Resolves: RHEL-30337 - varnish: HTTP/2 Broken Window Attack may result

in denial of service (CVE-2024-30156)

varnish.spec

@@ -23,7 +23,7 @@
 Summary: High-performance HTTP accelerator
 Name: varnish
 Version: 6.6.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: BSD
 URL: https://www.varnish-cache.org/
 Source0: http://varnish-cache.org/_downloads/%{name}-%{version}.tgz
@@ -73,6 +73,9 @@ Patch101: varnish-6.6.2-CVE-2023-44487-rate_limit.patch
 # https://issues.redhat.com/browse/RHEL-12818
 Patch102: varnish-6.6.2-CVE-2023-44487-vcl_vrt.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=2271486
+Patch103: varnish-6.6.2-CVE-2024-30156.patch
+
 %if 0%{?fedora} > 29
 Provides: varnish%{_isa} = %{version}-%{release}
 Provides: varnishd(abi)%{_isa} = %{abi}
@@ -168,6 +171,7 @@ sed -i 's,rst2man-3.6,rst2man-3.4,g; s,rst2html-3.6,rst2html-3.4,g; s,phinx-buil
 %patch100 -p1 -b .CVE-2022-45060
 %patch101 -p1 -b .CVE-2023-44487
 %patch102 -p1 -b .CVE-2023-44487-vcl
+%patch103 -p1 -b .CVE-2024-30156
 
 %build
 # https://gcc.gnu.org/wiki/FAQ#PR323
@@ -316,6 +320,10 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 
 
 %changelog
+* Tue Apr 16 2024 Luboš Uhliarik <luhliari@redhat.com> - 6.6.2-6
+- Resolves: RHEL-30337 - varnish: HTTP/2 Broken Window Attack may result
+  in denial of service (CVE-2024-30156)
+
 * Fri Oct 20 2023 Tomas Korbar <tkorbar@redhat.com> - 6.6.2-5
 - Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487
 - Resolves: RHEL-12818

vsv00002_test.patch

@@ -1,11 +0,0 @@
---- bin/varnishtest/tests/r02429.vtc.orig	2017-11-16 11:08:04.718822949 +0100
-+++ bin/varnishtest/tests/r02429.vtc	2017-11-16 11:08:12.411275341 +0100
-@@ -4,7 +4,7 @@
- 	accept
- } -start
- 
--varnish v1 -arg "-s Transient=file,${tmpdir}/_.file,1m" -vcl+backend {
-+varnish v1 -arg "-s Transient=file,${tmpdir}/_.file,10m" -vcl+backend {
- 	sub vcl_backend_error {
- 		synthetic("foo");
- 		return (deliver);