How to patch the "Zero Day" vulnerability CVE-2015-7547 and CVE-2015-5229 in Xorcom PBX Systems

From Xorcom Wiki

Instructions for Resolving the Product Security Vulnerabilities Recently Reported by Red Hat

The stack-based buffer overflow "Zero Day" vulnerability in glibc (the GNU C library, whose resolver code is libresolv) tracked as CVE-2015-7547 and CVE-2015-5229 was published on February 16, 2016. Red Hat Product Security has rated this update as having critical security impact: "A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library."

Please note that CentOS-5 based systems (Elastix v.1.6.x and v.2.x - Xorcom's XR1000/2000/3000, XE2000/3000, TS2000/3000) are not affected.

Below are instructions for patching Xorcom systems running CompletePBX v.4.x, grouped by the underlying Linux distribution:

  • CentOS-6 based CompletePBX v.4.x: CXR1000/2000/3000, CXE2000/3000, Blue Steel CXT3000/4000, CTS2000/3000, Blue Steel CXTS3000/4000
  • Debian Jessie-based: Spark CXS1000


For All CompletePBX models, except Spark (CXS1000)

Check the currently installed glibc version:

    rpm -q glibc

If the installed package version is less than 2.12-1.166, then the upgrade is required (rpm prints the package as name-version-release.arch, so compare the version-release part).

1. Make sure that the PBX has Internet access.

2. Run the following commands:

    yum clean all
    yum update glibc

3. Reboot the PBX.


For Spark (CXS1000) Models

Check the currently installed libc6 version:

    dpkg -l libc6

If the installed package version is less than 2.19-18+deb8u3, then the upgrade is required (the version is shown in the third column of the dpkg -l output).

1. Make sure that the PBX has Internet access.

2. Run the following commands:

    apt update
    apt install libc6 libc-bin multiarch-support locales

3. Reboot the PBX.
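The "is the installed version less than the fixed one" decision in both sections above (glibc on CentOS-6 models, libc6 on the Spark CXS1000) is easy to get wrong by eye, because strings such as "deb8u10" sort before "deb8u3" alphabetically even though they are newer. The script below is an added example and not Xorcom's own tooling: it compares package versions numerically field by field, reads the installed version with the same rpm/dpkg tools the page uses, and reports whether the update (and the reboot after it) is still needed. The minimum versions and package names come from this page; the helper names and the sample version strings in the demonstration are constructed for the example.

```shell
#!/bin/sh
# Added example (not Xorcom's own script): decide whether the glibc/libc6
# package on a CompletePBX system is below the fixed version named on the
# wiki page. Package names, minimum versions and query tools are the ones the
# page uses (rpm/yum on CentOS-6, dpkg/apt on Debian Jessie); the function
# names and the sample version strings at the bottom are this example's own.

# Compare two package version strings field by field. Every run of digits is
# one numeric field; '.', '-', '+' and letters only separate fields, so
# "2.12-1.166.el6_7.7" becomes 2 12 1 166 6 7 7. Missing trailing fields
# count as 0. Prints -1, 0 or 1 for a < b, a = b, a > b.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, fa, /[^0-9]+/); nb = split(b, fb, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? fa[i] + 0 : 0
            y = (i <= nb) ? fb[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# True (exit 0) when the installed version is older than the minimum fixed one.
needs_upgrade() {
    [ "$(vercmp "$1" "$2")" -lt 0 ]
}

# Minimum fixed versions, exactly as stated on the wiki page.
CENTOS6_GLIBC_MIN="2.12-1.166"
JESSIE_LIBC6_MIN="2.19-18+deb8u3"

# Installed version on a CentOS-6 CompletePBX: version-release only, without
# the "glibc-" prefix and the ".x86_64" suffix that plain "rpm -q glibc" prints.
installed_glibc_centos6() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc 2>/dev/null | head -n 1
}

# Installed version on a Spark CXS1000 (Debian Jessie): the Version field only.
installed_libc6_jessie() {
    dpkg-query -W -f='${Version}\n' libc6 2>/dev/null
}

# Print the verdict for one system. Returns 0 when an upgrade is still
# required, 1 when the installed package is already at or above the fix,
# 2 when the package could not be queried at all.
report() {
    label=$1; installed=$2; minimum=$3
    if [ -z "$installed" ]; then
        echo "$label: package not found, cannot check"
        return 2
    fi
    if needs_upgrade "$installed" "$minimum"; then
        echo "$label: installed $installed < required $minimum, upgrade required"
        return 0
    fi
    echo "$label: installed $installed >= required $minimum, already patched"
    return 1
}

# On the PBX itself, run the line matching the model:
#   report "CentOS-6 glibc" "$(installed_glibc_centos6)" "$CENTOS6_GLIBC_MIN"
#   report "Jessie libc6"   "$(installed_libc6_jessie)"  "$JESSIE_LIBC6_MIN"
# Offline demonstration with constructed version strings (not real readings):
report "CentOS-6 glibc" "2.12-1.149.el6_6.9" "$CENTOS6_GLIBC_MIN" || true
report "Jessie libc6" "2.19-18+deb8u3" "$JESSIE_LIBC6_MIN" || true
```

The numeric comparison is what makes "2.19-18+deb8u10" correctly rank above "2.19-18+deb8u3"; it ignores epochs and letter-only differences, which is enough for the version strings on this page but is not a general replacement for rpm's or dpkg's own version ordering. Step 3 (reboot) is not optional: the updated library only lands on disk, while Asterisk and every other running process keep the old copy mapped until they are restarted, so run the check again after the reboot to confirm the installed version now meets the minimum.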