Send Motion-user mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/motion-user
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Motion-user digest..."
Today's Topics:
1. Re: Negative impact on wifi connectivity (MrDave)
2. Re: Negative impact on wifi connectivity (Damian)
3. motion security patch release 3.4.2 (tosiara)
4. Re: motion security patch release 3.4.2 (chuck elliot)
5. Re: motion security patch release 3.4.2 (tosiara)
----------------------------------------------------------------------
Message: 1
Date: Sun, 25 Oct 2020 16:44:05 -0600
From: MrDave <[email protected]>
To: [email protected]
Subject: Re: [Motion-user] Negative impact on wifi connectivity
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed
OK. This rules out direct interaction with the wifi device being the cause.
The next path would be to use the v4l2 via netcam option. This option
invokes an entirely different method to open the device by using
the ffmpeg libraries.
On 10/25/2020 3:36 PM, Damian via Motion-user wrote:
>> The webcontrol and stream are implemented in Motion using the
>> libmicrohttpd library. You can deactivate it from being started by
>> specifying the webcontrol_port and stream_port to zero. This would
>> at least help in identification of whether it is in that library or if
>> it is with opening of the USB camera.
>
> Deactivated them now, the issue still exists.
------------------------------
Message: 2
Date: Mon, 26 Oct 2020 07:17:53 +0100
From: Damian <[email protected]>
To: [email protected]
Subject: Re: [Motion-user] Negative impact on wifi connectivity
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed
> The next path would be to use the v4l2 via netcam option. This option
> invokes an entirely different method to open the
> device by using the ffmpeg libraries.
I have to test this some other time. Right now the reception is too good. Must
be open doors or something. However I can say that
the cpu load is much higher with v4l2 via netcam_url. On the Zero W the single
core is at 100% all the time and the load average
is around 2. There seems to be an additional thread compared to a native v4l
setup.
------------------------------
Message: 3
Date: Mon, 26 Oct 2020 11:52:11 +0200
From: tosiara <[email protected]>
To: Motion discussion list <[email protected]>
Subject: [Motion-user] motion security patch release 3.4.2
Message-ID:
<cachtdwqzh7ygkpdadnxblla85a9y5jnrrfi47dhox0bgtve...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi,
Please be aware that there is an update published on Github that resolves a
medium severity denial of service vulnerability that has been recently
found in motion. The motion process would crash and require a manual after
receiving a specially crafted http request.
The patch has been applied to both master branch and 4.3 release branch.
Deb packages built and also published in Github releases. SHA256 sums are
signed with tosiara's github gpg key.
CVE: CVE-2020-26566
Github security advisory: GHSA-6f7x-grw7-fw24
Mitigation: if you are not able to update yet, the only mitigation is to
disable stream and webcontrol ports by setting them to 0 in your
motion.conf. Note that the issue occurs prior to authentication, so setting
a password on the stream and the webcontrol would not help.
Let me know if you have any notes or questions.
------------------------------
Message: 4
Date: Mon, 26 Oct 2020 10:20:32 +0000
From: chuck elliot <[email protected]>
To: [email protected]
Subject: Re: [Motion-user] motion security patch release 3.4.2
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Presumably limiting web and stream control to localhost would mean
an attacker would need host access to mount this attack so would
be a partial mitigation? Perhaps a web/stream-control ACL might be
added in future?
Regards,
CE.
On 26/10/2020 9:52 am, tosiara wrote:
> Hi,
>
> Please be aware that there is an update published on Github that
> resolves a medium severity denial of service vulnerability that has
> been recently found in motion. The motion process would crash and
> require a manual after receiving a specially crafted http request.
>
> The patch has been applied to both master branch and 4.3 release
> branch. Deb packages built and also published in Github releases.
> SHA256 sums are signed with tosiara's github gpg key.
>
> CVE: CVE-2020-26566
> Github security advisory: GHSA-6f7x-grw7-fw24
>
> Mitigation: if you are not able to update yet, the only mitigation is
> to disable stream and webcontrol ports by setting them to 0 in your
> motion.conf. Note that the issue occurs prior to authentication, so
> setting a password on the stream and the webcontrol would not help.
>
> Let me know if you have any notes or questions.
------------------------------
Message: 5
Date: Mon, 26 Oct 2020 12:33:23 +0200
From: tosiara <[email protected]>
To: [email protected], Motion discussion list
<[email protected]>
Subject: Re: [Motion-user] motion security patch release 3.4.2
Message-ID:
<CACHTdwTzxMWy_=azwcmKiTJ=hmQbW8kgjpa7jxi=+exrxj4...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
The default config restricts stream and webcontrol ports to localhost, so
it is a partial mitigation that comes out of the box. In that case a remote
attacker would need to use additional techniques to perform a request to
localhost, but it is still possible (ex, CSRF). The only full mitigations
are either patch to 3.4.2, or completely disable ports.
On Mon, Oct 26, 2020 at 12:21 PM chuck elliot <[email protected]> wrote:
> Presumably limiting web and stream control to localhost would mean
> an attacker would need host access to mount this attack so would
> be a partial mitigation? Perhaps a web/stream-control ACL might be
> added in future?
>
> Regards,
> CE.
------------------------------
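Added example (not part of the list messages and not the Motion project's code): a small audit of a motion.conf against the mitigations discussed in messages 3 to 5, classifying the stream and webcontrol listeners as disabled, localhost-only or exposed. The `stream_localhost` / `webcontrol_localhost` option names, the accepted boolean spellings and the defaults used for absent options are assumptions, and the sample configs are constructed.

```python
import re

# Assumed built-in defaults when an option is absent from the file.
DEFAULTS = {"stream_port": "0", "webcontrol_port": "0",
            "stream_localhost": "on", "webcontrol_localhost": "on"}
TRUE_VALUES = {"on", "yes", "1"}  # assumed spellings of "enabled"

# Constructed sample configs (not taken from the thread).
LOCALHOST_CONF = """
# listeners bound to loopback
stream_port 8081
stream_localhost on
webcontrol_port 8080
webcontrol_localhost on
"""
EXPOSED_CONF = LOCALHOST_CONF.replace("stream_localhost on", "stream_localhost off")
DISABLED_CONF = "stream_port 0\n; webcontrol_port 8080\nwebcontrol_port 0\n"

def parse_conf(text):
    """Return the last value set for each listener option; skip comments."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"(\w+)[\s=]+(\S+)", line)
        if m and m.group(1) in opts:
            opts[m.group(1)] = m.group(2).lower()
    return opts

def audit(text):
    """Map each listener to 'disabled', 'localhost-only' or 'exposed'."""
    opts = parse_conf(text)
    result = {}
    for name in ("stream", "webcontrol"):
        if int(opts[name + "_port"]) == 0:
            result[name] = "disabled"        # full mitigation per the thread
        elif opts[name + "_localhost"] in TRUE_VALUES:
            result[name] = "localhost-only"  # partial mitigation per the thread
        else:
            result[name] = "exposed"
    return result

def fully_mitigated(text):
    """True only when both listeners are switched off (port 0)."""
    return all(state == "disabled" for state in audit(text).values())
```

Per-camera config files can set their own `stream_port`, so each of them needs the same check.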
End of Motion-user Digest, Vol 172, Issue 17
********************************************