Send Motion-user mailing list submissions to motion-user@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/motion-user
or, via email, send a message with subject or body 'help' to
motion-user-requ...@lists.sourceforge.net

You can reach the person managing the list at
motion-user-ow...@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Motion-user digest..."

Today's Topics:

   1. Re: motion security patch release 3.4.2 (Damian)
   2. Re: motion security patch release 3.4.2 (tosiara)
   3. Re: motion security patch release 3.4.2 (Damian)
   4. Re: motion security patch release 3.4.2 (tosiara)
   5. Re: motion security patch release 3.4.2 (MrDave)

----------------------------------------------------------------------

Message: 1
Date: Mon, 26 Oct 2020 16:27:10 +0100
From: Damian <motion-u...@arcsin.de>
To: motion-user@lists.sourceforge.net
Subject: Re: [Motion-user] motion security patch release 3.4.2
Message-ID: <1055ebae-be5f-e303-b592-41af67711...@arcsin.de>
Content-Type: text/plain; charset=utf-8

> Let me know if you have any notes or questions.

If I am not mistaken, the bug has been introduced after 4.1.1, so Debian buster is safe, correct?

------------------------------

Message: 2
Date: Mon, 26 Oct 2020 17:57:39 +0200
From: tosiara <tosi...@gmail.com>
To: Motion discussion list <motion-user@lists.sourceforge.net>
Subject: Re: [Motion-user] motion security patch release 3.4.2
Message-ID: <cachtdwtqn5qadkbg1dptypyhvrezs7wuodpvjezf_esf-ut...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

The first affected release is 4.2
4.1.1 release is not affected, but you must make sure which version you are running. If it is 4.1.1 from Github release - it is not affected by the bug. If it is some 4.1.1 snapshot, it may have got the change merged, depends which git hash it is exactly.

On Mon, Oct 26, 2020 at 5:28 PM Damian via Motion-user <motion-user@lists.sourceforge.net> wrote:

> > Let me know if you have any notes or questions.
>
> If I am not mistaken, the bug has been introduced after 4.1.1, so Debian
> buster is safe, correct?
>
> _______________________________________________
> Motion-user mailing list
> Motion-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/motion-user
> https://motion-project.github.io/
>
> Unsubscribe: https://lists.sourceforge.net/lists/options/motion-user

------------------------------

Message: 3
Date: Mon, 26 Oct 2020 17:10:01 +0100
From: Damian <motion-u...@arcsin.de>
To: Motion discussion list <motion-user@lists.sourceforge.net>
Subject: Re: [Motion-user] motion security patch release 3.4.2
Message-ID: <cf5d3bb7-8a9a-cac6-1d6c-b44895e21...@arcsin.de>
Content-Type: text/plain; charset=utf-8

> The first affected release is 4.2
> 4.1.1 release is not affected, but you must make sure which version you are
> running. If it is 4.1.1 from Github release - it is not affected by the
> bug. If it is some 4.1.1 snapshot, it may have got the change merged,
> depends which git hash it is exactly.

I believe they use tagged releases. The release-4.1.1 timestamp does not match the time in debian/changelog, but Buster's version does not contain #658 yet.

------------------------------

Message: 4
Date: Mon, 26 Oct 2020 18:13:30 +0200
From: tosiara <tosi...@gmail.com>
To: Motion discussion list <motion-user@lists.sourceforge.net>
Subject: Re: [Motion-user] motion security patch release 3.4.2
Message-ID: <CACHTdwQ2msSvvdhnvhcoaWSZ9EdqkHgfBY=0tgdi-5l9xsp...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Just in case, I have checked Buster's version -
http://deb.debian.org/debian/pool/main/m/motion/motion_4.1.1.orig.tar.gz
It is not affected

On Mon, Oct 26, 2020 at 6:10 PM Damian via Motion-user <motion-user@lists.sourceforge.net> wrote:

> > The first affected release is 4.2
> > 4.1.1 release is not affected, but you must make sure which version you are
> > running. If it is 4.1.1 from Github release - it is not affected by the
> > bug. If it is some 4.1.1 snapshot, it may have got the change merged,
> > depends which git hash it is exactly.
>
> I believe they use tagged releases. The release-4.1.1 timestamp does not
> match the time in debian/changelog, but Buster's version does not
> contain #658 yet.

------------------------------

Message: 5
Date: Mon, 26 Oct 2020 11:15:59 -0600
From: MrDave <motionmrd...@gmail.com>
To: motion-user@lists.sourceforge.net
Subject: Re: [Motion-user] motion security patch release 3.4.2
Message-ID: <4fcd7f66-7c5f-8c0c-1c7b-525d37f49...@gmail.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

To be clear. This issue has existed in Motion since at least 2006 so all subsequent versions since 2006 would have this issue. Prior to 4.1, this issue was isolated to the web control.
Starting with 4.2, the offending function was also used for the stream ports.

To work around this issue for the stream port, use the following within the configuration file:

    stream_preview_method 99

This is an undocumented option that invokes the historical code.

Dave

On 10/26/2020 10:13 AM, tosiara wrote:
> Just in case, I have checked Buster's version -
> http://deb.debian.org/debian/pool/main/m/motion/motion_4.1.1.orig.tar.gz
> It is not affected
>
> On Mon, Oct 26, 2020 at 6:10 PM Damian via Motion-user
> <motion-user@lists.sourceforge.net> wrote:
>
> > > The first affected release is 4.2
> > > 4.1.1 release is not affected, but you must make sure which version you are
> > > running. If it is 4.1.1 from Github release - it is not affected by the
> > > bug. If it is some 4.1.1 snapshot, it may have got the change merged,
> > > depends which git hash it is exactly.
> >
> > I believe they use tagged releases. The release-4.1.1 timestamp does not
> > match the time in debian/changelog, but Buster's version does not
> > contain #658 yet.
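
An added example, not part of the original thread and not Motion project code: a small audit that applies the version boundary and the stream-port workaround described in the messages above to a Motion configuration file. The option names `stream_port` and `webcontrol_port`, the convention that a port of 0 or an absent option means disabled, and the `#`/`;` comment syntax are assumptions about Motion's configuration format; the sample configuration is constructed, and the check does not know which release carries the fix.

```python
import re

# Constructed sample config for illustration, not from a real installation.
SAMPLE_CONF = """\
# motion.conf (constructed sample)
daemon on
stream_port 8081
stream_localhost off
; stream_preview_method 99
webcontrol_port 8080
"""

def parse_conf(text):
    """Return {option: value} from 'option value' lines, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":   # assumed comment markers
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def stream_in_scope(version):
    """True for 4.2 and later, where the thread says the stream ports
    started using the offending function."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return (int(m.group(1)), int(m.group(2))) >= (4, 2)

def audit(version, conf_text):
    """List findings for one config file under the thread's description."""
    opts = parse_conf(conf_text)
    findings = []
    stream_on = opts.get("stream_port", "0") != "0"   # assumed: 0 = disabled
    if stream_in_scope(version) and stream_on:
        if opts.get("stream_preview_method") != "99":
            findings.append("stream port enabled without stream_preview_method 99")
    if opts.get("webcontrol_port", "0") != "0":
        # The workaround in the thread is given for the stream port only.
        findings.append("web control enabled; stream workaround does not cover it")
    return findings

if __name__ == "__main__":
    for v in ("4.1.1-1.1", "4.2.2"):
        print(v, audit(v, SAMPLE_CONF))
```
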

------------------------------

Subject: Digest Footer

_______________________________________________
Motion-user mailing list
Motion-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/motion-user

------------------------------

End of Motion-user Digest, Vol 172, Issue 19
********************************************