DOS Vulnerability in Asterisk chan_skinny CVE-2017-17090

Recently Asterisk have posted 2 security advisories of CVE-2017-17090 (AST-2017-013) and AST-2017-012.
The fixes for these advisory require Asterisk 13.18.3 and 13.18.4 respectively.
I am running the latest FreePBX patch 10.13.66-22; however, this version come with the latest Asterisk of 13.18.0.
I am wondering if FreePBX team has any plan to provide the next update for the version 10 with newer Asterisk?

Thank you,

Asterisk 13.18.3 is published now for the 10.13 distro. You can update with a yum update or asterisk-version-switch

Base on the article, the FreePBX patch 10.13.66-22 is latest for FreePBX v.10. And coming with this 10.13.66-22 is the Asterisk 13.18.0.

I followed your advise to run the yum update and head into a warning of unfinished transaction.
I therefore ran the yum-complete-transaction in order to check for the unfinished transaction and receive the following.

Package Arch Version Repository Size

audit-libs x86_64 2.2-4.el6_5 @anaconda-PBX-201403180405.x86_64/6.5 170 k
avahi-libs x86_64 0.6.25-12.el6_5.3 @anaconda-PBX-201403180405.x86_64/6.5 112 k
bash x86_64 4.1.2-15.el6_5.2 @anaconda-PBX-201403180405.x86_64/6.5 3.0 M
bfa-firmware noarch @anaconda-PBX-201403180405.x86_64/6.5 6.9 M
bind-libs x86_64 32:9.8.2-0.23.rc1.el6_5.1 @anaconda-PBX-201403180405.x86_64/6.5 2.2 M
binutils x86_64 @anaconda-PBX-201403180405.x86_64/6.5 9.4 M
ca-certificates noarch 2014.1.98-65.0.el6_5 @anaconda-PBX-201403180405.x86_64/6.5 2.9 M
cairo x86_64 1.8.8-3.1.el6 @anaconda-PBX-201403180405.x86_64/6.5 779 k
coreutils x86_64 8.4-31.el6_5.2 @anaconda-PBX-201403180405.x86_64/6.5 12 M
coreutils-libs x86_64 8.4-31.el6_5.2 @anaconda-PBX-201403180405.x86_64/6.5 5.4 k
cpp x86_64 4.4.7-4.el6 @anaconda-PBX-201403180405.x86_64/6.5 9.5 M
crda x86_64 1.1.1_2010.11.22-1.el6 …
@anaconda-PBX-201403180405.x86_64/6.5 2.4 M
system-config-firewall-base noarch 1.2.27-5.el6 @anaconda-PBX-201403180405.x86_64/6.5 2.3 M
tzdata noarch 2014h-1.el6 @updates 1.8 M
udev x86_64 147-2.51.el6 @anaconda-PBX-201403180405.x86_64/6.5 1.2 M
util-linux-ng x86_64 2.17.2-12.14.el6_5 @anaconda-PBX-201403180405.x86_64/6.5 5.7 M
wanpipe x86_64 @pbx1 62 M
xz x86_64 4.999.9-0.3.beta.20091007git.el6 @anaconda-PBX-201403180405.x86_64/6.5 476 k
xz-libs x86_64 4.999.9-0.3.beta.20091007git.el6 @anaconda-PBX-201403180405.x86_64/6.5 209 k

Transaction Summary

Remove 171 Package(s)

Installed size: 522 M

Looking at the install size of 522M, this seems to be a major update to the FreePBX system.

I am not familiar with this yum update method.
I only worked with the script update method before with FreePBX.

Is there a script update method to update the system like once posted here

Thank you.

Just utilize asterisk-version-switch instead.

The asterisk-version-switch shows me there are Asterisk 11, 13, and 14 as options to switch to.
I am currently on version 13, version 14 is currently in beta.
This is the outcome from the command:

Pick the Asterisk Version you would like to change to.
Press 1 and the Enter key for Asterisk 11
Press 2 and the Enter key for Asterisk 13
Press 3 and the Enter key for Asterisk 14 (Currently in beta)
Press 9 and the Enter key to exit and not change your Asterisk Version

Select 13.

I did exactly this and the Asterisk remain the same at 13.18.0 which is the version affected by the security advisory.
This page is still showing FreePBX 10.13.66-22 as the latest version of FreePBX 10
Is this in fact the latest version of FreePBX10?

Thank you.

1 Like

Yes we have the version online for at least 10.13.66-18

Connected to Asterisk 13.18.3

[[email protected] ~]# cat /etc/schmooze/pbx-version
1 Like

I reran the asterisk version switch again and it did upgrade to 13.18.3.

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.