Debian 12 FreePBX 17 ffmpeg with multiple vulnerabilities

The FreePBX 17 Debian repository contains the ffmpeg package 5.1.4-10.sng12, which has multiple vulnerabilities (CVE-2024-7272, CVE-2024-32230 and many others).

Is it safe to upgrade this package to the patched version from the Debian apt repository (comment out the FreePBX repository, run apt update && apt upgrade, then uncomment the FreePBX repository)?

You can use the ffmpeg package from Debian, and there is an option on the FreePBX 17 Install Script that installs it (--noaac).

The ffmpeg package from the Sangoma repo, which is installed by default, is only required if you need to play sound files encoded with the AAC codec. If that is not your case, you can use the ffmpeg package from Debian.

There is a better way to do this via APT pinning.
Append this to the file /etc/apt/preferences.d/99sangoma-fpbx-repository:

Package: ffmpeg
Pin: origin deb.freepbx.org
Pin-Priority: 1

and then execute

apt update && apt upgrade
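
A way to confirm the pin took effect before upgrading, added here as an example and not part of the original posts: it parses `apt-cache policy ffmpeg` output and reports whether the candidate version is still offered by deb.freepbx.org. The function names, the `9.9.9-EXAMPLE` version and the repository paths in the sample output are constructed placeholders.

```shell
# Constructed samples; only 5.1.4-10.sng12 and deb.freepbx.org come from the thread.
# Print the source of each repository line under the Candidate version (stdin: `apt-cache policy <pkg>`).
candidate_sources() {
  awk '
    $1 == "Candidate:" { cand = $2; next }
    /Version table:/   { in_table = 1; next }
    !in_table          { next }
    {
      line = $0; sub(/^ \*\*\*/, "", line)      # drop installed-version marker
      n = split(line, f, " ")
      if (n == 2 && f[2] ~ /^-?[0-9]+$/) { cur = f[1]; next }  # "<version> <priority>" header
      if (cur == cand) print f[2]                              # "<priority> <source> ..." line
    }'
}

# 0: candidate not offered by origin $1; 1: it is; 2: unparseable
candidate_avoids_origin() {
  sources=$(candidate_sources)
  [ -n "$sources" ] || return 2
  case "$sources" in
    *"//$1/"*) return 1 ;;
    *)         return 0 ;;
  esac
}

sample_pinned() { cat <<'EOF'
ffmpeg:
  Installed: 5.1.4-10.sng12
  Candidate: 9.9.9-EXAMPLE
  Version table:
     9.9.9-EXAMPLE 500
        500 http://deb.debian.org/debian bookworm/main amd64 Packages
 *** 5.1.4-10.sng12 100
          1 http://deb.freepbx.org/EXAMPLE bookworm/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

sample_unpinned() { cat <<'EOF'
ffmpeg:
  Installed: 5.1.4-10.sng12
  Candidate: 5.1.4-10.sng12
  Version table:
 *** 5.1.4-10.sng12 500
        500 http://deb.freepbx.org/EXAMPLE bookworm/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}
# Live use: apt-cache policy ffmpeg | candidate_avoids_origin deb.freepbx.org
```

A non-zero exit on the live system means `apt upgrade` would keep or reinstall the Sangoma build, so the preferences file should be rechecked before upgrading.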
