Posted to dev@vcl.apache.org by Josh Thompson <jf...@apache.org> on 2019/07/29 15:45:28 UTC

[CVE-2018-11773] Apache VCL improper form validation in block allocation management

CVE-2018-11773: Apache VCL improper form validation in block allocation management

Severity: Medium

Versions Affected: 2.1 through 2.5

Description: Apache VCL versions 2.1 through 2.5 do not properly validate form 
input when processing a submitted block allocation. The form data is then passed 
as an argument to the PHP built-in function strtotime(). This allows for an 
attack against the underlying implementation of that function. The 
implementation of strtotime() at the time the issue was discovered appeared to 
be resistant to a malicious attack. However, all VCL systems running versions 
earlier than 2.5.1 should be upgraded or patched.
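As an added illustration (not code from Apache VCL or from this advisory), the pattern the description refers to, untrusted form text handed straight to strtotime(), beside a hardened version that admits only one exact date format. The field name "start", the date format and the accepted range are assumptions, not details of the real VCL form:

```php
<?php
// Added example, not Apache VCL code. Field name, format and range are assumptions.

// Vulnerable pattern: whatever the client submitted is fed to strtotime(),
// so the parser's entire free-form grammar is exposed to untrusted input.
function blockStartVulnerable(array $post)
{
    return strtotime($post['start']);
}

// Hardened pattern: check the shape first, parse with an explicit format,
// reject anything that does not round-trip, then apply a range check.
function blockStartHardened(array $post, string $format = 'Y-m-d H:i'): ?int
{
    $raw = $post['start'] ?? null;
    if (!is_string($raw) || strlen($raw) > 16) {
        return null;
    }
    // Shape check before any date parsing happens at all.
    if (!preg_match('/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}$/', $raw)) {
        return null;
    }
    // '!' resets fields the format does not mention (seconds) to zero.
    $dt = DateTime::createFromFormat('!' . $format, $raw);
    // createFromFormat silently rolls impossible dates forward (2019-02-30
    // becomes 2019-03-02); the round-trip comparison rejects those.
    if ($dt === false || $dt->format($format) !== $raw) {
        return null;
    }
    $ts = $dt->getTimestamp();
    // Assumed business rule: a block allocation starts in the future and
    // no more than a year out.
    $now = time();
    if ($ts < $now || $ts > $now + 366 * 86400) {
        return null;
    }
    return $ts;
}

// Constructed inputs: an impossible date and free-form text that strtotime()
// would happily interpret; both are rejected by the hardened function.
var_dump(blockStartHardened(['start' => '2019-02-30 10:00']));
var_dump(blockStartHardened(['start' => 'next monday +4 weeks']));
var_dump(blockStartHardened(['start' => date('Y-m-d H:i', time() + 7 * 86400)]));
```

Validating the shape before parsing, and comparing the parsed value back against the raw string, keeps the date parser off the attack surface entirely; the vulnerable function above exposes it to every request.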

Mitigation: Upgrade to 2.5.1 or apply patches from https://vcl.apache.org/security.html

Credit: This vulnerability was found and reported to the Apache VCL project by 
ADLab of Venustech.

CVE Released: July 29th, 2019