Any idea on a release date for a patched kernel version?
uname -r
3.10.0-1127.19.1.el7.x86_64
[root@pbx sandy]# yum update kernel
Loaded plugins: fastestmirror, versionlock
Loading mirror speeds from cached hostfile
sng-base | 3.6 kB 00:00
sng-epel | 2.9 kB 00:00
sng-extras | 2.9 kB 00:00
sng-pkgs | 3.4 kB 00:00
sng-sng7php74 | 3.4 kB 00:00
sng-updates | 2.9 kB 00:00
No packages marked for update
Well what OS are you running? Those little things are helpful.
My bad:
cat /etc/os-release
NAME="Sangoma Linux"
VERSION="7 (Core)"
ID="sangoma"
ID_LIKE="centos rhel fedora"
VERSION_ID="7"
PRETTY_NAME="Sangoma Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:sangoma:sng:7::server:utf8"
HOME_URL="https://distro.sangoma.net/"
BUG_REPORT_URL="https://issues.sangoma.net/"
CENTOS_MANTISBT_PROJECT="Sangoma-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="sangoma"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
You’re on an EOL OS. SNG7 is EOL and isn’t getting updates.
Is there an OS upgrade path that’s fairly easy?
No, there isn’t. FreePBX v17 now uses Debian 12; you would have to do a complete new install. Basically, FreePBX v16 and lower are running on EOL OSes that cannot be patched.
Ok gives me something to do, thx
Remember you can do a backup of your current system, restore it to the v17 system and move any licenses after you’ve finished the migration.
I will do that. I am sure I will have to update the IP somewhere but I’ll figure that out when I get to it.
Relevant topic with more details on the CVE: Copy Fail - CVE-2026-31431 and FreePBX
Webinar to help with upgrades to v17:
Thanks, I’ve already set up a Debian 12 VPS server and installed FreePBX, but I will definitely take a look at this video, and of course I still need to back up the other system and get that over here and working.
Anyone know how to move commercial licenses from one deployment on a server to the new Debian 12 on a different server and deployment? They have a 25 year life.
“Remember you can do a backup of your current system, restore it to the v17 system and move any licenses after you’ve finished the migration.”
The same process as always. You do a Zend Release on the current system and then associate the new system with that system ID.
I have never done that, so let me see if I can find some detail online.
I posted this in another thread, but I’m in the same boat. Can’t likely install FPBX v17 until next month. For now, I believe this blacklists the module from loading with the kernel when the system starts up. Haven’t tried it yet, since the Internet at large doesn’t have access to the FPBX server so the risk would be rather limited I’m thinking.
grep CONFIG_CRYPTO_USER_API /boot/config-$(uname -r) # This shows =y, so loaded with the kernel
grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
reboot
cat /proc/cmdline | grep initcall_blacklist # to verify that it's been blacklisted.
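An added check, written here and not taken from the thread or any poster, for confirming after the reboot that the workaround above actually took effect: it verifies that algif_aead_init itself is an entry of the initcall_blacklist list (the grep above would match any initcall_blacklist string), and reports whether that cmdline knob is even the relevant one for how CONFIG_CRYPTO_USER_API_AEAD is built. The sample config and cmdline strings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): verify the initcall_blacklist
# workaround instead of grepping for any "initcall_blacklist" string.
# Uses the CONFIG_CRYPTO_USER_API_AEAD option and algif_aead_init name.

# Succeed (return 0) only if the kernel command line blacklists
# algif_aead_init. initcall_blacklist takes a comma-separated list and
# may appear more than once, so every occurrence and entry is checked.
cmdline_blacklists_aead() {
    for tok in $1; do
        case "$tok" in
            initcall_blacklist=*)
                # Surround with commas so only an exact entry matches,
                # not a longer name that merely starts with it.
                case ",${tok#initcall_blacklist=}," in
                    *,algif_aead_init,*) return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# Print how the AEAD user-space API is built, given the text of a
# kernel config file: "builtin" (=y), "module" (=m) or "absent".
aead_api_build_type() {
    case "$1" in
        *CONFIG_CRYPTO_USER_API_AEAD=y*) echo builtin ;;
        *CONFIG_CRYPTO_USER_API_AEAD=m*) echo module ;;
        *) echo absent ;;
    esac
}

# Combine both: the cmdline blacklist is the relevant knob only when the
# code is built into the kernel (=y), as on the SNG7 box in the thread.
mitigation_status() {
    case "$(aead_api_build_type "$1")" in
        builtin) if cmdline_blacklists_aead "$2"; then echo mitigated; else echo exposed; fi ;;
        module) echo not-builtin ;;
        absent) echo not-built ;;
    esac
}

# Constructed sample (not captured from a real host) mirroring the thread's case.
SAMPLE_CONFIG='CONFIG_CRYPTO_USER_API=y
CONFIG_CRYPTO_USER_API_AEAD=y'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz ro quiet initcall_blacklist=foo_init,algif_aead_init'
mitigation_status "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE"   # prints: mitigated
# On a live host: mitigation_status "$(cat /boot/config-$(uname -r))" "$(cat /proc/cmdline)"
```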
Thanks. Yea, I migrated to V17 on another server, seems to have gone well but I have not tested it yet, waiting until the weekend. Someone suggested this as an interim step but I did not try it:
#!/bin/bash
set -euo pipefail
LOG="/root/pbx-security-hardening.log"
echo "===== PBX Security Hardening Started: $(date) =====" | tee -a "$LOG"
# --------------------------------------------------
# 1. Kernel hardening (SAFE sysctl only)
# --------------------------------------------------
echo "[*] Applying kernel hardening sysctls..." | tee -a "$LOG"
cat > /etc/sysctl.d/99-pbx-security.conf <<EOF
# Kernel info leak reduction
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
# ptrace protection (prevents process injection)
kernel.yama.ptrace_scope = 1
# filesystem hardening
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# network hardening
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
sysctl --system | tee -a "$LOG"
# --------------------------------------------------
# 2. Disable unused services (safe on PBX)
# --------------------------------------------------
echo "[*] Disabling unnecessary services..." | tee -a "$LOG"
for svc in cups avahi-daemon rpcbind nfs-server; do
systemctl disable --now $svc 2>/dev/null || true
done
# --------------------------------------------------
# 3. Fail2Ban sanity check
# --------------------------------------------------
echo "[*] Checking Fail2Ban status..." | tee -a "$LOG"
fail2ban-client status | tee -a "$LOG" || true
# --------------------------------------------------
# 4. SIP exposure warning check
# --------------------------------------------------
echo "[*] Checking exposed SIP port..." | tee -a "$LOG"
if ss -lunp | grep -q ":5060"; then
echo "[!] SIP port 5060 is LISTENING - ensure firewall restricts it to provider IPs" | tee -a "$LOG"
fi
# --------------------------------------------------
# 5. Apache security baseline check
# --------------------------------------------------
echo "[*] Ensuring Apache security baseline..." | tee -a "$LOG"
grep -q "SSLProtocol" /etc/httpd/conf.d/ssl.conf && \
echo "[OK] SSL config present" | tee -a "$LOG" || \
echo "[WARN] SSL config may need review" | tee -a "$LOG"
# --------------------------------------------------
# 6. Asterisk process visibility check
# --------------------------------------------------
echo "[*] Asterisk process status..." | tee -a "$LOG"
ps aux | grep asterisk | grep -v grep | tee -a "$LOG" || true  # "|| true": with pipefail, no match would otherwise abort the script here
# --------------------------------------------------
# 7. Summary
# --------------------------------------------------
echo "===== HARDENING COMPLETE =====" | tee -a "$LOG"
echo "IMPORTANT:" | tee -a "$LOG"
echo "- This does NOT patch kernel CVEs (CentOS 7 limitation)" | tee -a "$LOG"
echo "- Primary protection is firewall + SIP restriction" | tee -a "$LOG"
echo "- Migration to Debian 12 / FreePBX 17 is strongly recommended" | tee -a "$LOG"
It went well. There was a learning curve on the Postfix email setup, plus I changed hostnames and SMTP to SES from Gmail, so it took me a while to get email working after receiving a fax or voicemail; it seems to work now. Thx.