From 4d3f5807cc2505d791c72ad88aef42abdfd4bebb Mon Sep 17 00:00:00 2001 From: Helmut Grohne Date: Sat, 7 Nov 2015 17:08:18 +0100 Subject: mitigate jenkins remote execute 0-day https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli It seems that two channels need to be secured. The first is a custom tcp port which is firewalled anyway. The other part is urls starting with /cli. Instead of filtering this entry point in jenkins (and thus breaking bin/abort.sh), we apply the filtering in apache. Thus a local execute vulnerability remains, but we didn't care about those earlier. --- hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net | 2 ++ 1 file changed, 2 insertions(+) (limited to 'hosts') diff --git a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net index 02dfb529..b5d39a82 100644 --- a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net +++ b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net @@ -17,6 +17,7 @@ NameVirtualHost *:443 # map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs ProxyPass /d-i-preseed-cfgs/ http://localhost:8080/userContent/d-i-preseed-cfgs/ ProxyPass /userContent ! + ProxyPass /cli ! ProxyPass / http://localhost:8080/ nocanon ProxyPassReverse / http://localhost:8080/ @@ -149,6 +150,7 @@ Use common-debian-service-https-redirect reproducible-builds.org # map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs ProxyPass /d-i-preseed-cfgs/ http://localhost:8080/userContent/d-i-preseed-cfgs/ ProxyPass /userContent ! + ProxyPass /cli ! ProxyPass / http://localhost:8080/ nocanon ProxyPassReverse / http://localhost:8080/ -- cgit v1.2.3-54-g00ecf