
Releases: ZoneMinder/zoneminder

The Memory Remains 1.36.38

19 Feb 21:20


  • Fix second-order SQL injection via stored Event Name and Cause fields. Fixes GHSA-r6gm-478g-f2c4

  • Fix formatters for 64bit values. Fixes #4580

  • Add libjson-xs-perl to deps in the hopes of fixing noble dependency issues

  • Only set timezone if it is set in config.

  • Add defaults for Type and Scheme in perl Storage object code to prevent warnings in logs due to undefined values

  • Set tz in Date::Manip so that returned unixdate from '-1 hour' is in the current timezone, not UTC

  • Fix default zone creation to account for monitor rotation

    When creating a new monitor with Orientation set to ROTATE_90 or
    ROTATE_270, the default "All" zone dimensions are now correctly swapped
    to match the rotated image dimensions. This prevents zm_zone.cpp from
    reporting that zones extend outside of image dimensions and having to
    fix them at runtime.

    Fixes issue where monitors created with Rotate Right or Rotate Left
    would generate warnings like:
    "Zone 1/All for monitor X extends outside of image dimensions,
    (0,0), (3839,2159) != (2160,3840), fixing"

  • Fix: %ld is used for time_t. Fixes #4516

  • Improve handling of ZM_DB_TYPE

  • Only set auto_reconnect if MySQL. MariaDB uses a different name, and it is all deprecated anyway.

  • Add libpcre2-posix2 for focal

  • Merge v4l2 fixes due to breakage in kernel 6.17

Full Changelog: 1.36.37...1.36.38

Seek and Destroy 1.38.1

17 Feb 17:17


ZoneMinder 1.38.1 Release Notes

This is a maintenance release that includes bug fixes, performance improvements, and enhancements to ZoneMinder 1.38.

Key Highlights

🎯 ONVIF Improvements

  • New unified ONVIF control module - Replaces four separate vendor-specific implementations with a single, more robust module
  • Automatic SSL verification fallback for cameras with self-signed certificates
  • Improved clock drift handling - Configurable timestamp validity window (10-600 seconds) to handle time differences between ZoneMinder and cameras
  • Better authentication - Fixes for "not authorized" errors caused by clock synchronization issues in ONVIF Event Listener
  • Direct protocol testing mode - zmcontrol.pl now supports --protocol flag for testing control modules without database access
  • Enhanced event listener support - Better handling of ONVIF events and subscription renewals

🚀 Performance Optimizations

  • Event thread improvements - Uses condition variables instead of sleep for faster response to decoded frames
  • Decoder optimizations - Better queue management and flushing when decoding is no longer needed
  • Persistent blend buffer - Eliminates per-frame allocations in image blending (significant performance gain)
  • Optimized pixel operations - Faster color merging and highlight detection algorithms
  • Binary search for event seeking - Dramatically faster seek operations in event playback

🐛 Critical Bug Fixes

  • Event naming race condition - Fixed events being renamed during recording
  • Memory leaks - Fixed leaks in Event_Tag, blend operations, and hardware frame transfers
  • Tag filtering - Fixed "No Tag" (0) and "Any Tag" (-1) filter logic
  • Timezone handling - Proper handling of camera vs. server time zones in event streams
  • SSL verification - Automatic retry without verification for Go2RTC, Janus, and ONVIF connections

🔧 Stability Improvements

  • Thread safety - Fixed race conditions in analysis, decoder, and event threads
  • Proper cleanup - Events now properly signal termination and wait for threads
  • Better error handling - Improved handling of codec errors, network failures, and resource exhaustion
  • Shared memory fixes - Correct attachment counting and cleanup

Detailed Changes

Core Engine

  • Fixed decoder queue flushing when decoding mode changes
  • Improved packet notification system for faster inter-thread communication
  • Better handling of on-demand decoding modes (KEYFRAMES, KEYFRAMESONDEMAND)
  • Fixed last_write_time updates even when not decoding to prevent monitor stall detection false positives
  • Event threads now use wait_for() instead of sleep for sub-millisecond response times
  • Fixed Event destructor to properly stop and join threads before cleanup

Camera Support

  • FfmpegCamera: Fixed secondary stream credential application
  • LocalCamera: Better error messages for missing /dev devices (systemd PrivateDevices check)
  • LibVNC: Fixed memory allocation error handling
  • LibVLC: Added null pointer checks before stopping player
  • Added MPEG4 decoder support
  • Fixed RTSP stream timeout handling

Control Systems

  • AxisV2: Complete rewrite with credential guessing, binary search optimizations, and configuration get/set support
  • Dahua: SSL verification with automatic fallback
  • Uniview: LAPI JSON API support, configuration management, better network probing
  • ONVIF: Unified module replacing vendor-specific implementations
  • Reolink/TapoC520WS: Fixed brightness case sensitivity bug and missing sendCmd calls
  • All control modules now support direct protocol testing mode

Web Interface & API

  • Fixed tag filter SQL for special values (0 = No Tag, -1 = Any Tag)
  • Better handling of Events_Tags table LEFT JOIN null comparison issues
  • Improved event name updates to preserve user changes during recording

Database

  • Added migration zm_update-1.38.1.sql to increase ONVIF_Options column from 64 to 255 characters
  • Fixed Event_Tag constructor to handle null assigned_by values
  • Async database updates in Event destructor to avoid blocking

Build System

  • Minimum CMake version raised to 3.12
  • Fixed include directory handling (now uses ZM_INCLUDE_DIRS list)
  • Fixed ZM_STRIP_NEON definition
  • Better handling of add_definitions() vs target_compile_definitions()
  • Fixed Perl executable detection (${PERL_EXECUTABLE} instead of hardcoded perl)
  • Removed duplicate code in CMakeLists.txt

Configuration & Logging

  • Fixed zm_config.cpp whitespace trimming logic
  • ConfigItem copy constructor now properly copies all fields
  • Better database command detection (supports MariaDB-native commands like mariadb and mariadb-dump)
  • Improved logging in multi-server configurations
  • Fixed version mismatch handling in zmpkg.pl to warn instead of fatal error

Scripts & Tools

  • zmcontrol.pl: New --protocol mode for direct control module testing without database
  • zmupdate.pl: Uses findDbCommand() for MariaDB compatibility
  • zmcamtool.pl: Uses findDbCommand() for mysqldump
  • zmonvif-probe.pl: Added events command to check ONVIF event support

Miscellaneous

  • Expanded MacVendors.json with many more camera vendor MAC address prefixes
  • Fixed zm_buffer.h null pointer check
  • Fixed numerous typos in comments and debug messages
  • Better error messages throughout the codebase
  • Improved AGENTS.md developer documentation

Platform-Specific Changes

RedHat/Fedora/Rocky Linux

  • Updated spec file to use mariadb-connector-c-devel instead of mariadb-devel
  • Added cjson-devel build dependency
  • Changed to fedora:43 from fedora:rawhide in CI
  • Added arp-scan and iproute dependencies
  • Fixed systemd conflicts in container builds
  • Added explicit paths for network tools to avoid systemd PrivateDevices issues
  • Removed static library packaging per Fedora guidelines

CI/CD

  • Removed obsolete CI workflows (Debian Bullseye/Bookworm, Ubuntu Focal, CentOS 8)
  • Renamed package build workflows for clarity
  • Updated Fedora build matrix

Upgrade Notes

  1. Database Migration: Run zmupdate.pl to apply schema changes (ONVIF_Options column expansion)
  2. ONVIF Users: If you have custom ONVIF control configurations, you may want to switch to the new unified "ONVIF" control type for better reliability
  3. Clock Drift Issues: If experiencing ONVIF authentication failures, add timestamp_validity=120 (or higher) to ONVIF Options field
  4. Control Testing: Use new zmcontrol.pl --protocol ONVIF --address user:pass@ip --command get_config for diagnostics

Contributors

This release includes contributions from the ZoneMinder development team and community members who reported bugs, tested fixes, and provided feedback.


Full Changelog: 1.38.0...1.38.1

Seek and Destroy 1.38.0

01 Feb 22:44


ZoneMinder 1.38.x Release Notes

TL;DR - Key Highlights

  • 🔐 Role-Based Access Control - Enterprise-grade permission system with user roles
  • 🎥 Modern Streaming - WebRTC, Go2RTC, RTSP2Web support with hardware acceleration
  • ⚙️ Monitor Function Redesign - Granular control with separate Capturing, Analysing, and Recording settings
  • 📡 Enhanced Protocols - ONVIF Events, MQTT, Amcrest API integration
  • 🏷️ Event Tagging - Flexible labeling and organization system
  • 📊 Server Monitoring - Real-time CPU, memory, and performance metrics
  • 🌍 Geolocation - Geographic tracking for events and servers
  • Hardware Encoding - GPU acceleration for video encoding

Overview

ZoneMinder 1.38.x represents a major evolution from version 1.36.x, introducing significant architectural improvements, new streaming capabilities, enhanced security features, and extensive monitoring enhancements. This release focuses on modernizing the platform with support for contemporary streaming protocols, implementing enterprise-grade access control, and improving performance and scalability.

Major Feature Areas

1. Advanced User Access Control & Security

Role-Based Access Control (RBAC)

  • Introduced comprehensive role-based permission system with reusable role templates
  • New database tables: User_Roles, Role_Groups_Permissions, Role_Monitors_Permissions
  • Replaced legacy comma-separated monitor ID strings with normalized permission tables
  • Fine-grained permissions for both monitor groups and individual monitors

Enhanced User Management

  • Added user profile fields: Name, Email, Phone
  • User-specific montage layouts for personalized dashboards
  • Improved security controls with private and system configuration flags

2. Modern Streaming & Multi-Protocol Support

WebRTC Integration

  • Janus WebRTC Gateway support with audio streaming capabilities
  • Go2RTC protocol support for alternative streaming
  • RTSP2Web streaming with WebRTC/MSE/HLS options
  • Configurable codec selection and stream profiles

Hardware-Accelerated Encoding

  • Hardware acceleration support for video encoding (GPU encoding)
  • New encoder configuration options: EncoderHWAccelName and EncoderHWAccelDevice
  • Human-readable codec names replacing integer-based codec selection
  • Optimized encoding for reduced CPU usage

3. Monitor Function Redesign

One of the most significant architectural changes in 1.38.x is the redesign of the monitor Function field into three independent control parameters. This provides much more granular control over monitor behavior.

Legacy Function Field (1.36.x and earlier)

The traditional Function field was a single enum that controlled all aspects of a monitor's operation:

  • None - Monitor disabled
  • Monitor - Capture video only (no recording, no motion detection)
  • Modect - Motion detection with recording on motion
  • Record - Continuous recording without motion detection
  • Mocord - Continuous recording with motion detection
  • Nodect - Recording on external trigger, no built-in motion detection

New Granular Control (1.38.x)

The Function field has been split into three independent settings, allowing fine-grained control:

Capturing enum (None/Ondemand/Always)

  • Controls whether the monitor captures video from the camera
  • None - No video capture (monitor effectively disabled)
  • Ondemand - Capture only when needed (e.g., when viewing live or triggered by events)
  • Always - Continuous video capture from the camera

Analysing enum (None/Always)

  • Controls whether motion detection and analysis is performed
  • None - No motion detection or analysis (equivalent to Monitor or Record modes)
  • Always - Perform motion detection and analysis (equivalent to Modect or Mocord modes)

Recording enum (None/OnMotion/Always)

  • Controls when video is saved to disk
  • None - No recording (live viewing only)
  • OnMotion - Record only when motion is detected or triggered
  • Always - Continuous recording

Migration from Legacy Functions

The database automatically migrates old Function values to the new settings:

  • None → Capturing: None, Analysing: None, Recording: None
  • Monitor → Capturing: Always, Analysing: None, Recording: None
  • Modect → Capturing: Always, Analysing: Always, Recording: OnMotion
  • Record → Capturing: Always, Analysing: None, Recording: Always
  • Mocord → Capturing: Always, Analysing: Always, Recording: Always
  • Nodect → Capturing: Always, Analysing: None, Recording: OnMotion

Benefits of the New Design

  • More flexible monitor configurations (e.g., analyze but don't record, or record without analysis)
  • Better resource management by independently controlling capture, analysis, and storage
  • Clearer separation of concerns for troubleshooting
  • Foundation for future enhancements like conditional recording policies
  • Easier to understand monitor behavior at a glance
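The Function split and the migration table above, worked through as an added example (this is not ZoneMinder's own update code): it applies the legacy-to-1.38 mapping, inverts it, and enumerates the Capturing/Analysing/Recording combinations that no legacy Function could express. The enum values and the six mappings are taken from the notes above; the function names are this example's own.

```python
from itertools import product

# Enum values as listed in the 1.38 release notes.
CAPTURING = ("None", "Ondemand", "Always")
ANALYSING = ("None", "Always")
RECORDING = ("None", "OnMotion", "Always")

# Legacy Function -> (Capturing, Analysing, Recording), transcribed from the
# migration table in the release notes.
LEGACY_TO_NEW = {
    "None":    ("None",   "None",   "None"),
    "Monitor": ("Always", "None",   "None"),
    "Modect":  ("Always", "Always", "OnMotion"),
    "Record":  ("Always", "None",   "Always"),
    "Mocord":  ("Always", "Always", "Always"),
    "Nodect":  ("Always", "None",   "OnMotion"),
}

# Reverse map; valid only because every legacy mode maps to a distinct triple
# (checked by migration_is_lossless below).
NEW_TO_LEGACY = {triple: name for name, triple in LEGACY_TO_NEW.items()}


def migrate_function(function):
    """Translate a 1.36 Function value into its 1.38 (Capturing, Analysing, Recording) triple."""
    if function not in LEGACY_TO_NEW:
        raise ValueError(f"unknown legacy Function value: {function!r}")
    return LEGACY_TO_NEW[function]


def validate_settings(capturing, analysing, recording):
    """Reject values outside the three enums before they reach the database."""
    for label, value, allowed in (
        ("Capturing", capturing, CAPTURING),
        ("Analysing", analysing, ANALYSING),
        ("Recording", recording, RECORDING),
    ):
        if value not in allowed:
            raise ValueError(f"{label}={value!r} is not one of {allowed}")
    return (capturing, analysing, recording)


def legacy_equivalent(capturing, analysing, recording):
    """Return the 1.36 Function name a 1.38 triple corresponds to, or None if
    the combination was not expressible before 1.38."""
    triple = validate_settings(capturing, analysing, recording)
    return NEW_TO_LEGACY.get(triple)


def new_only_configurations():
    """Every (Capturing, Analysing, Recording) combination without a legacy Function."""
    return [t for t in product(CAPTURING, ANALYSING, RECORDING) if t not in NEW_TO_LEGACY]


def migration_is_lossless():
    """True if each legacy Function round-trips through the new triple and back."""
    return all(legacy_equivalent(*migrate_function(f)) == f for f in LEGACY_TO_NEW)


if __name__ == "__main__":
    print("Modect ->", migrate_function("Modect"))
    print("round-trip ok:", migration_is_lossless())
    for combo in new_only_configurations():
        print("new in 1.38:", combo)
```

Of the 18 possible triples, 6 correspond to a legacy Function and 12 are new, including "capture and analyse without recording" (Always/Always/None) from section 8.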

4. Enhanced Camera Integration

Extended Protocol Support

  • ONVIF Event Listener for direct camera event notifications
  • Amcrest API support for Amcrest-branded cameras
  • MQTT integration for IoT device communication and message handling

Camera Management

  • Camera manufacturer and model database integration

5. Advanced Event Management

Event Tagging System

  • Flexible event labeling with custom tags
  • Many-to-many relationship between events and tags
  • Improved event organization and filtering

Event Automation & Triggers

  • Event start and end command execution
  • Multiple event close modes: system, time, duration, idle, alarm-based
  • Section length warnings for long recordings
  • Filter execution intervals for scheduled automation

Event Metadata & Analytics

  • Event data extensibility with custom metadata storage
  • Geolocation tracking (latitude/longitude) for events
  • Enhanced event reporting system with historical analytics

6. Performance & Infrastructure

Server Monitoring

  • Comprehensive server statistics tracking
  • CPU usage monitoring (User, Nice, System, Idle percentages)
  • Memory and swap utilization metrics
  • Timestamped performance data collection

Optimization Features

  • Monitor startup delay to stagger initialization and reduce system load
  • Enhanced status tracking with update timestamps
  • Analysis image channel optimization (Full Color vs. Y-Channel) to reduce CPU use
  • Improved monitor soft delete with logical deletion flags
  • Monitor importance levels (Normal/Less/Not) for stream prioritization
  • Wall clock timestamp synchronization when doing passthrough

7. Display & User Interface

Montage Enhancements

  • Expanded grid layouts: 1/2/4/5/6/7/8/9/10/12/16 Wide configurations
  • User-specific montage layouts with personalized views
  • Options to relocate or hide status information so the full space can be used

Playback Improvements

  • Default player selection for preferred streaming client
  • Enhanced video playback controls
  • Improved event viewing experience
  • Optimal MJPEG scaling to reduce CPU/bandwidth use while maintaining fidelity

New File Explorer View

  • Limited to defined storage areas

Watch and Cycle Views Merged

  • PTZ controls improved, with toggling of visibility

8. Storage & Recording

Granular Recording Control

With the redesign of the monitor Function field (see section 3), recording behavior is now controlled independently through the Recording, Capturing, and Analysing settings. This provides much greater flexibility:

  • Recording modes: None/OnMotion/Always
  • Capturing modes: None/Ondemand/Always
  • Analysis modes: None/Always

This allows configurations that weren't possible with the old Function field, such as:

  • Capture and analyze without recording (for alerting only)
  • Record without analysis (for compliance/archival)
  • On-demand capture with triggered recording

Email Notifications

  • Email format options: Individual or Summary
  • Improved event notification formatting
  • Configurable alert delivery

9. Geographic & Metadata Features

Geolocation Support

  • Geographic coordinates for monitors, events, and servers
  • Location-based event tracking and analysis

10. Development & Integration

Database Schema Evolution

The 1.37.x series includes approximately 79 database schema updates from 1.37.1 through 1.37.79, each introducing targeted improvements and new capabilities. Key architectural changes include:

  • Migration from string-based configuration to normalized relational tables
  • Introduction of extensible metadata storage systems
  • Enhanced foreign key relationships for referential integrity
  • Improved indexing for query performance

Upgrade Considerations

Breaking Changes

  • Permission system migration from comma-separated strings to normalized tables
  • Some configuration parameters have been renamed or restructured
  • Monitor soft delete may require updates to custom scripts that query monitor data

Compatibility

  • Version 1.36.x is still supported alongside 1.38.x (see SECURITY.md)
  • Database upgrades are handled automatically via update scripts
  • Backup your database before upgrading

System Requirements

  • Hardware acceleration features require compatible GPU and drivers
  • WebRTC streaming may require additional server configuration
  • MQTT integration requires MQTT broker setup

Community & Support

For detailed documentation, visit: https://zoneminder.readthedocs.org

Acknowledgments

This release represents the collaborative effort of the ZoneMinde...


The Memory Remains 1.36.37

22 Dec 18:26


Changes since 1.36.36

  • Fix building against FFmpeg 8.0
  • Warn=>Debug for first_dts logging
  • Fix for setting directory permissions in newer debian
  • Use libpcre2 instead of deprecated libpcre3
  • Updates to do_debian_package.sh
  • In zmaudit.pl die if we fail to resurrect an event. Delete events with id 0
  • Drop various foreign keys around Events table. We do this in 1.37 for performance/locking reasons. We are doing it here for zmrecover.pl
  • Add EXPLAIN output to filter debug
  • Docs: readthedocs fixes
  • Add net-tools for arp, pkexec, libuuid and remove libjson-xs-perl to debian dependencies
  • Small fix for Apache virtual server configuration instructions.
  • Deprecate packpack-based builds
  • Fix for zmrecover.pl due to LinkPath using a 2 digit year not 4 in Deep Storage
  • Improve the error message to indicate mysql library instead of client binaries
  • Fix for API events
  • Add deps for oracular, noble, trixie
  • Update telemetry url, add timezone to data
  • Correct escaping of \n\r and ' characters when escaping config entries on javascript side

Full Changelog: 1.36.36...1.36.37

The Memory Remains 1.36.36

03 Oct 20:54


Changes since 1.36.35

  • Fixup deletePath. Handle links, and report failures. Fix escaping the filename and put it in quotes in case it has spaces. Fixes #4446
  • Add build support for Debian trixie
  • Check for existence of modal before including it.
  • Trim any trailing / from storage path. Can cause problems Fixes #4371
  • Remove 100 limit on response to events index in api. Handle there not being a next or prev neighbour.
  • Fix deprecated AVCodecContext::channel_layout to use ch_layout
  • Fix sorting by Storage in events
  • Make events list sortable by Storage
  • Fix adding rotation when not needed.
  • Use translated yes instead of 'yes'. Fixes #4270
  • Populate status of monitors with Function=None to "Not Running"
  • Use validJsStr to escape things needed for config entries. Fixes GHSA-c7hj-fxh6-8g8j
  • Handle when an invalid ServerId is specified in the Monitor
  • Add support for Ubuntu oracular
  • Remove code that converts to mono audio
  • When encoding use AV_TIME_BASE_Q for output stream as well. Always calculate duration from pts instead of from potential input frame duration.
  • Add Support for the AV1 Codec
  • If ffmpeg can't figure out the size of the stream, default to what we entered in monitor.
  • Add readthedocs.yaml from master will hopefully fix docs building which has been broken for some time.
  • Fixes to stream scaling
  • Montage: Fix width and height not persisting. Check for valid value instead of validInt because we have px on the end. Clear cookie if not valid
  • Fix lack of support for rotation in ffmpeg 5.1 onwards
  • Update bootstrap-table to 1.23.5
  • Fix not being able to sort by EndDateTime Fixes #4190
  • Allow deselecting of all Monitor IDS
  • Disable reorder queue if doing encoding
  • Remove the modal content so that when choosing another group or new we get that instead of the first content
  • Destroying then re-applying chosen for some reason auto-selects all options. Fix the problem by fixing the table width with CSS so that the underlying select is already 100%.
  • Set any tables in a modal to 100% so that they fill the modal.
  • If no group id don't do sql lookup
  • Give an id to the newGroup[MonitorIds] select can look it up more efficiently when applying chosen rules
  • Don't bother making the UpdatedOn file NOT NULL by update. We don't actually care. Fixes #4180
  • Don't warn about no locale set, that is normal
  • Clean out duplicated datetimeformatter stuff that happens in config.php
  • Check for validity of locale. Handle fatal crash when setting datetimeformatter when an invalid locale is used. Fixes #4179
  • Add missing n breaking Date Formatter use
  • Add support for no sort field. No longer default to StartDateTime (makes filter sql more efficient)
  • Only require Date::Manip if using strtotime
  • Make NULL be case-insensitive in filters
  • Add checking of keyframeinterval to Ready()
  • Only calculate keyframe interval using video stream
  • Fix again the infinite loop in counting keyframes
  • Count keyframes on queuePacket so that analysis Ready() will start when out of order packets are present
  • Handle change of res/colours in zms by reloading the monitor object.
  • Fix crash due to trying to access event->StartTime when there is no event
  • Revert change of tot_score and avg_score to unsigned ints. Make them ints so that comparison with other scores is ok

The Memory Remains 1.36.35

22 Oct 15:17


Changes since 1.36.34

  • Merge in auto package building using github ci
  • On upgrade, always attempt re-applying the last db update. This helps when running proposed ppa
  • Only use fps_report_interval for the logging of fps updates. Always update the db. This fixes cameras being listed as offline despite being fine due to a very long fps update interval
  • Track Monitor_Status and FPS logging times separately. Update db every 10seconds.
  • Don't output the boundary if we aren't streaming. Single jpegs don't need it and something was complaining about it
  • Only output 403 status if not nph
  • Add MariaDB to docs
  • More ffmpeg5 deprecations
  • Handle ffmpeg6 deprecating (renaming) pkt_duration
  • ffmpeg7 fixes
  • Add logging of stream index in debug code
  • Remove deprecated reconnect setting for mysql
  • Auto reconnect when mysql is lost
  • Replace deprecated mysql_ssl_set with mysql_options()
  • Add getting the connection id from mysql and log it in zmDbDo. This is so that when mysql reports a dropped connection, we can figure out which process it was.
  • Add debugging of db failures
  • If an invalid port is specified, don't actually start the rtp threads. They don't get used in RTP/RTSP. Fixes [#3759]
  • Default end_time to start_time on event creation so that we don't get a negative duration
  • Don't start max score at -1 as that is not a valid value for the db.
  • Add support for DateTime and Server advsearch filters
  • Remove reorder_queue_size from output options to prevent logging
  • Add event->Duration and use it when considering min_section_length because the first keyframe may have been quite a while ago and we can end up closing an empty event.
  • Remove default of NOW from UpdatedOn in Monitor_Status field because old mysql can't handle it. Explicitly set it in zmc. Fixes [#4155]
  • Use htmlspecialchars on Message to prevent Stored Cross-Site Scripting. Fixes GHSA-rqxv-447h-g7jx
  • Fix crash in api when auth is turned off and you try to log in
  • Add End Date Time and None as options for sorting in filters, which allows us to create more efficient SQL queries.
  • Fix labelling for defaultCodec, as it is used for event viewing, not live view.
  • Only show location tab when GEOLOCATION is turned on
  • Fix zone edit image jumping around when status is alert
  • Handle change of res/colours in zms by reloading the monitor object.
  • Count keyframes on queuePacket so that analysis Ready() will start recording when there are enough packets in queue.
  • Make NULL be case-insensitive in filter rules

Full Changelog: 1.36.34...1.36.35

A lot of back ports from 1.37. One security vulnerability fix. The main thrust was the mysql and ffmpeg deprecations. All users are encouraged to upgrade.

Updating the sort field on your filters can have a significant effect on MySQL CPU/RAM use. For example, the Update Disk Space filter defaults to sorting by StartDateTime or ID, which makes MySQL not use the index on EndDateTime and DiskSpace. Since we don't care about the order in which we act on results, we don't need to sort at all. So on a large database this query can go from hitting every row in the table to almost none.

The Memory Remains 1.36.34

12 Aug 18:45


Changes since 1.36.33

  • Fix mouseEvent property names, allowing zooming into recorded events
  • Handle ffmpeg5 channel deprecations
  • Add Debian bookworm support
  • Add help text for OPTIONS_ALARMMAXFPS
  • Remove chowning /usr/share/zoneminder from docs.
  • docs: Spelling, fix missing db in database create for bullseye, add bookworm instructions
  • Clean up help text for ZM_LOG_DEBUG_FILE to not say that it can include a directory. It should be JUST a filename.
  • Do not allow directory names in ZM_LOG_DEBUG_FILE. Only log to ZM_LOG_DIR
  • Load the ZM::Event using the Event Model data instead of loading by Id which goes back to db for performance (API faster)
  • If no next bulk frame use Event data to estimate the delta to supply an image
  • remove duplicate event save when updating Disk Space
  • Allow caching of images in view=image
  • Improve logging wrt insufficient permissions
  • Update fail2ban.rules
  • Don't show bandwidth options if there are none to choose from
  • Update redhat build docs
  • Fix missing auth_relay on alarm xhr
  • Make objdetect modals 65% width to make it easier to see
  • Don't exit on segfault, perhaps allowing graceful shutdown
  • Switch from utf8 to utf8mb4 so that collation works
  • Handle failure to db query more gracefully
  • Transform date string to int to satisfy newer php
  • Add auth_relay to control command
  • ONVIF: Handle RateControl being undef
  • Restrict mid to a cardinal value. Fixes GHSA-9cmr-7437-v9fj
  • In detaintPath also strip :// because php:// is a way to inject code
  • Only allow Events Columns for sort. Fixes GHSA-2qp3-fwpv-mc96. Fixes GHSA-9cmr-7437-v9fj
  • Use https proxy instead of http since we now access an https url
  • Fix Auto Unarchive not deselecting
  • Define count. Fixes #3799
  • Add quotes around dbUser and dbPass to prevent command injection in zmcamtool.pl and zmupdate.pl
  • If group is empty, return false for canview so that it doesn't appear in dropdowns etc.
  • Only show groups that we can view
  • Revert change to cookie and cookie expire to fix loss of bootstrap table preferences. Add samesite
  • Info to Debug for login.
  • API: Always return an array in getCredentialsDeprecated
  • API: Don't try to do auth if auth is turned off
  • When ZM_AUTH_HASH_IPS is off, don't use remote ip in storing auth hash in session. If ips are constantly changing it breaks.
  • API: Don't assume findByEventidAndType actually returns a frame. If we are only recording, then there will be no alarm frames in the db
  • Make view does not exist an error instead of fatal
  • Handle ffmpeg 7 deprecations
  • Set fps and bandwidth to 0 on start and stop of zmc.
  • When editing buffer settings, ensure that MaxImageBuffers > PreEventCount.
  • Use either version or version.txt. Fixes #3798
  • Clear packet images even when there is an event, because we send it to the event, which will use the images and so we don't need them anymore. Also free analysis images even when not passthrough.
  • Set default value for rows per page using WEB_EVENTS_PER_PAGE. Fixes #3728
  • When save cookies via PHP >= 7.3.0, add handling of the "path" value in the options (session.php)
  • Change save button to a regular button that calls validateForm and don't set form.submit to validateForm. ValidateForm will now alert and switch tabs to better inform what the incorrect value is. Built-in validation doesn't work due to tabs and the invalid input not being focusable
  • Add UpdatedOn field to Monitor_Status and update it when updating Monitor_Status
  • Delete Monitor_Status records that haven't been updated in over a minute
  • Sanitise displayinterval,speed and scale parameters. Fixes GHSA-pjjm-3qxp-6hj8
  • Sanitise filter[Id] when parsing filter. Fixes GHSA-6rrw-66rf-6g5f
  • Move code to shutdown the process properly into exit_zms and use it when auth fails. This stops a segfault.
  • Limit scale to 16x mainly to put an upper bound on the amount of ram we might use.
  • Limit scale in montagereview to 1.1 to prevent requesting images larger than 100%
  • Add dependencies for ubuntu noble
  • Redo the event thread. Instead of analysis adding packets to an event specific queue, just pass in the iterator and let the event thread do its own locking. This allows us to free ram in packet in the event, and not segfault.
  • Move image_count to shared mem. Use it in monitorstream to detect when last_write_time % buffer_count hasn't changed, but there is in fact a new image. Should improve streaming when ImageBufferCount<=3. Should allow = 2.
  • Reset last_capture_image_count in connect so that we don't get negative fps reports and possible floating point exceptions
  • Don't log failure to get packet. Can only happen when stopping the packetqueue.
  • Handle non increasing timestamps from ffmpeg
  • Use last duration instead of 1 when adjusting dts when non-monotonic. Some googling indicates this might be a better approach. What I am seeing with a tapo C520WS agrees.
  • Update charset header in ja_jp.php from Shift_JIS to UTF-8
  • Always re-apply the latest update. Mainly because sometimes Isaac forgets to add the zm_update file when bumping versions, also in release branches, we increment version before release. zm_update scripts are always supposed to be re-runnable.
  • Limit segfaults to 1
  • Put swap file File::find into an eval because it can die in zmaudit.pl
  • Put back code that looks for iterators when cleaning packet queue. event thread can now have an iterator that follows analysis
  • Sometimes the initial keyframe packet will have AV_NOPTS for pts and dts. When this happens, set last_dts to -1 instead of 0, so that when the next packet comes in and sets the first_dts value, the resulting dts will be 0 which is > -1.
  • Update debian.rst, enable autostart of ZM at boot
  • If the css in cookie is invalid, clear it so that the logs don't fill up with the warnings
  • Don't log error when ignoring action if it is an ajax request
  • Handle more than one level of output buffering when cleaning and ending them so we can send the video file so we don't run out of ram. Fixes #4110

Full Changelog: 1.36.33...1.36.34

The Memory Remains 1.36.33

24 Feb 04:36


Changes since 1.36.32

  • Sanitise attr input in FilterTerm to prevent SQL Injection. Fixes GHSA-222j-wh8m-xjrx
  • Add object-src CSP directive to help prevent XSS
  • db: Add helper for escaping strings and use it on username retrieved from jwt to prevent SQL injection
  • use detaintPath on modal to prevent including other files instead of real modals
  • Check for valid date in minTime and maxTime to prevent SQL attack
  • Introduce check_datetime function to validate dates
  • Attempt to sanitize daemon and arguments before executing commands to prevent executing other programs.
  • Use validCardinal on MonitorId when creating snapshots to prevent executing other commands
  • Adjust size of text inputs MonitorName and Source Path Filters to match chosen inputs
  • test for existence of username in session to prevent error outputs when using AUTH_RELAY=plain
  • Move actions process to after the unauth check to prevent actions happening when unauthenticated
  • Fix detaintPath not stripping sequences like ..././
  • Escape <> in log messages to prevent html shenanigans. Fixes [#3596]
  • Don't start the statusCmdQuery on streaming start, because it is used when doing still updates. If we start it too fast, zms may not have started yet, causing errors in logs about zms
  • Set a short expiry 1min and set the cookie name to include the filter so that each and every filter gets its own pagination saved. Fixes [#3510]
  • Use reload instead of restart on zone save
  • Add reload to monitor zmcControl
  • Stop streams when clicking cancel/Save so that we don't log errors trying to access a dead zms. Fixes [#3643]
  • Adding :80 to address is not worthy of an Error log, fixes warnings in logs from various PTZ scripts
  • Add a sleeping flag so that when we get sigterm, we can just exit instead of returning to the sleep. Speeds up zoneminder shutdown
  • fix format endtime on events list on watch view
  • Include command line in debug output when generating images
  • Fix missing/corrupted pre-alarm frames in recording. Fixes #3656
  • Remove test for Enabled on monitor. Motion detection being disabled has nothing to do with manual triggering. Fixes [#3657]
  • Allow viewing of events whose Monitor[Function]=None
  • Remove stripslashes when saving config values. The values in REQUEST have not been escaped, so strip slashes is not appropriate. Fixes [#3655]
  • Apply chosen styles to dropdowns in Options, allowing text search
  • Queue packets instead of packet locks in event thread. Since we are using std::shared_ptr and not modifying the packet, should not need locking. Also, locking in one thread and unlocking in another is apparently undefined behaviour and doesn't work in freebsd.
  • fixes for freebsd
  • Don't wait for decode in Analyze, fixes some hangups on logrotate/shutdown
  • Hide timestamp caption from bottom of video.js event view. It serves no purpose. Fixes [#3488]
  • Add 2>&1 to command to delete event dir so that we get error messages logged.
  • Move code from Event to Storage to implement delete_path()
  • Use ajax() instead of getJSON with no timeout when deleting events.
  • Update monitor preset view: Use a submit button instead of input with javascript. Remove no longer needed js code. Sort presets by Name.
  • Fix saving Server modal. Form was incomplete, action and view were duplicated. Don't need javascript just use the submit button Save.
  • Improve info when moving event to show source and Dest paths
  • Remove dead code from report_event_audit.js
  • Use Y-m-d H:i:s instead of c for date formatting to match what datetimepicker expects. remove unused action input and put view in the get part of form action
  • Add styles to table headers to left align them to match the body
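The 1.36.33 security bullets above (allowlisting the FilterTerm attr, validating minTime/maxTime with check_datetime, detainting the modal path so that sequences like `..././` no longer survive, and running validCardinal on MonitorId before a snapshot command) share one pattern: request input that ends up in SQL structure, an include path, or a command line is validated against a strict shape rather than escaped. The block below is an added illustration in Python, not ZoneMinder's PHP code; the function names `filter_term_sql`, `check_datetime`, `detaint_path`, `resolve_modal`, `valid_cardinal` and `snapshot_command`, the `MODAL_DIR` location, the column allowlist and the `zmu` flags are all assumptions for this example. It also shows why a single pass over `../` is not enough and why a second check on the resolved path is worth keeping.

```python
"""Illustrative validators for the input classes the 1.36.33 fixes guard.

Added example (Python), not ZoneMinder code. Every name here is assumed for
the illustration; ZoneMinder's own PHP helpers differ in detail.
"""
import os
import re
from datetime import datetime
from typing import Callable, List, Optional, Tuple

# --- FilterTerm: a caller-chosen column name is structure, not data --------
# Allowlist of Events columns a filter may reference (assumed subset).
FILTER_ATTRS = frozenset({"Id", "Name", "Cause", "MonitorId",
                          "StartDateTime", "EndDateTime", "DiskSpace"})
FILTER_OPS = frozenset({"=", "!=", "<", "<=", ">", ">=", "LIKE"})


def filter_term_sql(attr: str, op: str, value: str) -> Tuple[str, List[str]]:
    """Return (sql_fragment, params): attr/op are allowlisted, value is bound."""
    if attr not in FILTER_ATTRS:
        raise ValueError(f"unknown filter attribute: {attr!r}")
    if op not in FILTER_OPS:
        raise ValueError(f"unknown operator: {op!r}")
    return f"`E`.`{attr}` {op} ?", [value]


# --- minTime/maxTime: exactly one accepted shape, or rejected ---------------
_DT_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d")


def check_datetime(value: str) -> bool:
    for fmt in _DT_FORMATS:
        try:
            datetime.strptime(value, fmt)
            return True
        except ValueError:
            continue
    return False


# --- detaintPath: one pass over '../' is not enough -------------------------
_DOTDOT = re.compile(r"\.\.[\\/]")
MODAL_DIR = "/usr/share/zoneminder/www/includes/modals"   # assumed location


def detaint_path_single_pass(path: str) -> str:
    """The weak form: '..././' turns into '../' after one substitution."""
    return _DOTDOT.sub("", path)


def detaint_path(path: str) -> str:
    """Substitute until nothing changes, then drop any leading slashes."""
    prev = None
    while prev != path:
        prev, path = path, _DOTDOT.sub("", path)
    return path.lstrip("\\/")


def resolve_modal(name: str, base: str = MODAL_DIR,
                  detaint: Callable[[str], str] = detaint_path) -> Optional[str]:
    """Map a request 'modal' name to a file under base, or None if it escapes.

    Detaint first, then re-check the resolved path: the second check catches
    whatever the regex missed, including the single-pass weakness."""
    candidate = os.path.normpath(os.path.join(base, detaint(name) + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# --- validCardinal: an id that reaches a command line is digits or nothing --
def valid_cardinal(value: str) -> Optional[int]:
    return int(value) if re.fullmatch(r"\d+", value) else None


def snapshot_command(monitor_id: str) -> Optional[List[str]]:
    """Build argv for zmu (flags assumed); an argv list, never a shell string."""
    mid = valid_cardinal(monitor_id)
    if mid is None:
        return None
    return ["zmu", "-m", str(mid), "-i"]


if __name__ == "__main__":
    # Constructed inputs of the kind the CTF findings used.
    print(detaint_path_single_pass("..././etc/passwd"))   # '../etc/passwd' survives
    print(detaint_path("..././etc/passwd"))               # 'etc/passwd'
    print(resolve_modal("..././../../etc/passwd", detaint=detaint_path_single_pass))
    print(filter_term_sql("Name", "LIKE", "%front%"))
    print(snapshot_command("3; rm -rf /"))                # None
```

The design point is the order of checks: the allowlist and the cardinal test decide on the raw request value, and the path case adds a second decision on the normalised result, so a gap in the regex (as the `..././` bug was) does not become a file include.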

Vulnerabilities addressed by this release

GHSA-h5m9-6jjc-cgmw CVE-2023-26036
GHSA-6c72-q9mw-mwx9 CVE-2023-26032
GHSA-65jp-2hj3-3733 CVE-2023-26037
GHSA-44q8-h2pw-cc9g CVE-2023-26039
GHSA-wrx3-r8c4-r24w CVE-2023-2603
GHSA-72rg-h4vf-29gr CVE-2023-26035
GHSA-222j-wh8m-xjrx CVE-2023-26034
GHSA-68vf-g4qm-jr6v CVE-2023-25825

Full Changelog: 1.36.32...1.36.33

The bulk of these issues were found during Perfect Blue's 2023 CTF event. https://ctf.perfect.blue/

Thank you to the participants and thanks for the responsible disclosures. We are stronger for it.

All users of ZoneMinder < 1.36.33 are hereby EXTREMELY STRONGLY recommended to update.

The Memory Remains 1.36.32

18 Nov 19:57


Changes since 1.36.31

  • More properly fix the alarm status api changing. The previous hack broke doing alarm on/off.
  • fix handle of SQL generation of IN array when array is empty. Just always return false.
  • Fix test for null in Object::find
  • Make inputs on filter action table 100%
  • Fix Warning when monitor is not visible
  • Switch to utf8mb4 to support 4 byte unicode Fixes [#3514]
  • Make search input the same size as other toolbar elements
  • Remove deprecated CAMBOZOLA references
  • Update Monitor symlinking, improving deleting old link when changing name
  • Fix zone deleting and fix an extra comma in default coordinates
  • Add libswscale6 and libswresample4 dependencies for ubuntu kinetic
  • Remove return type from session class methods. not supported in php5.4. Fixes breakage on centos7. Fixes [#3622]
  • Fix recalculating Event Disk Space a second time when updating.
  • Set xhrFields: withCredentials: true so that we send cookies with our streaming xhr requests so that we pick up new auth hashes
  • Add Access-Control-Allow-Credentials: true so that we can pass cookies along with xhr requests.
  • Add Cause, Notes and EndDateTime to available columns in events list on watch view
  • Make button on Filter Debug modal be Close instead of Cancel
  • Handle empty but defined REQUEST[action]
  • replace php Memcached with Apc on Fedora
  • Allow MonitorName as default sort field as well as Monitor
  • Try out just using connkey as the semaphore key instead of ftok in ajax streaming requests
  • Turn back on error_reporting, just don't display the error in json ajax requests.
  • Check for return value of openEvent. Fixes crash when openEvent fails
  • Fix infinite recursion in montagereview
  • Add error message when minTime >= maxTime in montagereview
  • Fix crash in zmfilter DiskSpace Update when Event doesn't exist
  • Make .form-group styles export page specific because they are affecting layout in modals
  • Cleanup the state modal. Fix form post
  • Set web backend db connection to utf8 Fixes [#3631]
  • implode the output from zmu to fix php complaint about array to string
  • convert strings into integers before doing math as of php 8.2 Fixes Unsupported operand types: string - int

Full Changelog: 1.36.31...1.36.32

The Memory Remains 1.36.31

17 Oct 23:12


Changes since 1.36.30

  • Fix failed login due to remoteAddr not being populated in session after regeneration
  • Use REQUEST instead of SESSION to store the post login redirect because we clear the session on login. Fixes [#3517]
  • Turn off logging of deprecation notices so that we work with php8.2

Full Changelog: 1.36.30...1.36.31