From 36e7beac650a3aba4c06684c36093177c061255b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sun, 1 May 2022 02:14:57 +0000 Subject: [PATCH] import varnish-6.0.8-1.module+el8.5.0+14089+03a0c2cc.1 --- .gitignore | 2 +- .varnish.metadata | 2 +- SOURCES/varnish-6.0.8.CVE-2022-23959.patch | 13 +++++++++++++ SPECS/varnish.spec | 18 ++++++++++++++++-- 4 files changed, 31 insertions(+), 4 deletions(-) create mode 100644 SOURCES/varnish-6.0.8.CVE-2022-23959.patch diff --git a/.gitignore b/.gitignore index 918cc33..84741e1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/pkg-varnish-cache-0ad2f22.tar.gz -SOURCES/varnish-6.0.6.tgz +SOURCES/varnish-6.0.8.tgz diff --git a/.varnish.metadata b/.varnish.metadata index aa082b2..597d7a5 100644 --- a/.varnish.metadata +++ b/.varnish.metadata @@ -1,2 +1,2 @@ db2cd6c296e7f19d65c09e642b7011338d9d0e04 SOURCES/pkg-varnish-cache-0ad2f22.tar.gz -c9cdd61f46d70b1bf8cb5eac3510aa3f4cf5c326 SOURCES/varnish-6.0.6.tgz +7c5e50eabcd3c0ddb6c463ba4645678a2f71233a SOURCES/varnish-6.0.8.tgz diff --git a/SOURCES/varnish-6.0.8.CVE-2022-23959.patch b/SOURCES/varnish-6.0.8.CVE-2022-23959.patch new file mode 100644 index 0000000..27e3861 --- /dev/null +++ b/SOURCES/varnish-6.0.8.CVE-2022-23959.patch @@ -0,0 +1,13 @@ +diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c +index 463b75b..982bd73 100644 +--- a/bin/varnishd/cache/cache_req_body.c ++++ b/bin/varnishd/cache/cache_req_body.c +@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req) + if (req->req_body_status == REQ_BODY_WITH_LEN || + req->req_body_status == REQ_BODY_WITHOUT_LEN) + (void)VRB_Iterate(req, httpq_req_body_discard, NULL); ++ if (req->req_body_status == REQ_BODY_FAIL) ++ req->doclose = SC_RX_BODY; + return(0); + } + diff --git a/SPECS/varnish.spec b/SPECS/varnish.spec index f2036a3..03b615a 100644 --- a/SPECS/varnish.spec +++ b/SPECS/varnish.spec @@ -18,8 +18,8 @@ Summary: High-performance HTTP accelerator Name: varnish -Version: 6.0.6 -Release: 2%{?dist} +Version: 6.0.8 +Release: 1%{?dist}.1 License: BSD Group: System Environment/Daemons URL: https://www.varnish-cache.org/ @@ -32,6 +32,9 @@ Patch9: varnish-5.1.1.fix_python_version.patch # https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e Patch11: varnish-6.0.0.fix_el6_fortify_source.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2045031 +Patch100: varnish-6.0.8.CVE-2022-23959.patch + Obsoletes: varnish-libs %if %{with python3} @@ -140,6 +143,8 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides %patch11 -p0 %endif +%patch100 -p1 + %build %if 0%{?rhel} == 6 export CFLAGS="%{optflags} -fPIC" @@ -371,6 +376,15 @@ fi %changelog +* Tue Feb 01 2022 Luboš Uhliarik - 6.0.8-1.1 +- Resolves: #2047648 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request + Smuggling Vulnerability + +* Thu Jul 22 2021 Luboš Uhliarik - 6.0.8-1 +- new version 6.0.8 +- Resolves: #1982862 - CVE-2021-36740 varnish:6/varnish: HTTP/2 request + smuggling attack via a large Content-Length header for a POST request + * Tue Apr 14 2020 Lubos Uhliarik - 6.0.6-2 - new version 6.0.6 - Resolves: #1795673 - RFE: rebase varnish:6 to latest 6.0.x LTS