| author | Helmut Grohne <helmut@subdivi.de> | 2015-11-07 17:08:18 +0100 |
|---|---|---|
| committer | Helmut Grohne <helmut@subdivi.de> | 2015-11-07 17:08:18 +0100 |
| commit | 4d3f5807cc2505d791c72ad88aef42abdfd4bebb (patch) | |
| tree | 025591a9a199ae167e28006c3e1fb3c85b471151 /hosts/jenkins/etc | |
| parent | e6364055aef2d9d660349e060ec909f08d3943e1 (diff) | |
| download | jenkins.debian.net-4d3f5807cc2505d791c72ad88aef42abdfd4bebb.tar.xz | |
mitigate jenkins remote execute 0-day
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli
It seems that two channels need to be secured. The first is a custom tcp
port which is firewalled anyway. The other part is urls starting with
/cli. Instead of filtering this entry point in jenkins (and thus
breaking bin/abort.sh), we apply the filtering in apache. Thus a local
execute vulnerability remains, but we didn't care about those earlier.
Diffstat (limited to 'hosts/jenkins/etc')

| -rw-r--r-- | hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net | 2 |
|---|---|---|

1 files changed, 2 insertions, 0 deletions
diff --git a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net index 02dfb529..b5d39a82 100644 --- a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net +++ b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net @@ -17,6 +17,7 @@ NameVirtualHost *:443 # map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs ProxyPass /d-i-preseed-cfgs/ http://localhost:8080/userContent/d-i-preseed-cfgs/ ProxyPass /userContent ! + ProxyPass /cli ! ProxyPass / http://localhost:8080/ nocanon ProxyPassReverse / http://localhost:8080/ </VirtualHost> @@ -149,6 +150,7 @@ Use common-debian-service-https-redirect reproducible-builds.org # map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs ProxyPass /d-i-preseed-cfgs/ http://localhost:8080/userContent/d-i-preseed-cfgs/ ProxyPass /userContent ! + ProxyPass /cli ! ProxyPass / http://localhost:8080/ nocanon ProxyPassReverse / http://localhost:8080/ </VirtualHost> |
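Review bot: in the first hunk (the `*:443` virtual host) the new `ProxyPass /cli !` is correctly placed before `ProxyPass / http://localhost:8080/ nocanon`, since mod_proxy exclusions only take effect when they precede the catch-all, but two things are worth checking. `ProxyPass /cli !` is a prefix match, so it withholds every path beginning with `/cli` from the backend, not just `/cli/`; and an excluded request falls through to Apache's local handling of that URL, so confirm that what the document root returns for `/cli` is an explicit deny rather than something incidental, otherwise the mitigation relies on an implicit 404.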
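Review bot: in the second hunk (the `reproducible-builds.org` virtual host) the `ProxyPass /userContent !` / `ProxyPass /cli !` pair is now duplicated verbatim from the first virtual host. Since this file already uses mod_macro (`Use common-debian-service-https-redirect ...`), consider moving the shared ProxyPass block into a macro, so that any virtual host added later cannot silently omit the `/cli` exclusion and reopen the CLI entry point.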