Author: buildbot Date: Mon Jul 29 15:25:26 2019 New Revision: 1048220 Log: Staging update by buildbot for vcl
Added: websites/staging/vcl/trunk/content/patches/ websites/staging/vcl/trunk/content/patches/patching-CVE-2018.html Modified: websites/staging/vcl/trunk/content/ (props changed) Propchange: websites/staging/vcl/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Mon Jul 29 15:25:26 2019 @@ -1 +1 @@ -1863949 +1863951 Added: websites/staging/vcl/trunk/content/patches/patching-CVE-2018.html ============================================================================== --- websites/staging/vcl/trunk/content/patches/patching-CVE-2018.html (added) +++ websites/staging/vcl/trunk/content/patches/patching-CVE-2018.html Mon Jul 29 15:25:26 2019 
@@ -0,0 +1,174 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html> +<head> +<!-- + + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE- 2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> + + <link href="/css/vcl.css" rel="stylesheet" type="text/css"> + <link href="/css/code.css" rel="stylesheet" type="text/css"> + <title>Apache VCL - Patching CVE-2018-11772, CVE-2018-11773, and CVE-2018-11774</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> +</head> + +<body> + <div id="sitetitle"> + <table width="100%" border="0" cellspacing="0" cellpadding="5"> + <tr> + <td><a href="/index.html"><img src="/img/vcl-logo.png" height="100" align="left" alt="Apache VCL logo"></a></td> + <td><a href="http://www.apache.org"><img src="/img/asf-logo.png" align="right" alt="Apache Software Foundation logo"></a></td> + </tr> + </table> + </div> + + <div id="left-column"> + <div id="navigation"> + <style type="text/css"> +/* The following code is added by mdx_elementid.py + It was originally lifted from http://subversion.apache.org/style/site.css */ +/* + * Hide class="elementid-permalink", except when an enclosing heading + * has the :hover property. 
+ */ +.headerlink, .elementid-permalink { + visibility: hidden; +} +h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style> +<ul> +<li><a href="/index.html">Information</a><ul> +<li><a href="/info/features.html">Features</a></li> +<li><a href="/info/architecture.html">Architecture</a></li> +<li><a href="/downloads/download.cgi">Download</a></li> +<li><a href="http://www.apache.org/licenses/">License</a></li> +<li><a href="http://www.apache.org/security/">Security</a></li> +</ul> +</li> +<li><a href="/docs/index.html">Documentation</a><ul> +<li><a href="https://cwiki.apache.org/confluence/x/yQdG">Using VCL</a></li> +<li><a href="https://cwiki.apache.org/confluence/x/ywdG">Administration</a></li> +<li><a href="/docs/installation.html">Installation</a></li> +</ul> +</li> +<li><a href="https://cwiki.apache.org/confluence/display/VCL/Apache+VCL" target="_blank">Confluence Wiki</a><ul> +<li></li> +</ul> +</li> +<li><a href="https://issues.apache.org/jira/browse/VCL" target="_blank">Jira Issue Tracking</a><ul> +<li></li> +</ul> +</li> +<li><a href="/comm/index.html">Community</a><ul> +<li><a href="/comm/index.html#getInvolved">Getting Involved</a></li> +<li><a href="/comm/index.html#mail-list">Mailing Lists</a></li> +<li><a href="/dev/index.html">Development</a><ul> +<li><a href="/dev/code-documentation.html">Code Documentation</a></li> +<li><a href="/dev/roadmap.html">Roadmap</a></li> +</ul> +</li> +</ul> +</li> +<li><a href="http://www.apache.org">Apache Software Foundation</a><ul> +<li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li> +<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> +</ul> +</li> +</ul> + </div> + <div id="current-event"> + <a href="https://www.apache.org/events/current-event.html"><img 
src="https://www.apache.org/events/current-event-125x125.png"/></a> + </div> + </div> + + <div id="content"> + <h1 class="title">Patching CVE-2018-11772, CVE-2018-11773, and CVE-2018-11774</h1> + <style type="text/css"> +/* The following code is added by mdx_elementid.py + It was originally lifted from http://subversion.apache.org/style/site.css */ +/* + * Hide class="elementid-permalink", except when an enclosing heading + * has the :hover property. + */ +.headerlink, .elementid-permalink { + visibility: hidden; +} +h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style> +<p>Please see the <a href="/security.html">security page</a> for more information about these patches.</p> +<h2 id="downloading">Downloading<a class="headerlink" href="#downloading" title="Permanent link">¶</a></h2> +<p>Patches for Apache VCL versions 2.2.2, 2.3, 2.3.1, 2.3.2, 2.4.2, and 2.5 are all available in a +single archive for all three of CVE-2018-11772, CVE-2018-11773, and CVE-2018-11774.</p> +<ul> +<li><a href="https://www.apache.org/dist/vcl/patches/CVE-2018-11772/CVE-2018-11772.tar.bz2">CVE-2018-11772.tar.bz2</a> + [ <a href="https://www.apache.org/dist/vcl/patches/CVE-2018-11772/CVE-2018-11772.tar.bz2.asc">GPG</a> ] + [ <a href="https://www.apache.org/dist/vcl/patches/CVE-2018-11772/CVE-2018-11772.tar.bz2.sha512">SHA512</a> ] + (published on 2019-07-29)</li> +</ul> +<h2 id="applying-patches">Applying Patches<a class="headerlink" href="#applying-patches" title="Permanent link">¶</a></h2> +<p>The patches are only for the web code and therefore only need to be applied to +that portion of the code. To apply the patches, download the archive to the web +server running your VCL code. Extract it under /tmp. It will generate a +directory named CVE-2018-11772 (though it patches all 3 CVEs) with +subdirectories for each VCL version under that. 
Then, cd to where your web +code is (probably something like /var/www/html/vcl). You should be in the +directory containing index.php, .ht-inc, and js. Four files will be patched. +So, you'll probably want to make backup copies of them before patching:</p> +<div class="codehilite"><pre>.ht-inc/blockallocations.php +.ht-inc/privileges.php +.ht-inc/vm.php +js/vm.js +</pre></div> + + +<p>You can see what version of VCL you have by running</p> +<div class="codehilite"><pre>grep VCLversion index.php +</pre></div> + + +<p>Finally, while still in the directory containing index.php, apply the patches +for your version using a command similar to the following, substituting the +proper version number.</p> +<div class="codehilite"><pre>patch -p1 < /tmp/CVE-2018-11772/2.5/VCL-2.5-CVE-2018.patch +</pre></div> + + +<p>You should see output similar to</p> +<div class="codehilite"><pre>patching file .ht-inc/blockallocations.php +patching file .ht-inc/privileges.php +patching file .ht-inc/vm.php +patching file js/vm.js +</pre></div> + + +<p>Patches to php files will take effect immediately - there is no need to +restart httpd. The patched vm.js file will take effect when users' browsers +reload it. There is no problem in having a delay in vm.js getting updated in +users' browsers as it only affects an error message displayed to users if they +attempt to submit invalid data.</p> + </div> + + <div id="footer"> + <div class="copyright"> + <p> + Copyright © 2019 The Apache Software Foundation, Licensed under + the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. + <br /> + Apache and the Apache feather logo are trademarks of The Apache Software Foundation. + </p> + </div> + </div> + +</body> +</html>
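Review bot: The "Applying Patches" section of the added patching-CVE-2018.html goes straight from downloading the archive to extracting it and running patch, with no step that verifies the download, even though the "Downloading" list links a GPG signature and a SHA512 file next to the tarball. Since these are security patches applied to live web code, add a step before extraction that checks CVE-2018-11772.tar.bz2 against the .asc signature and the .sha512 file. Two smaller points in the same section: "Extract it under /tmp" puts the patch files in a world-writable location, so a directory that only the administrator can write to would be a safer suggestion; and running the patch command with --dry-run first would show whether all four files apply cleanly before any of them is modified. The text says the expected output is four "patching file" lines but does not say what to do if a hunk is rejected, so a sentence on restoring the backup copies in that case would complete the procedure.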