Posted to commits@vcl.apache.org by bu...@apache.org on 2019/07/29 15:25:26 UTC

svn commit: r1048220 - in /websites/staging/vcl/trunk/content: ./ patches/ patches/patching-CVE-2018.html

Author: buildbot
Date: Mon Jul 29 15:25:26 2019
New Revision: 1048220

Log:
Staging update by buildbot for vcl

Added:
    websites/staging/vcl/trunk/content/patches/
    websites/staging/vcl/trunk/content/patches/patching-CVE-2018.html
Modified:
    websites/staging/vcl/trunk/content/   (props changed)

Propchange: websites/staging/vcl/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Jul 29 15:25:26 2019
@@ -1 +1 @@
-1863949
+1863951

Added: websites/staging/vcl/trunk/content/patches/patching-CVE-2018.html
==============================================================================
--- websites/staging/vcl/trunk/content/patches/patching-CVE-2018.html (added)
+++ websites/staging/vcl/trunk/content/patches/patching-CVE-2018.html Mon Jul 29 15:25:26 2019
@@ -0,0 +1,174 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE- 2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+
+  <link href="/css/vcl.css" rel="stylesheet" type="text/css">
+  <link href="/css/code.css" rel="stylesheet" type="text/css">
+  <title>Apache VCL - Patching CVE-2018-11772, CVE-2018-11773, and CVE-2018-11774</title>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+</head>
+
+<body>
+  <div id="sitetitle">
+    <table width="100%" border="0" cellspacing="0" cellpadding="5">
+      <tr>
+         <td><a href="/index.html"><img src="/img/vcl-logo.png" height="100" align="left" alt="Apache VCL logo"></a></td>
+         <td><a href="http://www.apache.org"><img src="/img/asf-logo.png" align="right" alt="Apache Software Foundation logo"></a></td>
+      </tr>
+    </table>
+  </div>
+  
+  <div id="left-column">
+    <div id="navigation"> 
+      <style type="text/css">
+/* The following code is added by mdx_elementid.py
+   It was originally lifted from http://subversion.apache.org/style/site.css */
+/*
+ * Hide class="elementid-permalink", except when an enclosing heading
+ * has the :hover property.
+ */
+.headerlink, .elementid-permalink {
+  visibility: hidden;
+}
+h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style>
+<ul>
+<li><a href="/index.html">Information</a><ul>
+<li><a href="/info/features.html">Features</a></li>
+<li><a href="/info/architecture.html">Architecture</a></li>
+<li><a href="/downloads/download.cgi">Download</a></li>
+<li><a href="http://www.apache.org/licenses/">License</a></li>
+<li><a href="http://www.apache.org/security/">Security</a></li>
+</ul>
+</li>
+<li><a href="/docs/index.html">Documentation</a><ul>
+<li><a href="https://cwiki.apache.org/confluence/x/yQdG">Using VCL</a></li>
+<li><a href="https://cwiki.apache.org/confluence/x/ywdG">Administration</a></li>
+<li><a href="/docs/installation.html">Installation</a></li>
+</ul>
+</li>
+<li><a href="https://cwiki.apache.org/confluence/display/VCL/Apache+VCL" target="_blank">Confluence Wiki</a><ul>
+<li></li>
+</ul>
+</li>
+<li><a href="https://issues.apache.org/jira/browse/VCL" target="_blank">Jira Issue Tracking</a><ul>
+<li></li>
+</ul>
+</li>
+<li><a href="/comm/index.html">Community</a><ul>
+<li><a href="/comm/index.html#getInvolved">Getting Involved</a></li>
+<li><a href="/comm/index.html#mail-list">Mailing Lists</a></li>
+<li><a href="/dev/index.html">Development</a><ul>
+<li><a href="/dev/code-documentation.html">Code Documentation</a></li>
+<li><a href="/dev/roadmap.html">Roadmap</a></li>
+</ul>
+</li>
+</ul>
+</li>
+<li><a href="http://www.apache.org">Apache Software Foundation</a><ul>
+<li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+</ul>
+</li>
+</ul>
+    </div>
+    <div id="current-event"> 
+      <a  href="https://www.apache.org/events/current-event.html"><img src="https://www.apache.org/events/current-event-125x125.png"/></a>
+    </div>
+  </div>
+  
+  <div id="content">
+    <h1 class="title">Patching CVE-2018-11772, CVE-2018-11773, and CVE-2018-11774</h1>
+    <style type="text/css">
+/* The following code is added by mdx_elementid.py
+   It was originally lifted from http://subversion.apache.org/style/site.css */
+/*
+ * Hide class="elementid-permalink", except when an enclosing heading
+ * has the :hover property.
+ */
+.headerlink, .elementid-permalink {
+  visibility: hidden;
+}
+h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style>
+<p>Please see the <a href="/security.html">security page</a> for more information about these patches.</p>
+<h2 id="downloading">Downloading<a class="headerlink" href="#downloading" title="Permanent link">&para;</a></h2>
+<p>Patches for Apache VCL versions 2.2.2, 2.3, 2.3.1, 2.3.2, 2.4.2, and 2.5 are all available in a
+single archive for all three of CVE-2018-11772, CVE-2018-11773, and CVE-2018-11774.</p>
+<ul>
+<li><a href="https://www.apache.org/dist/vcl/patches/CVE-2018-11772/CVE-2018-11772.tar.bz2">CVE-2018-11772.tar.bz2</a>
+  [ <a href="https://www.apache.org/dist/vcl/patches/CVE-2018-11772/CVE-2018-11772.tar.bz2.asc">GPG</a> ]
+  [ <a href="https://www.apache.org/dist/vcl/patches/CVE-2018-11772/CVE-2018-11772.tar.bz2.sha512">SHA512</a> ]
+  (published on 2019-07-29)</li>
+</ul>
+<h2 id="applying-patches">Applying Patches<a class="headerlink" href="#applying-patches" title="Permanent link">&para;</a></h2>
+<p>The patches are only for the web code and therefore only need to be applied to
+that portion of the code.  To apply the patches, download the archive to the web
+server running your VCL code.  Extract it under /tmp.  It will generate a
+directory named CVE-2018-11772 (though it patches all 3 CVEs) with
+subdirectories for each VCL version under that.  Then, cd to where your web
+code is (probably something like /var/www/html/vcl).  You should be in the
+directory containing index.php, .ht-inc, and js.  Four files will be patched.
+So, you'll probably want to make backup copies of them before patching:</p>
+<div class="codehilite"><pre>.ht-inc/blockallocations.php
+.ht-inc/privileges.php
+.ht-inc/vm.php
+js/vm.js
+</pre></div>
+
+
+<p>You can see what version of VCL you have by running</p>
+<div class="codehilite"><pre>grep VCLversion index.php
+</pre></div>
+
+
+<p>Finally, while still in the directory containing index.php, apply the patches
+for your version using a command similar to the following, substituting the
+proper version number.</p>
+<div class="codehilite"><pre>patch -p1 &lt; /tmp/CVE-2018-11772/2.5/VCL-2.5-CVE-2018.patch
+</pre></div>
+
+
+<p>You should see output similar to</p>
+<div class="codehilite"><pre>patching file .ht-inc/blockallocations.php
+patching file .ht-inc/privileges.php
+patching file .ht-inc/vm.php
+patching file js/vm.js
+</pre></div>
+
+
+<p>Patches to php files will take effect immediately - there is no need to
+restart httpd.  The patched vm.js file will take effect when users' browsers
+reload it.  There is no problem in having a delay in vm.js getting updated in
+users' browsers as it only affects an error message displayed to users if they
+attempt to submit invalid data.</p>
+  </div>
+  
+  <div id="footer">
+    <div class="copyright">
+      <p>
+        Copyright &copy; 2019 The Apache Software Foundation, Licensed under 
+        the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
+        <br />
+        Apache and the Apache feather logo are trademarks of The Apache Software Foundation.
+      </p>
+    </div>
+  </div>
+  
+</body>
+</html>
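
Review bot: The "Applying Patches" paragraph goes straight from "download the archive to the web server" to "Extract it under /tmp" with no step to check the archive, although the Downloading list already links the GPG signature and the SHA512 file. Add a sentence telling administrators to verify the archive against the .asc or .sha512 before extracting it, since the patch is then applied directly to live web code. The backup advice names the four files but gives no command; showing a copy command, or suggesting a `patch --dry-run` pass first, would make that step harder to skip. Separately, the license comment in the head reads "LICENSE- 2.0" with a stray space inside the URL, unlike the footer link to LICENSE-2.0.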