Security Vulnerabilities 2021


(Canada) #1

There are 6 modules vulnerable to security threats:
voicemail (Cur v. 14.0.6.16) should be upgraded to v. 14.0.6.25 to fix security issues: SEC-2021-009
manager (Cur v. 13.0.2.7) should be upgraded to v. 13.0.2.10 to fix security issues: SEC-2021-010
blacklist (Cur v. 14.0.3) should be upgraded to v. 14.0.5 to fix security issues: SEC-2021-011
bulkhandler (Cur v. 13.0.23) should be upgraded to v. 13.0.24 to fix security issues: SEC-2021-011
tts (Cur v. 13.0.13) should be upgraded to v. 13.0.15 to fix security issues: SEC-2021-011
ucp (Cur v. 14.0.3.18) should be upgraded to v. 14.0.3.21 to fix security issues: SEC-2021-011

What’s the best site to read about these vulnerabilities?

I’m a little nervous to update my FreePBX 14 box because the yum updates have fallen quite behind. I think it could break the box. These vulnerabilities have made me paranoid enough, I’m thinking about spinning up a new FreePBX 15 box, updating it all the way, and restoring my nightly. The only thing I have not done before is transfer my Starter package license.

I do have a secondary FreePBX box running, however, I have been unsure of the backup module difference. For instance, on my FreePBX 14 box, I just dragged ALL of the options for backup to make sure I have everything backed up. On FreePBX 15, if I select this option, all 94 modules:

Is that everything, or do I have to add items to CUSTOM below it?
I want a complete backup of everything, Voicemail, IVRs, literally everything like I do with FreePBX 14, but I’m unsure of what items to choose with the way the new interface works… I looked for an updated manual, but for some reason I can’t find it for FreePBX 15.


(Kapil Gupta) #2

Please refer to 2021-09-17 Security fixes release update

thanks


(Canada) #3

As for the other part in regards to FreePBX 15 backup and Restore, I followed this thread:

But it did not provide me with the answers I need.


(Kapil Gupta) #4

Backup & Restore has been completely re-written in FreePBX 15+ systems. Please refer to https://wiki.freepbx.org/pages/viewpage.action?pageId=114852215 to learn about the new configuration options.


(Canada) #5

Okay I found the wiki:
https://wiki.freepbx.org/pages/viewpage.action?pageId=114852215

It basically seems to imply that if one backs up ALL modules and these two directories, that SHOULD include everything INCLUDING voice records, IVRs, etc. Is this correct, would this be a TRUE full backup? Basically if I do this and include these custom directories, and do a restore later, will I have EVERYTHING restored?

ASTSPOOLDIR/monitor
ASTETCDIR" to include *_custom.conf

If someone can confirm this really is a full backup that would be great.


(Canada) #6

Okay, this is driving me nutty. In FreePBX 14, if I chose local storage, backups were saved to here:
/var/spool/asterisk/backups/BACKUPNAME

As you can see this is still the case, however FreePBX 15 insists on having a filestore location. For ANY local location I add, when I run the backup I get PERMISSION denied, backup failed. The backup is running, and it DOES get saved in the original /var/spool/asterisk/backups/BACKUPNAME, but it NEVER gets copied to the local file path I choose, because FreePBX says it doesn’t have permissions to make that directory. I tried chmod’ing a directory with more rights; no matter what I do FreePBX says it doesn’t have rights to the file path and as a result the backup fails, but there is a copy in the default backup directory. Any way to just tell Backup & Restore to go with /var/spool/asterisk/backups/BACKUPNAME, as it already is?


(Canada) #7

Okay, so I figured out the local backup, one has to let the backup system fully create the local directory.

And just to clarify, if I back up ALL modules as well as:
ASTSPOOLDIR/monitor
ASTETCDIR" to include *_custom.conf

This will include the MySQL and Asterisk database, which should be a full backup? I can’t tell from the documentation listed here:
https://wiki.freepbx.org/pages/viewpage.action?pageId=114852215


(Jared Busch) #8

The updated backup module in FreePBX 15 does not back up the MySQL database.
It backs up the data in the database as json for each module.

The only database information found in a backup file is for the CDR and CEL, if selected.


(Jared Busch) #9

WTF? Insists on having? Of course you have to have a file location to save the backup. Just because FreePBX 15 added a way to easily have various options you get mad?

Go in to Settings -> Filestore and make a storage location.

Then go to your backup and choose it. Optionally append the backup name as part of the path.

There you go.

If you open it up you will see the /files/tmp folder holds the sql data for CEL & CDR. It also apparently holds something for Zulu and SMS, which I am not using.

And the modulejson folder holds the rest.



(Canada) #10

A default one. I have this all worked out. I think I was a little misunderstood. @sorvani I’m not mad. I just saw that they added a filestore location. Which you’re right is a REALLY good thing. And I see I can use the variable to point to the same place locally, so that’s great too. I just realized I had to let the backup user create the directory, instead of me creating it in the shell and pointing to the path. I have it all worked out. And thank-you for letting me know that MySQL isn’t being backed up. I have a script for that now.

It’s just different enough from FreePBX 14 that I wasn’t sure if everything was backing up in backup and restore if I chose all the modules, and then the 2 directories stated in the FreePBX 15 wiki for the new backup and restore module. I hope I’m not missing anything else, but I can test a restore and see. Sorry if I offended you. Thank-you for all that you contribute to the community. You were a great help to me when I was starting out with FreePBX. And you still are.


(Jared Busch) #11

You do not need it. You can make it if you want it for other reasons, but the restore function will not use it.


(Canada) #12

Okay, loud and clear, Thank-you.


(Canada) #13

@sorvani, just to clarify, if I back up ALL modules, and this:
ASTSPOOLDIR/monitor
ASTETCDIR" to include *_custom.conf

Would that be a FULL backup for FreePBX 15? I want everything, all module data (extensions, ring groups), voicemails, recordings, etc. Is there anything else I should add? The documentation seems to indicate this would be a full backup. I just want to make sure I have everything (like I did for my 14 box), and I am not missing anything.