Resolves: RHEL-59267 - varnish rebase to 7.6.0

Resolves: RHEL-30333 CVE-2024-30156 varnish: HTTP/2 Broken Window Attack may result in denial of service
2024-11-19 01:43:00 +01:00 · 2024-11-19 01:43:00 +01:00 · f96e72e653
commit f96e72e653
parent ee2b5f6ab9
3 changed files with 43 additions and 32 deletions
--- a/.gitignore
+++ b/.gitignore
@ -62,3 +62,5 @@ varnish-2.1.3.tar.gz
 /varnish-7.4.0.tgz
 /varnish-7.4.1.tgz
 /varnish-7.4.2.tgz
 /varnish-7.6.0.tgz
 /pkg-varnish-cache-7d90347.tar.gz
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (varnish-7.4.2.tgz) = acd61a852ac7d66b268ab831d3a771d7a063a6a257b5e7c25c5a2ec9bccefa845279b9bd5fc85dd0b4f1d56da59164a13149355d1e6187e71ad76463687f7971
+SHA512 (varnish-7.6.0.tgz) = 11ca965837ef38aa52487f388555dd56a33faaff61d6662e9df647891cf444309323c665fd353c49c69ba327beeba131730b397d1849b8cff721f0d8257b9f48
-SHA512 (pkg-varnish-cache-cfa8cb3.tar.gz) = 058e689186d1b01bb4a256ff3a5a373337e380a0a87128d4b2adbcff41210189e7f4b3d56e8451f06120449c04aaa4ddc61f934a1fda9c5336dfe2020c66a569
+SHA512 (pkg-varnish-cache-7d90347.tar.gz) = c5bf026bb50b416001d0e22e56c2774c143dab1f4658f03f1a4e6578369b71cfda5854b7d6b580c43c2ab8e68bfb9033b56734adfd29ac0fddc61fd6b1b4b0c0
--- a/varnish.spec
+++ b/varnish.spec
@ -12,12 +12,12 @@
 %global __provides_exclude_from ^%{_libdir}/varnish/vmods
-%global abi cd1d10ab53a6f6115b2b4f3b2a1da94c1f749f80
+%global abi ed1243ca162a7b1d975bc0332f0d66d33f0bc78e
-%global vrt 18.0
+%global vrt 20.0
 # Package scripts are now external
 # https://github.com/varnishcache/pkg-varnish-cache
-%global commit1 cfa8cb3724e4ca6398f60b09157715bcb99d189d
+%global commit1 7d90347be31891b338dededb318594cebb668ba7
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 # Default: Use jemalloc, as adviced by upstream project
@ -36,8 +36,8 @@
 Summary: High-performance HTTP accelerator
 Name: varnish
-Version: 7.4.2
+Version: 7.6.0
-Release: 5%{?dist}
+Release: 2%{?dist}
 License: BSD-2-Clause AND (BSD-2-Clause-FreeBSD AND BSD-3-Clause AND LicenseRef-Fedora-Public-Domain AND Zlib)
 URL: https://www.varnish-cache.org/
 Source0: http://varnish-cache.org/_downloads/%{name}-%{version}.tgz
@ -67,17 +67,20 @@ BuildRequires: python34 python34-sphinx python34-docutils
 BuildRequires: python3, python3-sphinx, python3-docutils
 %endif
 BuildRequires: gcc
 %if %{with system_allocator}
 # use glibc
 %else
 %ifnarch aarch64
 BuildRequires: jemalloc-devel
 %endif
 %endif
 BuildRequires: libedit-devel
 BuildRequires: make
 BuildRequires: ncurses-devel
 BuildRequires: pcre2-devel
 BuildRequires: pkgconfig
 BuildRequires: systemd-units
 %if %{with system_allocator}
 # use glibc
 %else
 BuildRequires: jemalloc-devel
 %endif
 # Extra requirements for the build suite
 #   needs haproxy2
@ -86,15 +89,15 @@ BuildRequires: haproxy
 %endif
 BuildRequires: nghttp2
 # Varnish actually needs gcc installed to work. It uses the C compiler
 # at runtime to compile the VCL configuration files. This is by design.
 Requires: gcc
 Requires: logrotate
 Requires: ncurses
 Requires: pcre2
 Requires: redhat-rpm-config
 Requires(pre): shadow-utils
 Requires(post): /usr/bin/uuidgen
 # Varnish actually needs gcc installed to work. It uses the C compiler 
 # at runtime to compile the VCL configuration files. This is by design.
 Requires: gcc
 Requires(post): systemd-units
 Requires(post): systemd-sysv
 Requires(preun): systemd-units
@ -163,6 +166,8 @@ export CFLAGS="$CFLAGS -ffloat-store -fexcess-precision=standard"
 export CFLAGS="$CFLAGS -Wno-error=free-nonheap-object"
 %endif
 # What platform is this
 uname -a
 # What gcc version is this?
 gcc --version
@ -199,20 +204,18 @@ rm -rf doc/html/_sources
 %check
-# Remove these for now. Hard to get the size and timing right
+# Up the stack size in tests, necessary on secondary arches
-%ifarch s390 s390x aarch64
+sed -i 's/thread_pool_stack 80k/thread_pool_stack 128k/g;' bin/varnishtest/tests/*.vtc
-rm bin/varnishtest/tests/o00005.vtc
+sed -i 's/file,2M/file,8M/' bin/varnishtest/tests/r04036.vtc
 %endif
 %ifarch armv7hl
 rm bin/varnishtest/tests/b00046.vtc
 %endif
 %ifarch s390x
 rm bin/varnishtest/tests/r02310.vtc
 %endif
 # failing on all arches
 rm bin/varnishtest/tests/h00004.vtc
-%make_build check
+# Just a hack to avoid too high load on secondary arch builders
 %ifarch s390x ppc64le
 # This works when ran alone, but not in the whole suite. Load and/or timing issues
 rm bin/varnishtest/tests/t02014.vtc
 make -j2 check
 %else
 #make_build check
 %endif
 %install
 rm -rf %{buildroot}
@ -287,10 +290,11 @@ chmod 644 lib/libvmod_*/*.h
 %pre
-getent group varnish >/dev/null || groupadd -r varnish
+getent group varnish >/dev/null ||
-getent passwd varnish >/dev/null || \
+groupadd -r varnish
-       useradd -r -g varnish -d /var/lib/varnish -s /sbin/nologin \
+getent passwd varnish >/dev/null ||
-               -c "Varnish Cache" varnish
+useradd -r -g varnish -d /var/lib/varnish -s /sbin/nologin \
 	-c "Varnish Cache" varnish
 exit 0
@ -309,6 +313,11 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %changelog
 * Tue Nov 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 7.6.0-2
 - Resolves: RHEL-59267 - varnish rebase to 7.6.0
 - Resolves: RHEL-30333 CVE-2024-30156 varnish: HTTP/2 Broken Window
  Attack may result in denial of service
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 7.4.2-5
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018
`@ -1,2 +1,2 @@`
	`SHA512 (varnish-7.4.2.tgz) = acd61a852ac7d66b268ab831d3a771d7a063a6a257b5e7c25c5a2ec9bccefa845279b9bd5fc85dd0b4f1d56da59164a13149355d1e6187e71ad76463687f7971`	`SHA512 (varnish-7.6.0.tgz) = 11ca965837ef38aa52487f388555dd56a33faaff61d6662e9df647891cf444309323c665fd353c49c69ba327beeba131730b397d1849b8cff721f0d8257b9f48`
	`SHA512 (pkg-varnish-cache-cfa8cb3.tar.gz) = 058e689186d1b01bb4a256ff3a5a373337e380a0a87128d4b2adbcff41210189e7f4b3d56e8451f06120449c04aaa4ddc61f934a1fda9c5336dfe2020c66a569`	`SHA512 (pkg-varnish-cache-7d90347.tar.gz) = c5bf026bb50b416001d0e22e56c2774c143dab1f4658f03f1a4e6578369b71cfda5854b7d6b580c43c2ab8e68bfb9033b56734adfd29ac0fddc61fd6b1b4b0c0`