More info about security issue SEC-2016-002~004

Hello FreePBX,

Does anyone know where I can find more detailed information about the last security issues.
SEC-2016-002 SEC-2016-003 SEC-2016-004
We updated all modules offcourse, but we want to know what this issue was.
Many thanks for any onformation about this.

http://wiki.freepbx.org/display/FOP/2016-07-18+File+Delete+-+Directory+Traversal+in+Delete+in+Music+on+Hold

http://wiki.freepbx.org/display/FOP/2016-07-18+Multiple+XSS

http://wiki.freepbx.org/display/FOP/2016-07-18+Time+Variant+SHA1+Check+in+User+Manager

Andrew,

Thank you for this detailed information.

Hello everyone,

I saw the Security Issue warning today, so updated all the outdated module immediately, but after applying the config, the warning message still exist. After I tried to restart Asterisk via amportal restart command, but it still says that I need to upgrade them. Can anyone help me? Should I reboot the entire server to apply changes to the system, or it’s only bug of the “System Status” plugin?

By the way, I tried to find modules with exact names, which are displayed in warning (they’re music (Cur v. 12.0.1), userman (Cur v. 12.0.27), framework (Cur v. 12.0.76.3) and ucp (Cur v. 12.0.24) ), but I can’t find them in module list (with exact naming), neither throuth the web GUI, nor via the terminal (with module show like … command). I also tried to update system via yum update, but there’s nothing to update, as i’m doing regular updates to OS.

Please suggest how should I remove this scary red-printed warning message and how could I check whether I already have the latest version of those 4 modules or not (as I can’t find them with those names).

Thanks in advance.

Go to module admin and update all of your modules. Then delete the warning. It does not delete automatically.

Oh, I get it now, so i just need to delete it manually. :slight_smile:

I thought that it must disappear by itself after doing upgrades, as it does normally, after basic updates, informational notification is disappearing automatically. So, as soon as there’s nothing more to update in module admin, I can think that I had all the necessary bug-fixes and can delete this warning message with confidence.

Thanks a lot for your tip.

The warning did disappear without the need to delete, for me anyway.
It worked like this for me:

  • I went to check online, in module manager
  • I checked ‘show only upgradeable’
  • I clicked ‘upgrade all’ then ‘proceed’
  • it did update, then I went to dashboard BEFORE clicking on Reload
  • I got red warnings of having 268 tampered files,
  • i pressed ‘reload’ anyway
  • when it reloaded, the warnings were still there
  • then I went to module admin again and clicked on ‘check online’
  • when checked ‘show only upgradeable’, it has shown empty list, that’s OK,
  • so I went back to dashboard and there were no red warnings any more (only a yellow one I know about)
    that was all…

You are talking about a completely different warning.

OK but,

  • I have had the security issue warning before update,
  • I did not do anything to delete them before or after first update
  • I did not notice for 100% certain whether the security warning was there after first update, but I’m 95% certain it was not there - the tampered files warning sort of took its place
  • after second ‘check online’ in mm, there were NO red warnings in dashboard any more.
    Sorry for not being clear (enough).

The message will go away if you reach the event where the system checks online and it determines that you no longer have security updates. Or you check online manually. Or you delete the message in the GUI. Or you delete the message from the database manually.

The security warnings are also tied to signature warnings. So if you have a signature error (like you did) then the notice would be sent. If you fix said warning (by checking online and reloading like you did) then the message would go away.

For the Original Poster they can just delete the message manually in the GUI. No harm. If they didn’t really update everything then the next nightly check it would tell them

1 Like