CVE-2014-6271 ShellShock Bash Exploit

jfinstrom is talking about the distro, which is not the same as FreePBX installed on top of Linux.

We are waiting for them to release the patches to the yum repository for centos. When you install freepbx on top of centos, it alters centos and tells it to look elsewhere (freepbx) for centos updates.

Sorry, I didn’t mention that I am actually running the distro. I’m by no means an expert here, so I’ve no idea if it reflects a larger issue, or merely my lack of patience and I just need to wait until the update has ‘filtered down the chain’, as it were…

From what I gather from this thread, the update may not be available until tomorrow 9/26.

Thanks. Look forward to seeing it when it is.

I updated one of my machines tonight, but when I tried to yum update bash on an older FreePBX Distro (1.813.210.58-1), I was told that there is no update available…

Any suggestions?

There’s a lot of miscommunication and misunderstanding here.

First off, yes, I am talking about the “Schmooze” Distro. Also, of note: both @jfinstrom and I work for Schmooze. Originally many of you blindly posted multiple topics on/about this without taking the time to look at our banner and follow through to this thread. As of now I have merged all of your posts here for consolidation and locked the other threads (so don’t be offended if you find your thread locked).

At 3pm PST I checked both a 5.211.x distro and a 6.12.x distro. Both have the updated version of bash in the repo.

[root@localhost ~]# cat /etc/schmooze/pbx-version
5.211.65-17
[root@localhost ~]# yum list bash
Installed Packages
bash.i686                                4.1.2-15.el6_4                                   @updates
Available Packages
bash.i686                                4.1.2-15.el6_5.1                                 updates

I just checked again and both have this version. If you are on anything less than 5.211.x I recommend you take the following steps to upgrade your distro.

http://wiki.freepbx.org/display/FD/Updating+FreePBX+Official+Distro

For the 1.8 track (which is not able to go any higher than 1.8) I am not sure at this time.

Did the yum update bash. Just saw the last line, not sure what that means: “Total download size: 887 k
Is this ok [y/N]: Exiting on user Command”. Not sure if the update is OK now?
Thanks

No, you skipped the update through a command of your own.

yum update bash

OK, just ran it again, so the missed-approval mistake is now corrected. Just to confirm, is the update for every version, including 12 beta? Thanks

Just tried the other and received this reply:
yum update bash
Loaded plugins: fastestmirror, kmod
Loading mirror speeds from cached hostfile
Setting up Update Process
No Packages marked for Update

Remember folks, this is precautionary. I have been scanning an un-updated system and have yet to find a successful attack vector through the web UI. The POC attack vectors are SSH post-auth, Apache CGI, DHCP. Apache CGI is the one we would be most concerned about, as the other 2 shouldn’t generally be a high risk unless you have people on your network you don’t trust and/or someone has your SSH credentials. I am scanning a 2.11 system on the FreePBX distro. If you are running something like Elastix with an old FreePBX (2.8, 2.9) I would be more concerned, as those had some CGI stuff.

Hello all,

OK running SHMZ release 6.5 final distro.
We got the Bash patch yesterday which upgraded us to 4.1.2-15.el6_5.1 (thanks)

My understanding is that the patch for CVE-2014-6271 didn’t fix everything so another patch has been released - bash version should be 4.1.2-15.el6_5.2 (ie fixes CVE-2014-7169).

Is 4.1.2-15.el6_5.2 being rolled out to the distro as per the previous patch?

Tested bash manually as per (argh can’t post links) and still vulnerable.

Our freepbx servers are behind firewalls etc but our internal security scans will no doubt flag up the vulnerability!

Many thanks, Seb

I believe seb50 is correct. There is a second BASH update that was released last night: 4.1.2-15.el6_5.2

From securityblog.redhat.com:

Update 2014-09-26 02:20 UTC

Red Hat has released patched versions of Bash that fix CVE-2014-7169. Information regarding these updates can be found in the errata. All customers are strongly encouraged to apply the update as this flaw is being actively attacked in the wild.
Fedora has also released a patched version of Bash that fixes CVE-2014-7169. Additional information can be found on Fedora Magazine.
Update 2014-09-25 16:00 UTC

Red Hat is aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.
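An added self-check, written by the editor and not taken from this thread or from the Schmooze/FreePBX project, that ties the two build numbers quoted above to the function-import test Red Hat published for CVE-2014-6271. It assumes an EL6-style rpm database for the version report (it prints "unknown" elsewhere) and only knows the two builds named in this thread; any other build string is reported as "unlisted" rather than guessed at. The marker string, the variable name SS_TEST and the function names are the editor's own.

```shell
#!/bin/sh
# Editor's example (not from the thread). Two independent checks for a box:
#  1. what bash package rpm says is installed, classified against the two
#     EL6 builds quoted in the thread;
#  2. the published function-import test for CVE-2014-6271: a patched bash
#     imports the variable as plain text, a vulnerable one also runs the
#     command that follows the function body.

# Builds quoted in the thread (el6_5.1 fixes 6271 only, el6_5.2 also 7169).
FIXED_6271="4.1.2-15.el6_5.1"
FIXED_7169="4.1.2-15.el6_5.2"

# Print VERSION-RELEASE of the installed bash package, or "unknown" when
# rpm is not available (non-RPM systems, containers without rpm).
rpm_bash_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' bash 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# Classify a VERSION-RELEASE string against the thread's two builds.
# Prints one token: patched | partial | unlisted.
classify_el6_bash() {
    case "$1" in
        "$FIXED_7169") echo patched ;;   # CVE-2014-6271 and CVE-2014-7169
        "$FIXED_6271") echo partial ;;   # CVE-2014-6271 only
        *)             echo unlisted ;;  # compare against vendor errata
    esac
}

# Red Hat's self-test for CVE-2014-6271, run against the local bash only.
# Return codes: 0 = not vulnerable, 1 = vulnerable, 2 = no bash on this host.
bash_function_import_check() {
    command -v bash >/dev/null 2>&1 || return 2
    # SS_MARKER (constructed value) only appears if bash executed the
    # trailing "echo" while importing the function definition.
    out=$(env SS_TEST='() { :;}; echo SS_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SS_MARKER*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Human-readable summary combining both checks.
report() {
    ver=$(rpm_bash_version)
    echo "installed bash: $ver ($(classify_el6_bash "$ver"))"
    rc=0
    bash_function_import_check || rc=$?
    case "$rc" in
        0) echo "function import test: not vulnerable to CVE-2014-6271" ;;
        1) echo "function import test: VULNERABLE, update bash now" ;;
        *) echo "function import test: bash not found, nothing to test" ;;
    esac
}

# Uncomment to run the summary directly:
# report
```

The classification is deliberately conservative: a later vendor build (anything other than the two strings above) comes out as "unlisted" so that nobody reads "patched" off a string the script has never seen. The import test says nothing about CVE-2014-7169, which is why the version report is kept alongside it; on a distro whose yum still shows el6_5.1 as the newest package, "partial" is the expected answer until the el6_5.2 build lands in the repo.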

I’m in the 1.818.210.58-1 crowd from the looks of it. So I’m assuming I do nothing for now.

Sorry about posting a new thread back there but I DID search for the bash problem first but not for “CVE-2012-6271”. I may be a Noob, but I DID try before posting a new topic.

Unfortunately it looks like the yum update bash doesn’t work because of my Distro version, which has an unknown solution. I’ll follow the thread for a future fix.

Thank you for the work everyone does here. The forum is great and the efforts are really appreciated.

Ok, just went to Admin --> System Admin and it reports this:

PBX Firmware:4.211.64-7
PBX Service Pack:1.0.0.0

Are you saying this is outdated even though I keep up with the module updates?

You need to run the update scripts.

Keep in mind FreePBX itself can only manage its own modules. This issue IS NOT A FREEPBX MODULE ISSUE it is an OS level issue. You should keep both your OS and FREEPBX up to date.

Anyone rolling their own system or using an OS/Distro from a different vendor should also keep up to date through the methods those OS/Distros provide. For example, if you are on PIAF you would follow @wardmundy’s post in his forums, which advises how to update PIAF systems.

Ok, this may summarize it for everyone else who may still be confused.

I didn’t realize my freepbx was out of date even though all the modules are current. I was on version 4.211.64. There is a link above to the scripts. I ran the script inside centos and it upgraded freepbx to version 5.211.

After upgrading to 5.211, I noticed that as a result the BASH shell was also upgraded.

Jfinstrom says “Keep in mind FreePBX itself can only manage its own modules. This issue IS NOT A FREEPBX MODULE ISSUE it is an OS level issue. You should keep both your OS and FREEPBX up to date.”

But here is the thing you need to realize. Once FreePBX is installed on top of a Linux OS like CentOS, it strips out the normal CentOS repositories and replaces them with FreePBX repositories. This is where the confusion is, because apparently FreePBX is no longer maintaining those repositories, as every time I would run ‘yum update’ it found nothing.

So, long story short, you have to be on the current production version of 5.2 or the beta version of 6 to receive yum updates. Updates for FreePBX distro 4.2 are apparently not maintained.

If anyone is unclear on how to check their version of freepbx, go to Admin --> System Admin

Tom

Ah! Mine was also a 4.211. Upgrading as I write. Thanks a bunch.

I believe a correction is needed here. Installing FreePBX on any supported OS, or even updating it within FreePBX itself, does NOT strip anything from your OS; running the update scripts is what does that. Please understand the difference between FreePBX and the FreePBX distribution.