Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user.

**The Memory Remains 1.36.31**

**Changes since 1.36.30**

*   Fix failed login due to remoteAddr not being populated in session after regeneration
*   Use REQUEST instead of SESSION to store the post login redirect because we clear the session on login. Fixes \[#3517\]
*   Turn off logging of deprecation notices so that we work with php8.2

**Full Changelog**: 1.36.30...1.36.31

**The Memory Remains 1.36.30**

**What's Changed**

*   Test for definition of ZM\_LOG\_INJECT. We don't include the config when not logged in. So it won't be defined and an error will be logged
*   Fix saving from the function modal (and other modals)
*   left align option value column
*   when a config value is overridden via \*.conf files, put up a warning/explanation on the options view
*   Turn failure to send into a debug instead of warn. When running under fpm etc we may not get SIGPIPE.
*   Move relevant code out of includes/actions/auth.php into includs/auth.php. Fixes inability to login using GET method.
*   Don't panic if no font file found. We seem to be able to continue without it.
*   Rework session handling to fix breakage with php8.2. Please note that php 8.2 still completely breaks a ton of our code. Do not upgrade to php8.2 and expect ZoneMinder to work.

**Full Changelog**: 1.36.29...1.36.30

**The Memory Remains 1.36.29**

#Changes since 1.36.28

*   update web/ajax.log.php to contents from master. Fixes errors causing log view to not work. Fixes \[#3606\]
*   use ajax() instead of getJSON so that we can specify no timeouts.. This prevents log queries from stacking up overloading the db
*   Check for definition of CAMBOZOLA defines. The purpose is just to ease running the 1.36 UI against a 1.37 database.
*   Added option ZM\_AUTH\_CASE\_INSENSITIVE\_USERNAMES to match mixed case Usernames to lower case usernames in database \[#3516\]
*   Move LIBAVCODEC\_VERSION\_CHECK so that it is defined when the include files are under ffmpeg. Maybe fixes build with 5.1.2?
*   Test for matches\[operator\]. Fixes \[#3607\]

**Full Changelog**: 1.36.28...1.36.29

**The Memory Remains 1.36.28**

#Changes since 1.36.27

*   Add ZM\_LOG\_INJECT config parameter to disable unprivileged log injection through api.
*   Check value of System:Edit permission and ZM\_LOG\_INJECT to disable ajax log injection.
*   Use canEdit\['System'\] and value of new ZM\_LOG\_INJECT to disable attempting to inject javascript errors into zm logs
*   The above 3 Fixes GHSA-cfcx-v52x-jh74
*   Fix Monitor => monitor in zmwatch causing crash in zmwatch
*   update storage modal to fix buttons not being in form. Also remove duplicate view field and make button action be save instead of Save. Fixes \[#3605\]

**Full Changelog**: 1.36.27...1.36.28

**The Memory Remains 1.36.27**

#Changes since 1.36.26

*   Use zm\_setcookie, which will automatically set samesite on the session cookie. Maybe fixes \[#3517\]
*   commit to free up locks when there is an error doing MoveTo (like does not exist on disk). Also remove commit from CopyTo which does no transactions/locking.
*   Use y instead of Y for path generation when using Deep scheme. Fixes \[#3583\]
*   Add spans and title attributes on the title h2 parts of frame view so that on mouseover it tells you what the numbers are
*   Update frame view js to use const etc instead of var. Put back EventId and FrameId in stats being links and fix FrameId not being populated. If no stats available disable the stats button and use the title to explain why.
*   In failure state populate imageData array to reduce output php errors in frame view
*   Add connkey and semaphore key to logging about failure to get semaphore. Add sem\_release before every ajaxError call because ajaxError exits and so we never release the semaphore.
*   fix not saving v4l settings.
*   Only warn about event exceeding section\_length if we are not using close\_mode=TIME. Fixes \[#3599\]
*   make OutputCodec work in API Maybe fixes \[#3341\]
*   Handle filter\[query\] not being defined
*   Fix export not working for filter due to limit set to 0.
*   Only look for action if there is a view. Prevents lookup of a non-existent file.
*   Include monitor Id in zmwatch logs, for consistency as well as utility
*   Escape File parameters when inserting log to prevent XSS. Related to fixing \[#2466\]. Fixes https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433
*   Only perform actions on post. Doing them on GET allows doing actions without CSRF from things like img tags which is not good. Fixes GHSA-xgv6-qv6c-399q
*   Upgrade jquery to 3.6.1
*   Update jquery-ui to 1.13.2 to remove reported dependency advisory
*   Fix missing STATE\_UNKNOWN in perl libs causing missed events in zmes.
*   Add permissions checking to API/Logs. Fixes unprivileged user being to add/edit/delete/view logs. Fixes GHSA-mpcx-3gvh-9488

**Full Changelog**: 1.36.26...1.36.27

**The Memory Remains 1.36.26**

#Changes since 1.36.25

*   Fix \[#3580\] Export page broken due to type on dateTimeFormater => dateTimeFormatter
*   Restore the integer value returned for status on API MonitorsController to per 1.36.16 value. The values got shifted due to making 0 = Unknown instead of -1.
*   Only init the bootstrap table of events on watch view if the user has permission to view events. This prevents endless logging of insufficient permissions errors.
*   Add fade to the logout modal which for some reason fixes it not showing after a cancel
*   Specify that only main page content tables should have the first column be min-width: 300px. This was affecting the logout dialog table content when viewing the monitor edit view.
*   fix export from event view
*   Only try to set TIMEZONE when loading dateTimeFormatter if it is set and handle the exception when any of TIMEZONE or LOCALE are invalid.
*   Fix values in LOCALE\_DEFAULT dropdown in options.
*   Add libio-interface-perl to dependencies. Fixes \[#3577\]
*   Show the Reboot control when it is enabled without wake, sleep or reset.

**Full Changelog**: 1.36.25...1.36.26

**The Memory Remains 1.36.25**

**Changes since 1.36.24**

*   add build for ubuntu kinetic
*   fix javascript error on zone edit
*   fix deprecation error on php8 due to implicit conversion to integer when displaying event duration
*   Update ZM\_MIN\_RTSP\_PORT description
*   fix some javascript errors during page transition
*   Ignore errors when decoding log message
*   add detection of out of order packets from ffmpeg
*   Keep track of max\_keyframe\_interval and log it when complaining
*   fix hang during logrotate due to waiting in packetqueue for decode
*   Remove warning about maxImageBuffer. Will be handled better in queuePacket.
*   Fix snapshot jpeg not being created early enough
*   finally fix (we think) hung zmu/zms processes due to race in db thread creation.
*   Update material icons to v1.11.10
*   Add a button to event view to jump to this event time in montage review
*   fix different button heights when using font awesome vs material icons
*   Add a back to frames button from frame view
*   Use HTTP\_X\_FORWARDED\_HOST or HTTP\_X\_FORWARDED\_SERVER if present to get correct hostname to use when behind a reverse proxy.
*   Handle case where time\_base is not set in the codec. Fixes h265 not playing through zms
*   When there are less than 3 storage areas, just list them in the header instead of making it a dropdown
*   fix problems with migrateHash

**Full Changelog**: 1.36.24...1.36.25

**The Memory Remains 1.36.24**

**The Memory Remains 1.36.23**

**WARNING: This release is flawed. Do not use. 1.36.24 is coming soon.**

**Changes since 1.36.22**

*   Fix failed build
*   set timezone when initializing IntlDateFormatter

**Full Changelog**: 1.36.22...1.36.23

**The Memory Remains 1.36.22**

**WARNING: This release is flawed. It will not compile. Do not use. 1.36.24 is coming soon.**

**Changes since 1.36.21**

*   Make proportional zoom and movement work for AxisV2 API
*   remove padding from ptz buttons making proportional zoom/pan not work right
*   Fix memleak
*   reduce debugging calls
*   include reorder\_queue\_size setting in warning about out of order dts
*   Sync up with c++ shm alignment to fix same size on 32bit
*   improve warning about MaxImageBuffer size being smaller than keyframe interval
*   Fix ever increasing duration in event list
*   fix javascript console log about leaflet not being installed
*   Fix event listing for filter involving AlarmedZone rule.
*   Fix logic inversion causing Filters involving DiskPercent rules to still hit the database
*   Fix too much logging about finding locked packets
*   Fix segfault when audio stream is present but not being recorded
*   when a new auth hash is generated, don't reload the image stream, just update the global var to be used if the image stream breaks.

**Full Changelog**: 1.36.21...1.36.22

CVE-2022-30769: Releases · ZoneMinder/zoneminder

Heap based buffer overflow in HTTP Server functionality in Micrium uC-HTTP 3.01.01 allows remote code execution via HTTP request.

top.location='https://community.silabs.com/ex/errorduringprocessing.jsp'

CVE-2022-24942

Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45396: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

CVE-2022-45385: Jenkins Security Advisory 2022-11-15

Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.

CVE-2022-45379: Jenkins Security Advisory 2022-11-15

Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45386: Jenkins Security Advisory 2022-11-15

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features.

CVE-2022-38666: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics.

CVE-2022-45399: Jenkins Security Advisory 2022-11-15

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.

CVE-2022-45391: Jenkins Security Advisory 2022-11-15

Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system.

Tag

#js