Freepbx14 vulnerabilities

Hello.
I have instance of freepbx14 from sangoma distro. I was scanned it throw vulners.com and was found multiply vulnerabilities with score 10, such as https://vulners.com/info/RHSA-2019:2091.
I was checked systemd version and it was vulnurable:

yum info systemd
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
Installed Packages
Name : systemd
Arch : x86_64
Version : 219
Release : 62.el7_6.7
Size : 23 M
Repo : installed
From repo : sng-updates

But “yum update” say “No packages marked for update”.
How I can fix it?

To my eye, you have two choices.

  1. Strike out on your own and update the packages yourself. Some, like system, should update fine. Others, like PHP, will kill your system as sure as I’m typing, leaving you to figure out what errors are causing you to not be able to process.

  2. Put the results in a file and upload that to a Feature Request ticket, It’s likely that the Sangoma team is already looking at your list and have a path forward to solve the issues, or have looked at similar notifications and have mitigated the issues to a safe level.

A third, unenumerated possibility would be for you to try one-at-a-time to upgrade the vulnerabilities yourself and report the successes up in Feature Request form one at a time.

FreePBX is a system of systems, so many of the pieces are anchored to older software until they can be upgraded, at which point, the entire system gets tested and updates are published. You can help by report successes and failures to Sangoma.

@mbignotti @mattf
This may be in progress but I agree open a ticket @ https://issues.freepbx.org

I agree! Thanks for looking into it, and feel free to open a feature request/improvement ticket on the tracker.

Matt

The systemd 219-62.el7_6.7 RPM is certainly available for the FreePBX 14 distro.

[[email protected] ~]# yum list systemd
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
Installed Packages
systemd.x86_64                                                                                                           219-62.el7_6.7                                                                                                           @sng-updates
1 Like

version < 219-67.el7 was vulnurable

I feel your pain.

We are a PBXAct customer, and from all accounts there is nothing for PBXAct after version 13.

Unfortunately this has us now looking at moving to another solution - as not been able to resolve vulnerability and keep the software supported isn’t an acceptable solution, especially when Sangoma can’t provide any roadmap for PBXAct!

It looks like I confused the versions “62” and “67” in my head – so sorry for the confusion here. There is indeed an updated version of systemd coming… I’ll reach out to the team inside Sangoma that works on distro updates and try to find out how much longer they expect this to take.

1 Like

The OP mentioned that the scan discovered multiply vulnerabilities on FreePBX 14 but only mentioned one, it will be nice if Sangoma run the scan on FreePBX 13, 14 and 15 and see what comes up and try to work on these vulnerabilities.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.