Important Emoncms Security Update

After an emoncms security review we have found a security issue in the user module associated with the ‘remember-me’ feature that maintains a persistent login.

We have now fixed the issue and the update is now available in the emoncms stable and master branches, starting from v9.8.18+.

This update is also available via the standard EmonPi/EmonBase update procedure, just click on ‘setup > emonPi Update’ in local emoncms to start the update process.

We would recommend updating as soon as possible. If you wish to delay updating, disabling the remember me feature in emoncms settings.php is an interim fix, though less recommended. To disable the remember me feature, set:

$enable_rememberme = false;

in emoncms/settings.php

Best regards

Trystan

Note: The latest release is now v9.8.25 (8th of December 2017)

Also remember to run “update and check” from the admin page if updating emoncms manually. The emonPi update routine includes this step automatically.

Device module

If you’re using the emoncms device module and have come across an ‘undefined’ error while initialising a device, there is a temporary patch to make it work with the latest version of emoncms, available here: https://github.com/emoncms/device/tree/set_processlist_patch

cd /var/www/emoncms/Modules/device
git checkout set_processlist_patch

We are launching a new version of the device module soon; this patch fixes the initialisation issue until the new version is available.

‘Undefined’ error on login attempt

If you’re updating from a version of emoncms prior to the 22nd of April 2017 (v9.8.3 or below) you may find an ‘Undefined’ error on login attempt. This is due to a missing ‘startingpage’ field in the user table. The database can be updated without login by adding the settings line:

$updatelogin = true;

to the end of your settings.php file and then running database update by going to the following url:

http://localhost/emoncms/admin/db

Remember to remove the $updatelogin = true; line once complete.

emoncms v.9.8.21 now shows a more helpful error message in place of ‘undefined’ which should help with debugging certain login/register issues.

The latest version of emoncms is now v9.8.24 merging several bug fixes fixed in the master branch over the last week which are now available in the stable branch, see emoncms release notes:

https://github.com/emoncms/emoncms/releases/tag/9.8.24

Am I right in thinking this is only available on the ‘master’ branch and not ‘stable’?
{edit}
My bad. I checked the tags and it seemed to be 9.7.x on stable. In fact the syntax of the tags has changed so there is no longer a ‘v’ at the start so they no longer sort logically.

I updated my emonPi on Nov 27 (via stable) and it is now v9.8.24.

I know I have said it before, but there should be a separate announcement in the forum for every update. Currently if you go into the forum, you will just see the thread title of v9.8.18 as being the latest. These announcement posts should be Pinned and Locked and any discussion, created as a linked discussion.

I also think that a link on how to upgrade for both stand alone and prebuilt setups should be included in the announcement.

With the move to a separate version file, it should be possible for an instance of Emoncms to be able to have an alert on any page that an update is required.

How do you update emoncms via SSH rather than using the web interface/Admin?
Thx

Is it an emonpi image or a self install?

Originally it was an SD image.

The documentation is here https://github.com/emoncms/emoncms/tree/master/docs but is woefully out of date.

If all you do is run emoncms on the SD card, then I’d be inclined to pick up a new Stretch image, back up the data, put the new image on a new card (so you can roll back if necessary) and then upload the backed up data.

There are some threads here on backing up data; it rather depends on how old your image is and how long since it was updated.

Ok, I will try and give that a go. I will pin only the latest release announcement, or if an announcement such as the recent security one is of higher importance, leave that pinned as well.

Thx …
Trystan’s latest announcement (release of v9.8.25) includes the all-important info …

SSH/Git update procedure example:

cd /var/www/emoncms
git pull

And then remember to check for database updates from the administration page.

Great but can it appear (and stay) at the top of the ‘latest’ page please? I nearly missed this…