
Modules vulnerable to security threats have been automatically updated


(John Jarrett) #1

I am using FreePBX Distro 14.0.5.2 and I received emails about the vulnerable modules and when I logged in the above showed up as well… which is really cool. The Apply config button was visible and I hit Apply.

In my Dashboard, it continues to advise me that the vulnerable module was auto upgraded and I cannot get rid of it. I hit the - (minus) sign and after a refresh or going back from another page it still shows up.

I went to "resolve", which takes me to Module Admin, and nothing is new to update since it apparently auto updated. I also tried a fwconsole ma upgrade framework since that was the vulnerable module and nothing was available since it was already updated.

How do I get rid of this allegedly fixed vulnerability warning from my Dashboard?


Modules vulnerable to security threats have been automatically updated stuck on dashboard
(Andrew Nagy) #3

This is a bug. You should report it.


(Sentinel) #4

Confirmed. Same issue here.


(John Jarrett) #5

Okey Dokey! Will do and Thanks!!!

John


(John Jarrett) #6

Just an FYI, this morning when I logged into my FreePBX to get versions for the bug report, it was perfectly fine… no warning shown.

Did create a bug report.


(Jared Busch) #7

Link it next time, to make it easier for others to also reply.

https://issues.freepbx.org/browse/FREEPBX-18650

Added some screenshots and comments myself.


(Andrew Nagy) #8

I see there is some confusion in the ticket.

Firstly, setting your system to email only will still allow it to update vulnerable modules. If you don’t want that then you need to go to advanced settings and disable it. But you will still be vulnerable unless you upgrade manually (this is normally referred to as opt-in).

Secondly, this notice is correct. It fixes users who have installed the distro and then in 24 hours their systems updated for the security issue in May (which is really just cross site scripting vulnerabilities which are not major) and as a result dashboard exploded. If we didn’t bump this then people will keep reporting Pico feed errors. Right now we are at 40 duplicate bug reports of an issue that was fixed in September.

Thirdly, for as long as I can remember, any and all module installations and updates will set the apply config button to on. I don’t think the updates need to tell you why you need to hit that button as any module update will make you hit it so that items are symlinked and updated correctly.


(John Jarrett) #9

Hi Andrew…

All I was seeking was a way to delete the warning after I saw it and acted upon it by hitting the Apply instead of waiting 24 hours for a cron job to delete it.

Did I do something I shouldn’t have?

John


(Andrew Nagy) #10

No, I am responding in general to the comments in the ticket you opened that are not your own.


#11

I am getting this warning as well and I did click on apply configuration. Restarted FreePBX, still showing message, and updates says no updates, but the message persists.

Are you saying the message will clear in 24hrs automatically?


(Andrew Nagy) #12

I am saying this is a bug. Please wait until a work week for a fix. Thanks.


(Itzik) #13

I went to module admin, hit “Check Online” then went back to the dashboard, hit the Minus icon, refreshed, and it does not re-appear.


(Moe Hammond) #14

Yep same thing for me, but with this I have another weird symptom. Calls outside of network used to work just fine (Two way audio) but then now it works only one way.

I am also getting the error “critical Errors found” and Invalid Websocket Transport for Zulu


(Itzik) #15

This is usually a NAT issue, and I think you should create a new topic for that, as it’s unrelated to this subject.


(Jared Busch) #16

There was no need to hit “Check Online” at all. The module was already updated. Clicking the minus would have removed the message.


(John Jarrett) #17

In your case that worked. The reason I wrote this post was the fact that when I hit the minus button the warning did not disappear. Nothing I did made the notification remove itself. Time took care of the issue in my case as might apparently have for others.
Therefore the post that such was a bug from one of the developers and to report it.


(Itzik) #18

Original Post:


(Moe Hammond) #19

I have done thorough debugging, restarted firewall, configured static outbound NAT, restarted FreePBX, nothing worked. Only one way RTP stream and nothing coming from FreePBX after this update … it only occurred after this update, not before.

Anyway, I will create a new post. Thanks for your help.