Freepbx14 vulnerabilities

HakimzyanovA · December 11, 2019, 6:49am

Hello.
I have instance of freepbx14 from sangoma distro. I was scanned it throw vulners.com and was found multiply vulnerabilities with score 10, such as https://vulners.com/info/RHSA-2019:2091.
I was checked systemd version and it was vulnurable:

yum info systemd
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
Installed Packages
Name : systemd
Arch : x86_64
Version : 219
Release : 62.el7_6.7
Size : 23 M
Repo : installed
From repo : sng-updates

But “yum update” say “No packages marked for update”.
How I can fix it?

cynjut · December 11, 2019, 6:07pm

To my eye, you have two choices.

Strike out on your own and update the packages yourself. Some, like system, should update fine. Others, like PHP, will kill your system as sure as I’m typing, leaving you to figure out what errors are causing you to not be able to process.
Put the results in a file and upload that to a Feature Request ticket, It’s likely that the Sangoma team is already looking at your list and have a path forward to solve the issues, or have looked at similar notifications and have mitigated the issues to a safe level.

A third, unenumerated possibility would be for you to try one-at-a-time to upgrade the vulnerabilities yourself and report the successes up in Feature Request form one at a time.

FreePBX is a system of systems, so many of the pieces are anchored to older software until they can be upgraded, at which point, the entire system gets tested and updates are published. You can help by report successes and failures to Sangoma.

jfinstrom · December 11, 2019, 6:58pm

@mbignotti @mattf
This may be in progress but I agree open a ticket @ https://issues.freepbx.org

mattf · December 11, 2019, 7:53pm

I agree! Thanks for looking into it, and feel free to open a feature request/improvement ticket on the tracker.

Matt

jsmith · December 12, 2019, 8:27pm

The systemd 219-62.el7_6.7 RPM is certainly available for the FreePBX 14 distro.

[root@freepbx ~]# yum list systemd
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
Installed Packages
systemd.x86_64                                                                                                           219-62.el7_6.7                                                                                                           @sng-updates

HakimzyanovA · December 13, 2019, 4:33am

version < 219-67.el7 was vulnurable

unison · December 14, 2019, 6:40pm

I feel your pain.

We are a PBXAct customer, and from all accounts there is nothing for PBXAct after version 13.

Unfortunately this has us now looking at moving to another solution - as not been able to resolve vulnerability and keep the software supported isn’t an acceptable solution, especially when Sangoma can’t provide any roadmap for PBXAct!

jsmith · December 17, 2019, 4:14pm

It looks like I confused the versions “62” and “67” in my head – so sorry for the confusion here. There is indeed an updated version of systemd coming… I’ll reach out to the team inside Sangoma that works on distro updates and try to find out how much longer they expect this to take.

moussa854 · December 17, 2019, 4:42pm

The OP mentioned that the scan discovered multiply vulnerabilities on FreePBX 14 but only mentioned one, it will be nice if Sangoma run the scan on FreePBX 13, 14 and 15 and see what comes up and try to work on these vulnerabilities.

system · December 24, 2019, 4:42pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.