I agree here. I’ve been a Sangoma partner for many years and got no specific notice of this either, other than these topic threads. I happened to stumble on the topic because one of my systems was compromised.
I would hope that partners would be getting automatic notifications in these events.
This and the whole Trixie screw-up should have been mass emails to all active deployments on record that could have been notified. This is a major security issue, and the Trixie screw-up can brick systems.
Why were the partners the only ones that warranted such notifications while the rest of the users (paying and not paying) got left in the wind? Major issues like this shouldn’t be a case of one subset of users getting told and another not.
Funny thing is, the next big marketing push we’ll get emails.
@BlazeStudios I’m working with marketing to get a better understanding of why some didn’t get the post. Also, as Chris mentioned, we can probably come up with some additional solutions.
Nor did we get any email to our system-registered address. Perhaps @mwhite can advise what the outgoing mail server domain is so we can check for 550 errors; the two most expected ones return no connections in the maillog.
I don’t know which one this went out on (“webannounce@”), but I did receive it 3 days ago. I think it gets filtered with a lot of other noise, so it was not in my main box. Having a “security-noreply” or something related may not be a bad idea, because it can be whitelisted and flagged.
@penguinpbx Like most things in ICT, and I would agree with what I once read, having been involved with an open source project that’s very well known with millions of installs (not a big coder, more a beta tester and minor patch fixer, so I take no credit), anyway, the stats thrown around were: for every 100K users, 500 might be on GitHub/SourceForge, and 100 might be on said project’s forums/newsgroups/mailing lists (voluntary subscription to announce), so by their figures 99,500 per 100K are not even aware their machines have probably been 0wned.
If you want to dispute those figures, go for it, but I’d then say look at Fedora or Ubuntu and the millions of users they have; Canonical once said they have 3K users on their voluntarily subscribed user lists, 3K out of however many million single-site installs they claim to have.
The big difference here is that you collect our emails at ID registration time, so you should be able to send mass emails to everyone where everyone gets them. Yes, it can take time to send them all out, especially if whatever software you use or the mail servers themselves are not configured correctly; otherwise I’d expect a million emails to take no more than a few hours. That’s what we saw when I was 2IC in the NOC for a national ISP and needed mass mailouts, and we just used Mailman on Postfix. Pssst: announce messages don’t need pretty PNG/GIF/JPG/HTML/CSS fluff, they need the content.
Thanks @jfinstrom. I confirm no such connections here on either of our MXs, so the mass mail is still borked somewhere, or it’s still trying to send them out. I’d imagine, for reasons we all know, you’d be towards the very top of that list, so you get it earlier.
God… I hope they’re not using sendmail in its default config; it sends each message as a new message one by one, not grouping like Postfix does, which sends 100 at a time.
This only affects people with the commercial Endpoint module installed, does it not? A lot of people don’t use that or any other commercial modules. I guess it still affects people with it installed even if it is not used, which is unfortunate.
Hello,
I sent you a private reply. Thank you. I also looked at www.freepbx.org, www.sangoma.com and www.sipstation.com and did not see anything on the front pages. Granted, it sucks to advertise “hey, look, we have a problem”, but a simple note on the front page to please check this page would have been useful.
Hope you all had a good weekend.
Christian
It sounds like it may create new ampuser users in the DB and also new extensions. If you do a backup/restore, you would also restore those users and extensions. So it sounds to me like backup/restore could restore some of the things the malicious script does.
Received. I don’t think that adding this to freepbx.org is a terrible idea.
Here’s how I see it: as long as there’s software, there will be bad actors trying to exploit it. That said, it’s the response that matters. At the end of the day, our teams did a fantastic job of identifying and resolving the problem. A big thanks to @kgupta and team, @slobera, and @penguinpbx for the work they did. I’d also like to thank others from the community for stepping up, lending a hand, and providing valuable feedback so that we can continue to improve in all areas.