listening on port....
Hint: Some lines were ellipsized, use -l to show in full.
The old SysV style commands ('service elogd start|stop|status') also function correctly.
[root@oceana ~]# service elogd stop
Stopping elogd (via systemctl): [ OK ]
[root@oceana ~]# service elogd start
Starting elogd (via systemctl): [ OK ]
Stefan Ritt wrote: |
The init script supplied with elog was originally written for Redhat. It seems like CentOS has slightly changed the init daemon management, but I'm not an expert on that, nor do I have CentOS installed. If somebody comes with a fixed elogd.init for CentOS, I'm happy to include that in the distribution.
/Stefan
Banata wrote: |
hello, I just upgraded from 2.9 to 3.0.0 on CentOS 6.5
but after the upgrade, I can't check the elogd service via the command line
service elogd status,
it always results in a missing argument, while it works with the httpd or mysqld services and the old elogd version.
I tried to uninstall and install from scratch, with the same result.
Okay, I give you a screenshot of that,
you may notice that checking the service status and stopping the service result in errors
|
|
|
Attachment 1: elogd_modified
|
#!/bin/sh
# chkconfig: 3 90 10
# description: ELOG is a weblog with integrated database
# processname: elogd
# config: /usr/local/elog/elogd.cfg
# pidfile: /var/run/elogd.pid

# Source function library (provides status, echo_success, echo_failure).
. /etc/rc.d/init.d/functions

# Exit status handed back to the caller; set by the start, status and restart branches.
RETVAL=0

# Check for the config file
if [ ! -f /usr/local/elog/elogd.cfg ]; then
   exit 0
fi

# See how we were called.
case "$1" in
   start)
      if [ -f /var/run/elogd.pid ] ; then
         pid=`cat /var/run/elogd.pid`
         # an empty pid file must not match the /proc directory itself
         if [ -n "$pid" ] && [ -d "/proc/$pid" ] ; then
            echo "elogd already running"
            # echo_failure
            exit 1
         fi
      fi
      # stale pid file left over from a process that is gone
      if [ -f /var/run/elogd.pid ] ; then
         rm -f /var/lock/subsys/elogd
         rm -f /var/run/elogd.pid
      fi
      echo -n "Starting elogd: "
      /usr/local/sbin/elogd -D -c /usr/local/elog/elogd.cfg > /dev/null 2>&1
      RETVAL=$?
      if [ $RETVAL -eq 0 ] ; then
         touch /var/lock/subsys/elogd
         echo_success
      else
         echo_failure
      fi
      echo
      ;;
   stop)
      echo ""
      if [ -f /var/run/elogd.pid ] ; then
         echo -n "Stopping elogd: "
         /bin/kill `cat /var/run/elogd.pid`
         rm -f /var/lock/subsys/elogd
         rm -f /var/run/elogd.pid
         echo_success
         echo
      else
         echo -n "No elogd running?"
         echo
      fi
      ;;
   status)
      status -p /var/run/elogd.pid /usr/local/sbin/elogd
      RETVAL=$?
      ;;
   restart|reload)
      $0 stop
      sleep 1
      $0 start
      RETVAL=$?
      ;;
   *)
      echo "Usage: $0 {start|stop|status|restart}"
      exit 1
esac

# Return the recorded status instead of a fixed 0, so that "status" and a
# failed "start" are visible to the caller.
exit $RETVAL
|
68427
|
Wed Sep 21 17:23:15 2016 |
| Stefan Ritt | stefan.ritt@psi.ch | Bug fix | Linux | 3.0.0 | Re: notification error services in CentOS 6.5 | Ok, I will include this patch in the distribution.
Stefan
Darren Hollinrake wrote: |
The quick fix I found was to uncomment line 10 in the init.d file. (This was tested on a CentOS 6.8 AWS instance.)
. /etc/rc.d/init.d/functions
This will allow the status command to function properly.
Clean install:
[centos@ip-172-31-51-59 ~]$ service elogd status
status: invalid option: -p
After uncommenting line 10:
[centos@ip-172-31-51-59 ~]$ service elogd status
elogd (pid 11438) is running...
When you start elog it still won't show that the service started successfully (No 'OK'). If you go to stop the service, it will give you the proper 'OK' indicating it stopped successfully.
So to fix the missing 'OK' (or 'FAILED') we need to update the start section around line 51 as follows:
touch /var/lock/subsys/elogd
echo_success
else
echo_failure
fi
echo
;;
I've attached my modified init file which I believe corrects the above issues. I will say though that I'm not a programmer so I won't guarantee it's perfect. I haven't checked to see if CentOS 7 works with this modified version. Just checked it on a CentOS 7.2 AWS instance and it also appears to function correctly.
[root@oceana ~]# systemctl status elogd
● elogd.service - SYSV: ELOG is a weblog with integrated database
Loaded: loaded (/etc/rc.d/init.d/elogd)
Active: active (running) since Sun 2016-09-18 22:35:44 UTC; 7s ago
Docs: man:systemd-sysv-generator(8)
Process: 2263 ExecStop=/etc/rc.d/init.d/elogd stop (code=exited, status=0/SUCCESS)
Process: 2275 ExecStart=/etc/rc.d/init.d/elogd start (code=exited, status=0/SUCCESS)
Main PID: 2277 (elogd)
CGroup: /system.slice/elogd.service
└─2277 /usr/local/sbin/elogd -D -c /usr/local/elog/elogd.cfg
Sep 18 22:35:44 oceana elogd[2277]: elogd 3.1.1 built Aug 4 20...0
Sep 18 22:35:44 oceana elogd[2277]: revision
Sep 18 22:35:44 oceana elogd[2277]: Falling back to default gro..."
Sep 18 22:35:44 oceana elogd[2277]: Falling back to default use..."
Sep 18 22:35:44 oceana elogd[2277]: CKeditor detected
Sep 18 22:35:44 oceana systemd[1]: Started SYSV: ELOG is a webl....
Sep 18 22:35:44 oceana elogd[2279]: Falling back to default gro..."
Sep 18 22:35:44 oceana elogd[2279]: Falling back to default use..."
Sep 18 22:35:44 oceana elogd[2277]: ImageMagick detected
Sep 18 22:35:44 oceana elogd[2277]: SSLServer listening on port....
Hint: Some lines were ellipsized, use -l to show in full.
The old SysV style commands ('service elogd start|stop|status') also function correctly.
[root@oceana ~]# service elogd stop
Stopping elogd (via systemctl): [ OK ]
[root@oceana ~]# service elogd start
Starting elogd (via systemctl): [ OK ]
Stefan Ritt wrote: |
The init script supplied with elog was originally written for Redhat. It seems like CentOS has slightly changed the init daemon management, but I'm not an expert on that, nor do I have CentOS installed. If somebody comes with a fixed elogd.init for CentOS, I'm happy to include that in the distribution.
/Stefan
Banata wrote: |
hello, I just upgraded from 2.9 to 3.0.0 on CentOS 6.5
but after the upgrade, I can't check the elogd service via the command line
service elogd status,
it always results in a missing argument, while it works with the httpd or mysqld services and the old elogd version.
I tried to uninstall and install from scratch, with the same result.
Okay, I give you a screenshot of that,
you may notice that checking the service status and stopping the service result in errors
|
|
|
|
|