CVE-2018-11773: Apache VCL improper form validation in block allocation management

Severity: Medium

Versions Affected: 2.1 through 2.5

Description: Apache VCL versions 2.1 through 2.5 do not properly validate form input when processing a submitted block allocation. The form data is then used as an argument to the PHP built-in function strtotime. This allows for an attack against the underlying implementation of that function. The implementation of strtotime at the time the issue was discovered appeared to be resistant to a malicious attack. However, all VCL systems running versions earlier than 2.5.1 should be upgraded or patched.

Mitigation: Upgrade to 2.5.1 or apply patches from https://vcl.apache.org/security.html

Credit: This vulnerability was found and reported to the Apache VCL project by ADLab of Venustech.

CVE Released: July 29th, 2019
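
The following is an added example, not part of the advisory and not the VCL project's patch: one way to allow-list a submitted date/time field so that free-form strings never reach strtotime. The accepted format ("YYYY-MM-DD HH:MM"), the time bounds and the function name parse_block_time are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not VCL code): accept only "YYYY-MM-DD HH:MM" and
 * return a Unix timestamp, or null if the input is not exactly that shape.
 */
function parse_block_time($raw, int $minTs, int $maxTs): ?int
{
    // Form values can arrive as arrays (field[]=x); reject anything non-string.
    if (!is_string($raw) || strlen($raw) !== 16) {
        return null;
    }
    // Allow-list the exact character layout before any date parsing happens.
    if (preg_match('/\A\d{4}-\d{2}-\d{2} \d{2}:\d{2}\z/', $raw) !== 1) {
        return null;
    }
    // Parse against one fixed format instead of strtotime's free-form grammar.
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d H:i', $raw, new DateTimeZone('UTC'));
    if ($dt === false) {
        return null;
    }
    // Reject values that only parsed by overflow (e.g. 2019-02-31 -> March 3).
    if ($dt->format('Y-m-d H:i') !== $raw) {
        return null;
    }
    // Bound the result to the window the application considers plausible.
    $ts = $dt->getTimestamp();
    return ($ts >= $minTs && $ts <= $maxTs) ? $ts : null;
}

// Constructed sample inputs, shaped like values that could arrive in $_POST.
$min = gmmktime(0, 0, 0, 1, 1, 2019);
$max = gmmktime(0, 0, 0, 1, 1, 2021);
$samples = [
    '2019-07-29 08:00',            // well formed, inside the window
    '2019-02-31 08:00',            // impossible calendar date
    'next thursday +9999 years',   // free-form text strtotime would interpret
    ['2019-07-29 08:00'],          // array instead of string
    "2019-07-29 08:00\n",          // trailing newline
];
foreach ($samples as $s) {
    $ts = parse_block_time($s, $min, $max);
    printf("%-32s => %s\n", json_encode($s), $ts === null ? 'rejected' : (string) $ts);
}
```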
