The Unforgiven
Slight Change of Plans
Vulnerabilities! Yikes!
Several vulnerability reports came in during the last release candidate. We thank the security professionals who took the time to review the project, and we have been hard at work implementing fixes. A few reported vulnerabilities remain, similar to ones we already fixed, which we have not yet been able to reproduce. The purpose of this release is to establish a new baseline for testing before the next release, 1.30.3. If any of the remaining reports turn out to be valid, note that exploiting them requires valid ZoneMinder user credentials.
Because some of the vulnerabilities go back as far as our GitHub history tracks, we recommend that everyone upgrade to this version of ZoneMinder.
Yes, this also means the next release, 1.30.3, will be a bug fix release rather than the new feature release we had hoped for.
Thank You to Those who have Contributed
First, a big thank you to those who have contributed their time to this project, or who have contributed financially. The money donated to the project is primarily used to maintain an Internet presence; it is not used as income for our developers. We do occasionally assign funds to open issues through Bountysource, but those funds can be claimed by anyone who does the work. All of us, from those who answer questions in the forums to those who develop the underlying code, are effectively volunteers, each with our own $dayjobs. We participate because we want to be part of an open-source, community project, which brings me to my next point.
We know from our telemetry data that ZoneMinder has an extremely large user base. In just one week we received telemetry from 20k distinct IP addresses actively running ZoneMinder, and those are only the sites that have telemetry enabled. On the flip side, comparatively few people contribute back to the project. This leaves us perpetually unable to keep up, whether that means responding in the forums, writing new code, fixing existing code, or writing documentation. We are looking for help from mature individuals who understand what it means to be part of a team project. To join the team you don't need to already know how to do a particular task or write code; you simply need a strong desire to learn and to interact with the other members.
Bug Fix Release
While there are a few new features, this release focuses on bug fixes and improvements to existing code.
Here is the short list of changes:
- Various SQL injection, XSS, and other vulnerabilities have been fixed.
- CVE-2017-7203 (a duplicate of CVE-2017-5367) fixed in ea5342a
- CVE-2017-5595 fixed in 8b19fca
- CVE-2016-10205 and CVE-2016-10204 fixed in #1764
- CVE-2016-10201 fixed in c5906a5
- CVE-2017-5368 and CVE-2016-10206: added CSRF mitigation. The option ENABLE_CSRF_MAGIC currently defaults to OFF and must be turned on under Options; while it is off, an installation is not protected against these two CVEs. Packagers should default it to ON to resolve CVE-2017-5368 and CVE-2016-10206. To change the default, run the following in the build script before calling cmake: ./utils/zmeditconfigdata.sh ZM_ENABLE_CSRF_MAGIC yes
- Fixed an issue where the red outline did not appear in images with blob detection enabled
- The new ONVIF probe should now properly detect many more ONVIF compliant cameras
- A few security fixes were implemented to help mitigate malicious activity
- Various updates to the documentation including an emphasis to use the "ffmpeg" source type for modern IP cameras. Only use the other source types if there is a problem using ffmpeg.
- New Hikvision and Keekoon PTZ control scripts have been added
- Since the amount of free /dev/shm memory is critical, it is now shown at the top of the web console.
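As an added example for packagers (this is not part of the release notes or of ZoneMinder's own tooling), the following POSIX shell snippet performs the build-time default change described above and then refuses to proceed unless the default actually changed. It assumes the option's default is stored as a Perl hash entry (name => "ZM_ENABLE_CSRF_MAGIC", ... default => "no") in scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in, the file utils/zmeditconfigdata.sh edits; the ConfigData fragment it operates on is constructed inline, and the edit is reimplemented with awk instead of calling the project's script so that the snippet runs stand-alone.

```shell
#!/bin/sh
# Added example, not ZoneMinder's own script. Flips the build-time default of a
# ZM_* option in a ConfigData.pm.in-style file and verifies the edit took.
# Assumption: each option is a hash entry with a `name => "ZM_..."` line followed
# by a `default => "..."` line, as in scripts/ZoneMinder/lib/ZoneMinder/ConfigData.pm.in.

set -eu

# Print the default value recorded for option $2 in file $1 (empty if absent).
configdata_default() {
  file=$1; opt=$2
  awk -v opt="$opt" '
    $0 ~ "name[ \t]*=>[ \t]*\"" opt "\"" { found = 1; next }
    found && $0 ~ /default[ \t]*=>/ {
      sub(/.*default[ \t]*=>[ \t]*"/, ""); sub(/".*/, ""); print; exit
    }' "$file"
}

# Rewrite the default for option $2 in file $1 to value $3, in place.
# Only the default line belonging to the named option is touched.
configdata_set_default() {
  file=$1; opt=$2; val=$3
  awk -v opt="$opt" -v val="$val" '
    $0 ~ "name[ \t]*=>[ \t]*\"" opt "\"" { found = 1 }
    found && $0 ~ /default[ \t]*=>/ {
      sub(/default[ \t]*=>[ \t]*"[^"]*"/, "default => \"" val "\""); found = 0
    }
    { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample fragment in the assumed ConfigData.pm.in shape.
make_sample() {
  cat > "$1" <<'EOF'
    {
      name        => "ZM_OPT_USE_AUTH",
      default     => "no",
      description => "Authenticate user logins to ZoneMinder",
    },
    {
      name        => "ZM_ENABLE_CSRF_MAGIC",
      default     => "no",
      description => "Enable csrf-magic library",
    },
EOF
}

# Packager flow: set the CSRF default to yes, then guard the build on it.
# Returns non-zero (so a `set -e` build script aborts) if the edit did not take
# or if an unrelated option was disturbed.
package_prep() {
  f=$1
  configdata_set_default "$f" ZM_ENABLE_CSRF_MAGIC yes
  [ "$(configdata_default "$f" ZM_ENABLE_CSRF_MAGIC)" = yes ] || return 1
  [ "$(configdata_default "$f" ZM_OPT_USE_AUTH)" = no ] || return 1
  # ... the real build script would continue here with: cmake . && make
}

if [ "${1:-}" = demo ]; then
  make_sample /tmp/ConfigData.pm.in
  package_prep /tmp/ConfigData.pm.in && echo "ZM_ENABLE_CSRF_MAGIC default is now yes"
fi
```

In an actual build script, use the project's utils/zmeditconfigdata.sh for the edit and keep only the configdata_default check as a guard before cmake: a package whose default silently failed to change would ship with CVE-2017-5368 and CVE-2016-10206 unmitigated on every fresh install.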
A Notice about the next release following 1.30.3
We have had a number of big-ticket items in the works for a while now, and after a recent discussion we have decided to implement some, or perhaps all, of these major features following the release of 1.30.3. I won't name them here, because the list of features we deploy might change. What I do want to emphasize is that the release containing these new features will need to run its course to find and work out the bugs it will likely introduce. So if you are running a production system and don't want reliability to suffer, I recommend you upgrade to 1.30.3 but skip the release after that.
As always, here is the long list of changes:
Change Log
1.30.2 (2017-03-30)
Merged pull requests:
- Setup api cache dirs #1835 (connortechnology)
- Fix check that API user is enabled #1828 (mnoorenberghe)
- Fix failure to attribute previous work #1819 (SteveGilvarry)
- Increase default window sizes for the flat theme. Fixes #1059 #1816 (mnoorenberghe)
- ZoneMinder: Rename public enum CHAR_WIDTH/CHAR_HEIGHT to avoid conflicts #1806 (adam900710)
- fix permissions on zm.conf in deb pkg scripts #1800 (knnniggett)
- use === operator in getDiskPercent function #1794 (knnniggett)
- Reduce the default API debug level #1793 (knnniggett)
- zmlinkcontent: fix syntax error #1792 (kunkku)
- fix missing isset check, caused number of Undefined Property warnings #1790 (vajonam)
- fix usage of wrong key #1785 (vajonam)
- fix typo for correct checking if a command has executed for an event, … #1777 (vajonam)
- Remove SSH server from docker image #1774 (michaelarnauts)
- Add the missing F back in. #1773 (SteveGilvarry)
- add motion zone preset disclaimer #1767 (knnniggett)
- Align Method description to what it is actually doing #1765 (SteveGilvarry)
- Test for Controllable as well as ControlId #1843 (connortechnology)
- fix inserting x10 record with missing comma #1836 (connortechnology)
- Implement CSRF Mitigation #1822 (knnniggett)
- Properly escape postLoginQuery. Fixes #1797 #1815 (mnoorenberghe)
- Fix zmc crashing when zones are no good #1811 (connortechnology)
- use escapeshellarg on inputs to daemonControl and other functions #1780 (connortechnology)
- remove line that causes endless reading when doing single image mode #1770 (connortechnology)
- sanitize the image path before processing #1758 (knnniggett)
- must call zmMemInvalidate before next #1717 (connortechnology)
- Improve filter #1504 (connortechnology)
1.30.2-rc.1 (2017-02-05)
Merged pull requests:
- sql injection and session fixation vulnerability fixes #1764 (kylejohnson)
- check if crud plugin exists before unpacking #1759 (knnniggett)
- sanitize the image path before processing #1758 (knnniggett)
- 1716 doc img typo #1754 (pliablepixels)
- Docker - Fixed broken cgi-bin path in apache site conf. #1753 (jbehrends)
- initial commit for packpack support #1751 (knnniggett)
- Fixed apache documentroot, and fixed permissions for "/" in the project's Dockerfile #1749 (jbehrends)
- fix else behaviour by adding braces #1746 (connortechnology)
- change regexp to handle quotes in the content-type line. #1744 (connortechnology)
- fix conditional logic in controlcap.js #1742 (knnniggett)
- Control fixes #1741 (connortechnology)
- Fix 1720 #1734 (connortechnology)
- Add MonitorPreset for Qihan IP cameras via RTSP #1727 (StefanLindblom)
- must call zmMemInvalidate before next #1717 (connortechnology)
- When use warnings is on and there is a null value in the monitor data… #1733 (connortechnology)
- Fix events list #1729 (connortechnology)
- Path zms message #1728 (connortechnology)
- Initial commit of github issue template. #1724 (kylejohnson)
- spelling fixes #1721 (ka7)
- Add HikVision ptz control script #1719 (knnniggett)
- bump minimum version of cmake to 2.8.7 #1718 (knnniggett)
- remove the use of empty which on php < 5.5 only supports variables. #1714 (connortechnology)
- replace the old socket_sendto error message with something more useful #1710 (connortechnology)
- Fix 1703 #1709 (connortechnology)
- Message column to text #1708 (connortechnology)
- log failed sql when db insert fails. #1707 (connortechnology)
- Fix Travis #1702 (knnniggett)
- Update nl_NL translation #1700 (bajansen)
- Apache indexes #1697 (connortechnology)
- Disk space in events #1694 (connortechnology)
- add a zmMemInvalidate at the beginning of the while loop #1693 (connortechnology)
- Small fixes #1692 (connortechnology)
- Restore former zmswap path behaviour #1689 (knnniggett)
- sort and remove duplicates using vims :%sort u command #1687 (connortechnology)
- Fix Undefined index: loginFailed. Resolves #1684 #1685 (kylejohnson)
- unlink the mmap file when the monitor object is destroyed #1681 (knnniggett)
- Show error message upon unsuccessful login. Fixes #1648 #1680 (kylejohnson)
- Fix event.stop error in watch.js See #1672 #1678 (kylejohnson)
- fix sftp xfers in zmfilter #1677 (knnniggett)
- prevent the end user from selecting an invalid configuration on the PT… #1676 (knnniggett)
- Show available PATH_MAP percent on console #1675 (knnniggett)
- Fix event deletion from watch view. Fixes #1671 #1672 (kylejohnson)
- Fix braces #1670 (connortechnology)
- Fix FilteredPixels Mode description #1669 (zestysoft)
- Add additional details to increasing mapped memory. #1668 (zestysoft)
- Change CREATE_ANALYSIS_IMAGES Help text #1667 (zestysoft)
- tabs to spaces #1666 (connortechnology)
- change fast_delete to off #1657 (knnniggett)
- added TimeZone get API #1656 (pliablepixels)
- handle when window.open fails #1652 (connortechnology)
- Fix logic when disabling a monitor #1651 (connortechnology)
- Disabled autocorrect, autocapitalize, spellcheck on username field #1650 (jvogt)
- move jpeg context freeing to a Deinitialise function instead of ~Image #1646 (connortechnology)
- Fix onvif #1645 (connortechnology)
- Add a TZ env setting for systemd. #1643 (connortechnology)
- store the scale value for watch and event views in a cookie, differen… #1639 (connortechnology)
- enabled utf8 #1635 (pliablepixels)
- ptzControl expects a monitor object instead of a dbrow array. #1621 (connortechnology)
- Update German translation #1617 (coracis)
- 1537 zone controller bug #1614 (pliablepixels)
- implement suggested code to stop the monitor when Function is set to … #1609 (connortechnology)
- Added check for SINGLE_IMAGE to ignore socket closed by remote side #1608 (mattdurant)
- Fix issue #1460 #1607 (mattdurant)
- Correct spelling of 'Mageia' in readme #1605 (kylejohnson)
- Fix name of OPT_USE_AUTH option in getting started guide. #1604 (donnieblaw)
- added missing ssmtp support in sendMessage #1602 (mdrush)
- add some more translation #1599 (sabbath88)
- Update README.md #1594 (vikaskedia)
- Fix analysis frame #1592 (connortechnology)
- don't build the onvif libraries in travis #1587 (knnniggett)
- Fixes #1584. I've just copied the relevant functions from ffmpeg sour… #1585 (connortechnology)
- fixed wrong doc root #1583 (zhuykovkb)
- quote the password #1581 (connortechnology)
- Update file sock for multiserver #1579 (peruchi)
- Minor API doc error fixes #1578 (erelson)
- fix error in calling zmaControl #1577 (connortechnology)
- include polygons for the other zones. #1576 (connortechnology)
- Use av_dict_parse_string to create AVDictionary of options #1567 (SteveGilvarry)
- Control script for Keekoon cameras. #1566 (gerdesj)
- Enable local and travis ccache #1565 (SteveGilvarry)
- reduce noise on "zmupdate.pl" invocation #1559 (onlyjob)
- spellcheck/codespell #1558 (onlyjob)
- custom banner text on web console #1556 (knnniggett)
- Implement suggested wait for MySQL start #1549 (SteveGilvarry)
- Improve Docker features #1511 (TJC)
- Fix filter actions #1505 (connortechnology)
- add option to show monitor ID on console #1503 (connortechnology)
- Add support for MySQL Port / Unix Socket #1498 (josh4trunks)
- introduce htmlselect as an alternative to buildselect #1475 (connortechnology)
* This Change Log was automatically generated by github_changelog_generator