import varnish-6.0.8-2.module+el8.7.0+17239+94d153bd.1
This commit is contained in:
parent
1d6c28dc5c
commit
aaf8ced8cf
85
SOURCES/varnish-6.0.8-CVE-2022-45060.patch
Normal file
85
SOURCES/varnish-6.0.8-CVE-2022-45060.patch
Normal file
@ -0,0 +1,85 @@
|
|||||||
|
diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
|
||||||
|
index d432629..b0dacb9 100644
|
||||||
|
--- a/bin/varnishd/http2/cache_http2_hpack.c
|
||||||
|
+++ b/bin/varnishd/http2/cache_http2_hpack.c
|
||||||
|
@@ -93,18 +93,25 @@ static h2_error
|
||||||
|
h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
|
||||||
|
{
|
||||||
|
/* XXX: This might belong in cache/cache_http.c */
|
||||||
|
+ const char *b0;
|
||||||
|
unsigned n;
|
||||||
|
+ int disallow_empty;
|
||||||
|
+ char *p;
|
||||||
|
+ int i;
|
||||||
|
|
||||||
|
CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
|
||||||
|
AN(b);
|
||||||
|
assert(namelen >= 2); /* 2 chars from the ': ' that we added */
|
||||||
|
assert(namelen <= len);
|
||||||
|
+
|
||||||
|
+ disallow_empty = 0;
|
||||||
|
|
||||||
|
if (len > UINT_MAX) { /* XXX: cache_param max header size */
|
||||||
|
VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
|
||||||
|
return (H2SE_ENHANCE_YOUR_CALM);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ b0 = b;
|
||||||
|
if (b[0] == ':') {
|
||||||
|
/* Match H/2 pseudo headers */
|
||||||
|
/* XXX: Should probably have some include tbl for
|
||||||
|
@@ -113,10 +120,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
|
||||||
|
b += namelen;
|
||||||
|
len -= namelen;
|
||||||
|
n = HTTP_HDR_METHOD;
|
||||||
|
+ disallow_empty = 1;
|
||||||
|
+
|
||||||
|
+ /* First field cannot contain SP or CTL */
|
||||||
|
+ for (p = b, i = 0; i < len; p++, i++) {
|
||||||
|
+ if (vct_issp(*p) || vct_isctl(*p))
|
||||||
|
+ return (H2SE_PROTOCOL_ERROR);
|
||||||
|
+ }
|
||||||
|
} else if (!strncmp(b, ":path: ", namelen)) {
|
||||||
|
b += namelen;
|
||||||
|
len -= namelen;
|
||||||
|
n = HTTP_HDR_URL;
|
||||||
|
+ disallow_empty = 1;
|
||||||
|
+
|
||||||
|
+ /* Second field cannot contain LWS or CTL */
|
||||||
|
+ for (p = b, i = 0; i < len; p++, i++) {
|
||||||
|
+ if (vct_islws(*p) || vct_isctl(*p))
|
||||||
|
+ return (H2SE_PROTOCOL_ERROR);
|
||||||
|
+ }
|
||||||
|
} else if (!strncmp(b, ":scheme: ", namelen)) {
|
||||||
|
/* XXX: What to do about this one? (typically
|
||||||
|
"http" or "https"). For now set it as a normal
|
||||||
|
@@ -124,6 +145,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
|
||||||
|
b++;
|
||||||
|
len-=1;
|
||||||
|
n = hp->nhd;
|
||||||
|
+
|
||||||
|
+ for (p = b + namelen, i = 0; i < len-namelen;
|
||||||
|
+ p++, i++) {
|
||||||
|
+ if (vct_issp(*p) || vct_isctl(*p))
|
||||||
|
+ return (H2SE_PROTOCOL_ERROR);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!i)
|
||||||
|
+ return (H2SE_PROTOCOL_ERROR);
|
||||||
|
} else if (!strncmp(b, ":authority: ", namelen)) {
|
||||||
|
b+=6;
|
||||||
|
len-=6;
|
||||||
|
@@ -160,6 +190,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
|
||||||
|
hp->hd[n].b = b;
|
||||||
|
hp->hd[n].e = b + len;
|
||||||
|
|
||||||
|
+ if (disallow_empty && !Tlen(hp->hd[n])) {
|
||||||
|
+ VSLb(hp->vsl, SLT_BogoHeader,
|
||||||
|
+ "Empty pseudo-header %.*s",
|
||||||
|
+ (int)namelen, b0);
|
||||||
|
+ return (H2SE_PROTOCOL_ERROR);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
@ -19,7 +19,7 @@
|
|||||||
Summary: High-performance HTTP accelerator
|
Summary: High-performance HTTP accelerator
|
||||||
Name: varnish
|
Name: varnish
|
||||||
Version: 6.0.8
|
Version: 6.0.8
|
||||||
Release: 1%{?dist}.1
|
Release: 2%{?dist}.1
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
URL: https://www.varnish-cache.org/
|
URL: https://www.varnish-cache.org/
|
||||||
@ -35,6 +35,9 @@ Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
|
|||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2045031
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2045031
|
||||||
Patch100: varnish-6.0.8.CVE-2022-23959.patch
|
Patch100: varnish-6.0.8.CVE-2022-23959.patch
|
||||||
|
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2141844
|
||||||
|
Patch101: varnish-6.0.8-CVE-2022-45060.patch
|
||||||
|
|
||||||
Obsoletes: varnish-libs
|
Obsoletes: varnish-libs
|
||||||
|
|
||||||
%if %{with python3}
|
%if %{with python3}
|
||||||
@ -144,6 +147,7 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%patch100 -p1
|
%patch100 -p1
|
||||||
|
%patch101 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%if 0%{?rhel} == 6
|
%if 0%{?rhel} == 6
|
||||||
@ -376,8 +380,12 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Feb 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1.1
|
* Mon Nov 14 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2.1
|
||||||
- Resolves: #2047648 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
|
- Resolves: #2142092 - CVE-2022-45060 varnish:6/varnish: Request Forgery
|
||||||
|
Vulnerability
|
||||||
|
|
||||||
|
* Tue Feb 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2
|
||||||
|
- Resolves: #2047650 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
|
||||||
Smuggling Vulnerability
|
Smuggling Vulnerability
|
||||||
|
|
||||||
* Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1
|
* Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1
|
||||||
|
Loading…
Reference in New Issue
Block a user