From 24ebab017ad4900e5418ec201287e68585da65da Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 4 Jun 2025 10:19:10 +0000 Subject: [PATCH] Import from CS git --- .gitignore | 2 +- .varnish.metadata | 2 +- SOURCES/varnish-6.0.13-CVE-2025-47905.patch | 418 ++++++++++++++++++++ SOURCES/varnish-6.0.8-CVE-2022-45060.patch | 85 ---- SOURCES/varnish-6.0.8.CVE-2022-23959.patch | 13 - SPECS/varnish.spec | 37 +- 6 files changed, 443 insertions(+), 114 deletions(-) create mode 100644 SOURCES/varnish-6.0.13-CVE-2025-47905.patch delete mode 100644 SOURCES/varnish-6.0.8-CVE-2022-45060.patch delete mode 100644 SOURCES/varnish-6.0.8.CVE-2022-23959.patch diff --git a/.gitignore b/.gitignore index 84741e1..dfde0d0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/pkg-varnish-cache-0ad2f22.tar.gz -SOURCES/varnish-6.0.8.tgz +SOURCES/varnish-6.0.13.tgz diff --git a/.varnish.metadata b/.varnish.metadata index 597d7a5..666e811 100644 --- a/.varnish.metadata +++ b/.varnish.metadata @@ -1,2 +1,2 @@ db2cd6c296e7f19d65c09e642b7011338d9d0e04 SOURCES/pkg-varnish-cache-0ad2f22.tar.gz -7c5e50eabcd3c0ddb6c463ba4645678a2f71233a SOURCES/varnish-6.0.8.tgz +614d305e69b01255347f33000f76ed6a4fa3c3f7 SOURCES/varnish-6.0.13.tgz diff --git a/SOURCES/varnish-6.0.13-CVE-2025-47905.patch b/SOURCES/varnish-6.0.13-CVE-2025-47905.patch new file mode 100644 index 0000000..e89b073 --- /dev/null +++ b/SOURCES/varnish-6.0.13-CVE-2025-47905.patch @@ -0,0 +1,418 @@ +commit 1fef8cc747030259d61bf8e451b4317bff5b2ed5 +Author: Luboš Uhliarik +Date: Wed May 21 18:09:51 2025 +0200 + + Fix for CVE-2025-47905 + +diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c +index 374bcac..32176b3 100644 +--- a/bin/varnishd/http1/cache_http1_vfp.c ++++ b/bin/varnishd/http1/cache_http1_vfp.c +@@ -90,76 +90,118 @@ v1f_read(const struct vfp_ctx *vc, struct http_conn *htc, void *d, ssize_t len) + + + /*-------------------------------------------------------------------- +- * Read a chunked HTTP object. ++ * read (CR)?LF at the end of a chunk ++ */ ++static enum vfp_status ++v1f_chunk_end(struct vfp_ctx *vc, struct http_conn *htc) ++{ ++ char c; ++ ++ if (v1f_read(vc, htc, &c, 1) <= 0) ++ return (VFP_Error(vc, "chunked read err")); ++ if (c == '\r' && v1f_read(vc, htc, &c, 1) <= 0) ++ return (VFP_Error(vc, "chunked read err")); ++ if (c != '\n') ++ return (VFP_Error(vc, "chunked tail no NL")); ++ return (VFP_OK); ++} ++ ++ ++/*-------------------------------------------------------------------- ++ * Parse a chunk header and, for VFP_OK, return size in a pointer + * + * XXX: Reading one byte at a time is pretty pessimal. + */ + +-static enum vfp_status v_matchproto_(vfp_pull_f) +-v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, +- ssize_t *lp) ++static enum vfp_status ++v1f_chunked_hdr(struct vfp_ctx *vc, struct http_conn *htc, ssize_t *szp) + { +- struct http_conn *htc; + char buf[20]; /* XXX: 20 is arbitrary */ +- char *q; + unsigned u; + uintmax_t cll; +- ssize_t cl, l, lr; ++ ssize_t cl, lr; ++ char *q; + + CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC); +- CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC); +- CAST_OBJ_NOTNULL(htc, vfe->priv1, HTTP_CONN_MAGIC); +- AN(ptr); +- AN(lp); ++ CHECK_OBJ_NOTNULL(htc, HTTP_CONN_MAGIC); ++ AN(szp); ++ assert(*szp == -1); + +- l = *lp; +- *lp = 0; +- if (vfe->priv2 == -1) { +- /* Skip leading whitespace */ +- do { +- lr = v1f_read(vc, htc, buf, 1); +- if (lr <= 0) +- return (VFP_Error(vc, "chunked read err")); +- } while (vct_islws(buf[0])); +- +- if (!vct_ishex(buf[0])) +- return (VFP_Error(vc, "chunked header non-hex")); +- +- /* Collect hex digits, skipping leading zeros */ +- for (u = 1; u < sizeof buf; u++) { +- do { +- lr = v1f_read(vc, htc, buf + u, 1); +- if (lr <= 0) +- return (VFP_Error(vc, +- "chunked read err")); +- } while (u == 1 && buf[0] == '0' && buf[u] == '0'); +- if (!vct_ishex(buf[u])) +- break; +- } ++ /* Skip leading whitespace */ ++ do { ++ lr = v1f_read(vc, htc, buf, 1); ++ if (lr <= 0) ++ return (VFP_Error(vc, "chunked read err")); ++ } while (vct_isows(buf[0])); + +- if (u >= sizeof buf) +- return (VFP_Error(vc, "chunked header too long")); ++ if (!vct_ishex(buf[0])) ++ return (VFP_Error(vc, "chunked header non-hex")); + +- /* Skip trailing white space */ +- while (vct_islws(buf[u]) && buf[u] != '\n') { ++ /* Collect hex digits, skipping leading zeros */ ++ for (u = 1; u < sizeof buf; u++) { ++ do { + lr = v1f_read(vc, htc, buf + u, 1); + if (lr <= 0) + return (VFP_Error(vc, "chunked read err")); +- } ++ } while (u == 1 && buf[0] == '0' && buf[u] == '0'); ++ if (!vct_ishex(buf[u])) ++ break; ++ } + +- if (buf[u] != '\n') +- return (VFP_Error(vc, "chunked header no NL")); ++ if (u >= sizeof buf) ++ return (VFP_Error(vc, "chunked header too long")); + +- buf[u] = '\0'; ++ /* Skip trailing white space */ ++ while (vct_isows(buf[u])) { ++ lr = v1f_read(vc, htc, buf + u, 1); ++ if (lr <= 0) ++ return (VFP_Error(vc, "chunked read err")); ++ } ++ ++ if (buf[u] == '\r' && v1f_read(vc, htc, buf + u, 1) <= 0) ++ return (VFP_Error(vc, "chunked read err")); ++ if (buf[u] != '\n') ++ return (VFP_Error(vc, "chunked header no NL")); + +- cll = strtoumax(buf, &q, 16); +- if (q == NULL || *q != '\0') +- return (VFP_Error(vc, "chunked header number syntax")); +- cl = (ssize_t)cll; +- if (cl < 0 || (uintmax_t)cl != cll) +- return (VFP_Error(vc, "bogusly large chunk size")); ++ buf[u] = '\0'; + +- vfe->priv2 = cl; ++ cll = strtoumax(buf, &q, 16); ++ if (q == NULL || *q != '\0') ++ return (VFP_Error(vc, "chunked header number syntax")); ++ cl = (ssize_t)cll; ++ if (cl < 0 || (uintmax_t)cl != cll) ++ return (VFP_Error(vc, "bogusly large chunk size")); ++ ++ *szp = cl; ++ return (VFP_OK); ++} ++ ++ ++/*-------------------------------------------------------------------- ++ * Read a chunked HTTP object. ++ * ++ */ ++ ++static enum vfp_status v_matchproto_(vfp_pull_f) ++v1f_chunked_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, ++ ssize_t *lp) ++{ ++ static enum vfp_status vfps; ++ struct http_conn *htc; ++ ssize_t l, lr; ++ ++ CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC); ++ CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC); ++ CAST_OBJ_NOTNULL(htc, vfe->priv1, HTTP_CONN_MAGIC); ++ AN(ptr); ++ AN(lp); ++ ++ l = *lp; ++ *lp = 0; ++ if (vfe->priv2 == -1) { ++ vfps = v1f_chunked_hdr(vc, htc, &vfe->priv2); ++ if (vfps != VFP_OK) ++ return (vfps); + } + if (vfe->priv2 > 0) { + if (vfe->priv2 < l) +@@ -169,30 +211,27 @@ v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, + return (VFP_Error(vc, "straight insufficient bytes")); + *lp = lr; + vfe->priv2 -= lr; +- if (vfe->priv2 == 0) +- vfe->priv2 = -1; +- return (VFP_OK); ++ if (vfe->priv2 != 0) ++ return (VFP_OK); ++ ++ vfe->priv2 = -1; ++ return (v1f_chunk_end(vc, htc)); + } + AZ(vfe->priv2); +- if (v1f_read(vc, htc, buf, 1) <= 0) +- return (VFP_Error(vc, "chunked read err")); +- if (buf[0] == '\r' && v1f_read(vc, htc, buf, 1) <= 0) +- return (VFP_Error(vc, "chunked read err")); +- if (buf[0] != '\n') +- return (VFP_Error(vc, "chunked tail no NL")); +- return (VFP_END); ++ vfps = v1f_chunk_end(vc, htc); ++ return (vfps == VFP_OK ? VFP_END : vfps); + } + + static const struct vfp v1f_chunked = { + .name = "V1F_CHUNKED", +- .pull = v1f_pull_chunked, ++ .pull = v1f_chunked_pull, + }; + + + /*--------------------------------------------------------------------*/ + + static enum vfp_status v_matchproto_(vfp_pull_f) +-v1f_pull_straight(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ++v1f_straight_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, + ssize_t *lp) + { + ssize_t l, lr; +@@ -223,13 +262,13 @@ v1f_pull_straight(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, + + static const struct vfp v1f_straight = { + .name = "V1F_STRAIGHT", +- .pull = v1f_pull_straight, ++ .pull = v1f_straight_pull, + }; + + /*--------------------------------------------------------------------*/ + + static enum vfp_status v_matchproto_(vfp_pull_f) +-v1f_pull_eof(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ssize_t *lp) ++v1f_eof_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ssize_t *lp) + { + ssize_t l, lr; + struct http_conn *htc; +@@ -254,7 +293,7 @@ v1f_pull_eof(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ssize_t *lp) + + static const struct vfp v1f_eof = { + .name = "V1F_EOF", +- .pull = v1f_pull_eof, ++ .pull = v1f_eof_pull, + }; + + /*-------------------------------------------------------------------- +diff --git a/bin/varnishtest/tests/f00016.vtc b/bin/varnishtest/tests/f00016.vtc +new file mode 100644 +index 0000000..a38b8b1 +--- /dev/null ++++ b/bin/varnishtest/tests/f00016.vtc +@@ -0,0 +1,69 @@ ++varnishtest "Do not tolerate anything else than CRLF as chunked ending" ++ ++server s0 { ++ rxreq ++ expect_close ++} -dispatch ++ ++varnish v1 -vcl+backend {} -start ++ ++logexpect l1 -v v1 { ++ expect * 1001 FetchError "chunked tail no NL" ++ expect * 1004 FetchError "chunked tail no NL" ++ expect * 1007 FetchError "chunked header non-hex" ++ expect * 1010 FetchError "chunked header non-hex" ++} -start ++ ++client c1 { ++ non_fatal ++ txreq -req POST -hdr "Transfer-encoding: chunked" ++ send "1\r\n" ++ send "This is more than one byte of data\r\n" ++ send "0\r\n" ++ send "\r\n" ++ fatal ++ rxresp ++ expect resp.status == 503 ++ expect_close ++} -run ++ ++client c2 { ++ non_fatal ++ txreq -req POST -hdr "Transfer-encoding: chunked" ++ send "1\r\n" ++ send "Z 2\r\n" ++ send "3d\r\n" ++ send "0\r\n\r\nPOST /evil HTTP/1.1\r\nHost: whatever\r\nContent-Length: 5\r\n\r\n" ++ send "0\r\n" ++ send "\r\n" ++ fatal ++ rxresp ++ expect resp.status == 503 ++ expect_close ++} -run ++ ++client c3 { ++ non_fatal ++ txreq -req POST -hdr "Transfer-encoding: chunked" ++ send "d\r\n" ++ send "Spurious CRLF\r\n\r\n" ++ send "0\r\n" ++ send "\r\n" ++ fatal ++ rxresp ++ expect resp.status == 503 ++ expect_close ++} -run ++ ++client c4 { ++ non_fatal ++ txreq -req POST -hdr "Transfer-encoding: chunked" ++ send "\n0\r\n" ++ send "\r\n" ++ fatal ++ rxresp ++ expect resp.status == 503 ++ expect_close ++} -run ++ ++logexpect l1 -wait +diff --git a/bin/varnishtest/tests/r01184.vtc b/bin/varnishtest/tests/r01184.vtc +index d5aba32..f7cd8d7 100644 +--- a/bin/varnishtest/tests/r01184.vtc ++++ b/bin/varnishtest/tests/r01184.vtc +@@ -62,6 +62,7 @@ server s1 { + sendhex " 10 45 f3 a9 83 b8 18 1c 7b c2 30 55 04 17 13 c4" + sendhex " 0f 07 5f 7a 38 f4 8e 50 b3 37 d4 3a 32 4a 34 07" + sendhex " FF FF FF FF FF FF FF FF 72 ea 06 5f b3 1c fa dd" ++ send "\n" + expect_close + } -start + +@@ -93,6 +94,7 @@ server s1 { + sendhex " 10 45 f3 a9 83 b8 18 1c 7b c2 30 55 04 17 13 c4" + sendhex " 0f 07 5f 7a 38 f4 8e 50 b3 37 d4 3a 32 4a 34 07" + sendhex " FF FF FF FF FF FF FF FF 72 ea 06 5f b3 1c fa dd" ++ send "\n" + expect_close + } -start + +diff --git a/bin/varnishtest/tests/r01729.vtc b/bin/varnishtest/tests/r01729.vtc +index 883a60c..f6a01e9 100644 +--- a/bin/varnishtest/tests/r01729.vtc ++++ b/bin/varnishtest/tests/r01729.vtc +@@ -11,7 +11,7 @@ server s1 { + send "\r\n" + send "14\r\n" + send "0123456789" +- send "0123456789" ++ send "0123456789\n" + send "0\r\n" + send "\r\n" + +@@ -29,7 +29,7 @@ client c1 { + send "\r\n" + send "14\r\n" + send "0123456789" +- send "0123456789" ++ send "0123456789\n" + send "0\r\n" + send "\r\n" + +@@ -45,7 +45,7 @@ client c1 { + send "\r\n" + send "14\r\n" + send "0123456789" +- send "0123456789" ++ send "0123456789\n" + send "0\r\n" + send "\r\n" + +diff --git a/include/vct.h b/include/vct.h +index 1b7ffbd..e68e465 100644 +--- a/include/vct.h ++++ b/include/vct.h +@@ -30,9 +30,9 @@ + + /* from libvarnish/vct.c */ + +-#define VCT_SP (1<<0) ++#define VCT_OWS (1<<0) + #define VCT_CRLF (1<<1) +-#define VCT_LWS (VCT_CRLF | VCT_SP) ++#define VCT_LWS (VCT_CRLF | VCT_OWS) + #define VCT_CTL (1<<2) + #define VCT_ALPHA (1<<3) + #define VCT_SEPARATOR (1<<4) +@@ -59,7 +59,8 @@ vct_is(int x, uint16_t y) + return (vct_typtab[x] & (y)); + } + +-#define vct_issp(x) vct_is(x, VCT_SP) ++#define vct_isows(x) vct_is(x, VCT_OWS) ++#define vct_issp(x) vct_is(x, VCT_OWS) + #define vct_ishex(x) vct_is(x, VCT_HEX) + #define vct_islws(x) vct_is(x, VCT_LWS) + #define vct_isctl(x) vct_is(x, VCT_CTL) +diff --git a/lib/libvarnish/vct.c b/lib/libvarnish/vct.c +index 73b784e..43853c9 100644 +--- a/lib/libvarnish/vct.c ++++ b/lib/libvarnish/vct.c +@@ -54,7 +54,7 @@ const uint16_t vct_typtab[256] = { + [0x06] = VCT_CTL, + [0x07] = VCT_CTL, + [0x08] = VCT_CTL, +- [0x09] = VCT_CTL | VCT_SP, ++ [0x09] = VCT_CTL | VCT_OWS, + [0x0a] = VCT_CTL | VCT_CRLF, + [0x0b] = VCT_CTL | VCT_VT, + [0x0c] = VCT_CTL, +@@ -77,7 +77,7 @@ const uint16_t vct_typtab[256] = { + [0x1d] = VCT_CTL, + [0x1e] = VCT_CTL, + [0x1f] = VCT_CTL, +- [0x20] = VCT_SP, ++ [0x20] = VCT_OWS, + [0x21] = VCT_TCHAR, + [0x22] = VCT_SEPARATOR, + [0x23] = VCT_TCHAR, diff --git a/SOURCES/varnish-6.0.8-CVE-2022-45060.patch b/SOURCES/varnish-6.0.8-CVE-2022-45060.patch deleted file mode 100644 index 6261b91..0000000 --- a/SOURCES/varnish-6.0.8-CVE-2022-45060.patch +++ /dev/null @@ -1,85 +0,0 @@ -diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c -index d432629..b0dacb9 100644 ---- a/bin/varnishd/http2/cache_http2_hpack.c -+++ b/bin/varnishd/http2/cache_http2_hpack.c -@@ -93,18 +93,25 @@ static h2_error - h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) - { - /* XXX: This might belong in cache/cache_http.c */ -+ const char *b0; - unsigned n; -+ int disallow_empty; -+ char *p; -+ int i; - - CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC); - AN(b); - assert(namelen >= 2); /* 2 chars from the ': ' that we added */ - assert(namelen <= len); -+ -+ disallow_empty = 0; - - if (len > UINT_MAX) { /* XXX: cache_param max header size */ - VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b); - return (H2SE_ENHANCE_YOUR_CALM); - } - -+ b0 = b; - if (b[0] == ':') { - /* Match H/2 pseudo headers */ - /* XXX: Should probably have some include tbl for -@@ -113,10 +120,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) - b += namelen; - len -= namelen; - n = HTTP_HDR_METHOD; -+ disallow_empty = 1; -+ -+ /* First field cannot contain SP or CTL */ -+ for (p = b, i = 0; i < len; p++, i++) { -+ if (vct_issp(*p) || vct_isctl(*p)) -+ return (H2SE_PROTOCOL_ERROR); -+ } - } else if (!strncmp(b, ":path: ", namelen)) { - b += namelen; - len -= namelen; - n = HTTP_HDR_URL; -+ disallow_empty = 1; -+ -+ /* Second field cannot contain LWS or CTL */ -+ for (p = b, i = 0; i < len; p++, i++) { -+ if (vct_islws(*p) || vct_isctl(*p)) -+ return (H2SE_PROTOCOL_ERROR); -+ } - } else if (!strncmp(b, ":scheme: ", namelen)) { - /* XXX: What to do about this one? (typically - "http" or "https"). For now set it as a normal -@@ -124,6 +145,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) - b++; - len-=1; - n = hp->nhd; -+ -+ for (p = b + namelen, i = 0; i < len-namelen; -+ p++, i++) { -+ if (vct_issp(*p) || vct_isctl(*p)) -+ return (H2SE_PROTOCOL_ERROR); -+ } -+ -+ if (!i) -+ return (H2SE_PROTOCOL_ERROR); - } else if (!strncmp(b, ":authority: ", namelen)) { - b+=6; - len-=6; -@@ -160,6 +190,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) - hp->hd[n].b = b; - hp->hd[n].e = b + len; - -+ if (disallow_empty && !Tlen(hp->hd[n])) { -+ VSLb(hp->vsl, SLT_BogoHeader, -+ "Empty pseudo-header %.*s", -+ (int)namelen, b0); -+ return (H2SE_PROTOCOL_ERROR); -+ } -+ - return (0); - } - diff --git a/SOURCES/varnish-6.0.8.CVE-2022-23959.patch b/SOURCES/varnish-6.0.8.CVE-2022-23959.patch deleted file mode 100644 index 27e3861..0000000 --- a/SOURCES/varnish-6.0.8.CVE-2022-23959.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c -index 463b75b..982bd73 100644 ---- a/bin/varnishd/cache/cache_req_body.c -+++ b/bin/varnishd/cache/cache_req_body.c -@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req) - if (req->req_body_status == REQ_BODY_WITH_LEN || - req->req_body_status == REQ_BODY_WITHOUT_LEN) - (void)VRB_Iterate(req, httpq_req_body_discard, NULL); -+ if (req->req_body_status == REQ_BODY_FAIL) -+ req->doclose = SC_RX_BODY; - return(0); - } - diff --git a/SPECS/varnish.spec b/SPECS/varnish.spec index e04ee71..646bcac 100644 --- a/SPECS/varnish.spec +++ b/SPECS/varnish.spec @@ -18,8 +18,8 @@ Summary: High-performance HTTP accelerator Name: varnish -Version: 6.0.8 -Release: 2%{?dist}.1 +Version: 6.0.13 +Release: 1%{?dist}.1 License: BSD Group: System Environment/Daemons URL: https://www.varnish-cache.org/ @@ -32,11 +32,9 @@ Patch9: varnish-5.1.1.fix_python_version.patch # https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e Patch11: varnish-6.0.0.fix_el6_fortify_source.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2045031 -Patch100: varnish-6.0.8.CVE-2022-23959.patch - -# https://bugzilla.redhat.com/show_bug.cgi?id=2141844 -Patch101: varnish-6.0.8-CVE-2022-45060.patch +# Security patches ... +# https://bugzilla.redhat.com/show_bug.cgi?id=2364235 +Patch100: varnish-6.0.13-CVE-2025-47905.patch Obsoletes: varnish-libs @@ -145,9 +143,7 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides %patch9 -p0 %patch11 -p0 %endif - %patch100 -p1 -%patch101 -p1 %build %if 0%{?rhel} == 6 @@ -214,6 +210,10 @@ sed -i 's/48/128/g;' bin/varnishtest/tests/c00057.vtc %endif #make %{?_smp_mflags} check LD_LIBRARY_PATH="%{buildroot}%{_libdir}:%{buildroot}%{_libdir}/%{name}" VERBOSE=1 +# disable test because of CVE-2023-44487 fix +# https://github.com/varnishcache/varnish-cache/pull/3998#issuecomment-1764649216 +rm bin/varnishtest/tests/t02014.vtc + %install rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" @@ -380,12 +380,21 @@ fi %changelog -* Mon Nov 14 2022 Luboš Uhliarik - 6.0.8-2.1 -- Resolves: #2142092 - CVE-2022-45060 varnish:6/varnish: Request Forgery - Vulnerability +* Wed May 21 2025 Luboš Uhliarik - 6.0.13-1.1 +- Resolves: RHEL-89695 - varnish: request smuggling attacks (CVE-2025-47905) -* Tue Feb 01 2022 Luboš Uhliarik - 6.0.8-2 -- Resolves: #2047650 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request +* Thu Mar 28 2024 Luboš Uhliarik - 6.0.13-1 +- new version 6.0.13 +- Resolves: RHEL-30379 - varnish:6/varnish: HTTP/2 Broken Window Attack may + result in denial of service (CVE-2024-30156) + +* Mon Oct 23 2023 Tomas Korbar - 6.0.8-4 +- Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487 +- CVE-2022-45060 varnish:6/varnish: Request Forgery +- Resolves: RHEL-12814 + +* Tue Feb 01 2022 Luboš Uhliarik - 6.0.8-1.1 +- Resolves: #2047648 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request Smuggling Vulnerability * Thu Jul 22 2021 Luboš Uhliarik - 6.0.8-1