@rnmixon wrote:
We just had a security audit and a number of vulnerabilities were flagged on our FreePBX 13 install, related to running an older apache httpd version - 2.2.15. Here's an example:
Apache HTTPD: ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167) (apache-httpd-cve-2017-3167)
Description: Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request.Are there plans to update to a more recent version for the new distro built on FreePBX 14 and SNG7?
In general, is there an easy way to see what RPM versions are in SNG7?
Thank you - Richard
Posts: 6
Participants: 3