From 1692ac55a6f9bccbd21453d483798156cfc8551b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Tue, 16 Apr 2024 15:08:01 +0200
Subject: [PATCH] new version 6.0.13

Resolves: RHEL-30379 - varnish:6/varnish: HTTP/2 Broken Window Attack may result in denial of service (CVE-2024-30156)
---
 .gitignore | 1 +
 sources | 2 +-
 varnish-6.0.8-CVE-2022-45060.patch | 85 -----
 varnish-6.0.8-CVE-2023-44487-rate_limit.patch | 326 ------------------
 varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch | 206 -----------
 varnish-6.0.8.CVE-2022-23959.patch | 13 -
 varnish.spec | 27 +-
 7 files changed, 11 insertions(+), 649 deletions(-)
 delete mode 100644 varnish-6.0.8-CVE-2022-45060.patch
 delete mode 100644 varnish-6.0.8-CVE-2023-44487-rate_limit.patch
 delete mode 100644 varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch
 delete mode 100644 varnish-6.0.8.CVE-2022-23959.patch

diff --git a/.gitignore b/.gitignore
index bd7f7ec..c786faf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
 SOURCES/varnish-6.0.8.tgz
 /pkg-varnish-cache-0ad2f22.tar.gz
 /varnish-6.0.8.tgz
+/varnish-6.0.13.tgz
diff --git a/sources b/sources
index 5bc7ad2..f147e92 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
+SHA512 (varnish-6.0.13.tgz) = 3bdb4f04bdb22789ebe04a1e57dc814a7d7e642456cce2696f7e05fe557a277f18d5dc4a2df22a27fa9445447af3356ebdb3c5d63c01bb32d9bff7881aa8a703
 SHA512 (pkg-varnish-cache-0ad2f22.tar.gz) = b66c05f74f9bd62ddf16ab3e7904f4e74993bd1406aaebf20d4dca840198430da9f5e746af22778f1a73063113ac19b6f8127d77ff71c30c246fd5fab5ed78da
-SHA512 (varnish-6.0.8.tgz) = 73ed2f465ba3b11680b20a70633fc78da9b3eac68395f927b7ff02f4106b6cc92a2b395db2813a0605da2771530e5c4fc594eaf5a9a32bf2e42181b6dd90cf3f
diff --git a/varnish-6.0.8-CVE-2022-45060.patch b/varnish-6.0.8-CVE-2022-45060.patch
deleted file mode 100644
index 6261b91..0000000
--- a/varnish-6.0.8-CVE-2022-45060.patch
+++ /dev/null
@@ -1,85 +0,0 @@ -diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c -index d432629..b0dacb9 100644 ---- a/bin/varnishd/http2/cache_http2_hpack.c -+++ b/bin/varnishd/http2/cache_http2_hpack.c -@@ -93,18 +93,25 @@ static h2_error - h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) - { - /* XXX: This might belong in cache/cache_http.c */ -+ const char *b0; - unsigned n; -+ int disallow_empty; -+ char *p; -+ int i; - - CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC); - AN(b); - assert(namelen >= 2); /* 2 chars from the ': ' that we added */ - assert(namelen <= len); -+ -+ disallow_empty = 0; - - if (len > UINT_MAX) { /* XXX: cache_param max header size */ - VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b); - return (H2SE_ENHANCE_YOUR_CALM); - } - -+ b0 = b; - if (b[0] == ':') { - /* Match H/2 pseudo headers */ - /* XXX: Should probably have some include tbl for -@@ -113,10 +120,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) - b += namelen; - len -= namelen; - n = HTTP_HDR_METHOD; -+ disallow_empty = 1; -+ -+ /* First field cannot contain SP or CTL */ -+ for (p = b, i = 0; i < len; p++, i++) { -+ if (vct_issp(*p) || vct_isctl(*p)) -+ return (H2SE_PROTOCOL_ERROR); -+ } - } else if (!strncmp(b, ":path: ", namelen)) { - b += namelen; - len -= namelen; - n = HTTP_HDR_URL; -+ disallow_empty = 1; -+ -+ /* Second field cannot contain LWS or CTL */ -+ for (p = b, i = 0; i < len; p++, i++) { -+ if (vct_islws(*p) || vct_isctl(*p)) -+ return (H2SE_PROTOCOL_ERROR); -+ } - } else if (!strncmp(b, ":scheme: ", namelen)) { - /* XXX: What to do about this one? (typically - "http" or "https"). 
For now set it as a normal -@@ -124,6 +145,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) - b++; - len-=1; - n = hp->nhd; -+ -+ for (p = b + namelen, i = 0; i < len-namelen; -+ p++, i++) { -+ if (vct_issp(*p) || vct_isctl(*p)) -+ return (H2SE_PROTOCOL_ERROR); -+ } -+ -+ if (!i) -+ return (H2SE_PROTOCOL_ERROR); - } else if (!strncmp(b, ":authority: ", namelen)) { - b+=6; - len-=6; -@@ -160,6 +190,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) - hp->hd[n].b = b; - hp->hd[n].e = b + len; - -+ if (disallow_empty && !Tlen(hp->hd[n])) { -+ VSLb(hp->vsl, SLT_BogoHeader, -+ "Empty pseudo-header %.*s", -+ (int)namelen, b0); -+ return (H2SE_PROTOCOL_ERROR); -+ } -+ - return (0); - } - diff --git a/varnish-6.0.8-CVE-2023-44487-rate_limit.patch b/varnish-6.0.8-CVE-2023-44487-rate_limit.patch deleted file mode 100644 index 509b2cf..0000000 --- a/varnish-6.0.8-CVE-2023-44487-rate_limit.patch +++ /dev/null 
@@ -1,326 +0,0 @@ -commit d5cc31b5e6824f8b031c045fab990f31010ee8a1 -Author: Tomas Korbar -Date: Wed Oct 18 17:02:33 2023 +0200 - - Upstream #3997 PR - - Fix CVE-2023-44487 - -diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc -index f6925f3..b237f86 100644 ---- a/bin/varnishd/VSC_main.vsc -+++ b/bin/varnishd/VSC_main.vsc -@@ -586,6 +586,14 @@ - - Number of session closes with Error VCL_FAILURE (VCL failure) - -+.. varnish_vsc:: sc_rapid_reset -+ :level: diag -+ :oneliner: Session Err RAPID_RESET -+ -+ Number of times we failed an http/2 session because it hit its -+ configured limits for the number of permitted rapid stream -+ resets. -+ - .. varnish_vsc:: client_resp_500 - :level: diag - :group: wrk -diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h -index 205b96c..36a21bc 100644 ---- a/bin/varnishd/http2/cache_http2.h -+++ b/bin/varnishd/http2/cache_http2.h -@@ -184,6 +184,8 @@ struct h2_sess { - h2_error error; - - int open_streams; -+ double rst_budget; -+ vtim_real last_rst; - }; - - #define ASSERT_RXTHR(h2) do {assert(h2->rxthr == pthread_self());} while(0) -diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c -index 98f5dc4..270603a 100644 ---- a/bin/varnishd/http2/cache_http2_proto.c -+++ b/bin/varnishd/http2/cache_http2_proto.c -@@ -43,6 +43,7 @@ - #include "vtcp.h" - #include "vtim.h" - -+#define H2_CUSTOM_ERRORS - #define H2EC1(U,v,d) const struct h2_error_s H2CE_##U[1] = {{#U,d,v,0,1}}; - #define H2EC2(U,v,d) const struct h2_error_s H2SE_##U[1] = {{#U,d,v,1,0}}; - #define H2EC3(U,v,d) H2EC1(U,v,d) H2EC2(U,v,d) -@@ -301,9 +302,46 @@ h2_rx_push_promise(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) - /********************************************************************** - */ - -+static h2_error -+h2_rapid_reset(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) -+{ -+ vtim_real now; -+ vtim_dur d; -+ -+ CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); -+ 
ASSERT_RXTHR(h2); -+ CHECK_OBJ_NOTNULL(r2, H2_REQ_MAGIC); -+ -+ if (cache_param->h2_rapid_reset_limit == 0) -+ return (0); -+ -+ now = VTIM_real(); -+ CHECK_OBJ_NOTNULL(r2->req, REQ_MAGIC); -+ AN(r2->req->t_first); -+ if (now - r2->req->t_first > cache_param->h2_rapid_reset) -+ return (0); -+ -+ d = now - h2->last_rst; -+ h2->rst_budget += cache_param->h2_rapid_reset_limit * d / -+ cache_param->h2_rapid_reset_period; -+ h2->rst_budget = vmin_t(double, h2->rst_budget, -+ cache_param->h2_rapid_reset_limit); -+ h2->last_rst = now; -+ -+ if (h2->rst_budget < 1.0) { -+ Lck_Lock(&h2->sess->mtx); -+ VSLb(h2->vsl, SLT_Error, "H2: Hit RST limit. Closing session."); -+ Lck_Unlock(&h2->sess->mtx); -+ return (H2CE_RAPID_RESET); -+ } -+ h2->rst_budget -= 1.0; -+ return (0); -+} -+ - static h2_error v_matchproto_(h2_rxframe_f) - h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) - { -+ h2_error h2e; - - CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); - ASSERT_RXTHR(h2); -@@ -313,8 +351,9 @@ h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) - return (H2CE_FRAME_SIZE_ERROR); - if (r2 == NULL) - return (0); -+ h2e = h2_rapid_reset(wrk, h2, r2); - h2_kill_req(wrk, h2, r2, h2_streamerror(vbe32dec(h2->rxf_data))); -- return (0); -+ return (h2e); - } - - /********************************************************************** -diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c -index de10835..720b009 100644 ---- a/bin/varnishd/http2/cache_http2_session.c -+++ b/bin/varnishd/http2/cache_http2_session.c -@@ -127,6 +127,9 @@ h2_init_sess(const struct worker *wrk, struct sess *sp, - h2_local_settings(&h2->local_settings); - h2->remote_settings = H2_proto_settings; - h2->decode = decode; -+ h2->rst_budget = cache_param->h2_rapid_reset_limit; -+ h2->last_rst = sp->t_open; -+ AZ(isnan(h2->last_rst)); - - AZ(VHT_Init(h2->dectbl, h2->local_settings.header_table_size)); - -diff --git 
a/bin/varnishtest/tests/r03996.vtc b/bin/varnishtest/tests/r03996.vtc -new file mode 100644 -index 0000000..3fee370 ---- /dev/null -+++ b/bin/varnishtest/tests/r03996.vtc -@@ -0,0 +1,51 @@ -+varnishtest "h2 rapid reset" -+ -+barrier b1 sock 5 -+ -+server s1 { -+ rxreq -+ txresp -+} -start -+ -+varnish v1 -cliok "param.set feature +http2" -+varnish v1 -cliok "param.set debug +syncvsl" -+varnish v1 -cliok "param.set h2_rapid_reset_limit 3" -+varnish v1 -cliok "param.set h2_rapid_reset 5" -+ -+varnish v1 -vcl+backend { -+ import vtc; -+ -+ sub vcl_recv { -+ vtc.barrier_sync("${b1_sock}"); -+ } -+ -+} -start -+ -+client c1 { -+ stream 0 { -+ rxgoaway -+ expect goaway.err == ENHANCE_YOUR_CALM -+ } -start -+ -+ stream 1 { -+ txreq -+ txrst -+ } -run -+ stream 3 { -+ txreq -+ txrst -+ } -run -+ stream 5 { -+ txreq -+ txrst -+ } -run -+ stream 7 { -+ txreq -+ txrst -+ } -run -+ -+ barrier b1 sync -+ stream 0 -wait -+} -run -+ -+varnish v1 -expect sc_rapid_reset == 1 -diff --git a/include/tbl/h2_error.h b/include/tbl/h2_error.h -index 02044db..0293539 100644 ---- a/include/tbl/h2_error.h -+++ b/include/tbl/h2_error.h -@@ -46,6 +46,18 @@ H2_ERROR(CONNECT_ERROR, 10,2, "TCP connection error for CONNECT method") - H2_ERROR(ENHANCE_YOUR_CALM, 11,3, "Processing capacity exceeded") - H2_ERROR(INADEQUATE_SECURITY, 12,1, "Negotiated TLS parameters not acceptable") - H2_ERROR(HTTP_1_1_REQUIRED, 13,1, "Use HTTP/1.1 for the request") -+ -+#ifdef H2_CUSTOM_ERRORS -+H2_ERROR( -+ /* name */ RAPID_RESET, -+ /* val */ 11, /* ENHANCE_YOUR_CALM */ -+ /* types */ 1, -+ /* descr */ "http/2 rapid reset detected" -+) -+ -+# undef H2_CUSTOM_ERRORS -+#endif -+ - #undef H2_ERROR - - /*lint -restore */ -diff --git a/include/tbl/params.h b/include/tbl/params.h -index deecd20..61748e4 100644 ---- a/include/tbl/params.h -+++ b/include/tbl/params.h -@@ -1901,6 +1901,53 @@ PARAM( - /* func */ NULL - ) - -+PARAM( -+ /* name */ h2_rapid_reset, -+ /* typ */ timeout, -+ /* min */ "0.000", -+ /* max */ NULL, 
-+ /* def */ "1.000", -+ /* units */ "seconds", -+ /* flags */ EXPERIMENTAL, -+ /* s-text */ -+ "The upper threshold for how rapid an http/2 RST has to come for " -+ "it to be treated as suspect and subjected to the rate limits " -+ "specified by h2_rapid_reset_limit and h2_rapid_reset_period.", -+ /* l-text */ "", -+ /* func */ NULL -+) -+ -+PARAM( -+ /* name */ h2_rapid_reset_limit, -+ /* typ */ uint, -+ /* min */ "0", -+ /* max */ NULL, -+ /* def */ "3600", -+ /* units */ NULL, -+ /* flags */ EXPERIMENTAL, -+ /* s-text */ -+ "HTTP2 RST Allowance.\n" -+ "Specifies the maximum number of allowed stream resets issued by\n" -+ "a client over a time period before the connection is closed.\n" -+ "Setting this parameter to 0 disables the limit.", -+ /* l-text */ "", -+ /* func */ NULL -+) -+ -+PARAM( -+ /* name */ h2_rapid_reset_period, -+ /* typ */ timeout, -+ /* min */ "1.000", -+ /* max */ NULL, -+ /* def */ "60.000", -+ /* units */ "seconds", -+ /* flags */ EXPERIMENTAL|WIZARD, -+ /* s-text */ -+ "HTTP2 sliding window duration for h2_rapid_reset_limit.", -+ /* l-text */ "", -+ /* func */ NULL -+) -+ - #undef PARAM - - /*lint -restore */ -diff --git a/include/tbl/sess_close.h b/include/tbl/sess_close.h -index c20e71c..de130aa 100644 ---- a/include/tbl/sess_close.h -+++ b/include/tbl/sess_close.h -@@ -47,6 +47,7 @@ SESS_CLOSE(PIPE_OVERFLOW, pipe_overflow,1, "Session pipe overflow") - SESS_CLOSE(RANGE_SHORT, range_short, 1, "Insufficient data for range") - SESS_CLOSE(REQ_HTTP20, req_http20, 1, "HTTP2 not accepted") - SESS_CLOSE(VCL_FAILURE, vcl_failure, 1, "VCL failure") -+SESS_CLOSE(RAPID_RESET, rapid_reset, 1, "HTTP2 rapid reset") - #undef SESS_CLOSE - - /*lint -restore */ -diff --git a/include/vdef.h b/include/vdef.h -index 60d833c..327d506 100644 ---- a/include/vdef.h -+++ b/include/vdef.h -@@ -93,6 +93,47 @@ - # define v_deprecated_ - #endif - -+/********************************************************************** -+ * Find the minimum or maximum values. 
-+ * Only evaluate the expression once and perform type checking. -+ */ -+ -+/* ref: https://stackoverflow.com/a/17624752 */ -+ -+#define VINDIRECT(a, b, c) a ## b ## c -+#define VCOMBINE(a, b, c) VINDIRECT(a, b, c) -+ -+#if defined(__COUNTER__) -+# define VUNIQ_NAME(base) VCOMBINE(base, __LINE__, __COUNTER__) -+#else -+# define VUNIQ_NAME(base) VCOMBINE(base, __LINE__, 0) -+#endif -+ -+#ifdef _lint -+#define typeof(x) __typeof__(x) -+#endif -+ -+/* ref: https://gcc.gnu.org/onlinedocs/gcc/Typeof.html */ -+ -+#define _vtake(op, ta, tb, a, b, _va, _vb) \ -+ ({ \ -+ ta _va = (a); \ -+ tb _vb = (b); \ -+ (void)(&_va == &_vb); \ -+ _va op _vb ? _va : _vb; \ -+}) -+ -+#define opmin < -+#define opmax > -+#define vtake(n, ta, tb, a, b) _vtake(op ## n, ta, tb, a, b, \ -+ VUNIQ_NAME(_v ## n ## A), VUNIQ_NAME(_v ## n ## B)) -+ -+#define vmin(a, b) vtake(min, typeof(a), typeof(b), a, b) -+#define vmax(a, b) vtake(max, typeof(a), typeof(b), a, b) -+ -+#define vmin_t(type, a, b) vtake(min, type, type, a, b) -+#define vmax_t(type, a, b) vtake(max, type, type, a, b) -+ - /********************************************************************* - * Pointer alignment magic - */ diff --git a/varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch b/varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch deleted file mode 100644 index c0a7cfd..0000000 --- a/varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch +++ /dev/null 
@@ -1,206 +0,0 @@ -commit c344e21f23c6605caa257abbf46fd333b7015928 -Author: Tomas Korbar -Date: Wed Oct 18 20:42:21 2023 +0200 - - vcl_vrt: Skip VCL execution if the client is gone - - Upstream PR #4006 - -diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc -index b237f86..88a659f 100644 ---- a/bin/varnishd/VSC_main.vsc -+++ b/bin/varnishd/VSC_main.vsc -@@ -324,6 +324,15 @@ - Number of times an HTTP/2 stream was refused because the queue was - too long already. See also parameter thread_queue_limit. - -+.. varnish_vsc:: req_reset -+ :group: wrk -+ :oneliner: Requests reset -+ -+ Number of times a client left before the VCL processing of its -+ requests completed. For HTTP/2 sessions, either the stream was -+ reset by an RST_STREAM frame from the client, or a stream or -+ connection error occurred. -+ - .. varnish_vsc:: n_object - :type: gauge - :group: wrk -diff --git a/bin/varnishd/cache/cache_transport.h b/bin/varnishd/cache/cache_transport.h -index 5da5e35..8546411 100644 ---- a/bin/varnishd/cache/cache_transport.h -+++ b/bin/varnishd/cache/cache_transport.h -@@ -42,6 +42,7 @@ typedef void vtr_sess_panic_f (struct vsb *, const struct sess *); - typedef void vtr_req_panic_f (struct vsb *, const struct req *); - typedef void vtr_req_fail_f (struct req *, enum sess_close); - typedef void vtr_reembark_f (struct worker *, struct req *); -+typedef int vtr_poll_f (struct req *); - typedef int vtr_minimal_response_f (struct req *, uint16_t status); - - struct transport { -@@ -62,6 +63,7 @@ struct transport { - vtr_sess_panic_f *sess_panic; - vtr_req_panic_f *req_panic; - vtr_reembark_f *reembark; -+ vtr_poll_f *poll; - vtr_minimal_response_f *minimal_response; - - VTAILQ_ENTRY(transport) list; -diff --git a/bin/varnishd/cache/cache_vcl_vrt.c b/bin/varnishd/cache/cache_vcl_vrt.c -index 5f3bfee..e35ae59 100644 ---- a/bin/varnishd/cache/cache_vcl_vrt.c -+++ b/bin/varnishd/cache/cache_vcl_vrt.c -@@ -37,8 +37,10 @@ - #include "cache_varnishd.h" - - #include 
"vcl.h" -+#include "vtim.h" - - #include "cache_director.h" -+#include "cache_transport.h" - #include "cache_vcl.h" - - /*--------------------------------------------------------------------*/ -@@ -338,6 +340,35 @@ VRT_rel_vcl(VRT_CTX, struct vclref **refp) - * The workspace argument is where random VCL stuff gets space from. - */ - -+static int -+req_poll(struct worker *wrk, struct req *req) -+{ -+ -+ CHECK_OBJ_NOTNULL(req->top, REQ_MAGIC); -+ CHECK_OBJ_NOTNULL(req->top->transport, TRANSPORT_MAGIC); -+ -+ /* NB: Since a fail transition leads to vcl_synth, the request may be -+ * short-circuited twice. -+ */ -+ if (req->req_reset) { -+ wrk->handling = VCL_RET_FAIL; -+ return (-1); -+ } -+ -+ if (!FEATURE(FEATURE_VCL_REQ_RESET)) -+ return (0); -+ if (req->top->transport->poll == NULL) -+ return (0); -+ if (req->top->transport->poll(req->top) >= 0) -+ return (0); -+ -+ VSLb_ts_req(req, "Reset", W_TIM_real(wrk)); -+ wrk->stats->req_reset++; -+ wrk->handling = VCL_RET_FAIL; -+ req->req_reset = 1; -+ return (-1); -+} -+ - static void - vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo, - void *specific, unsigned method, vcl_func_f *func) -@@ -351,6 +382,8 @@ vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo, - CHECK_OBJ_NOTNULL(req, REQ_MAGIC); - CHECK_OBJ_NOTNULL(req->sp, SESS_MAGIC); - CHECK_OBJ_NOTNULL(req->vcl, VCL_MAGIC); -+ if (req_poll(wrk, req)) -+ return; - VCL_Req2Ctx(&ctx, req); - } - if (bo != NULL) { -diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c -index 720b009..1584740 100644 ---- a/bin/varnishd/http2/cache_http2_session.c -+++ b/bin/varnishd/http2/cache_http2_session.c -@@ -440,6 +440,16 @@ h2_new_session(struct worker *wrk, void *arg) - h2_del_sess(wrk, h2, SC_RX_JUNK); - } - -+static int v_matchproto_(vtr_poll_f) -+h2_poll(struct req *req) -+{ -+ struct h2_req *r2; -+ -+ CHECK_OBJ_NOTNULL(req, REQ_MAGIC); -+ CAST_OBJ_NOTNULL(r2, req->transport_priv, 
H2_REQ_MAGIC); -+ return (r2->error ? -1 : 1); -+} -+ - struct transport H2_transport = { - .name = "H2", - .magic = TRANSPORT_MAGIC, -@@ -449,4 +459,5 @@ struct transport H2_transport = { - .req_body = h2_req_body, - .req_fail = h2_req_fail, - .sess_panic = h2_sess_panic, -+ .poll = h2_poll, - }; -diff --git a/bin/varnishd/mgt/mgt_param_bits.c b/bin/varnishd/mgt/mgt_param_bits.c -index 263d8a3..788d8f0 100644 ---- a/bin/varnishd/mgt/mgt_param_bits.c -+++ b/bin/varnishd/mgt/mgt_param_bits.c -@@ -219,7 +219,12 @@ tweak_feature(struct vsb *vsb, const struct parspec *par, const char *arg) - (void)par; - - if (arg != NULL && arg != JSON_FMT) { -- if (!strcmp(arg, "none")) { -+ if (!strcmp(arg, "default")) { -+ AZ(bit_tweak(vsb, mgt_param.feature_bits, -+ FEATURE_Reserved, -+ "+vcl_req_reset", -+ feature_tags, "feature bit", "+")); -+ }else if (!strcmp(arg, "none")) { - memset(mgt_param.feature_bits, - 0, sizeof mgt_param.feature_bits); - } else { -@@ -271,6 +276,6 @@ struct parspec VSL_parspec[] = { - #define FEATURE_BIT(U, l, d, ld) "\n\t" #l "\t" d - #include "tbl/feature_bits.h" - #undef FEATURE_BIT -- , 0, "none", "" }, -+ , 0, "default", "" }, - { NULL, NULL, NULL } - }; -diff --git a/doc/sphinx/reference/vsl.rst b/doc/sphinx/reference/vsl.rst -index 4d01f5b..b529562 100644 ---- a/doc/sphinx/reference/vsl.rst -+++ b/doc/sphinx/reference/vsl.rst -@@ -71,6 +71,11 @@ Resp - Restart - Client request is being restarted. - -+Reset -+ The client closed its connection, reset its stream or caused -+ a stream error that forced Varnish to reset the stream. Request -+ processing is interrupted and considered failed. -+ - Pipe handling timestamps - ~~~~~~~~~~~~~~~~~~~~~~~~ - -diff --git a/include/tbl/feature_bits.h b/include/tbl/feature_bits.h -index 23f1b01..844ecfa 100644 ---- a/include/tbl/feature_bits.h -+++ b/include/tbl/feature_bits.h -@@ -83,6 +83,12 @@ FEATURE_BIT(HTTP_DATE_POSTEL, http_date_postel, - "like Date:, Last-Modified:, Expires: etc." 
- )
-
-+FEATURE_BIT(VCL_REQ_RESET, vcl_req_reset,
-+ "Stop processing client VCL once the client is gone.",
-+ "Stop processing client VCL once the client is gone. "
-+ "When this happens MAIN.req_reset is incremented."
-+)
-+
- #undef FEATURE_BIT
-
- /*lint -restore */
-diff --git a/include/tbl/req_flags.h b/include/tbl/req_flags.h
-index 2c0dbe8..3d3f05f 100644
---- a/include/tbl/req_flags.h
-+++ b/include/tbl/req_flags.h
-@@ -39,6 +39,7 @@ REQ_FLAG(is_hitpass, 1, 0, "")
- REQ_FLAG(waitinglist, 0, 0, "")
- REQ_FLAG(want100cont, 0, 0, "")
- REQ_FLAG(late100cont, 0, 0, "")
-+REQ_FLAG(req_reset, 0, 0, "")
- #undef REQ_FLAG
-
- /*lint -restore */
diff --git a/varnish-6.0.8.CVE-2022-23959.patch b/varnish-6.0.8.CVE-2022-23959.patch
deleted file mode 100644
index 27e3861..0000000
--- a/varnish-6.0.8.CVE-2022-23959.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
-index 463b75b..982bd73 100644
---- a/bin/varnishd/cache/cache_req_body.c
-+++ b/bin/varnishd/cache/cache_req_body.c
-@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
- if (req->req_body_status == REQ_BODY_WITH_LEN ||
- req->req_body_status == REQ_BODY_WITHOUT_LEN)
- (void)VRB_Iterate(req, httpq_req_body_discard, NULL);
-+ if (req->req_body_status == REQ_BODY_FAIL)
-+ req->doclose = SC_RX_BODY;
- return(0);
- }
-
diff --git a/varnish.spec b/varnish.spec
index 7b801c9..a985a2f 100644
--- a/varnish.spec
+++ b/varnish.spec
@@ -18,8 +18,8 @@ Summary: High-performance HTTP accelerator
 Name: varnish
-Version: 6.0.8
-Release: 4%{?dist}
+Version: 6.0.13
+Release: 1%{?dist}
 License: BSD
 Group: System Environment/Daemons
 URL: https://www.varnish-cache.org/
@@ -32,17 +32,8 @@ Patch9: varnish-5.1.1.fix_python_version.patch
 # https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e
 Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2045031
-Patch100: varnish-6.0.8.CVE-2022-23959.patch
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=2141844
-Patch101: varnish-6.0.8-CVE-2022-45060.patch
-
-# https://issues.redhat.com/browse/RHEL-12814
-Patch102: varnish-6.0.8-CVE-2023-44487-rate_limit.patch
-
-# https://issues.redhat.com/browse/RHEL-12814
-Patch103: varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch
+# Security patches ...
+# Patch100: varnish-6.0.13.CVE-.....patch
 Obsoletes: varnish-libs
@@ -152,11 +143,6 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
 %patch11 -p0
 %endif
-%patch100 -p1
-%patch101 -p1
-%patch102 -p1
-%patch103 -p1
-
 %build
 %if 0%{?rhel} == 6
 export CFLAGS="%{optflags} -fPIC"
@@ -392,6 +378,11 @@ fi
 %changelog
+* Thu Mar 28 2024 Luboš Uhliarik - 6.0.13-1
+- new version 6.0.13
+- Resolves: RHEL-30379 - varnish:6/varnish: HTTP/2 Broken Window Attack may
+ result in denial of service (CVE-2024-30156)
+
 * Mon Oct 23 2023 Tomas Korbar - 6.0.8-4
 - Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487
 - CVE-2022-45060 varnish:6/varnish: Request Forgery
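Review bot: The `@@ -32,17 +32,8 @@` hunk drops Patch100–Patch103, i.e. the downstream backports for CVE-2022-23959, CVE-2022-45060 and CVE-2023-44487 (rate_limit and vcl_vrt), but neither the spec nor the new 6.0.13-1 changelog entry records that upstream 6.0.13 carries these fixes, so a later reader cannot tell whether the rebase absorbed them or silently regressed them. The placeholder `# Patch100: varnish-6.0.13.CVE-.....patch` left in their place says nothing about that; I would replace it with `# CVE-2022-23959, CVE-2022-45060, CVE-2023-44487: fixed in upstream 6.0.13, no downstream patch needed` once that has been confirmed against the upstream release notes. The deleted rate_limit backport also introduced the parameters h2_rapid_reset, h2_rapid_reset_limit and h2_rapid_reset_period, and the vcl_vrt backport changed the `feature` parameter default to enable vcl_req_reset; if 6.0.13 does not expose equivalents, deployments that set those parameters would presumably fail to start after the update, which deserves a line in the changelog either way. Note that the existing 6.0.8-4 changelog entry names h2_rst_allowance and h2_rst_allowance_period while the deleted patch defines h2_rapid_reset_limit and h2_rapid_reset_period, so the parameter names operators were told about already disagree on this page. The matching `%patch100`–`%patch103` removal in the `@@ -152,11 +143,6 @@` hunk is consistent with this one and needs no separate note.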