gjl2004yn / jumpserver

Commit df193162 (unverified)
Authored Jan 18, 2021 by fit2bot; committed by GitHub, Jan 18, 2021
chore: revise the English version of the README (#5448)

* chore: revise the English version of the README

Co-authored-by: ibuler <ibuler@qq.com>
Parent: 646f0a56

Showing 2 changed files with 118 additions and 6 deletions (+118 -6)
README.md (+2 -0)
README_EN.md (+116 -6)
README.md @ df193162
@@ -4,6 +4,8 @@
[
![Django
](
https://img.shields.io/badge/django-2.2-brightgreen.svg?style=plastic
)
](https://www.djangoproject.com/)
[
![Docker Pulls
](
https://img.shields.io/docker/pulls/jumpserver/jms_all.svg
)
](https://hub.docker.com/u/jumpserver)
-
[
ENGLISH
](
https://github.com/jumpserver/jumpserver/blob/master/README_EN.md
)
## 紧急BUG修复通知
JumpServer发现远程执行漏洞,请速度修复
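Review bot: The ENGLISH link in this hunk is an absolute URL to blob/master/README_EN.md, so on any tag, release branch or fork it resolves to upstream master rather than the README_EN.md in the same tree; a relative link, `[ENGLISH](./README_EN.md)`, keeps the two READMEs in step. Also, this file describes the issue as a remote execution vulnerability (远程执行漏洞) while README_EN.md in the same commit calls it a pre-auth information leak; the two notices should give the same description of the bug.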
README_EN.md @ df193162
## Jumpserver
![
Total visitor
](
https://visitor-count-badge.herokuapp.com/total.svg?repo_id=jumpserver
)
![
Visitors in today
](
https://visitor-count-badge.herokuapp.com/today.svg?repo_id=jumpserver
)
[
![Python3
](
https://img.shields.io/badge/python-3.6-green.svg?style=plastic
)
](https://www.python.org/)
[
![Django
](
https://img.shields.io/badge/django-2.1-brightgreen.svg?style=plastic
)
](https://www.djangoproject.com/)
[
![Ansible
](
https://img.shields.io/badge/ansible-2.4.2.0-blue.svg?style=plastic
)
](https://www.ansible.com/)
[
![Paramiko
](
https://img.shields.io/badge/paramiko-2.4.1-green.svg?style=plastic
)
](http://www.paramiko.org/)
[
![Django
](
https://img.shields.io/badge/django-2.2-brightgreen.svg?style=plastic
)
](https://www.djangoproject.com/)
[
![Docker Pulls
](
https://img.shields.io/docker/pulls/jumpserver/jms_all.svg
)
](https://hub.docker.com/u/jumpserver)
----
## CRITICAL BUG WARNING
JumpServer found a critical bug for pre auth and info leak, You should fix quickly.
Thanks for reactivity of Alibaba Hackerone bug bounty program report us this bug
**Vulnerable version:**
```
< v2.6.2
< v2.5.4
< v2.4.5
= v1.5.9
```
**Safe version:**
```
>= v2.6.2
>= v2.5.4
>= v2.4.5
= v1.5.9 (Unstander version, so no change)
```
**Fix method:**
Upgrade to save version
**Quick temporary fix method:(recommend)**
Modify nginx config file, disable vulnerable api
```
/api/v1/authentication/connection-token/
/api/v1/users/connection-token/
```
Nginx config path
```
# Community old version
/etc/nginx/conf.d/jumpserver.conf
# Enterpise old version
jumpserver-release/nginx/http_server.conf
# New version
jumpserver-release/compose/config_static/http_server.conf
```
Modify nginx config
```
### On the server location top, or before of /api and /
location /api/v1/authentication/connection-token/ {
return 403;
}
location /api/v1/users/connection-token/ {
return 403;
}
### Add two location above
location /api/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://core:8080;
}
...
```
Then restart nginx
```
docker deployment:
$ docker restart jms_nginx
rpm or other deployment:
$ systemctl restart nginx
```
**Fix verify**
```
$ wget https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_bug_check.sh
# bash jms_bug_check.sh HOST
$ bash jms_bug_check.sh demo.jumpserver.org
漏洞已修复 (fixed)
漏洞未修复 (vulnerable)
```
**Attack detection**
Download the check script under the directory logs than the gunicorn on
```
$ pwd
/opt/jumpserver/core/logs
$ ls gunicorn.log
gunicorn.log
$ wget 'https://github.com/jumpserver/jumpserver/releases/download/v2.6.2/jms_check_attack.sh'
$ bash jms_check_attack.sh
系统未被入侵 (safe)
系统已被入侵 (attacked)
```
--------------------------
----
-
[
中文版
](
https://github.com/jumpserver/jumpserver/blob/master/README
_EN
.md
)
-
[
中文版
](
https://github.com/jumpserver/jumpserver/blob/master/README.md
)
Jumpserver is the first fully open source bastion in the world, based on the GNU GPL v2.0 open source protocol. Jumpserver is a professional operation and maintenance audit system conforms to 4A specifications.
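Review bot: The version lists contradict each other: `= v1.5.9` appears under both "Vulnerable version" and "Safe version", and the note "(Unstander version, so no change)" does not say whether 1.5.9 is affected; state plainly which it is and, if 1.5.9 is affected but will not receive a patch, say so and point those users at the nginx workaround. Wording fixes in the same block: "Upgrade to save version" should read "safe version", "Enterpise" should be "Enterprise", and "Download the check script under the directory logs than the gunicorn on" is hard to follow (presumably: run the script from the directory that contains gunicorn.log, as the `pwd` line shows). The bug description here ("pre auth and info leak") also differs from the Chinese README in this commit (远程执行漏洞, remote execution); the two should agree. The "Fix verify" and "Attack detection" steps download `jms_bug_check.sh` and `jms_check_attack.sh` with wget and run them with bash without any checksum; publishing a SHA-256 for each release asset and having the instructions verify it before execution would let operators confirm they are running the intended script. Minor: the Django badge appears twice in the header (2.1 and 2.2); one should go.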