[Qa-jenkins-scm] [jenkins.debian.net] 01/01: mitigate jenkins remote execute 0-day
Helmut Grohne
helmutg at moszumanska.debian.org
Sat Nov 7 16:12:06 UTC 2015
This is an automated email from the git hooks/post-receive script.
helmutg pushed a commit to branch master
in repository jenkins.debian.net.
commit 4d3f5807cc2505d791c72ad88aef42abdfd4bebb
Author: Helmut Grohne <helmut at subdivi.de>
Date: Sat Nov 7 17:08:18 2015 +0100
mitigate jenkins remote execute 0-day
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
It seems that two channels need to be secured. The first is a custom tcp
port which is firewalled anyway. The other part is urls starting with
/cli. Instead of filtering this entry point in jenkins (and thus
breaking bin/abort.sh), we apply the filtering in apache. Thus a local
execute vulnerability remains, but we didn't care about those earlier.
---
hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net
index 02dfb52..b5d39a8 100644
--- a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net
+++ b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net
@@ -17,6 +17,7 @@ NameVirtualHost *:443
# map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs
ProxyPass /d-i-preseed-cfgs/ http://localhost:8080/userContent/d-i-preseed-cfgs/
ProxyPass /userContent !
+ ProxyPass /cli !
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
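Review bot: the new `ProxyPass /cli !` line is the only entry in this block without a comment, while the `/d-i-preseed-cfgs` mapping two lines above it documents its purpose; add a one-line comment carrying the advisory URL from the commit message (e.g. `# block the Jenkins CLI entry point, see https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli`) so the exclusion is not mistaken for dead config and dropped later. The placement itself is right: mod_proxy evaluates ProxyPass entries in configuration order and the first match wins, so the `!` exclusion must sit before the catch-all `ProxyPass / http://localhost:8080/ nocanon`, as it does here. With `!` the request is handed back to Apache's own handling (normally a 404 from DocumentRoot), so after the reload verify that `https://jenkins.debian.net/cli/` and an encoded variant such as `/%63li/` come back without the `X-Jenkins` response header that Jenkins adds to everything it serves.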
@@ -149,6 +150,7 @@ Use common-debian-service-https-redirect reproducible-builds.org
# map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs
ProxyPass /d-i-preseed-cfgs/ http://localhost:8080/userContent/d-i-preseed-cfgs/
ProxyPass /userContent !
+ ProxyPass /cli !
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
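Review bot: this is the same exclusion applied by hand to a second vhost whose proxy block is a verbatim copy of the first (the same three `ProxyPass` lines plus `ProxyPassReverse`); the hunk header shows the file already uses mod_macro (`Use common-debian-service-https-redirect reproducible-builds.org`), so move the shared proxy block, including the new `/cli` exclusion, into a macro and `Use` it from both vhosts, otherwise the next mitigation risks being added to one vhost and missed in the other. Note also that the exclusion only protects requests routed through these two vhosts; as the commit message says, anything that can reach port 8080 directly (local users, or any other vhost proxying to it) is still unfiltered.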
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/qa/jenkins.debian.net.git
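The mitigation above depends on two properties of the reverse-proxy rule that are easy to get wrong when the same idea is reimplemented elsewhere (another proxy, an nginx `location`, a servlet filter): the prefix must be compared on a whole path segment, and it must be compared against the decoded, normalised path rather than the raw request-target. The following Python is an added example that is neither part of the jenkins.debian.net configuration nor Apache's mod_proxy code; it models that decision for the `/cli` prefix and puts a raw string prefix check beside a segment-aware check on the normalised path. The normalisation steps (query stripping, percent-decoding, slash collapsing, dot-segment resolution) are an assumption about what a well-behaved front end does before matching, and the request paths are constructed for the demonstration.

```python
"""Path-exclusion matcher for a reverse proxy in front of Jenkins.

Added example, not jenkins.debian.net configuration and not Apache
mod_proxy code. It models the decision `ProxyPass /cli !` has to make:
block /cli and everything below it, leave /clients and ordinary Jenkins
URLs alone, and do so on the normalised path so encoded or dotted
variants cannot slip past to the backend. Sample targets are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

# Prefixes kept away from Jenkins; the diff adds exactly one, "/cli".
EXCLUDED_PREFIXES = ("/cli",)


def normalise(raw_target: str) -> str:
    """Turn a raw request-target into the path the rule is matched on.

    Drop the query string, percent-decode, collapse repeated slashes and
    resolve "." / ".." segments. This is an assumption about what a
    well-behaved front end does before its lookup, not a transcription
    of Apache's implementation.
    """
    path = raw_target.split("?", 1)[0]
    path = unquote(path)
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    # normpath resolves dot segments and strips a trailing slash; ".."
    # can never climb above "/" because the path is absolute.
    return posixpath.normpath(path)


def is_excluded(raw_target: str) -> bool:
    """Segment-aware prefix check on the normalised path (the safe version)."""
    path = normalise(raw_target)
    return any(path == p or path.startswith(p + "/") for p in EXCLUDED_PREFIXES)


def naive_is_excluded(raw_target: str) -> bool:
    """Raw string prefix check: wrong in both directions, kept for contrast."""
    return any(raw_target.startswith(p) for p in EXCLUDED_PREFIXES)


# Constructed request-targets an attacker or a legitimate client might send.
SAMPLE_TARGETS = [
    "/cli",                 # plain CLI entry point
    "/cli/",                # trailing slash
    "/cli/?remoting=true",  # query string must not matter
    "/%63li",               # percent-encoded "c"
    "/./cli",               # dot segment
    "/userContent/../cli",  # parent segment through a legitimate prefix
    "//cli",                # duplicate slash
    "/clients",             # shares the prefix string, different segment
    "/job/foo/build",       # ordinary Jenkins URL that must keep working
]


def classify(targets=SAMPLE_TARGETS) -> dict:
    """Map each target to 'blocked' or 'proxied' under the safe matcher."""
    return {t: ("blocked" if is_excluded(t) else "proxied") for t in targets}


def naive_mistakes(targets=SAMPLE_TARGETS) -> list:
    """Targets where the raw prefix check disagrees with the safe matcher."""
    return [t for t in targets if naive_is_excluded(t) != is_excluded(t)]


if __name__ == "__main__":
    for target, verdict in classify().items():
        print(f"{target:24} {verdict}")
    print("raw prefix check gets wrong:", naive_mistakes())
```

The raw check misses four of the constructed bypass variants and wrongly blocks `/clients`; the normalised, segment-aware check gets all nine right. The model is only as good as its assumption about the front end, so the real check after deploying a rule like this is to send the same targets through the proxy with curl and confirm that every one of the blocked variants comes back without the `X-Jenkins` response header, i.e. was answered by Apache and never reached port 8080.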
More information about the Qa-jenkins-scm
mailing list