New Releases 1.36.27, 1.36.28, 1.36.29
New Releases 1.36.27, 1.36.28, 1.36.29
# Changes since 1.36.26
- Use zm_setcookie, which will automatically set samesite on the session cookie. Maybe fixes https://github.com/ZoneMinder/zoneminder/issues/3517
- commit to free up locks when there is an error doing MoveTo (like does not exist on disk). Also remove commit from CopyTo which does no transactions/locking.
- Use y instead of Y for path generation when using Deep scheme. Fixes https://github.com/ZoneMinder/zoneminder/issues/3583
- Add spans and title attributes on the title h2 parts of frame view so that on mouseover it tells you what the numbers are
- Update frame view js to use const etc instead of var. Put back EventId and FrameId in stats being links and fix FrameId not being populated. If no stats available disable the stats button and use the title to explain why.
- In failure state populate imageData array to reduce output php errors in frame view
- Add connkey and semaphore key to logging about failure to get semaphore. Add sem_release before every ajaxError call because ajaxError exits and so we never release the semaphore.
- fix not saving v4l settings.
- Only warn about event exceeding section_length if we are not using close_mode=TIME. Fixes https://github.com/ZoneMinder/zoneminder/issues/3599
- make OutputCodec work in API Maybe fixes https://github.com/ZoneMinder/zoneminder/issues/3341
- Handle filter[query] not being defined
- Fix export not working for filter due to limit set to 0.
- Only look for action if there is a view. Prevents lookup of a non-existent file.
- Include monitor Id in zmwatch logs, for consistency as well as utility
- Escape File parameters when inserting log to prevent XSS. Related to fixing https://github.com/ZoneMinder/zoneminder/issues/2466. Fixes https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433
- Only perform actions on post. Doing them on GET allows doing actions without CSRF from things like img tags which is not good. Fixes https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-xgv6-qv6c-399q
- Upgrade jquery to 3.6.1
- Update jquery-ui to 1.13.2 to remove reported dependency advisory
- Fix missing STATE_UNKNOWN in perl libs causing missed events in zmes.
- Add permissions checking to API/Logs. Fixes unprivileged user being to add/edit/delete/view logs. Fixes https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-mpcx-3gvh-9488
https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.27
Full Changelog
https://github.com/ZoneMinder/zoneminder/compare/1.36.26...1.36.27
# Changes since 1.36.27
- Add ZM_LOG_INJECT config parameter to disable unprivileged log injection through api.
- Check value of System:Edit permission and ZM_LOG_INJECT to disable ajax log injection.
- Use canEdit['System'] and value of new ZM_LOG_INJECT to disable attempting to inject javascript errors into zm logs
- The above 3 Fixes https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-cfcx-v52x-jh74
- Fix Monitor => monitor in zmwatch causing crash in zmwatch
- update storage modal to fix buttons not being in form. Also remove duplicate view field and make button action be save instead of Save. Fixes https://github.com/ZoneMinder/zoneminder/issues/3605
https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.28
Full Changelog
https://github.com/ZoneMinder/zoneminder/compare/1.36.27...1.36.28
# Changes since 1.36.28
- update web/ajax.log.php to contents from master. Fixes errors causing log view to not work. Fixes https://github.com/ZoneMinder/zoneminder/issues/3606
- use ajax() instead of getJSON so that we can specify no timeouts.. This prevents log queries from stacking up overloading the db
- Check for definition of CAMBOZOLA defines. The purpose is just to ease running the 1.36 UI against a 1.37 database.
- Added option ZM_AUTH_CASE_INSENSITIVE_USERNAMES to match mixed case Usernames to lower case usernames in database https://github.com/ZoneMinder/zoneminder/issues/3516
- Move LIBAVCODEC_VERSION_CHECK so that it is defined when the include files are under ffmpeg. Maybe fixes build with 5.1.2?
- Test for matches[operator]. Fixes https://github.com/ZoneMinder/zoneminder/issues/3607
https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.29
Full Changelog
https://github.com/ZoneMinder/zoneminder/compare/1.36.28...1.36.29
The fixes to the security vulnerabilities broke other things, hence the flurry of releases. Expect 1.36.30 soon which fixes changing Function from the function popup. Use full monitor edit for now.
Also broken is logging in with using a POST, breaking Home Assistant integrations.