
Recommended VICIdial Security Upgrade Notice: April 2022

Posted: Tue Apr 19, 2022 8:13 am
by mflorell
Please read this carefully as it contains important information regarding the security of your VICIdial system.

Due to the recent discovery of several new security risks in the admin and agent web interface code, we have rolled out an update to the VICIdial code-base. These vulnerabilities have been patched and we have added additional code that further secures the web-facing portions of VICIdial. Any system that is at SVN revision 3583 or greater already has these changes (March 7, 2022). If your system is below that version, we strongly recommend that you upgrade VICIdial to address these concerns.

Instructions for how to connect to our public SVN server to get the latest code are available here:
http://wiki.vicidial.org/doku.php?id=svn

You can also find recent snapshots of the svn code available here:
https://www.vicidial.org/svn_trunk_nightly/

If you have a VICIhost account with us, know that we have already upgraded all servers and there is nothing that needs to be done on your end.

This Upgrade Notice covers several separate CVEs that have been submitted by several different people and organizations over the last few months, and those CVEs will be published in the near future by the people and organizations that reported them. All of these vulnerabilities involve PHP specifically, and most of them require authenticated user access to your VICIdial system to exploit. Most of these exploits involved incomplete PHP input variable filtering. As a result of these reports, we spent several weeks reviewing every PHP script in the VICIdial codebase for input variables and filtering. We also made some security changes to make the system more secure by default.

If you have any questions about this notice, please contact us or reply to this post.

Re: Recommended VICIdial Security Upgrade Notice: April 2022

Posted: Thu Jul 21, 2022 11:20 am
by bronson
Hi Matt, does the most recent Vicibox iso at http://www.vicibox.com/server/index.html contain the most recent SVN?

Re: Recommended VICIdial Security Upgrade Notice: April 2022

Posted: Fri Jul 22, 2022 6:27 am
by mflorell
When you install VICIbox, it will download the latest svn/trunk code, so YES, it will have this.

Re: Recommended VICIdial Security Upgrade Notice: April 2022

Posted: Fri Jul 22, 2022 12:06 pm
by bronson
mflorell wrote: When you install VICIbox, it will download the latest svn/trunk code, so YES, it will have this.


Perfect, thank you!

Re: Recommended VICIdial Security Upgrade Notice: April 2022

Posted: Sat Aug 19, 2023 1:15 pm
by kashyapking
Thanks for the information.
I suggest that when we run the vicibox-install command, we can use the --legacy option to enable legacy mode,
and this option will give the latest version of svn which is available, or we can choose a specific version if we want to install one.
So it will be easier to find the latest version of svn via this option to install vicibox on the server.

Hope this helps!

Re: Recommended VICIdial Security Upgrade Notice: April 2022

Posted: Sat Aug 19, 2023 10:22 pm
by carpenox
The latest SVN is installed by ViciBox 10 or now 11 automatically. You can install a specific version you want by using the following commands:
cd /usr/src/astguiclient/trunk
svn up -r 3550 (or whatever revision you want)
But then you'll have the problem of matching the db schema. Refer to this guide for help - https://dialer.one/useful-commands-to-m ... l-servers/
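
A check for the revision threshold given in the notice at the top of this thread, as an added example that is not part of any post here and is not VICIdial project code: it classifies the output of `svnversion` against r3583 and treats a mixed working copy (`LOW:HIGH`) by its lowest revision. It assumes the checkout at /usr/src/astguiclient/trunk (the path quoted in the thread) is the one the system was installed from; the script name `check_rev.sh` and the function name are hypothetical.

```shell
#!/bin/sh
# Added example, not VICIdial project code.
PATCHED_REV=3583   # first patched revision, per the April 2022 notice

# check_svnversion "<output of svnversion>"
# returns 0 = at/above patched revision, 1 = below, 2 = cannot determine
check_svnversion() {
    ver=$1
    # svnversion appends flags: M = modified, S = switched, P = partial
    nums=$(printf '%s' "$ver" | sed 's/[MSP]*$//')
    case "$nums" in
        ''|*[!0-9:]*)
            echo "UNKNOWN: not a Subversion working copy ($ver)"
            return 2 ;;
    esac
    # A mixed working copy reports LOW:HIGH; the lowest revision decides,
    # because some files are still at LOW.
    low=${nums%%:*}
    [ -n "$low" ] || { echo "UNKNOWN: unparsable revision ($ver)"; return 2; }
    note=""
    case "$ver" in
        *M*) note=" (local modifications present; review them with 'svn status')" ;;
    esac
    if [ "$low" -ge "$PATCHED_REV" ]; then
        echo "OK: r$low >= r$PATCHED_REV$note"
        return 0
    fi
    echo "UPGRADE: r$low < r$PATCHED_REV$note"
    return 1
}

# Stand-alone use: sh check_rev.sh /usr/src/astguiclient/trunk
if [ -n "${1:-}" ]; then
    check_svnversion "$(svnversion "$1" 2>/dev/null)"
fi
```

A working copy pinned with `svn up -r 3550` reports UPGRADE here, since r3550 is below the patched revision named in the notice.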