Software versions for FreePBX 14 and the SNG7 distro

We just had a security audit and a number of vulnerabilities were flagged on our FreePBX 13 install, related to running an older apache httpd version - 2.2.15. Here’s an example:

Apache HTTPD: ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167) (apache-httpd-cve-2017-3167)
Description: Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request.

Are there plans to update to a more recent version for the new distro built on FreePBX 14 and SNG7?

In general, is there an easy way to see what RPM versions are in SNG7?

Thank you - Richard


Was this

taken into account or did they simply checked the version number?

As Tony so eloquently put it the last time something like this came up, ie

that audit does not mean much if how Red Hat handles security backports was not taken into account…

Good luck and have a nice day!


These so called “tools” only every query the version of the binary.

Furthermore nothing in FreePBX uses “ap_get_basic_auth_pw” which is one of the mechanism for basic auth through httpd.

Hi Andrew!

I know…

The OP put so much emphasis on the version numbers that I was sure we were talking of a tool that only query version numbers and does not actually test if the vulnerability is actually there…

There are tools that actually test for vulnerabilities, I get bombarded with emails each time such a test is run on one of the systems at work… We block every single one of those hack attempts and I wish I could act on detecting it’s an hack attempt fail2ban-style but I am not allowed to act on it…

(They would not be able to test for all the vulnerabilities if I blocked them as soon as I detected an hack attempt…)

I worded my sentence like it was a question but I was pretty pretty sure of the answer…

The OP did mention that this was only an example and that there were others but they are more than likely already all addressed with the package we have…

There is a little something I will have to check if there’s a ticket or a newer package for but it’s something that I doubt many people use and you almost need physical access to the system to be able to do anything…

Have a nice day!


Thank you all for taking the time on Friday afternoon to answer. I was definitely skeptical and their focus seemed to be on generating as much paper (OK, as large a PDF) as possible.

It will be interesting to see if they will disclose what actual testing they did, versus grabbing the version number. I (naively) assumed they were checking patch levels.

Thank you - Richard

Always ask for “proof of concept”. Usually they are unable to provide.