Recommended VICIdial Security Upgrade Notice: April 2022

Any and all non-support discussions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Recommended VICIdial Security Upgrade Notice: April 2022

Postby mflorell » Tue Apr 19, 2022 8:13 am

Please read this carefully as it contains important information regarding the security of your VICIdial system.

Due to the recent discovery of several new security risks in the admin and agent web interface code, we have rolled out an update to the VICIdial code-base. These vulnerabilities have been patched and we have added additional code that further secures the web-facing portions of VICIdial. Any system that is at SVN revision 3583 or greater already has these changes(March 7, 2022). If your system is below that version, we strongly recommend that you upgrade VICIdial to address these concerns.

Instructions for how to connect to our public SVN server to get the latest code are available here:
http://wiki.vicidial.org/doku.php?id=svn

You can also find recent snapshots of the svn code available here:
https://www.vicidial.org/svn_trunk_nightly/

If you have a VICIhost account with us, know that we have already upgraded all servers and there is nothing that needs to be done on your end.

This Upgrade Notice covers several separate CVEs that have been submitted by several different people and organizations over the last few months, and those CVEs will be published in the near future by the people and organizations that reported them. All of these vulnerabilities involve PHP specifically, most of them require authenticated user access to your VICIdial system to exploit. Most of these exploits involved incomplete PHP input variable filtering. As a result of these reports, we spent several weeks reviewing every PHP script in the VICIdial codebase for input variables and filtering. We also made some security changes to make the system more secure by default.

If you have any questions about this notice, please contact us or reply to this post.
mflorell
Site Admin
 
Posts: 18383
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Recommended VICIdial Security Upgrade Notice: April 2022

Postby bronson » Thu Jul 21, 2022 11:20 am

Hi Matt, does the most recent Vicibox iso at http://www.vicibox.com/server/index.html contain the most recent SVN?
bronson
 
Posts: 96
Joined: Thu Oct 14, 2021 10:34 am

Re: Recommended VICIdial Security Upgrade Notice: April 2022

Postby mflorell » Fri Jul 22, 2022 6:27 am

When you install VICIbox, it will download the latest svn/trunk code, so YES, it will have this.
mflorell
Site Admin
 
Posts: 18383
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: Recommended VICIdial Security Upgrade Notice: April 2022

Postby bronson » Fri Jul 22, 2022 12:06 pm

mflorell wrote:When you install VICIbox, it will download the latest svn/trunk code, so YES, it will have this.


Perfect, thanks you!
bronson
 
Posts: 96
Joined: Thu Oct 14, 2021 10:34 am

Re: Recommended VICIdial Security Upgrade Notice: April 2022

Postby kashyapking » Sat Aug 19, 2023 1:15 pm

Thanks for information.
I suggest when we can do vicibox-install command, we can use --legacy option to enable legacy mode,
and this option will give latest version of svn which is available or we can choose specific version if we want to install.
So, it will be easier to find latest version of svn via this option to install vicibox on server.

Hope this helps!
Vicibox10 | Version: 2.14b0.5 | SVN Version: 3743 | DB Schema Version: 1690 | Asterisk Version: 13.38.2-vici
visit us @ https://www.kingasterisk.com | skype: kingasterisk | wa @ +17864142610
kashyapking
 
Posts: 22
Joined: Fri Aug 18, 2023 11:32 am

Re: Recommended VICIdial Security Upgrade Notice: April 2022

Postby carpenox » Sat Aug 19, 2023 10:22 pm

The latest SVN is installed by ViciBox 10 or now 11 automatically, you can install a specific version you want by using the following commands:
cd /usr/src/astguiclient/trunk
svn up -r 3550 (or whatever revision you want)
But then you'll have the problem of matching the db schema. Refer to this guide for help - https://dialer.one/useful-commands-to-m ... l-servers/
Alma Linux 9.4 | SVN Version: 3889 | DB Schema Version: 1721 | Asterisk 18.21.1 | PHP8
www.dialer.one -:- 1-833-DIALER-1 -:- https://linktr.ee/CyburDial -:- WA: +19549477572
GC: https://join.skype.com/ujkQ7i5lV78O | DC: https://discord.gg/DVktk6smbh
carpenox
 
Posts: 2418
Joined: Wed Apr 08, 2020 2:02 am
Location: St Petersburg, FL


Return to General Discussion

Who is online

Users browsing this forum: Google [Bot] and 15 guests