Author: buildbot
Date: Mon Jul 29 15:20:31 2019
New Revision: 1048217
Log: Staging update by buildbot for vcl
Added: websites/staging/vcl/trunk/content/security.html Modified: websites/staging/vcl/trunk/content/ (props changed) Propchange: websites/staging/vcl/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Mon Jul 29 15:20:31 2019 @@ -1 +1 @@ -1863944 +1863947 Added: websites/staging/vcl/trunk/content/security.html ============================================================================== --- websites/staging/vcl/trunk/content/security.html (added) +++ websites/staging/vcl/trunk/content/security.html Mon Jul 29 15:20:31 2019 
@@ -0,0 +1,203 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html> +<head> +<!-- + + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE- 2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + + <link href="/css/vcl.css" rel="stylesheet" type="text/css"> + <link href="/css/code.css" rel="stylesheet" type="text/css"> + <title>Apache VCL - Apache VCL Security</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> +</head> + +<body> + <div id="sitetitle"> + <table width="100%" border="0" cellspacing="0" cellpadding="5"> + <tr> + <td><a href="/index.html"><img src="/img/vcl-logo.png" height="100" align="left" alt="Apache VCL logo"></a></td> + <td><a href="http://www.apache.org"><img src="/img/asf-logo.png" align="right" alt="Apache Software Foundation logo"></a></td> + </tr> + </table> + </div> + + <div id="left-column"> + <div id="navigation"> + <style type="text/css"> +/* The following code is added by mdx_elementid.py + It was originally lifted from http://subversion.apache.org/style/site.css */ +/* + * Hide class="elementid-permalink", except when an enclosing heading + * has the :hover property. 
+ */ +.headerlink, .elementid-permalink { + visibility: hidden; +} +h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style> +<ul> +<li><a href="/index.html">Information</a><ul> +<li><a href="/info/features.html">Features</a></li> +<li><a href="/info/architecture.html">Architecture</a></li> +<li><a href="/downloads/download.cgi">Download</a></li> +<li><a href="http://www.apache.org/licenses/">License</a></li> +<li><a href="http://www.apache.org/security/">Security</a></li> +</ul> +</li> +<li><a href="/docs/index.html">Documentation</a><ul> +<li><a href="https://cwiki.apache.org/confluence/x/yQdG">Using VCL</a></li> +<li><a href="https://cwiki.apache.org/confluence/x/ywdG">Administration</a></li> +<li><a href="/docs/installation.html">Installation</a></li> +</ul> +</li> +<li><a href="https://cwiki.apache.org/confluence/display/VCL/Apache+VCL" target="_blank">Confluence Wiki</a><ul> +<li></li> +</ul> +</li> +<li><a href="https://issues.apache.org/jira/browse/VCL" target="_blank">Jira Issue Tracking</a><ul> +<li></li> +</ul> +</li> +<li><a href="/comm/index.html">Community</a><ul> +<li><a href="/comm/index.html#getInvolved">Getting Involved</a></li> +<li><a href="/comm/index.html#mail-list">Mailing Lists</a></li> +<li><a href="/dev/index.html">Development</a><ul> +<li><a href="/dev/code-documentation.html">Code Documentation</a></li> +<li><a href="/dev/roadmap.html">Roadmap</a></li> +</ul> +</li> +</ul> +</li> +<li><a href="http://www.apache.org">Apache Software Foundation</a><ul> +<li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li> +<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> +</ul> +</li> +</ul> + </div> + <div id="current-event"> + <a href="https://www.apache.org/events/current-event.html"><img 
src="https://www.apache.org/events/current-event-125x125.png"/></a> + </div> + </div> + + <div id="content"> + <h1 class="title">Apache VCL Security</h1> + <style type="text/css"> +/* The following code is added by mdx_elementid.py + It was originally lifted from http://subversion.apache.org/style/site.css */ +/* + * Hide class="elementid-permalink", except when an enclosing heading + * has the :hover property. + */ +.headerlink, .elementid-permalink { + visibility: hidden; +} +h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style> +<h1 id="h1-security-issues">h1 Security Issues<a class="headerlink" href="#h1-security-issues" title="Permanent link">¶</a></h1> +<p>The Apache Software Foundation takes security issues seriously and has a +<a href="https://www.apache.org/security/">security team</a> that helps Apache projects work through security +issues. 
If you discover any potential vulnerabilities in Apache VCL, please report them to +<a href="mailto:secur...@apache.org">secur...@apache.org</a>.</p> +<h1 id="h2-known-security-issues">h2 Known Security Issues<a class="headerlink" href="#h2-known-security-issues" title="Permanent link">¶</a></h1> +<p>Here is a list of known security issues with Apache VCL along with the versions affected, versions +in which they were fixed, and information on patching vulnerable versions.</p> +<h1 id="h3-cve-2018-11772">h3 CVE-2018-11772<a class="headerlink" href="#h3-cve-2018-11772" title="Permanent link">¶</a></h1> +<ul> +<li>Announced: July 29th, 2019</li> +<li>Affected versions: versions 2.1 through 2.5</li> +<li>Fixed in version: 2.5.1</li> +<li><a href="/patches/patching-CVE-2018.html">Installing patches</a></li> +<li>Problem type: SQL injection</li> +<li> +<p>Description:</p> +<p>Apache VCL versions 2.1 through 2.5 do not properly validate cookie input when determining what +node (if any) was previously selected in the privilege tree. The cookie data is then used in an +SQL statement. This allows for an SQL injection attack. Access to this portion of a VCL system +requires admin level rights. Other layers of security seem to protect against malicious attack. +However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched. 
+This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech.</p> +</li> +</ul> +<h1 id="h3-cve-2018-11773">h3 CVE-2018-11773<a class="headerlink" href="#h3-cve-2018-11773" title="Permanent link">¶</a></h1> +<ul> +<li>Announced: July 29th, 2019</li> +<li>Affected versions: versions 2.1 through 2.5</li> +<li>Fixed in version: 2.5.1</li> +<li><a href="/patches/patching-CVE-2018.html">Installing patches</a></li> +<li>Problem type: improper form validation</li> +<li> +<p>Description:</p> +<p>Apache VCL versions 2.1 through 2.5 do not properly validate form input when processing a +submitted block allocation. The form data is then used as an argument to the php built in +function strtotime. This allows for an attack against the underlying implementation of that +function. The implementation of strtotime at the time the issue was discovered appeared to be +resistant to a malicious attack. However, all VCL systems running versions earlier than 2.5.1 +should be upgraded or patched. This vulnerability was found and reported to the Apache VCL +project by ADLab of Venustech.</p> +</li> +</ul> +<h1 id="h3-cve-2018-11774">h3 CVE-2018-11774<a class="headerlink" href="#h3-cve-2018-11774" title="Permanent link">¶</a></h1> +<ul> +<li>Announced: July 29th, 2019</li> +<li>Affected versions: versions 2.1 through 2.5</li> +<li>Fixed in version: 2.5.1</li> +<li><a href="/patches/patching-CVE-2018.html">Installing patches</a></li> +<li>Problem type: SQL Injection</li> +<li> +<p>Description:</p> +<p>Apache VCL versions 2.1 through 2.5 do not properly validate form input when adding and +removing VMs to and from hosts. The form data is then used in SQL statements. This allows for +an SQL injection attack. Access to this portion of a VCL system requires admin level rights.<br /> +Other layers of security seem to protect against malicious attack. However, all VCL systems +running versions earlier than 2.5.1 should be upgraded or patched. 
This vulnerability was +found and reported to the Apache VCL project by ADLab of Venustech.</p> +</li> +</ul> +<h1 id="h3-cve-2013-0267">h3 CVE-2013-0267<a class="headerlink" href="#h3-cve-2013-0267" title="Permanent link">¶</a></h1> +<ul> +<li>Announced: May 6th, 2013</li> +<li>Affected versions: versions 2.1, 2.2, 2.2.1, 2.3, 2.3.1</li> +<li>Fixed in version: 2.2.2, 2.3.2</li> +<li>Problem type: improper input validation</li> +<li> +<p>Description:</p> +<p>Some parts of VCL did not properly validate input data. This problem was present both in the +Privileges portion of the web GUI and in the XMLRPC API.</p> +<p>A malicious user having a minimal level of administrative rights could +manipulate the data submitted by the web GUI or submit non-standard data to +the API to gain additional administrative rights.</p> +<p>The API functions that are vulnerable were introduced in 2.3.1. Some of those +API functions can also be exploited to perform a DOS attack on the site to +remove access from other users and to perform an XSS attack to gain elevated +privileges.</p> +<p>The vulnerabilities were found by an Apache VCL developer doing a code review.</p> +</li> +</ul> + </div> + + <div id="footer"> + <div class="copyright"> + <p> + Copyright © 2019 The Apache Software Foundation, Licensed under + the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. + <br /> + Apache and the Apache feather logo are trademarks of The Apache Software Foundation. + </p> + </div> + </div> + +</body> +</html>
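Review bot: Every heading in the generated security.html is emitted as an `<h1>` whose text carries a literal level prefix ("h1 Security Issues", "h2 Known Security Issues", "h3 CVE-2018-11772"), and the permalink ids follow suit (`id="h1-security-issues"`, `id="h3-cve-2018-11772"`), so the page has no document outline and the prefixes appear in the rendered titles; the markdown source behind this staging build needs its heading syntax corrected so that "Security Issues" is the only top-level heading, "Known Security Issues" is an `<h2>`, and each CVE entry is an `<h3>` (e.g. `<h2 id="known-security-issues">Known Security Issues`). Smaller points in the same file: the report address is rendered as `secur...@apache.org` in both the href and the link text, so confirm the source holds the full, unobfuscated ASF security reporting address rather than an elided one; the license URL in the header comment reads `LICENSE- 2.0` with a space in it; the CVE-2018-11774 description contains a stray `<br />` after "admin level rights." that the other two 2018 entries do not have; the "Problem type" value is "SQL injection" for CVE-2018-11772 but "SQL Injection" for CVE-2018-11774; the CVE-2013-0267 entry has no "Installing patches" link, so either add one or state explicitly that affected installations must upgrade to 2.2.2 or 2.3.2; the Confluence Wiki and Jira navigation entries each contain an empty `<li></li>` child; and the current-event `<img>` has no alt attribute.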