CVE-2020-26566: Releases · Motion-Project/motion
A Denial of Service condition in Motion-Project Motion 3.2 through 4.3.1 allows remote unauthenticated users to cause a webu.c segmentation fault and kill the main process via a crafted HTTP request.
Release 4.5.1
Release Notes: 4.5.1
The documentation for the 4.5.1 release can be found in the Motion 4.5.1 Guide
The following summarizes the changes implemented in version 4.5.1
Fixes
- Fix closing of v4l2 devices
- Fix creation of pid file
- Add check for some mmal headers
- Fix pause when used as command line option
- Fix json pages when there are multiple cameras
- Fix codec for the mpeg4 container
- Fix rotation when used for v4l2 devices
Release 4.5.0
Release Notes: 4.5.0
The documentation for the 4.5.0 release can be found in the Motion 4.5.0 Guide
The following summarizes the changes implemented in version 4.5.0
Fixes
- Fix processing for native_language config option
- Fix MariaDB pkg-config for new name
- Fix cleanup when v4l2 open fails
- Fix sending of stale images to stream
- Fix path used when checking headers
- Fix double free when using extpipe.
- Fix setting of controls for v4l2 devices
- Fix processing for v4l2 devices when stride is not width
- Fix parsing of PGM files
- Fix scale of text when in debug mode
- Fix processing when camera is not initially available
- Fix double free when camera is lost frequently.
- Fix close on exec methods
- Fix processing for preferred codec with new ffmpeg versions
- Fix snapshots when using netcam high
- Fix extra event triggered upon quit
Enhancements/Revisions
- Updated translations
- Remove shared handle processing for sqlite3
- Revise log level for some messages
- Remove unused include module.
- Remove unused H264 palette code
- Do not translate the ignoring IP alert message
- Better processing of netcams that provide single jpg image
- Update documentation on how to use PI camera via libcamerify
- Update documentation on maximum number of cameras shown on web control page.
New Configuration Options
- Replace dbeventid with eventid
Release 4.4.0
Release Notes: 4.4.0
The documentation for the 4.4.0 release can be found in the Motion 4.4.0 Guide
The following summarizes the changes implemented in version 4.4.0
Fixes
- Use default for non ASCII characters in drawing
- Maximum movie time
- Guide updates
Enhancements
- Updated translations
- Lockout on failed authentications
- Hardware decoding for some network cameras
- User specification of ffmpeg options for network cameras
- Change default processing for http cameras.
New Configuration Options
- watchdog_tmo
- watchdog_kill
- pause
- webcontrol_lock_minutes
- webcontrol_lock_attempts
- webcontrol_lock_max_ips
Renamed Configuration Options
- vid_control_params -> video_params
- mmalcam_control_params -> mmalcam_params
Changed Configuration Options
- v4l2_palette use video_params
- input use video_params
- norm use video_params
- frequency use video_params
- netcam_highres use netcam_high_params
- netcam_keepalive use netcam_params
- netcam_proxy use netcam_params
- netcam_tolerant_check use netcam_params
- netcam_use_tcp use netcam_params
- netcam_decoder use netcam_params
- webcontrol_cors_header use webcontrol_header_params
- stream_cors_header use stream_header_params
Release 4.3.2
Release Notes: 4.3.2
The documentation for the 4.3.2 release can be found in the Motion 4.3.2 Guide
The following summarizes the changes implemented in version 4.3.2
Fixes
- Compiler warnings for newer distros.
- Use MHD function for url decoding
Release 4.3.1
Release Notes: 4.3.1
The documentation for the 4.3.1 release can be found in the Motion 4.3.1 Guide
The following summarizes the changes implemented in version 4.3.1
Fixes
- Compiler errors with GCC 10
- Overrides to CFLAGS
- Add maintainer mode
- Segfault when invalid camera directory specified
- MariaDB initializations
- Updated guide
Release 4.3.0
Release Notes: 4.3.0
The documentation for the 4.3.0 release can be found in the Motion 4.3.0 Guide
The following summarizes the changes implemented in version 4.3.0
Fixes
- Use default for non ASCII characters in drawing
- Removed poll requirement for MHD
- Implement revised configure and automake
- Updated testing for travis
- Revise MMAL to handle revisions from upstream.
- Fix movie start times
- Set the FPS on v4l2 devices
- Consolidate the JPEG code processing
- Fix substream processing for non modulo 16
- Ignore invalid data sent from rtsp cameras.
- Adjust the netcam handler wait and processing
- Answer incorrect web requests.
- Implement a delay upon excessive reconnect attempts
- Fix filetype specified for snapshots
- Guide updates
- Fix vbr calculation for high frame rates
Enhancements
- Updated translations
- Implement revised directory structure
- Implement optional decoder and encoders
- Allow for distros that use videoio.h
- Revise and enhance the sample service file
- Output to the log the resulting ext pipe command
New Configuration Options
- netcam_decoder
Release 4.2.2
Release Notes: 4.2.2
The documentation for the 4.2.2 release can be found in the Motion 4.2.2 Guide
The following summarizes the changes implemented in version 4.2.2
Fixes
- FreeBSD Compile
- Webcontrol quit/end
- Add stream_motion option
- Generic tracking option
- Delay stream when starting
- Hostname for IPV6
- Multiple source streams when using passthrough
- Guide update
Release 4.2.1
Release Notes: 4.2.1
The documentation for the 4.2.1 release can be found in the Motion 4.2.1 Guide
The following summarizes the changes implemented in version 4.2.1
Fixes
- Stream rate calculations
- Static library linking
- Eliminate updates to movie_passthrough via webcontrol
- Thread locking for movie_passthrough
- NULL terminator for EXIF
- Revised logging messages
- Guide update for mobile
Release 4.2
Release Notes: 4.2
The documentation for the 4.2 release can be found in the Motion 4.2 Guide
The following summarizes the changes implemented in version 4.2
New Configuration Options
- lightswitch_frames
- movie_passthrough
- native_language
- sql_query_stop
- stream_cors_header
- stream_grey
- stream_preview_method
- stream_tls
- threshold_maximum
- track_generic_move
- vid_control_params
- webcontrol_auth_method
- webcontrol_cert
- webcontrol_cors_header
- webcontrol_key
- webcontrol_tls
Renamed Configuration Options (old name -> new name)
- lightswitch -> lightswitch_percent
- logfile -> log_file
- ffmpeg_bps -> movie_bps
- ffmpeg_video_codec -> movie_codec
- ffmpeg_duplicate_frames -> movie_duplicate_frames
- extpipe -> movie_extpipe
- use_extpipe -> movie_extpipe_use
- max_movie_time -> movie_max_time
- ffmpeg_output_movies -> movie_output
- ffmpeg_output_debug_movies -> movie_output_motion
- ffmpeg_variable_bitrate -> movie_quality
- rtsp_uses_tcp -> netcam_use_tcp
- exif_text -> picture_exif
- output_pictures -> picture_output
- output_debug_pictures -> picture_output_motion
- quality -> picture_quality
- process_id_file -> pid_file
- switchfilter -> roundrobin_switchfilter
- text_double -> text_scale
- ffmpeg_timelapse_mode -> timelapse_mode
- motion_video_pipe -> video_pipe_motion
- webcontrol_html_output -> webcontrol_interface
- ipv6_enabled -> webcontrol_ipv6
Deprecated Configuration Options
- brightness (use vid_control_params)
- contrast (use vid_control_params)
- hue (use vid_control_params)
- power_line_frequency (use vid_control_params)
- saturation (use vid_control_params)
- stream_limit
- stream_motion
- substream_port
Revised functionality
- Distributed configuration files only have a subset of the options (see guide)
- Passthrough movie recording for many IP cameras
- All v4l2 control parameters for the camera can be set via vid_control_params
- Significant changes to webcontrol interface and streams (see guide)
- Additional conversion specifiers
- Functionality for generic tracking cameras
- Additional scaling for text on images
- Multiple language support
Fixes
- 422p palette support
- ppm file output
- image capture timing for network cameras
- various other bug fixes
Known Issues
- Shutdown when out of space (#605)
Updates to documentation
- Additional building instructions
Updates to required libraries
- Additional requirement for libmicrohttpd (mandatory)
- Optional gettext for native language support
- Additional requirement for webp (disable with the --without-webp configuration option)
Release 4.1.1
Release Notes: 4.1.1
The documentation for the 4.1.1 release can be found in the Motion 4.1.1 Guide
The following summarizes the changes for 4.1.1
Fixes
- Build on musl based systems
- jpeg decompression error processing
- image saving when using highres option
- filename for debug movie correction
Related news
Gentoo Linux Security Advisory 202208-18 - A vulnerability in Motion allows a remote attacker to cause denial of service. Versions less than 4.3.2 are affected.