initial creation of patch page for CVE-2018

git-svn-id: https://svn.apache.org/repos/asf/vcl/site/trunk@1863951 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/content/patches/patching-CVE-2018.mdtext b/content/patches/patching-CVE-2018.mdtext
new file mode 100644
index 0000000..023ad59
--- /dev/null
+++ b/content/patches/patching-CVE-2018.mdtext
@@ -0,0 +1,70 @@
+Title:     Patching CVE-2018-11772, CVE-2018-11773, and CVE-2018-11774
+Notice:    Licensed to the Apache Software Foundation (ASF) under one
+           or more contributor license agreements.  See the NOTICE file
+           distributed with this work for additional information
+           regarding copyright ownership.  The ASF licenses this file
+           to you under the Apache License, Version 2.0 (the
+           "License"); you may not use this file except in compliance
+           with the License.  You may obtain a copy of the License at
+           .
+             http://www.apache.org/licenses/LICENSE-2.0
+           .
+           Unless required by applicable law or agreed to in writing,
+           software distributed under the License is distributed on an
+           "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+           KIND, either express or implied.  See the License for the
+           specific language governing permissions and limitations
+           under the License.
+
+Please see the [security page](/security.html) for more information about these patches.
+
+## Downloading
+Patches for Apache VCL versions 2.2.2, 2.3, 2.3.1, 2.3.2, 2.4.2, and 2.5 are all available in a
+single archive for all three of CVE-2018-11772, CVE-2018-11773, and CVE-2018-11774.
+
+* [CVE-2018-11772.tar.bz2](https://www.apache.org/dist/vcl/patches/CVE-2018-11772/CVE-2018-11772.tar.bz2)
+  [ [GPG](https://www.apache.org/dist/vcl/patches/CVE-2018-11772/CVE-2018-11772.tar.bz2.asc) ]
+  [ [SHA512](https://www.apache.org/dist/vcl/patches/CVE-2018-11772/CVE-2018-11772.tar.bz2.sha512) ]
+  (published on 2019-07-29)
+
+## Applying Patches
+The patches are only for the web code and therefore only need to be applied to
+that portion of the code.  To apply the patches, download the archive to the web
+server running your VCL code.  Extract it under /tmp.  It will generate a
+directory named CVE-2018-11772 (though it patches all 3 CVEs) with
+subdirectories for each VCL version under that.  Then, cd to where your web
+code is (probably something like /var/www/html/vcl).  You should be in the
+directory containing index.php, .ht-inc, and js.  Four files will be patched.
+So, you'll probably want to make backup copies of them before patching:
+
+    :::Text
+    .ht-inc/blockallocations.php
+    .ht-inc/privileges.php
+    .ht-inc/vm.php
+    js/vm.js
+
+You can see what version of VCL you have by running
+
+    :::Text
+    grep VCLversion index.php
+
+Finally, while still in the directory containing index.php, apply the patches
+for your version using a command similar to the following, substituting the
+proper version number.
+
+    :::Text
+    patch -p1 < /tmp/CVE-2018-11772/2.5/VCL-2.5-CVE-2018.patch
+
+You should see output similar to
+
+    :::Text
+    patching file .ht-inc/blockallocations.php
+    patching file .ht-inc/privileges.php
+    patching file .ht-inc/vm.php
+    patching file js/vm.js
+
+Patches to php files will take effect immediately - there is no need to
+restart httpd.  The patched vm.js file will take effect when users' browsers
+reload it.  There is no problem in having a delay in vm.js getting updated in
+users' browsers as it only affects an error message displayed to users if they
+attempt to submit invalid data.
\ No newline at end of file
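Review bot: The "Applying Patches" section goes straight from downloading the archive to "Extract it under /tmp", with no step telling the reader to check it against the GPG signature and SHA512 files that the "Downloading" list links. Add a verification step ahead of the extraction so the archive is checked before anything is unpacked or applied to the web code. Two smaller points in the same section: the archive is extracted into the shared /tmp at a predictable path (/tmp/CVE-2018-11772), where a private working directory would be a safer default on a web server, and the backup advice ("you'll probably want to make backup copies") would be stronger paired with a `patch --dry-run -p1` pass before the real run, so a version mismatch shows up before any of the four files is modified. The file also ends without a trailing newline.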