Patching CVE-2024-53678 and CVE-2024-53679
Please see the security page for more information about these patches.
Downloading
Patches for Apache VCL version 2.5.1 are available in a single archive for both CVE-2024-53678 and CVE-2024-53679.
- VCL-CVE-2024.tar.bz2 [ GPG ] [ SHA512 ] (published on 2025-03-24)
Applying Patches
The patches are only for the web code, so they only need to be applied to that portion of the code. To apply them, download the archive to the web server running your VCL code and extract it under /tmp. This creates a directory named VCL-CVE-2024.
Then cd to where your web code is (probably something like /var/www/html/vcl) and go into the .ht-inc subdirectory. You should now be in the directory containing blockallocations.php, privileges.php, and lots of other .php files.
blockallocations.php and privileges.php will be patched, so you’ll probably want to make backup copies of them before patching:
cp blockallocations.php /root/blockallocations-preCVE2024.php
cp privileges.php /root/privileges-preCVE2024.php
While still in the directory containing lots of .php files, apply the first patch using the following command:
patch < /tmp/VCL-CVE-2024/CVE-2024-53678.patch
You should see output similar to:
patching file blockallocations.php
Apply the second patch using the following command:
patch < /tmp/VCL-CVE-2024/CVE-2024-53679.patch
You should see output similar to:
patching file privileges.php
Patches to PHP files take effect immediately; there is no need to restart httpd.
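The same procedure as a script that checks the archive's SHA-512 digest, dry-runs both patches before changing anything, and backs up the two files. It is an added example, not part of the VCL project; the function names, the digest-first layout of the .sha512 file, and the paths in the final comment are assumptions.

```shell
#!/bin/sh
# Added example, not VCL project code. Assumes GNU patch, tar, and coreutils,
# and that the .sha512 file begins with the hex digest (an assumption).
# A GPG signature check against the project's release keys is stronger; not shown.

# verify_sha512 ARCHIVE SUMFILE: succeed only if the digests match.
verify_sha512() (
    expected=$(awk 'NR==1 {print tolower($1)}' "$2")
    actual=$(sha512sum "$1" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
)

# backup_targets SRC_DIR DEST_ROOT FILE...: copy files into a new timestamped
# directory under DEST_ROOT and print that directory's path.
backup_targets() (
    src=$1; dest="$2/vcl-preCVE2024-$(date +%Y%m%d%H%M%S)"; shift 2
    mkdir -p "$dest" || exit 1
    for f in "$@"; do cp -p "$src/$f" "$dest/$f" || exit 1; done
    printf '%s\n' "$dest"
)

# would_apply DIR PATCHFILE (absolute path): dry run, changes nothing on disk.
# -N makes an already-applied patch fail the check instead of prompting.
would_apply() (
    cd "$1" && patch -N --dry-run < "$2" >/dev/null
)

# patch_vcl ARCHIVE SUMFILE HT_INC_DIR: the page's procedure with checks added.
patch_vcl() (
    work=/tmp/VCL-CVE-2024
    patches="CVE-2024-53678.patch CVE-2024-53679.patch"
    verify_sha512 "$1" "$2" || { echo "SHA-512 mismatch: $1" >&2; exit 1; }
    tar -xjf "$1" -C /tmp || exit 1
    for p in $patches; do   # check both before touching either file
        would_apply "$3" "$work/$p" || { echo "$p does not apply cleanly" >&2; exit 1; }
    done
    backup_targets "$3" /root blockallocations.php privileges.php || exit 1
    for p in $patches; do
        ( cd "$3" && patch < "$work/$p" ) || exit 1
    done
)

# Example call (paths are assumptions; adjust to your install):
# patch_vcl /tmp/VCL-CVE-2024.tar.bz2 /tmp/VCL-CVE-2024.tar.bz2.sha512 /var/www/html/vcl/.ht-inc
```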