- Affects users of webservers not using .htaccess:
Moved php files outside of public html directory (Apache was protected
by .htaccess)
Some files could be accessed directly, leaking some information, like
the version in about.inc.php but not statistics because it doesn't have
DB access.
- Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input
Fix unescaped variables in ajax_search.php
to new (if you see messages with keywords like "Severity: %severity" you
need to do this) - at present there's a built-in converter but this won't
stay around forever.
- fix the local change to use crontab's new -n feature instead of cronic
in the sample additions for /etc/crontab. it had extra whitespace between
the username and the command which is not permitted syntax.
repeated below.
(upstream's normal setup these days is to provide only their own code
and rely on composer to fetch the dependencies. this isn't suitable for
OS packaging so I'm pregenerating a separate distfile with dependencies
instead. unfortunately the hook to copy across existing config to the
.env file is done from composer, so that doesn't work for us, so you
have to copy it yourself.)
Updating from 1.39 or earlier
=============================
As of 1.40, LibreNMS now uses the Laravel framework which requires some
additional setup. Upstream has code to copy this across from an existing
configuration initially, but it's not functional in this packaged
environment.
Generate an APP_KEY:
# cd /var/www/librenms
# doas -u _librenms /usr/local/bin/php-7.0 artisan key:generate
Copy this to the clipboard, then edit /var/www/librenms/.env and fill in the
relevant details.
It may also be necessary to raise max_connections in /etc/my.cnf;
https://community.librenms.org/t/new-requirements-for-1-40/4057
suggests doubling this value.
of scripts to fetch via composer - the port switches to a locally produced
tar with pre-fetched dependencies, a port cannot go to the net and fetch
files at build time.
- replace more hardcoded php binary names with ${MODPHP_BIN}, unbreaks some
scripts as we include the PHP release branch in the string (php-5.6 etc).
- drop php-mysql dependency, no longer required.