\u5f53\u6211\u4eec\u914d\u7f6e\u4e86\u4e00\u53f0Rocky 9 Linux\u7cfb\u7edf\u670d\u52a1\u5668\uff0c\u8fd0\u884c\u4e00\u6bb5\u65f6\u95f4\u540e\uff0c\u5355\u4f4d\u7684\u7f51\u7edc\u7ba1\u7406\u5458\u63d0\u793a\u7cfb\u7edf\u6709\u9ad8\u5371\u5b89\u5168\u6f0f\u6d1e\uff0c\u9700\u8981\u8fdb\u884c\u5347\u7ea7\u3002\u6211\u4eec\u4e00\u822c\u5bf9\u5916\u5f00\u542f\u4e86httpd\u548csshd\u670d\u52a1\uff0c\u9ed8\u8ba4\u7684Rocky 9 Linux\u7cfb\u7edf\u4f1a\u88ab\u626b\u63cf\u5230OpenSSL\u3001Apache\u548cOpenSSH\u7684\u5b89\u5168\u6f0f\u6d1e\u3002\u6b64\u5916\u4e00\u822c\u4e5f\u8981\u8003\u8651ICMP timestamp\u8bf7\u6c42\u54cd\u5e94\u6f0f\u6d1e\u3002<\/p>\n\n\n\n
OpenSSL\u5b89\u5168\u6f0f\u6d1e\u63cf\u8ff0\u793a\u4f8b\uff1a<\/p>\n\n\n\n
OpenSSL \u5b89\u5168\u6f0f\u6d1e(CVE-2023-5363)\n\nOpenSSL\u662fOpenSSL\u56e2\u961f\u7684\u4e00\u4e2a\u5f00\u6e90\u7684\u80fd\u591f\u5b9e\u73b0\u5b89\u5168\u5957\u63a5\u5c42\uff08SSLv2\/v3\uff09\u548c\u5b89\u5168\u4f20\u8f93\u5c42\uff08TLSv1\uff09\u534f\u8bae\u7684\u901a\u7528\u52a0\u5bc6\u5e93\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u591a\u79cd\u52a0\u5bc6\u7b97\u6cd5\uff0c\u5305\u62ec\u5bf9\u79f0\u5bc6\u7801\u3001\u54c8\u5e0c\u7b97\u6cd5\u3001\u5b89\u5168\u6563\u5217\u7b97\u6cd5\u7b49\u3002 OpenSSL 3.1\u7248\u672c\u548c3.0\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u673a\u5bc6\u6027\u53d7\u5230\u5f71\u54cd\u3002<\/pre>\n\n\n\nOpenSSL\u4e5f\u662fLinux\u7cfb\u7edf\u5fc5\u987b\u5e26\u7684\u8f6f\u4ef6\uff0c\u9700\u8981\u5728\u5b98\u7f51<\/a>\u4e0a\u4e0b\u8f7d\u8f6f\u4ef6\u6700\u65b0\u7248<\/a>\u8fdb\u884c\u5b89\u88c5\uff0c\u64cd\u4f5c\u5982\u4e0b\uff1a<\/p>\n\n\n\n
# \u68c0\u6d4bopenssl\u7248\u672c\nopenssl version -a\n# Rocky 9.2 Linux\u81ea\u5e26\u7684openssl\u7248\u672c\u4e3a3.0.7\uff0c\u4e0d\u6ee1\u8db3\u8981\u6c42\u3002\u4ee5\u4e0b\u64cd\u4f5c\u66f4\u65b0\u52303.3.2\u7248\u672c\u3002\n\n# \u4e0b\u8f7d\u5e76\u5b89\u88c5openssl\u8f6f\u4ef6\uff0c\u6ce8\u610f\u8981\u5c06\u8f6f\u4ef6\u5b89\u88c5\u5230\/usr\u76ee\u5f55\nwget https:\/\/github.com\/openssl\/openssl\/releases\/download\/openssl-3.3.2\/openssl-3.3.2.tar.gz\ntar zxf openssl-3.3.2.tar.gz\ncd openssl-3.3.2\/\n.\/Configure --prefix=\/usr && make -j 40 && sudo make install\ncd .. && rm -rf openssl-3.3.2\/\n\n# \u4e0b\u8f7d\u5e76\u5b89\u88c5openLDAP\u8f6f\u4ef6\uff0c\u6ce8\u610f\u5c06\u8f6f\u4ef6\u5b89\u88c5\u5230\/usr\u76ee\u5f55\n# \u82e5\u4e0d\u91cd\u65b0\u7f16\u8bd1\u5b89\u88c5openLDAP\u8f6f\u4ef6\uff0c\u5219\u7cfb\u7edf\u4f1a\u62a5\u9519\uff0csudo\u547d\u4ee4\u65e0\u6cd5\u4f7f\u7528\n# \u6ce8\u610f\u8981\u5b89\u88c5\u548c\u7cfb\u7edf\u4e4b\u524d\u76f8\u540c\u7248\u672c\u7684openLDAP\uff0c\u5426\u5219\u4f9d\u7136\u62a5\u9519\uff0c\u5728Rocky 9\u7cfb\u7edf\u4e2d\u4f7f\u75282.4\u7248\u672c\nwget https:\/\/www.openldap.org\/software\/download\/OpenLDAP\/openldap-release\/openldap-2.4.59.tgz\ntar zxf openldap-2.4.59.tgz\ncd openldap-2.4.59\n.\/configure --prefix=\/usr && make -j 40\n# \u7531\u4e8e\u66f4\u65b0\u4e86openssl\uff0csudo\u547d\u4ee4\u65e0\u6cd5\u4f7f\u7528\uff0c\u9700\u8981\u5148\u4f7f\u7528\u5bc6\u7801\u5207\u6362\u5230root\u7528\u6237\u8fdb\u884c\u5b89\u88c5\nsu root\nmake install\ncd .. && rm -rf openldap-2.4.59\/\n# \u5b89\u88c5\u5b8c\u6bd5\u540e\uff0c\u8981\u8bbe\u7f6e\u6b63\u786e\u7684libldap\u5e93\u6587\u4ef6\u7684\u8f6f\u94fe\u63a5\ncd \/lib64\nln -sf libldap-2.4.so.2.11.7 libldap-2.4.so.2\nln -sf libldap-2.4.so.2.11.7 libldap-2.4.so.2.0.200\nln -sf libldap-2.4.so.2.11.7 libldap.so\nln -sf libldap-2.4.so.2.11.7 libldap.so.2\n\n# \u867d\u7136\u65b0\u7f16\u8bd1\u5b89\u88c5openLDAP\u8f6f\u4ef6\u540e\uff0csudo\u547d\u4ee4\u53ef\u4ee5\u6210\u529f\u6267\u884c\uff0c\u4f46\u662f\/lib64\/libcurl.so.4\u4f9d\u7136\u62a5\u9519\n# \u5bf9curl\u8f6f\u4ef6\u91cd\u65b0\u7f16\u8bd1\u5b89\u88c5\uff0c\u6ce8\u610f\u5c06\u8f6f\u4ef6\u5b89\u88c5\u5230\/usr\u76ee\u5f55\nwget https:\/\/curl.se\/download\/curl-7.76.0.tar.gz\ntar zxf curl-7.76.0.tar.gz\ncd curl-7.76.0\/\n.\/configure --prefix=\/usr && make -j 40 && sudo make install\ncd .. && rm -rf curl-7.76.0<\/code><\/pre>\n\n\n\n\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u63d0\u5347OpenSSL\u7248\u672c\u540e\uff0c\u6240\u6709\u9700\u8981\u4f9d\u8d56\u4e8e\u8be5\u8f6f\u4ef6\u7684\u5176\u5b83\u8f6f\u4ef6\u53ef\u80fd\u90fd\u9700\u8981\u91cd\u65b0\u5b89\u88c5\uff0c\u4f8b\u5982curl\u3001OpenLDAP\u548cOpenSSH\u7b49\u3002<\/p>\n\n\n\n
2. \u89e3\u51b3OpenSSH\u5b89\u5168\u6f0f\u6d1e<\/h2>\n\n\n\n
OpenSSH\u5b89\u5168\u6f0f\u6d1e\u63cf\u8ff0\u793a\u4f8b\uff1a<\/p>\n\n\n\n
OpenSSH \u5b89\u5168\u6f0f\u6d1e(CVE-2023-38408)\n\nOpenSSH\uff08OpenBSD Secure Shell\uff09\u662f\u52a0\u62ff\u5927OpenBSD\u8ba1\u5212\u7ec4\u7684\u4e00\u5957\u7528\u4e8e\u5b89\u5168\u8bbf\u95ee\u8fdc\u7a0b\u8ba1\u7b97\u673a\u7684\u8fde\u63a5\u5de5\u5177\u3002\u8be5\u5de5\u5177\u662fSSH\u534f\u8bae\u7684\u5f00\u6e90\u5b9e\u73b0\uff0c\u652f\u6301\u5bf9\u6240\u6709\u7684\u4f20\u8f93\u8fdb\u884c\u52a0\u5bc6\uff0c\u53ef\u6709\u6548\u963b\u6b62\u7a83\u542c\u3001\u8fde\u63a5\u52ab\u6301\u4ee5\u53ca\u5176\u4ed6\u7f51\u7edc\u7ea7\u7684\u653b\u51fb\u3002 OpenSSH 9.3p2<\/strong>\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8essh-agent\u7684PKCS11\u529f\u80fd\u5b58\u5728\u5b89\u5168\u95ee\u9898\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u8fdc\u7a0b\u4ee3\u7801\u3002<\/pre>\n\n\n\n\u7531\u4e8eLinux\u7cfb\u7edf\u670d\u52a1\u5668\u5fc5\u987b\u8981\u5f00\u542fsshd\u670d\u52a1\uff0c\u4ee5\u5229\u4e8essh\u8fde\u63a5\u670d\u52a1\u5668\u8fdb\u884c\u8fd0\u884c\u64cd\u4f5c\u3002\u56e0\u6b64\uff0c\u53ea\u80fd\u901a\u8fc7\u63d0\u9ad8OpenSSH\u8f6f\u4ef6\u7684\u7248\u672c\u8fdb\u884c\u89e3\u51b3\u3002\u901a\u8fc7\u8bbf\u95eeOpenSSH\u5b98\u7f51<\/a>\uff0c\u627e\u5230\u8f6f\u4ef6\u5728\u4e2d\u56fd\u7684\u955c\u50cf\u7ad9\u70b9<\/a>\u4e0b\u8f7d\u8f6f\u4ef6\u3002OpenSSH\u8f6f\u4ef6\u7684\u5e38\u89c4\u7248\u672c\u975e\u5e38\u5c0f\uff0c\u53ea\u6709Makefile\uff0c\u9002\u7528\u4e8eBSD\u9879\u76ee\uff0c\u53ef\u80fd\u4e0d\u592a\u5229\u4e8eLinux\u7cfb\u7edf\u4e0a\u7684\u5b89\u88c5\u3002\u63a8\u8350\u4e0b\u8f7d\u9002\u5408Linux\u7cfb\u7edf\u7684p1\u7248\u672c\uff08Portable Release\uff09\uff0c\u6709configure\u547d\u4ee4\uff0c\u5b89\u88c5\u66f4\u65b9\u4fbf\u3002\u64cd\u4f5c\u5982\u4e0b\uff1a<\/p>\n\n\n\n
# \u68c0\u6d4bopenssh\u7248\u672c\nssh -V\nsshd -V\n# Rocky 9.2 Linux\u81ea\u5e26\u7684openssh\u7248\u672c\u4e3a8.7p1\uff0c\u4e0d\u6ee1\u8db3\u8981\u6c42\u3002\u4ee5\u4e0b\u64cd\u4f5c\u66f4\u65b0\u52309.9p1\u7248\u672c\u3002\n\n# \u5148\u5907\u4efd\u5df2\u6709\u7684sshd\u914d\u7f6e\u6587\u4ef6\u5939\nsudo cp -a \/etc\/ssh\/ \/etc\/ssh.bak\n\n# \u4e0b\u8f7d\u5e76\u5b89\u88c5openssh\uff0c\u6ce8\u610f\u8981\u5c06\u8f6f\u4ef6\u5b89\u88c5\u5230\/usr\u76ee\u5f55\nwget https:\/\/mirrors.aliyun.com\/pub\/OpenBSD\/OpenSSH\/portable\/openssh-9.9p1.tar.gz\ntar zxf openssh-9.9p1.tar.gz\ncd openssh-9.9p1\/\n.\/configure --prefix=\/usr && make -j 40 && sudo make install\ncd .. && rm -rf openssh-9.9p1\n\n# \u91cd\u542fsshd\u670d\u52a1\nsudo systemctl restart sshd.service<\/code><\/pre>\n\n\n\n3. \u89e3\u51b3Apache\u5b89\u5168\u6f0f\u6d1e<\/h2>\n\n\n\n
Apache\u5b89\u5168\u6f0f\u6d1e\u63cf\u8ff0\u793a\u4f8b\uff1a<\/p>\n\n\n\n
Apache HTTP Server \u5b89\u5168\u6f0f\u6d1e(CVE-2022-36760)\n\nApache HTTP Server\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90\u7f51\u9875\u670d\u52a1\u5668\u3002\u8be5\u670d\u52a1\u5668\u5177\u6709\u5feb\u901f\u3001\u53ef\u9760\u4e14\u53ef\u901a\u8fc7\u7b80\u5355\u7684API\u8fdb\u884c\u6269\u5145\u7684\u7279\u70b9\u3002 Apache HTTP Server 2.4\u7248\u672c\u81f32.4.54\u4e4b\u524d\u7248\u672c\u5b58\u5728\u73af\u5883\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ecemod_proxy_ajp\u51fd\u6570\u4e2d\u53d1\u73b0\u5305\u542bHTTP\u8bf7\u6c42\u8d70\u79c1\u6f0f\u6d1e\u3002<\/pre>\n\n\n\n\u5f53\u4e0d\u9700\u8981\u670d\u52a1\u5668\u5bf9\u5916\u63d0\u4f9b\u7f51\u7ad9\u670d\u52a1\u65f6\uff0c\u76f4\u63a5\u5173\u95edhttpd\u670d\u52a1\u5373\u53ef\u3002\u4f7f\u7528root\u6743\u9650\u6267\u884c\u5982\u4e0b\u547d\u4ee4<\/p>\n\n\n\n
sudo systemctl disable httpd.service\n# \u6267\u884c\u8be5\u547d\u4ee4\u7981\u6b62\u5f00\u673a\u542f\u52a8httpd\u670d\u52a1\n\nsudo systemctl stop httpd.service\n# \u6267\u884c\u8be5\u547d\u4ee4\u5173\u95edhttpd\u670d\u52a1<\/code><\/pre>\n\n\n\n\u4e5f\u53ef\u4ee5\u8003\u8651\u66f4\u65b0Apache\u8f6f\u4ef6\u5230\u6700\u65b0\u7248\u672c\uff0c\u5728Apache\u5b98\u7f51<\/a>\uff0c\u627e\u5230httpd\u4e0b\u8f7d\u7f51\u5740<\/a>\u4e0b\u8f7d\u8f6f\u4ef6\u5b89\u88c5\u5305\u8fdb\u884c\u5b89\u88c5\u3002\u64cd\u4f5c\u5982\u4e0b\uff1a<\/p>\n\n\n\n
# \u68c0\u6d4bApache\u8f6f\u4ef6\u7248\u672c\nhttpd -v\n# Rocky 9.2 Linux\u81ea\u5e26\u7684Apache\u7248\u672c\u4e3a2.4.53\uff0c\u4e0d\u6ee1\u8db3\u8981\u6c42\u3002\u4ee5\u4e0b\u64cd\u4f5c\u66f4\u65b0\u52302.4.62\u7248\u672c\u3002\n\n# \u5148\u5907\u4efd\u5df2\u6709\u7684httpd\u914d\u7f6e\u6587\u4ef6\u5939\ncp -a \/etc\/httpd \/etc\/httpd.bak\n\n# \u5148\u5b89\u88c5APR\u548cAPR-util\u7ec4\u4ef6\nsudo dnf install -y expat expat-devel\nwget https:\/\/downloads.apache.org\/apr\/apr-1.7.5.tar.gz\ntar zxf apr-1.7.5.tar.gz\ncd apr-1.7.5\/\n.\/configure --prefix=\/usr && make -j 40 && sudo make install\ncd .. && rm -rf apr-1.7.5\/\nwget https:\/\/downloads.apache.org\/apr\/apr-util-1.6.3.tar.gz\ntar zxf apr-util-1.6.3.tar.gz\ncd apr-util-1.6.3\/\n.\/configure --prefix=\/usr --with-apr=\/usr\/ && make -j 40 && sudo make install\ncd .. && rm -rf apr-util-1.6.3\n\n# \u4e0b\u8f7d\u5e76\u5b89\u88c5Apache\u8f6f\u4ef6\uff0c\u6ce8\u610f\u8981\u5c06\u8f6f\u4ef6\u5b89\u88c5\u5230\/usr\u76ee\u5f55\nwget https:\/\/downloads.apache.org\/httpd\/httpd-2.4.62.tar.gz\ntar zxf httpd-2.4.62.tar.gz\ncd httpd-2.4.62\/\n.\/configure --prefix=\/usr && make -j 40 && sudo make install\n# \u66f4\u65b0httpd\u7684ssl\u5e93\u6587\u4ef6\nmv \/etc\/httpd\/modules\/mod_ssl.so \/etc\/httpd\/modules\/mod_ssl.so.bak\ncp modules\/ssl\/.libs\/mod_ssl.so \/etc\/httpd\/modules\/\ncd .. && rm -rf httpd-2.4.62\/\n\n# \u4fee\u6539\u914d\u7f6e\u6587\u4ef6\/etc\/httpd\/conf.d\/ssl.conf\uff0c\u4f7f\u7528\u66f4\u597d\u7684SSL\u52a0\u5bc6\u8bbe\u7f6e\n# \u82e5\u4f7f\u7528Rochy 9 Linux\u9ed8\u8ba4\u7684ssl.conf\u914d\u7f6e\uff0c\u4f1a\u5bfc\u81f4httpd\u65e0\u6cd5\u91cd\u542f\nperl -p -i -e 's\/.*SSLProtocol.*\/SSLProtocol all -SSLv2 -SSLv3\/' \/etc\/httpd\/conf.d\/ssl.conf\nperl -p -i -e 's\/.*SSLProxyProtocol.*\/SSLProxyProtocol all -SSLv2 -SSLv3\/' \/etc\/httpd\/conf.d\/ssl.conf\nperl -p -i -e 's\/.*SSLHonorCipherOrder.*\/SSLHonorCipherOrder on\/' \/etc\/httpd\/conf.d\/ssl.conf\nperl -p -i -e 's\/.*SSLCipherSuite.*\/SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!DSS\/' \/etc\/httpd\/conf.d\/ssl.conf\nperl -p -i -e 's\/.*SSLProxyCipherSuite.*\/SSLProxyCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!DSS\/' \/etc\/httpd\/conf.d\/ssl.conf\n\n# \u91cd\u542fhttpd\u670d\u52a1\nsudo systemctl restart httpd.service<\/code><\/pre>\n\n\n\n\u5bf9\u4e8ehttpd\u7684SSL\u914d\u7f6e\u6587\u4ef6\/etc\/httpd\/conf.d\/ssl.conf\uff0c\u5176\u4e3b\u8981\u7684\u53c2\u6570\u89e3\u91ca\u5982\u4e0b\uff1a<\/p>\n\n\n\n
# \u5141\u8bb8\u6240\u6709\u534f\u8bae\uff0c\u4f46\u7981\u7528\u6709\u6f0f\u6d1e\u7684SSLv2\u548cSSLv3\nSSLProtocol all -SSLv2 -SSLv3\nSSLProxyProtocol all -SSLv2 -SSLv3\n\n# \u4e25\u683c\u6309\u7167\u52a0\u5bc6\u5957\u4ef6\u7684\u987a\u5e8f\u8fdb\u884c\u534f\u5546\nSSLHonorCipherOrder on\n\n# \u5f3a\u5236\u4f7f\u7528\u9ad8\u5f3a\u5ea6\u52a0\u5bc6\u7b97\u6cd5\uff1aHIGH: \u9009\u62e9\u9ad8\u5f3a\u5ea6\u52a0\u5bc6\u7b97\u6cd5\u3002!aNULL: \u7981\u6b62\u533f\u540d\u8ba4\u8bc1\u3002!eNULL: \u7981\u6b62\u7a7a\u5bc6\u7801\u3002!EXPORT: \u7981\u6b62\u5f31\u5bfc\u51fa\u5bc6\u7801\u3002!DES: \u7981\u6b62DES\u7b97\u6cd5\u3002!RC4: \u7981\u6b62RC4\u7b97\u6cd5\u3002!MD5: \u7981\u6b62MD5\u54c8\u5e0c\u7b97\u6cd5\u3002!PSK: \u7981\u6b62\u9884\u5171\u4eab\u5bc6\u94a5\u3002!SRP: \u7981\u6b62SRP\u8ba4\u8bc1\u3002!DSS: \u7981\u6b62DSS\u7b7e\u540d\u7b97\u6cd5\u3002\nSSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!DSS<\/pre>\n\n\n\n4. \u89e3\u51b3ICMP timestamp\u8bf7\u6c42\u54cd\u5e94\u6f0f\u6d1e<\/h2>\n\n\n\n
ICMP timestamp\uff08ICMP\u65f6\u95f4\u6233\uff09\u662f\u4e00\u79cd\u7f51\u7edc\u534f\u8bae\uff0c\u7528\u4e8e\u83b7\u53d6\u8fdc\u7a0b\u4e3b\u673a\u7684\u7cfb\u7edf\u65f6\u95f4\u3002\u867d\u7136\u5b83\u5728\u67d0\u4e9b\u60c5\u51b5\u4e0b\u662f\u6709\u7528\u7684\uff0c\u4f46\u5b83\u4e5f\u53ef\u80fd\u88ab\u6076\u610f\u5229\u7528\u3002\u56e0\u6b64\uff0c\u8bb8\u591a\u7f51\u7edc\u7ba1\u7406\u5458\u90fd\u4f1a\u9009\u62e9\u5728\u9632\u706b\u5899\u4e0a\u8fc7\u6ee4\u6389\u8fd9\u79cd\u7c7b\u578b\u7684\u6d41\u91cf\u3002<\/p>\n\n\n\n
# \u963b\u6b62ICMP timestamp\u8bf7\u6c42\nfirewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp --icmp-type timestamp-request -m comment --comment \"deny ICMP timestamp\" -j DROP\n\n# \u963b\u6b62ICMP timestamp\u54cd\u5e94\nfirewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p icmp --icmp-type timestamp-reply -m comment --comment \"deny ICMP timestamp\" -j DROP\n\n# \u91cd\u65b0\u52a0\u8f7d\u9632\u706b\u5899\nfirewall-cmd --reload\n\n# \u67e5\u770b\u9632\u706b\u5899\u89c4\u5219\nfirewall-cmd --direct --get-all-rules<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u5f53\u6211\u4eec\u914d\u7f6e\u4e86\u4e00\u53f0Rocky 9 Linux\u7cfb\u7edf\u670d\u52a1\u5668\uff0c\u8fd0\u884c\u4e00\u6bb5\u65f6\u95f4\u540e\uff0c\u5355\u4f4d\u7684\u7f51\u7edc … \u7ee7\u7eed\u9605\u8bfb