Ucp module - won't upgrade to 17.0.7?

All of my PBXes report they are running ucp 17.0.4.31 and are up to date after a

fwconsole ma upgradeall

But I’m getting emails saying that UCP should be upgraded to 17.0.7, which I see addresses

Unauthenticated Use of Hard-Coded Credentials Vulnerability in FreePBX UCP Interface · Advisory · FreePBX/security-reporting · GitHub

fwconsole ma upgradeall
No repos specified, using: [standard,extended,commercial] from last GUI settings

Up to date.
Updating Hooks…Done

fwconsole ma list | grep ucp
| ucp | 17.0.4.31 | Enabled | AGPLv3+ | Sangoma |

I can download 17.0.7 with wget.
wget https://mirror.freepbx.org/modules/packages/ucp/ucp-17.0.7.tgz
--2026-06-10 15:40:30-- https://mirror.freepbx.org/modules/packages/ucp/ucp-17.0.7.tgz
Resolving mirror.freepbx.org (mirror.freepbx.org)… 172.66.168.146, 104.20.22.216
Connecting to mirror.freepbx.org (mirror.freepbx.org)|172.66.168.146|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 4444977 (4.2M) [application/octet-stream]
Saving to: ‘ucp-17.0.7.tgz’

ucp-17.0.7.tgz 100%[===============================================================================>] 4.24M --.-KB/s in 0.1s

2026-06-10 15:40:30 (33.4 MB/s) - ‘ucp-17.0.7.tgz’ saved [4444977/4444977]

Why do all of my PBXes insist that they are up to date?

Should I do a downloadinstall to upgrade UCP on all the PBXes?
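A fleet check for the situation in the post above, as an added example that is not part of the original post or FreePBX's own tooling: it reads `fwconsole ma list` output and compares the installed UCP version against the fixed release 17.0.7 instead of trusting the "Up to date." message. The function names are hypothetical, the table layout is assumed to match the row quoted in the post, and the sample row is constructed from it.

```shell
#!/bin/sh
# Added example: flag a PBX whose UCP module is older than the fixed release,
# whatever "fwconsole ma upgradeall" reports.
FIXED_VERSION="17.0.7"   # fixed UCP release named in this thread

# module_version NAME: read `fwconsole ma list` table rows on stdin and print
# the version column for an exact module-name match (grep ucp would also
# match any other module whose name merely contains "ucp").
module_version() {
    awk -F'|' -v mod="$1" '{
        name = $2; ver = $3
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", ver)
        if (name == mod) { print ver; exit }
    }'
}

# version_lt A B: succeed only if dotted version A is strictly lower than B.
# Components are compared numerically, so 17.0.10 is not lower than 17.0.7,
# and a missing component counts as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# check_ucp: stdin is `fwconsole ma list` output.
# Returns 0 = at or above the fixed release, 1 = older, 2 = module not listed.
check_ucp() {
    ver=$(module_version ucp)
    if [ -z "$ver" ]; then echo "ucp: not listed"; return 2; fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "ucp $ver is older than $FIXED_VERSION"; return 1
    fi
    echo "ucp $ver is at or above $FIXED_VERSION"; return 0
}

# Constructed sample row, copied from the output quoted in the post.
SAMPLE='| ucp | 17.0.4.31 | Enabled | AGPLv3+ | Sangoma |'
printf '%s\n' "$SAMPLE" | check_ucp || true
```

On a PBX, the same check is `fwconsole ma list | check_ucp`, and the return code can drive alerting across the fleet.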

Thank you for the heads up. Confirmed there is a glitch with download of ucp 17.0.7 – was hoping to publish on the matter in more detail but still waiting on upstream CVE issuance after two requests across three business days.

To add some context… the flood of reports coming in due to AI is testing the limits of many security issue handling infrastructures, from top to bottom. As you may see in our security reports’ History sections (often authored by YT) and individual repo change logs, the FreePBX team is continuing to work through large, complicated, decade-old problems – some of the cobwebs spanning across multiple modules and requiring coordinated solutions.

Software companies have my sympathy right now. Thank you for all of your hard work.

Microsoft on this week’s Patch Tuesday released patches affecting more CVEs than were addressed by them in all of 2018.

Well, MS doesn’t have my sympathy. Other companies do, though.

Sympathy extended to Microsoft customers however, I hope. :winking_face_with_tongue: We are in that boat, for better or for worse.

Nothing is safe, and duplicate reports are plentiful.

I tried upgrading one PBX, and it seems to have successfully downloaded and installed 17.0.7.

Is all of this some of the ten years of issues that have to be unravelled?

ted [email protected]: this package is deprecated please use GitHub - xmppjs/xmpp.js: XMPP for JavaScript · GitHub
npm WARN deprecated [email protected]: You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.
npm WARN deprecated
npm WARN deprecated (For a CapTP with native promises, see @endo/eventual-send and @endo/captp)
npm WARN deprecated [email protected]: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028).
npm WARN deprecated [email protected]: Use uuid module instead
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: this package is deprecated please use https://www.npmjs.com/package/@xmpp/client

added 185 packages, and audited 186 packages in 9s

12 vulnerabilities (3 low, 4 moderate, 3 high, 2 critical)

To address issues that do not require attention, run:
npm audit fix

To address all issues possible, run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run npm audit for details.

Yes, the 17.0.7 versioning issue was resolved.

But the npm issue is a separate matter from that (although it is some older code related issue, agreed).