Important Emoncms Security Update

After an emoncms security review we have found a security issue in the user module associated with the ‘remember-me’ feature that maintains a persistent login.

We have now fixed the issue and the update is now available in the emoncms stable and master branch, starting from v9.8.18+

This update is also available via the standard EmonPi/EmonBase update procedure, just click on ‘setup > emonPi Update’ in local emoncms to start the update process.

We would recommend updating as soon as possible. If you wish to delay updating, disabling the remember me feature in emoncms settings.php is an interim fix, though less recommended. To disable the remember me feature, set:

$enable_rememberme = false;
In emoncms/settings.php

Best regards


Note: The latest release is now v9.8.25 (8th of December 2017)

Also remember to run “update and check” from the admin page if updating emoncms manually. the emonpi update routine includes this step automatically.

1 Like

Device module

If your using the emoncms device module and have come across an ‘undefined’ error while initialising a device, there is a temporary patch to make it work with the latest version of emoncms, available here:

cd /var/www/emoncms/Modules/device
git checkout set_processlist_patch

We are launching a new version of the device module soon, this patch fixes the initialisation issue until the new version is available.

’Undefined’ error on login attempt

If your updating from a version of emoncms prior to the 22nd of April 2017 (v9.8.3 or below) you may find a ‘Undefined’ error on login attempt. This is due to a missing ‘startingpage’ field in the user table. The database can be updated without login by adding the settings line:

$updatelogin = true;

to the end of your settings.php file and then running database update by going to the following url:


Remember to remove the $updatelogin = true; line once complete.

emoncms v.9.8.21 now shows a more helpful error message in place of ‘undefined’ which should help with debugging certain login/register issues.

The latest version of emoncms is now v9.8.24 merging several bug fixes fixed in the master branch over the last week which are now available in the stable branch, see emoncms release notes:

Am I right in thinking this is only available on the ‘master’ branch and not ‘stable’?
My bad. I checked the tags and it seemed to be 9.7.x on stable. In fact the syntax of the tags has changed so there is no longer a ‘v’ at the start so they no longer sort logically.

I updated my emonPi on Nov 27 (via stable) and it is now v9.8.24.

I know I have said it before, but there should be a separate announcement in the forum for every update. Currently if you go into the forum, you will just see the thread title of v9.8.18 as being the latest. These announcement posts should be Pinned and Locked and any discussion, created as a linked discussion.

I also think that a link on how to upgrade for both stand alone and prebuilt setups should be included in the announcement.

With the move to a separate version file, it should be possible for an instance of Emoncms to be able to have an alert on any page that an update is required.

How do you update emoncms via SSH rather than using the web interface/Admin?

Is it an emonpi image or a self install?

Originally it was an SD image.

The documentation is here but is woefully out of date.

If all you do is run emoncms on the SD card, then I’d be inclined to pick up a new Stretch image, backup the data, put the new image on a new card (so you can roll back if necessary) and then upload the backed up data.

There are some threads here on backing up data; it rather depends on how old your image is and how long since it was updated.

Ok I will try and give that a go, I will pin only the latest release announcement, or if an announcement such as the recent security one is of higher importance leave that pinned as well.

Thx …
Trystan’s latest announcement (release of v9.8.25) includes the all important info …

SSH/Git update procedure example:

cd /var/www/emoncms
git pull

And then remember to check for database updates from the administration page.

Great but can it appear (and stay) at the top of the ‘latest’ page please? I nearly missed this…