summaryrefslogtreecommitdiffstats
path: root/hosts/jenkins/etc/apache2
diff options
context:
space:
mode:
authorHelmut Grohne <helmut@subdivi.de>2015-11-07 17:08:18 +0100
committerHelmut Grohne <helmut@subdivi.de>2015-11-07 17:08:18 +0100
commit4d3f5807cc2505d791c72ad88aef42abdfd4bebb (patch)
tree025591a9a199ae167e28006c3e1fb3c85b471151 /hosts/jenkins/etc/apache2
parente6364055aef2d9d660349e060ec909f08d3943e1 (diff)
downloadjenkins.debian.net-4d3f5807cc2505d791c72ad88aef42abdfd4bebb.tar.xz
mitigate jenkins remote execute 0-day
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli It seems that two channels need to be secured. The first is a custom tcp port which is firewalled anyway. The other part is urls starting with /cli. Instead of filtering this entry point in jenkins (and thus breaking bin/abort.sh), we apply the filtering in apache. Thus a local execute vulnerability remains, but we didn't care about those earlier.
Diffstat (limited to 'hosts/jenkins/etc/apache2')
-rw-r--r--hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net2
1 files changed, 2 insertions, 0 deletions
diff --git a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net
index 02dfb529..b5d39a82 100644
--- a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net
+++ b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net
@@ -17,6 +17,7 @@ NameVirtualHost *:443
# map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs
ProxyPass /d-i-preseed-cfgs/ http://localhost:8080/userContent/d-i-preseed-cfgs/
ProxyPass /userContent !
+ ProxyPass /cli !
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
@@ -149,6 +150,7 @@ Use common-debian-service-https-redirect reproducible-builds.org
# map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs
ProxyPass /d-i-preseed-cfgs/ http://localhost:8080/userContent/d-i-preseed-cfgs/
ProxyPass /userContent !
+ ProxyPass /cli !
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
</VirtualHost>