14.04: supervisor does not start after applying the security update

According to the changelog, a security update was released a few days ago:

supervisor (3.0b2-1ubuntu0.1) trusty-security; urgency=medium

  • SECURITY UPDATE: arbitrary code injection via XML-RPC
    • debian/patches/CVE-2017-11610.patch: disable object traversal in XML-RPC dispatch in supervisor/tests/test_xmlrpc.py, supervisor/xmlrpc.py.
    • CVE-2017-11610

 -- Leonidas S. Barbosa  Thu, 17 May 2018 15:59:12 -0300

Here is the package I already had installed:

$ dpkg -p supervisor
Package: supervisor
Priority: extra
Section: admin
Installed-Size: 1485
Maintainer: Ubuntu Developers <[email protected]>
Architecture: all
Version: 3.0b2-1
Depends: python, python-meld3, python-pkg-resources (>= 0.6c7)
Size: 313972
Description: A system for controlling process state
 Supervisor is a system for controlling and maintaining process state,
 similar to what init does, but not intended as an init replacement.
 .
 It will manage individual processes or groups of processes that
 need to be started and stopped in order, and it is possible to
 control individual process state via an rpc mechanism, thus allowing
 ordinary users to restart processes.
Original-Maintainer: Qijiang Fan <[email protected]>
Homepage: http://supervisord.org/

Here is how I updated, and what happened:

$ sudo apt-get install supervisor
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  supervisor
1 upgraded, 0 newly installed, 0 to remove and 33 not upgraded.
Need to get 244 kB of archives.
After this operation, 67.6 kB disk space will be freed.
Get:1 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe supervisor all 3.0b2-1ubuntu0.1 [244 kB]
Fetched 244 kB in 0s (281 kB/s)
(Reading database ... 73862 files and directories currently installed.)
Preparing to unpack .../supervisor_3.0b2-1ubuntu0.1_all.deb ...
Stopping supervisor: supervisord.
Unpacking supervisor (3.0b2-1ubuntu0.1) over (3.0b2-1) ...
Processing triggers for ureadahead (0.100.0-16) ...
ureadahead will be reprofiled on next reboot
Setting up supervisor (3.0b2-1ubuntu0.1) ...
Starting supervisor: invoke-rc.d: initscript supervisor, action "start" failed.
dpkg: error processing package supervisor (--configure):
 subprocess installed post-installation script returned error exit status 1
E: Sub-process /usr/bin/dpkg returned an error code (1)

At this point the service is not running.

Starting it manually still works, though: sudo service supervisor start

This is what I found in dpkg.log:

2018-05-22 10:18:19 startup archives unpack
2018-05-22 10:18:19 upgrade supervisor:all 3.0b2-1 3.0b2-1ubuntu0.1
2018-05-22 10:18:19 status half-configured supervisor:all 3.0b2-1
2018-05-22 10:18:20 status unpacked supervisor:all 3.0b2-1
2018-05-22 10:18:20 status half-installed supervisor:all 3.0b2-1
2018-05-22 10:18:20 status triggers-pending ureadahead:amd64 0.100.0-16
2018-05-22 10:18:20 status half-installed supervisor:all 3.0b2-1
2018-05-22 10:18:20 status half-installed supervisor:all 3.0b2-1
2018-05-22 10:18:20 status unpacked supervisor:all 3.0b2-1ubuntu0.1
2018-05-22 10:18:20 status unpacked supervisor:all 3.0b2-1ubuntu0.1
2018-05-22 10:18:20 trigproc ureadahead:amd64 0.100.0-16 0.100.0-16
2018-05-22 10:18:20 status half-configured ureadahead:amd64 0.100.0-16
2018-05-22 10:18:20 status installed ureadahead:amd64 0.100.0-16
2018-05-22 10:18:20 startup packages configure
2018-05-22 10:18:20 configure supervisor:all 3.0b2-1ubuntu0.1 <none>
2018-05-22 10:18:20 status unpacked supervisor:all 3.0b2-1ubuntu0.1
2018-05-22 10:18:20 status unpacked supervisor:all 3.0b2-1ubuntu0.1
2018-05-22 10:18:20 status unpacked supervisor:all 3.0b2-1ubuntu0.1
2018-05-22 10:18:20 status unpacked supervisor:all 3.0b2-1ubuntu0.1
2018-05-22 10:18:20 status half-configured supervisor:all 3.0b2-1ubuntu0.1

I also looked at the supervisor log, but found nothing conclusive:

2018-05-22 10:18:19,944 WARN received SIGTERM indicating exit request
2018-05-22 10:18:19,947 INFO waiting for laravel-daemon-es-posts_00, laravel-daemon-es-comments_00, laravel-horizon_00 to die
2018-05-22 10:18:22,008 INFO stopped: laravel-horizon_00 (exit status 0)
2018-05-22 10:18:23,014 INFO waiting for laravel-daemon-es-posts_00, laravel-daemon-es-comments_00 to die
2018-05-22 10:18:23,066 INFO stopped: laravel-daemon-es-posts_00 (terminated by SIGKILL)
2018-05-22 10:18:23,066 INFO stopped: laravel-daemon-es-comments_00 (terminated by SIGKILL)

2018-05-22 10:18:39,745 CRIT Supervisor running as root (no user in config file)
2018-05-22 10:18:39,745 WARN Included extra file "/etc/supervisor/conf.d/laravel.conf" during parsing
2018-05-22 10:18:39,764 INFO RPC interface 'supervisor' initialized
2018-05-22 10:18:39,764 CRIT Server 'unix_http_server' running without any HTTP authentication checking
2018-05-22 10:18:39,765 INFO daemonizing the supervisord process
2018-05-22 10:18:39,765 INFO supervisord started with pid 9923
2018-05-22 10:18:40,771 INFO spawned: 'laravel-daemon-es-posts_00' with pid 9933
2018-05-22 10:18:40,773 INFO spawned: 'laravel-daemon-es-comments_00' with pid 9934
2018-05-22 10:18:40,775 INFO spawned: 'laravel-horizon_00' with pid 9935
2018-05-22 10:18:44,523 INFO success: laravel-daemon-es-posts_00 entered RUNNING state, process has stayed up for > than 3 seconds (startsecs)
2018-05-22 10:18:44,523 INFO success: laravel-daemon-es-comments_00 entered RUNNING state, process has stayed up for > than 3 seconds (startsecs)
2018-05-22 10:18:44,523 INFO success: laravel-horizon_00 entered RUNNING state, process has stayed up for > than 3 seconds (startsecs)

I put an artificial gap where it stopped, had a look around, and then started it manually.

Am I doing something wrong? I usually just run sudo apt-get upgrade, but I had heard about this problem from a colleague who did not record the details, so I ran it on a test machine.

Thanks!
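As an added example (not part of the question or answer above), a small Python script that reads dpkg.log lines like the ones posted and reports any package whose last recorded dpkg state is not "installed", which is exactly how a postinst failure during a security update leaves a package half-configured. The sample log is a constructed subset of the lines in the question, and the function names are my own.

```python
import re

# Constructed sample in /var/log/dpkg.log format: a subset of the lines from the question.
SAMPLE_DPKG_LOG = """\
2018-05-22 10:18:19 startup archives unpack
2018-05-22 10:18:19 upgrade supervisor:all 3.0b2-1 3.0b2-1ubuntu0.1
2018-05-22 10:18:19 status half-configured supervisor:all 3.0b2-1
2018-05-22 10:18:20 status unpacked supervisor:all 3.0b2-1ubuntu0.1
2018-05-22 10:18:20 status triggers-pending ureadahead:amd64 0.100.0-16
2018-05-22 10:18:20 trigproc ureadahead:amd64 0.100.0-16 0.100.0-16
2018-05-22 10:18:20 status half-configured ureadahead:amd64 0.100.0-16
2018-05-22 10:18:20 status installed ureadahead:amd64 0.100.0-16
2018-05-22 10:18:20 startup packages configure
2018-05-22 10:18:20 configure supervisor:all 3.0b2-1ubuntu0.1 <none>
2018-05-22 10:18:20 status unpacked supervisor:all 3.0b2-1ubuntu0.1
2018-05-22 10:18:20 status half-configured supervisor:all 3.0b2-1ubuntu0.1
"""

# "<date> <time> status <state> <pkg:arch> <version>"
STATUS_RE = re.compile(r"^(\S+ \S+) status (\S+) (\S+) (\S+)$")
# "<date> <time> upgrade <pkg:arch> <old-version> <new-version>"
UPGRADE_RE = re.compile(r"^(\S+ \S+) upgrade (\S+) (\S+) (\S+)$")


def final_package_states(log_text):
    """Map each package to its last recorded state/version (and the version it was upgraded from)."""
    states = {}
    for line in log_text.splitlines():
        m = UPGRADE_RE.match(line)
        if m:
            _, pkg, old_version, _new_version = m.groups()
            states.setdefault(pkg, {})["upgraded_from"] = old_version
            continue
        m = STATUS_RE.match(line)
        if m:
            _, state, pkg, version = m.groups()
            entry = states.setdefault(pkg, {})
            entry["state"] = state      # later lines overwrite earlier ones
            entry["version"] = version
    return states


def stuck_packages(log_text):
    """Packages whose last dpkg state is not 'installed', e.g. half-configured after a failed postinst."""
    return {pkg: info for pkg, info in final_package_states(log_text).items()
            if info.get("state") != "installed"}


def fix_applied(log_text, pkg, fixed_version):
    """True only when the package is fully configured at the version that carries the security fix."""
    info = final_package_states(log_text).get(pkg, {})
    return info.get("state") == "installed" and info.get("version") == fixed_version
```

Run against the real /var/log/dpkg.log after an unattended security upgrade, a non-empty result from stuck_packages is the signal that the fix is unpacked but the service may not have been restarted.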

Answer 1

Well, I ran into the same problem, and uninstalling/reinstalling fixed it. If you need to run it on several machines, apt-get remove supervisor --yes && apt-get install supervisor --yes helps.

Edit: so the conclusion is that they somehow messed up the update, and it is nothing on your side.

Edit 2: this bug already seems to be known. There are several bug reports already
