| Title: Patching CVE-2018-11772, CVE-2018-11773, and CVE-2018-11774 |
| Notice: Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| . |
| http://www.apache.org/licenses/LICENSE-2.0 |
| . |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| |
| Please see the [security page](/security.html) for more information about these patches. |
| |
| ## Downloading |
| Patches for Apache VCL versions 2.2.2, 2.3, 2.3.1, 2.3.2, 2.4.2, and 2.5 are all available in a |
| single archive for all three of CVE-2018-11772, CVE-2018-11773, and CVE-2018-11774. |
| |
| * [CVE-2018-11772.tar.bz2](https://www.apache.org/dist/vcl/patches/CVE-2018-11772/CVE-2018-11772.tar.bz2) |
| [ [GPG](https://www.apache.org/dist/vcl/patches/CVE-2018-11772/CVE-2018-11772.tar.bz2.asc) ] |
| [ [SHA512](https://www.apache.org/dist/vcl/patches/CVE-2018-11772/CVE-2018-11772.tar.bz2.sha512) ] |
| (published on 2019-07-29) |
| |
| ## Applying Patches |
| The patches are only for the web code and therefore only need to be applied to |
| that portion of the code. To apply the patches, download the archive to the web |
| server running your VCL code. Extract it under /tmp. It will generate a |
| directory named CVE-2018-11772 (though it patches all 3 CVEs) with |
| subdirectories for each VCL version under that. Then, cd to where your web |
| code is (probably something like /var/www/html/vcl). You should be in the |
| directory containing index.php, .ht-inc, and js. Four files will be patched. |
| So, you'll probably want to make backup copies of them before patching: |
| |
| :::Text |
| .ht-inc/blockallocations.php |
| .ht-inc/privileges.php |
| .ht-inc/vm.php |
| js/vm.js |
| |
| You can see what version of VCL you have by running |
| |
| :::Text |
| grep VCLversion index.php |
| |
| Finally, while still in the directory containing index.php, apply the patches |
| for your version using a command similar to the following, substituting the |
| proper version number. |
| |
| :::Text |
| patch -p1 < /tmp/CVE-2018-11772/2.5/VCL-2.5-CVE-2018.patch |
| |
| You should see output similar to |
| |
| :::Text |
| patching file .ht-inc/blockallocations.php |
| patching file .ht-inc/privileges.php |
| patching file .ht-inc/vm.php |
| patching file js/vm.js |
| |
| Patches to php files will take effect immediately - there is no need to |
| restart httpd. The patched vm.js file will take effect when users' browsers |
| reload it. There is no problem in having a delay in vm.js getting updated in |
| users' browsers as it only affects an error message displayed to users if they |
| attempt to submit invalid data. |
