Patching CVE-2018-11772, CVE-2018-11773, and CVE-2018-11774
Please see the security page for more information about these patches.
Downloading
Patches for Apache VCL versions 2.2.2, 2.3, 2.3.1, 2.3.2, 2.4.2, and 2.5 are all available in a single archive for all three of CVE-2018-11772, CVE-2018-11773, and CVE-2018-11774.
- CVE-2018-11772.tar.bz2 [ GPG ] [ SHA512 ] (published on 2019-07-29)
Applying Patches
The patches are only for the web code and therefore only need to be applied to that portion of the code.

To apply the patches, download the archive to the web server running your VCL code and extract it under /tmp. It will generate a directory named CVE-2018-11772 (though it patches all 3 CVEs) with subdirectories for each VCL version under that.

Then, cd to where your web code is (probably something like /var/www/html/vcl). You should be in the directory containing index.php, .ht-inc, and js. Four files will be patched, so you'll probably want to make backup copies of them before patching:
- .ht-inc/blockallocations.php
- .ht-inc/privileges.php
- .ht-inc/vm.php
- js/vm.js
You can see what version of VCL you have by running:
grep VCLversion index.php
Finally, while still in the directory containing index.php, apply the patches for your version using a command similar to the following, substituting the proper version number.
patch -p1 < /tmp/CVE-2018-11772/2.5/VCL-2.5-CVE-2018.patch
You should see output similar to:
    patching file .ht-inc/blockallocations.php
    patching file .ht-inc/privileges.php
    patching file .ht-inc/vm.php
    patching file js/vm.js
Patches to PHP files take effect immediately; there is no need to restart httpd. The patched vm.js file takes effect when users' browsers reload it. A delay in vm.js being updated in users' browsers is not a problem, as it only affects an error message displayed to users if they attempt to submit invalid data.
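The steps above as one script, added here as an example and not part of the VCL project's own instructions: it refuses versions the archive does not cover, backs up the four files, and dry-runs the patch before applying it. The function names and the backup directory argument are hypothetical, `--dry-run` assumes GNU patch, and the patch file name for versions other than 2.5 is assumed to follow the 2.5 pattern shown above.

```sh
#!/bin/sh
# Added example, not from the VCL project. Function names are hypothetical.
set -eu

# The four files the page says the patch touches, relative to the web root.
VCL_FILES=".ht-inc/blockallocations.php .ht-inc/privileges.php .ht-inc/vm.php js/vm.js"
# Versions the page lists as covered by the archive.
PATCHED_VERSIONS="2.2.2 2.3 2.3.1 2.3.2 2.4.2 2.5"

# Succeed only if $1 is one of the versions the archive covers.
is_patched_version() {
    for v in $PATCHED_VERSIONS; do
        [ "$v" = "$1" ] && return 0
    done
    return 1
}

# Copy the four files from web root $1 to backup dir $2, keeping relative
# paths and modes. A missing file means $1 is not the VCL web root.
backup_vcl_files() {
    for f in $VCL_FILES; do
        [ -f "$1/$f" ] || { echo "missing: $1/$f" >&2; return 1; }
        mkdir -p "$2/$(dirname "$f")"
        cp -p "$1/$f" "$2/$f"
    done
}

# apply_vcl_patch WEBROOT VERSION BACKUPDIR
# Keep BACKUPDIR outside the document root so unpatched copies are not served.
apply_vcl_patch() {
    is_patched_version "$2" || { echo "no patch for version $2" >&2; return 1; }
    # Assumption: every version follows the 2.5 file naming shown on the page.
    p="/tmp/CVE-2018-11772/$2/VCL-$2-CVE-2018.patch"
    [ -f "$p" ] || { echo "patch not found: $p" >&2; return 1; }
    backup_vcl_files "$1" "$3" || return 1
    # Dry run first (GNU patch): a version mismatch then changes nothing.
    (cd "$1" && patch -p1 --dry-run < "$p" >/dev/null && patch -p1 < "$p")
}

# Run only when called with all three arguments.
if [ "$#" -eq 3 ]; then
    apply_vcl_patch "$@"
fi
```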