Import from CS git

.gitignore

@@ -1,2 +1,2 @@
 SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
-SOURCES/varnish-6.0.8.tgz
+SOURCES/varnish-6.0.13.tgz

.varnish.metadata

@@ -1,2 +1,2 @@
 db2cd6c296e7f19d65c09e642b7011338d9d0e04 SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
-7c5e50eabcd3c0ddb6c463ba4645678a2f71233a SOURCES/varnish-6.0.8.tgz
+614d305e69b01255347f33000f76ed6a4fa3c3f7 SOURCES/varnish-6.0.13.tgz

SOURCES/varnish-6.0.13-CVE-2025-47905.patch

@@ -0,0 +1,418 @@
+commit 1fef8cc747030259d61bf8e451b4317bff5b2ed5
+Author: Luboš Uhliarik <luhliari@redhat.com>
+Date:   Wed May 21 18:09:51 2025 +0200
+
+    Fix for CVE-2025-47905
+
+diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c
+index 374bcac..32176b3 100644
+--- a/bin/varnishd/http1/cache_http1_vfp.c
++++ b/bin/varnishd/http1/cache_http1_vfp.c
+@@ -90,76 +90,118 @@ v1f_read(const struct vfp_ctx *vc, struct http_conn *htc, void *d, ssize_t len)
+ 
+ 
+ /*--------------------------------------------------------------------
+- * Read a chunked HTTP object.
++ * read (CR)?LF at the end of a chunk
++ */
++static enum vfp_status
++v1f_chunk_end(struct vfp_ctx *vc, struct http_conn *htc)
++{
++	char c;
++
++	if (v1f_read(vc, htc, &c, 1) <= 0)
++		return (VFP_Error(vc, "chunked read err"));
++	if (c == '\r' && v1f_read(vc, htc, &c, 1) <= 0)
++		return (VFP_Error(vc, "chunked read err"));
++	if (c != '\n')
++		return (VFP_Error(vc, "chunked tail no NL"));
++	return (VFP_OK);
++}
++
++
++/*--------------------------------------------------------------------
++ * Parse a chunk header and, for VFP_OK, return size in a pointer
+  *
+  * XXX: Reading one byte at a time is pretty pessimal.
+  */
+ 
+-static enum vfp_status v_matchproto_(vfp_pull_f)
+-v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
+-    ssize_t *lp)
++static enum vfp_status
++v1f_chunked_hdr(struct vfp_ctx *vc, struct http_conn *htc, ssize_t *szp)
+ {
+-	struct http_conn *htc;
+ 	char buf[20];		/* XXX: 20 is arbitrary */
+-	char *q;
+ 	unsigned u;
+ 	uintmax_t cll;
+-	ssize_t cl, l, lr;
++	ssize_t cl, lr;
++	char *q;
+ 
+ 	CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
+-	CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
+-	CAST_OBJ_NOTNULL(htc, vfe->priv1, HTTP_CONN_MAGIC);
+-	AN(ptr);
+-	AN(lp);
++	CHECK_OBJ_NOTNULL(htc, HTTP_CONN_MAGIC);
++	AN(szp);
++	assert(*szp == -1);
+ 
+-	l = *lp;
+-	*lp = 0;
+-	if (vfe->priv2 == -1) {
+-		/* Skip leading whitespace */
+-		do {
+-			lr = v1f_read(vc, htc, buf, 1);
+-			if (lr <= 0)
+-				return (VFP_Error(vc, "chunked read err"));
+-		} while (vct_islws(buf[0]));
+-
+-		if (!vct_ishex(buf[0]))
+-			 return (VFP_Error(vc, "chunked header non-hex"));
+-
+-		/* Collect hex digits, skipping leading zeros */
+-		for (u = 1; u < sizeof buf; u++) {
+-			do {
+-				lr = v1f_read(vc, htc, buf + u, 1);
+-				if (lr <= 0)
+-					return (VFP_Error(vc,
+-					    "chunked read err"));
+-			} while (u == 1 && buf[0] == '0' && buf[u] == '0');
+-			if (!vct_ishex(buf[u]))
+-				break;
+-		}
++	/* Skip leading whitespace */
++	do {
++		lr = v1f_read(vc, htc, buf, 1);
++		if (lr <= 0)
++			return (VFP_Error(vc, "chunked read err"));
++	} while (vct_isows(buf[0]));
+ 
+-		if (u >= sizeof buf)
+-			return (VFP_Error(vc, "chunked header too long"));
++	if (!vct_ishex(buf[0]))
++		return (VFP_Error(vc, "chunked header non-hex"));
+ 
+-		/* Skip trailing white space */
+-		while (vct_islws(buf[u]) && buf[u] != '\n') {
++	/* Collect hex digits, skipping leading zeros */
++	for (u = 1; u < sizeof buf; u++) {
++		do {
+ 			lr = v1f_read(vc, htc, buf + u, 1);
+ 			if (lr <= 0)
+ 				return (VFP_Error(vc, "chunked read err"));
+-		}
++		} while (u == 1 && buf[0] == '0' && buf[u] == '0');
++		if (!vct_ishex(buf[u]))
++			break;
++	}
+ 
+-		if (buf[u] != '\n')
+-			return (VFP_Error(vc, "chunked header no NL"));
++	if (u >= sizeof buf)
++		return (VFP_Error(vc, "chunked header too long"));
+ 
+-		buf[u] = '\0';
++	/* Skip trailing white space */
++	while (vct_isows(buf[u])) {
++		lr = v1f_read(vc, htc, buf + u, 1);
++		if (lr <= 0)
++			return (VFP_Error(vc, "chunked read err"));
++	}
++
++	if (buf[u] == '\r' && v1f_read(vc, htc, buf + u, 1) <= 0)
++		return (VFP_Error(vc, "chunked read err"));
++	if (buf[u] != '\n')
++		return (VFP_Error(vc, "chunked header no NL"));
+ 
+-		cll = strtoumax(buf, &q, 16);
+-		if (q == NULL || *q != '\0')
+-			return (VFP_Error(vc, "chunked header number syntax"));
+-		cl = (ssize_t)cll;
+-		if (cl < 0 || (uintmax_t)cl != cll)
+-			return (VFP_Error(vc, "bogusly large chunk size"));
++	buf[u] = '\0';
+ 
+-		vfe->priv2 = cl;
++	cll = strtoumax(buf, &q, 16);
++	if (q == NULL || *q != '\0')
++		return (VFP_Error(vc, "chunked header number syntax"));
++	cl = (ssize_t)cll;
++	if (cl < 0 || (uintmax_t)cl != cll)
++		return (VFP_Error(vc, "bogusly large chunk size"));
++
++	*szp = cl;
++	return (VFP_OK);
++}
++
++
++/*--------------------------------------------------------------------
++ * Read a chunked HTTP object.
++ *
++ */
++
++static enum vfp_status v_matchproto_(vfp_pull_f)
++v1f_chunked_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
++    ssize_t *lp)
++{
++	static enum vfp_status vfps;
++	struct http_conn *htc;
++	ssize_t l, lr;
++
++	CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
++	CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
++	CAST_OBJ_NOTNULL(htc, vfe->priv1, HTTP_CONN_MAGIC);
++	AN(ptr);
++	AN(lp);
++
++	l = *lp;
++	*lp = 0;
++	if (vfe->priv2 == -1) {
++		vfps = v1f_chunked_hdr(vc, htc, &vfe->priv2);
++		if (vfps != VFP_OK)
++			return (vfps);
+ 	}
+ 	if (vfe->priv2 > 0) {
+ 		if (vfe->priv2 < l)
+@@ -169,30 +211,27 @@ v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
+ 			return (VFP_Error(vc, "straight insufficient bytes"));
+ 		*lp = lr;
+ 		vfe->priv2 -= lr;
+-		if (vfe->priv2 == 0)
+-			vfe->priv2 = -1;
+-		return (VFP_OK);
++		if (vfe->priv2 != 0)
++			return (VFP_OK);
++
++		vfe->priv2 = -1;
++		return (v1f_chunk_end(vc, htc));
+ 	}
+ 	AZ(vfe->priv2);
+-	if (v1f_read(vc, htc, buf, 1) <= 0)
+-		return (VFP_Error(vc, "chunked read err"));
+-	if (buf[0] == '\r' && v1f_read(vc, htc, buf, 1) <= 0)
+-		return (VFP_Error(vc, "chunked read err"));
+-	if (buf[0] != '\n')
+-		return (VFP_Error(vc, "chunked tail no NL"));
+-	return (VFP_END);
++	vfps = v1f_chunk_end(vc, htc);
++	return (vfps == VFP_OK ? VFP_END : vfps);
+ }
+ 
+ static const struct vfp v1f_chunked = {
+ 	.name = "V1F_CHUNKED",
+-	.pull = v1f_pull_chunked,
++	.pull = v1f_chunked_pull,
+ };
+ 
+ 
+ /*--------------------------------------------------------------------*/
+ 
+ static enum vfp_status v_matchproto_(vfp_pull_f)
+-v1f_pull_straight(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p,
++v1f_straight_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p,
+     ssize_t *lp)
+ {
+ 	ssize_t l, lr;
+@@ -223,13 +262,13 @@ v1f_pull_straight(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p,
+ 
+ static const struct vfp v1f_straight = {
+ 	.name = "V1F_STRAIGHT",
+-	.pull = v1f_pull_straight,
++	.pull = v1f_straight_pull,
+ };
+ 
+ /*--------------------------------------------------------------------*/
+ 
+ static enum vfp_status v_matchproto_(vfp_pull_f)
+-v1f_pull_eof(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ssize_t *lp)
++v1f_eof_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ssize_t *lp)
+ {
+ 	ssize_t l, lr;
+ 	struct http_conn *htc;
+@@ -254,7 +293,7 @@ v1f_pull_eof(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ssize_t *lp)
+ 
+ static const struct vfp v1f_eof = {
+ 	.name = "V1F_EOF",
+-	.pull = v1f_pull_eof,
++	.pull = v1f_eof_pull,
+ };
+ 
+ /*--------------------------------------------------------------------
+diff --git a/bin/varnishtest/tests/f00016.vtc b/bin/varnishtest/tests/f00016.vtc
+new file mode 100644
+index 0000000..a38b8b1
+--- /dev/null
++++ b/bin/varnishtest/tests/f00016.vtc
+@@ -0,0 +1,69 @@
++varnishtest "Do not tolerate anything else than CRLF as chunked ending"
++
++server s0 {
++	rxreq
++	expect_close
++} -dispatch
++
++varnish v1 -vcl+backend {} -start
++
++logexpect l1 -v v1 {
++	expect * 1001 FetchError "chunked tail no NL"
++	expect * 1004 FetchError "chunked tail no NL"
++	expect * 1007 FetchError "chunked header non-hex"
++	expect * 1010 FetchError "chunked header non-hex"
++} -start
++
++client c1 {
++	non_fatal
++	txreq -req POST -hdr "Transfer-encoding: chunked"
++	send "1\r\n"
++	send "This is more than one byte of data\r\n"
++	send "0\r\n"
++	send "\r\n"
++	fatal
++	rxresp
++	expect resp.status == 503
++	expect_close
++} -run
++
++client c2 {
++	non_fatal
++	txreq -req POST -hdr "Transfer-encoding: chunked"
++	send "1\r\n"
++	send "Z  2\r\n"
++	send "3d\r\n"
++	send "0\r\n\r\nPOST /evil HTTP/1.1\r\nHost: whatever\r\nContent-Length: 5\r\n\r\n"
++	send "0\r\n"
++	send "\r\n"
++	fatal
++	rxresp
++	expect resp.status == 503
++	expect_close
++} -run
++
++client c3 {
++	non_fatal
++	txreq -req POST -hdr "Transfer-encoding: chunked"
++	send "d\r\n"
++	send "Spurious CRLF\r\n\r\n"
++	send "0\r\n"
++	send "\r\n"
++	fatal
++	rxresp
++	expect resp.status == 503
++	expect_close
++} -run
++
++client c4 {
++	non_fatal
++	txreq -req POST -hdr "Transfer-encoding: chunked"
++	send "\n0\r\n"
++	send "\r\n"
++	fatal
++	rxresp
++	expect resp.status == 503
++	expect_close
++} -run
++
++logexpect l1 -wait
+diff --git a/bin/varnishtest/tests/r01184.vtc b/bin/varnishtest/tests/r01184.vtc
+index d5aba32..f7cd8d7 100644
+--- a/bin/varnishtest/tests/r01184.vtc
++++ b/bin/varnishtest/tests/r01184.vtc
+@@ -62,6 +62,7 @@ server s1 {
+ 		sendhex " 10 45 f3 a9 83 b8 18 1c  7b c2 30 55 04 17 13 c4"
+ 		sendhex " 0f 07 5f 7a 38 f4 8e 50  b3 37 d4 3a 32 4a 34 07"
+ 		sendhex " FF FF FF FF FF FF FF FF  72 ea 06 5f b3 1c fa dd"
++	send "\n"
+ 	expect_close
+ } -start
+ 
+@@ -93,6 +94,7 @@ server s1 {
+ 		sendhex " 10 45 f3 a9 83 b8 18 1c  7b c2 30 55 04 17 13 c4"
+ 		sendhex " 0f 07 5f 7a 38 f4 8e 50  b3 37 d4 3a 32 4a 34 07"
+ 		sendhex " FF FF FF FF FF FF FF FF  72 ea 06 5f b3 1c fa dd"
++	send "\n"
+ 	expect_close
+ } -start
+ 
+diff --git a/bin/varnishtest/tests/r01729.vtc b/bin/varnishtest/tests/r01729.vtc
+index 883a60c..f6a01e9 100644
+--- a/bin/varnishtest/tests/r01729.vtc
++++ b/bin/varnishtest/tests/r01729.vtc
+@@ -11,7 +11,7 @@ server s1 {
+ 	send "\r\n"
+ 	send "14\r\n"
+ 	send "0123456789"
+-	send "0123456789"
++	send "0123456789\n"
+ 	send "0\r\n"
+ 	send "\r\n"
+ 
+@@ -29,7 +29,7 @@ client c1 {
+ 	send "\r\n"
+ 	send "14\r\n"
+ 	send "0123456789"
+-	send "0123456789"
++	send "0123456789\n"
+ 	send "0\r\n"
+ 	send "\r\n"
+ 
+@@ -45,7 +45,7 @@ client c1 {
+ 	send "\r\n"
+ 	send "14\r\n"
+ 	send "0123456789"
+-	send "0123456789"
++	send "0123456789\n"
+ 	send "0\r\n"
+ 	send "\r\n"
+ 
+diff --git a/include/vct.h b/include/vct.h
+index 1b7ffbd..e68e465 100644
+--- a/include/vct.h
++++ b/include/vct.h
+@@ -30,9 +30,9 @@
+ 
+ /* from libvarnish/vct.c */
+ 
+-#define VCT_SP			(1<<0)
++#define VCT_OWS			(1<<0)
+ #define VCT_CRLF		(1<<1)
+-#define VCT_LWS			(VCT_CRLF | VCT_SP)
++#define VCT_LWS			(VCT_CRLF | VCT_OWS)
+ #define VCT_CTL			(1<<2)
+ #define VCT_ALPHA		(1<<3)
+ #define VCT_SEPARATOR		(1<<4)
+@@ -59,7 +59,8 @@ vct_is(int x, uint16_t y)
+ 	return (vct_typtab[x] & (y));
+ }
+ 
+-#define vct_issp(x) vct_is(x, VCT_SP)
++#define vct_isows(x) vct_is(x, VCT_OWS)
++#define vct_issp(x) vct_is(x, VCT_OWS)
+ #define vct_ishex(x) vct_is(x, VCT_HEX)
+ #define vct_islws(x) vct_is(x, VCT_LWS)
+ #define vct_isctl(x) vct_is(x, VCT_CTL)
+diff --git a/lib/libvarnish/vct.c b/lib/libvarnish/vct.c
+index 73b784e..43853c9 100644
+--- a/lib/libvarnish/vct.c
++++ b/lib/libvarnish/vct.c
+@@ -54,7 +54,7 @@ const uint16_t vct_typtab[256] = {
+ 	[0x06]	=	VCT_CTL,
+ 	[0x07]	=	VCT_CTL,
+ 	[0x08]	=	VCT_CTL,
+-	[0x09]	=	VCT_CTL | VCT_SP,
++	[0x09]	=	VCT_CTL | VCT_OWS,
+ 	[0x0a]	=	VCT_CTL | VCT_CRLF,
+ 	[0x0b]	=	VCT_CTL | VCT_VT,
+ 	[0x0c]	=	VCT_CTL,
+@@ -77,7 +77,7 @@ const uint16_t vct_typtab[256] = {
+ 	[0x1d]	=	VCT_CTL,
+ 	[0x1e]	=	VCT_CTL,
+ 	[0x1f]	=	VCT_CTL,
+-	[0x20]  =	VCT_SP,
++	[0x20]	=	VCT_OWS,
+ 	[0x21]  =	VCT_TCHAR,
+ 	[0x22]  =	VCT_SEPARATOR,
+ 	[0x23]  =	VCT_TCHAR,

SOURCES/varnish-6.0.8-CVE-2022-45060.patch

@@ -1,85 +0,0 @@
-diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
-index d432629..b0dacb9 100644
---- a/bin/varnishd/http2/cache_http2_hpack.c
-+++ b/bin/varnishd/http2/cache_http2_hpack.c
-@@ -93,18 +93,25 @@ static h2_error
- h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- {
- 	/* XXX: This might belong in cache/cache_http.c */
-+	const char *b0;
- 	unsigned n;
-+	int disallow_empty;
-+	char *p;
-+	int i;
- 
- 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
- 	AN(b);
- 	assert(namelen >= 2);	/* 2 chars from the ': ' that we added */
- 	assert(namelen <= len);
-+	
-+	disallow_empty = 0;
- 
- 	if (len > UINT_MAX) {	/* XXX: cache_param max header size */
- 		VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
- 		return (H2SE_ENHANCE_YOUR_CALM);
- 	}
- 
-+	b0 = b;
- 	if (b[0] == ':') {
- 		/* Match H/2 pseudo headers */
- 		/* XXX: Should probably have some include tbl for
-@@ -113,10 +120,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- 			b += namelen;
- 			len -= namelen;
- 			n = HTTP_HDR_METHOD;
-+			disallow_empty = 1;
-+
-+			/* First field cannot contain SP or CTL */
-+			for (p = b, i = 0; i < len; p++, i++) {
-+				if (vct_issp(*p) || vct_isctl(*p))
-+					return (H2SE_PROTOCOL_ERROR);
-+			}
- 		} else if (!strncmp(b, ":path: ", namelen)) {
- 			b += namelen;
- 			len -= namelen;
- 			n = HTTP_HDR_URL;
-+			disallow_empty = 1;
-+
-+			/* Second field cannot contain LWS or CTL */
-+			for (p = b, i = 0; i < len; p++, i++) {
-+				if (vct_islws(*p) || vct_isctl(*p))
-+					return (H2SE_PROTOCOL_ERROR);
-+			}
- 		} else if (!strncmp(b, ":scheme: ", namelen)) {
- 			/* XXX: What to do about this one? (typically
- 			   "http" or "https"). For now set it as a normal
-@@ -124,6 +145,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- 			b++;
- 			len-=1;
- 			n = hp->nhd;
-+
-+			for (p = b + namelen, i = 0; i < len-namelen;
-+			    p++, i++) {
-+				if (vct_issp(*p) || vct_isctl(*p))
-+					return (H2SE_PROTOCOL_ERROR);
-+			}
-+
-+			if (!i)
-+				return (H2SE_PROTOCOL_ERROR);
- 		} else if (!strncmp(b, ":authority: ", namelen)) {
- 			b+=6;
- 			len-=6;
-@@ -160,6 +190,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- 	hp->hd[n].b = b;
- 	hp->hd[n].e = b + len;
- 
-+	if (disallow_empty && !Tlen(hp->hd[n])) {
-+		VSLb(hp->vsl, SLT_BogoHeader,
-+		    "Empty pseudo-header %.*s",
-+		    (int)namelen, b0);
-+		return (H2SE_PROTOCOL_ERROR);
-+	}
-+
- 	return (0);
- }
- 

SOURCES/varnish-6.0.8.CVE-2022-23959.patch

@@ -1,13 +0,0 @@
-diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
-index 463b75b..982bd73 100644
---- a/bin/varnishd/cache/cache_req_body.c
-+++ b/bin/varnishd/cache/cache_req_body.c
-@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
- 	if (req->req_body_status == REQ_BODY_WITH_LEN ||
- 	    req->req_body_status == REQ_BODY_WITHOUT_LEN)
- 		(void)VRB_Iterate(req, httpq_req_body_discard, NULL);
-+	if (req->req_body_status == REQ_BODY_FAIL)
-+		req->doclose = SC_RX_BODY;
- 	return(0);
- }
- 

SPECS/varnish.spec

@@ -18,8 +18,8 @@
 
 Summary: High-performance HTTP accelerator
 Name: varnish
-Version: 6.0.8
-Release: 2%{?dist}.1
+Version: 6.0.13
+Release: 1%{?dist}.1
 License: BSD
 Group: System Environment/Daemons
 URL: https://www.varnish-cache.org/
@@ -32,11 +32,9 @@ Patch9:  varnish-5.1.1.fix_python_version.patch
 # https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e
 Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
 
-# https://bugzilla.redhat.com/show_bug.cgi?id=2045031
-Patch100: varnish-6.0.8.CVE-2022-23959.patch
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=2141844
-Patch101: varnish-6.0.8-CVE-2022-45060.patch
+# Security patches ...
+# https://bugzilla.redhat.com/show_bug.cgi?id=2364235
+Patch100: varnish-6.0.13-CVE-2025-47905.patch
 
 Obsoletes: varnish-libs
 
@@ -145,9 +143,7 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
 %patch9 -p0
 %patch11 -p0
 %endif
-
 %patch100 -p1
-%patch101 -p1
 
 %build
 %if 0%{?rhel} == 6
@@ -214,6 +210,10 @@ sed -i 's/48/128/g;' bin/varnishtest/tests/c00057.vtc
 %endif
 #make %{?_smp_mflags} check LD_LIBRARY_PATH="%{buildroot}%{_libdir}:%{buildroot}%{_libdir}/%{name}" VERBOSE=1
 
+# disable test because of CVE-2023-44487 fix
+# https://github.com/varnishcache/varnish-cache/pull/3998#issuecomment-1764649216
+rm bin/varnishtest/tests/t02014.vtc
+
 %install
 rm -rf %{buildroot}
 make install DESTDIR=%{buildroot} INSTALL="install -p"
@@ -380,12 +380,21 @@ fi
 
 
 %changelog
-* Mon Nov 14 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2.1
-- Resolves: #2142092 - CVE-2022-45060 varnish:6/varnish: Request Forgery
-  Vulnerability
+* Wed May 21 2025 Luboš Uhliarik <luhliari@redhat.com> - 6.0.13-1.1
+- Resolves: RHEL-89695 - varnish: request smuggling attacks (CVE-2025-47905)
 
-* Tue Feb 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2
-- Resolves: #2047650 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
+* Thu Mar 28 2024 Luboš Uhliarik <luhliari@redhat.com> - 6.0.13-1
+- new version 6.0.13
+- Resolves: RHEL-30379 - varnish:6/varnish: HTTP/2 Broken Window Attack may
+  result in denial of service (CVE-2024-30156)
+
+* Mon Oct 23 2023 Tomas Korbar <tkorbar@redhat.com> - 6.0.8-4
+- Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487
+- CVE-2022-45060 varnish:6/varnish: Request Forgery
+- Resolves: RHEL-12814
+
+* Tue Feb 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1.1
+- Resolves: #2047648 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
   Smuggling Vulnerability
 
 * Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1