2021-09-17 Security fixes release update

freepbx

(Kapil Gupta) #1

Hi All

We have done a couple of security fixes recently.

Please find the details of the fixes and the fixed module version information on the wiki pages below:

https://wiki.freepbx.org/display/FOP/2021-09-15+SQL+Injection+in+Asterisk+Manager+Users+Module
https://wiki.freepbx.org/display/FOP/2021-09-15+XSS+Injection+vulnerability+in+TTS%2C+Blacklist%2C+Bulk+handler+and+UCP+Module
https://wiki.freepbx.org/display/FOP/2021-09-15+XSS+Injection+vulnerability+in+Voicemail+Module

Best Regards
Kapil


Security Vulnerabilities 2021
(Lorne Gaetz) pinned globally #2

16 framework module bug
(Kapil Gupta) #3

For FreePBX-16, we have found some PHP 7.4 compatibility issues, so we need to update the framework first from the FreePBX Linux CLI before updating security fixes.

fwconsole ma downloadinstall framework --tag=16.0.10.31

Thanks
Kapil


Implode(): Passing glue string after array is deprecated. Swap the parameters
(Jared Busch) #4

While this is likely fine to say for a beta/unreleased setup such as FreePBX 16, this is not something that should ever be possible to even require.

You cannot expect users to do this, ever. Users update via the web interface, and that is it.

Yes, yes, exceptions. I am one. I update everything via a script, but it is still simply a fwconsole ma upgradeall. The modules update process needs to know how to handle things.


(Kapil Gupta) closed #5

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.