diff --git a/varnish-6.0.8-CVE-2022-45060.patch b/varnish-6.0.8-CVE-2022-45060.patch new file mode 100644 index 0000000..6261b91 --- /dev/null +++ b/varnish-6.0.8-CVE-2022-45060.patch 
@@ -0,0 +1,85 @@ +diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c +index d432629..b0dacb9 100644 +--- a/bin/varnishd/http2/cache_http2_hpack.c ++++ b/bin/varnishd/http2/cache_http2_hpack.c +@@ -93,18 +93,25 @@ static h2_error + h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) + { + /* XXX: This might belong in cache/cache_http.c */ ++ const char *b0; + unsigned n; ++ int disallow_empty; ++ char *p; ++ int i; + + CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC); + AN(b); + assert(namelen >= 2); /* 2 chars from the ': ' that we added */ + assert(namelen <= len); ++ ++ disallow_empty = 0; + + if (len > UINT_MAX) { /* XXX: cache_param max header size */ + VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b); + return (H2SE_ENHANCE_YOUR_CALM); + } + ++ b0 = b; + if (b[0] == ':') { + /* Match H/2 pseudo headers */ + /* XXX: Should probably have some include tbl for +@@ -113,10 +120,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) + b += namelen; + len -= namelen; + n = HTTP_HDR_METHOD; ++ disallow_empty = 1; ++ ++ /* First field cannot contain SP or CTL */ ++ for (p = b, i = 0; i < len; p++, i++) { ++ if (vct_issp(*p) || vct_isctl(*p)) ++ return (H2SE_PROTOCOL_ERROR); ++ } + } else if (!strncmp(b, ":path: ", namelen)) { + b += namelen; + len -= namelen; + n = HTTP_HDR_URL; ++ disallow_empty = 1; ++ ++ /* Second field cannot contain LWS or CTL */ ++ for (p = b, i = 0; i < len; p++, i++) { ++ if (vct_islws(*p) || vct_isctl(*p)) ++ return (H2SE_PROTOCOL_ERROR); ++ } + } else if (!strncmp(b, ":scheme: ", namelen)) { + /* XXX: What to do about this one? (typically + "http" or "https"). 
For now set it as a normal +@@ -124,6 +145,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) + b++; + len-=1; + n = hp->nhd; ++ ++ for (p = b + namelen, i = 0; i < len-namelen; ++ p++, i++) { ++ if (vct_issp(*p) || vct_isctl(*p)) ++ return (H2SE_PROTOCOL_ERROR); ++ } ++ ++ if (!i) ++ return (H2SE_PROTOCOL_ERROR); + } else if (!strncmp(b, ":authority: ", namelen)) { + b+=6; + len-=6; +@@ -160,6 +190,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) + hp->hd[n].b = b; + hp->hd[n].e = b + len; + ++ if (disallow_empty && !Tlen(hp->hd[n])) { ++ VSLb(hp->vsl, SLT_BogoHeader, ++ "Empty pseudo-header %.*s", ++ (int)namelen, b0); ++ return (H2SE_PROTOCOL_ERROR); ++ } ++ + return (0); + } + diff --git a/varnish-6.0.8-CVE-2023-44487-rate_limit.patch b/varnish-6.0.8-CVE-2023-44487-rate_limit.patch new file mode 100644 index 0000000..509b2cf --- /dev/null +++ b/varnish-6.0.8-CVE-2023-44487-rate_limit.patch 
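Review bot: In the `:scheme:` branch of h2h_addhdr (inner hunk `@@ -124,6 +145,15 @@`) the new scan starts at `b + namelen` and runs `len-namelen` bytes, but `b++` and `len-=1` have already been applied while `namelen` still counts the leading ':'; as far as the visible lines show, the loop therefore skips the first byte of the scheme value, the `if (!i)` check rejects a one-byte value as empty, and for an empty value `len-namelen` wraps (both are size_t) so the loop walks past the header. The loop and the `if (!i)` check are written for the unshifted `b`/`len`, so moving those lines above `b++;` (as the `:method:`/`:path:` branches scan before any further adjustment) fixes all three cases without changing the loop text. Separately, `i` is declared `int` while `len` is `size_t`, so every `i < len` comparison is signed/unsigned; `size_t i;` removes that. h2h_addhdr's body spans several inner hunks of this patch file.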
@@ -0,0 +1,326 @@ +commit d5cc31b5e6824f8b031c045fab990f31010ee8a1 +Author: Tomas Korbar +Date: Wed Oct 18 17:02:33 2023 +0200 + + Upstream #3997 PR + + Fix CVE-2023-44487 + +diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc +index f6925f3..b237f86 100644 +--- a/bin/varnishd/VSC_main.vsc ++++ b/bin/varnishd/VSC_main.vsc +@@ -586,6 +586,14 @@ + + Number of session closes with Error VCL_FAILURE (VCL failure) + ++.. varnish_vsc:: sc_rapid_reset ++ :level: diag ++ :oneliner: Session Err RAPID_RESET ++ ++ Number of times we failed an http/2 session because it hit its ++ configured limits for the number of permitted rapid stream ++ resets. ++ + .. varnish_vsc:: client_resp_500 + :level: diag + :group: wrk +diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h +index 205b96c..36a21bc 100644 +--- a/bin/varnishd/http2/cache_http2.h ++++ b/bin/varnishd/http2/cache_http2.h +@@ -184,6 +184,8 @@ struct h2_sess { + h2_error error; + + int open_streams; ++ double rst_budget; ++ vtim_real last_rst; + }; + + #define ASSERT_RXTHR(h2) do {assert(h2->rxthr == pthread_self());} while(0) +diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c +index 98f5dc4..270603a 100644 +--- a/bin/varnishd/http2/cache_http2_proto.c ++++ b/bin/varnishd/http2/cache_http2_proto.c +@@ -43,6 +43,7 @@ + #include "vtcp.h" + #include "vtim.h" + ++#define H2_CUSTOM_ERRORS + #define H2EC1(U,v,d) const struct h2_error_s H2CE_##U[1] = {{#U,d,v,0,1}}; + #define H2EC2(U,v,d) const struct h2_error_s H2SE_##U[1] = {{#U,d,v,1,0}}; + #define H2EC3(U,v,d) H2EC1(U,v,d) H2EC2(U,v,d) +@@ -301,9 +302,46 @@ h2_rx_push_promise(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) + /********************************************************************** + */ + ++static h2_error ++h2_rapid_reset(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) ++{ ++ vtim_real now; ++ vtim_dur d; ++ ++ CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); ++ 
ASSERT_RXTHR(h2); ++ CHECK_OBJ_NOTNULL(r2, H2_REQ_MAGIC); ++ ++ if (cache_param->h2_rapid_reset_limit == 0) ++ return (0); ++ ++ now = VTIM_real(); ++ CHECK_OBJ_NOTNULL(r2->req, REQ_MAGIC); ++ AN(r2->req->t_first); ++ if (now - r2->req->t_first > cache_param->h2_rapid_reset) ++ return (0); ++ ++ d = now - h2->last_rst; ++ h2->rst_budget += cache_param->h2_rapid_reset_limit * d / ++ cache_param->h2_rapid_reset_period; ++ h2->rst_budget = vmin_t(double, h2->rst_budget, ++ cache_param->h2_rapid_reset_limit); ++ h2->last_rst = now; ++ ++ if (h2->rst_budget < 1.0) { ++ Lck_Lock(&h2->sess->mtx); ++ VSLb(h2->vsl, SLT_Error, "H2: Hit RST limit. Closing session."); ++ Lck_Unlock(&h2->sess->mtx); ++ return (H2CE_RAPID_RESET); ++ } ++ h2->rst_budget -= 1.0; ++ return (0); ++} ++ + static h2_error v_matchproto_(h2_rxframe_f) + h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) + { ++ h2_error h2e; + + CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); + ASSERT_RXTHR(h2); +@@ -313,8 +351,9 @@ h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) + return (H2CE_FRAME_SIZE_ERROR); + if (r2 == NULL) + return (0); ++ h2e = h2_rapid_reset(wrk, h2, r2); + h2_kill_req(wrk, h2, r2, h2_streamerror(vbe32dec(h2->rxf_data))); +- return (0); ++ return (h2e); + } + + /********************************************************************** +diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c +index de10835..720b009 100644 +--- a/bin/varnishd/http2/cache_http2_session.c ++++ b/bin/varnishd/http2/cache_http2_session.c +@@ -127,6 +127,9 @@ h2_init_sess(const struct worker *wrk, struct sess *sp, + h2_local_settings(&h2->local_settings); + h2->remote_settings = H2_proto_settings; + h2->decode = decode; ++ h2->rst_budget = cache_param->h2_rapid_reset_limit; ++ h2->last_rst = sp->t_open; ++ AZ(isnan(h2->last_rst)); + + AZ(VHT_Init(h2->dectbl, h2->local_settings.header_table_size)); + +diff --git 
a/bin/varnishtest/tests/r03996.vtc b/bin/varnishtest/tests/r03996.vtc +new file mode 100644 +index 0000000..3fee370 +--- /dev/null ++++ b/bin/varnishtest/tests/r03996.vtc +@@ -0,0 +1,51 @@ ++varnishtest "h2 rapid reset" ++ ++barrier b1 sock 5 ++ ++server s1 { ++ rxreq ++ txresp ++} -start ++ ++varnish v1 -cliok "param.set feature +http2" ++varnish v1 -cliok "param.set debug +syncvsl" ++varnish v1 -cliok "param.set h2_rapid_reset_limit 3" ++varnish v1 -cliok "param.set h2_rapid_reset 5" ++ ++varnish v1 -vcl+backend { ++ import vtc; ++ ++ sub vcl_recv { ++ vtc.barrier_sync("${b1_sock}"); ++ } ++ ++} -start ++ ++client c1 { ++ stream 0 { ++ rxgoaway ++ expect goaway.err == ENHANCE_YOUR_CALM ++ } -start ++ ++ stream 1 { ++ txreq ++ txrst ++ } -run ++ stream 3 { ++ txreq ++ txrst ++ } -run ++ stream 5 { ++ txreq ++ txrst ++ } -run ++ stream 7 { ++ txreq ++ txrst ++ } -run ++ ++ barrier b1 sync ++ stream 0 -wait ++} -run ++ ++varnish v1 -expect sc_rapid_reset == 1 +diff --git a/include/tbl/h2_error.h b/include/tbl/h2_error.h +index 02044db..0293539 100644 +--- a/include/tbl/h2_error.h ++++ b/include/tbl/h2_error.h +@@ -46,6 +46,18 @@ H2_ERROR(CONNECT_ERROR, 10,2, "TCP connection error for CONNECT method") + H2_ERROR(ENHANCE_YOUR_CALM, 11,3, "Processing capacity exceeded") + H2_ERROR(INADEQUATE_SECURITY, 12,1, "Negotiated TLS parameters not acceptable") + H2_ERROR(HTTP_1_1_REQUIRED, 13,1, "Use HTTP/1.1 for the request") ++ ++#ifdef H2_CUSTOM_ERRORS ++H2_ERROR( ++ /* name */ RAPID_RESET, ++ /* val */ 11, /* ENHANCE_YOUR_CALM */ ++ /* types */ 1, ++ /* descr */ "http/2 rapid reset detected" ++) ++ ++# undef H2_CUSTOM_ERRORS ++#endif ++ + #undef H2_ERROR + + /*lint -restore */ +diff --git a/include/tbl/params.h b/include/tbl/params.h +index deecd20..61748e4 100644 +--- a/include/tbl/params.h ++++ b/include/tbl/params.h +@@ -1901,6 +1901,53 @@ PARAM( + /* func */ NULL + ) + ++PARAM( ++ /* name */ h2_rapid_reset, ++ /* typ */ timeout, ++ /* min */ "0.000", ++ /* max */ NULL, 
++ /* def */ "1.000", ++ /* units */ "seconds", ++ /* flags */ EXPERIMENTAL, ++ /* s-text */ ++ "The upper threshold for how rapid an http/2 RST has to come for " ++ "it to be treated as suspect and subjected to the rate limits " ++ "specified by h2_rapid_reset_limit and h2_rapid_reset_period.", ++ /* l-text */ "", ++ /* func */ NULL ++) ++ ++PARAM( ++ /* name */ h2_rapid_reset_limit, ++ /* typ */ uint, ++ /* min */ "0", ++ /* max */ NULL, ++ /* def */ "3600", ++ /* units */ NULL, ++ /* flags */ EXPERIMENTAL, ++ /* s-text */ ++ "HTTP2 RST Allowance.\n" ++ "Specifies the maximum number of allowed stream resets issued by\n" ++ "a client over a time period before the connection is closed.\n" ++ "Setting this parameter to 0 disables the limit.", ++ /* l-text */ "", ++ /* func */ NULL ++) ++ ++PARAM( ++ /* name */ h2_rapid_reset_period, ++ /* typ */ timeout, ++ /* min */ "1.000", ++ /* max */ NULL, ++ /* def */ "60.000", ++ /* units */ "seconds", ++ /* flags */ EXPERIMENTAL|WIZARD, ++ /* s-text */ ++ "HTTP2 sliding window duration for h2_rapid_reset_limit.", ++ /* l-text */ "", ++ /* func */ NULL ++) ++ + #undef PARAM + + /*lint -restore */ +diff --git a/include/tbl/sess_close.h b/include/tbl/sess_close.h +index c20e71c..de130aa 100644 +--- a/include/tbl/sess_close.h ++++ b/include/tbl/sess_close.h +@@ -47,6 +47,7 @@ SESS_CLOSE(PIPE_OVERFLOW, pipe_overflow,1, "Session pipe overflow") + SESS_CLOSE(RANGE_SHORT, range_short, 1, "Insufficient data for range") + SESS_CLOSE(REQ_HTTP20, req_http20, 1, "HTTP2 not accepted") + SESS_CLOSE(VCL_FAILURE, vcl_failure, 1, "VCL failure") ++SESS_CLOSE(RAPID_RESET, rapid_reset, 1, "HTTP2 rapid reset") + #undef SESS_CLOSE + + /*lint -restore */ +diff --git a/include/vdef.h b/include/vdef.h +index 60d833c..327d506 100644 +--- a/include/vdef.h ++++ b/include/vdef.h +@@ -93,6 +93,47 @@ + # define v_deprecated_ + #endif + ++/********************************************************************** ++ * Find the minimum or maximum values. 
++ * Only evaluate the expression once and perform type checking. ++ */ ++ ++/* ref: https://stackoverflow.com/a/17624752 */ ++ ++#define VINDIRECT(a, b, c) a ## b ## c ++#define VCOMBINE(a, b, c) VINDIRECT(a, b, c) ++ ++#if defined(__COUNTER__) ++# define VUNIQ_NAME(base) VCOMBINE(base, __LINE__, __COUNTER__) ++#else ++# define VUNIQ_NAME(base) VCOMBINE(base, __LINE__, 0) ++#endif ++ ++#ifdef _lint ++#define typeof(x) __typeof__(x) ++#endif ++ ++/* ref: https://gcc.gnu.org/onlinedocs/gcc/Typeof.html */ ++ ++#define _vtake(op, ta, tb, a, b, _va, _vb) \ ++ ({ \ ++ ta _va = (a); \ ++ tb _vb = (b); \ ++ (void)(&_va == &_vb); \ ++ _va op _vb ? _va : _vb; \ ++}) ++ ++#define opmin < ++#define opmax > ++#define vtake(n, ta, tb, a, b) _vtake(op ## n, ta, tb, a, b, \ ++ VUNIQ_NAME(_v ## n ## A), VUNIQ_NAME(_v ## n ## B)) ++ ++#define vmin(a, b) vtake(min, typeof(a), typeof(b), a, b) ++#define vmax(a, b) vtake(max, typeof(a), typeof(b), a, b) ++ ++#define vmin_t(type, a, b) vtake(min, type, type, a, b) ++#define vmax_t(type, a, b) vtake(max, type, type, a, b) ++ + /********************************************************************* + * Pointer alignment magic + */ diff --git a/varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch b/varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch new file mode 100644 index 0000000..c0a7cfd --- /dev/null +++ b/varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch 
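Review bot: Nothing visible in this patch maps the new H2CE_RAPID_RESET error to the SC_RAPID_RESET close reason and sc_rapid_reset counter it also introduces: h2_rx_rst_stream now returns the error, but the only session teardown seen on this page, `h2_del_sess(wrk, h2, SC_RX_JUNK)` (context in the vcl_vrt patch further down), still hard-codes SC_RX_JUNK, so the added r03996.vtc expectation `sc_rapid_reset == 1` would fail unless a hunk I cannot see handles it, and the spec has `make check` commented out so the build would not catch it. The close reason should be derived from `h2->error` when the session is torn down after a rapid-reset rejection. Also, `d = now - h2->last_rst` is computed from wall-clock VTIM_real(), so a backward clock step yields a negative `d` that drains `rst_budget` instead of refilling it; clamping with `if (d < 0) d = 0;` before the budget update keeps a clock adjustment from tripping the limit. h2_rapid_reset and h2_rx_rst_stream are complete within this hunk.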
@@ -0,0 +1,206 @@ +commit c344e21f23c6605caa257abbf46fd333b7015928 +Author: Tomas Korbar +Date: Wed Oct 18 20:42:21 2023 +0200 + + vcl_vrt: Skip VCL execution if the client is gone + + Upstream PR #4006 + +diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc +index b237f86..88a659f 100644 +--- a/bin/varnishd/VSC_main.vsc ++++ b/bin/varnishd/VSC_main.vsc +@@ -324,6 +324,15 @@ + Number of times an HTTP/2 stream was refused because the queue was + too long already. See also parameter thread_queue_limit. + ++.. varnish_vsc:: req_reset ++ :group: wrk ++ :oneliner: Requests reset ++ ++ Number of times a client left before the VCL processing of its ++ requests completed. For HTTP/2 sessions, either the stream was ++ reset by an RST_STREAM frame from the client, or a stream or ++ connection error occurred. ++ + .. varnish_vsc:: n_object + :type: gauge + :group: wrk +diff --git a/bin/varnishd/cache/cache_transport.h b/bin/varnishd/cache/cache_transport.h +index 5da5e35..8546411 100644 +--- a/bin/varnishd/cache/cache_transport.h ++++ b/bin/varnishd/cache/cache_transport.h +@@ -42,6 +42,7 @@ typedef void vtr_sess_panic_f (struct vsb *, const struct sess *); + typedef void vtr_req_panic_f (struct vsb *, const struct req *); + typedef void vtr_req_fail_f (struct req *, enum sess_close); + typedef void vtr_reembark_f (struct worker *, struct req *); ++typedef int vtr_poll_f (struct req *); + typedef int vtr_minimal_response_f (struct req *, uint16_t status); + + struct transport { +@@ -62,6 +63,7 @@ struct transport { + vtr_sess_panic_f *sess_panic; + vtr_req_panic_f *req_panic; + vtr_reembark_f *reembark; ++ vtr_poll_f *poll; + vtr_minimal_response_f *minimal_response; + + VTAILQ_ENTRY(transport) list; +diff --git a/bin/varnishd/cache/cache_vcl_vrt.c b/bin/varnishd/cache/cache_vcl_vrt.c +index 5f3bfee..e35ae59 100644 +--- a/bin/varnishd/cache/cache_vcl_vrt.c ++++ b/bin/varnishd/cache/cache_vcl_vrt.c +@@ -37,8 +37,10 @@ + #include "cache_varnishd.h" + + #include 
"vcl.h" ++#include "vtim.h" + + #include "cache_director.h" ++#include "cache_transport.h" + #include "cache_vcl.h" + + /*--------------------------------------------------------------------*/ +@@ -338,6 +340,35 @@ VRT_rel_vcl(VRT_CTX, struct vclref **refp) + * The workspace argument is where random VCL stuff gets space from. + */ + ++static int ++req_poll(struct worker *wrk, struct req *req) ++{ ++ ++ CHECK_OBJ_NOTNULL(req->top, REQ_MAGIC); ++ CHECK_OBJ_NOTNULL(req->top->transport, TRANSPORT_MAGIC); ++ ++ /* NB: Since a fail transition leads to vcl_synth, the request may be ++ * short-circuited twice. ++ */ ++ if (req->req_reset) { ++ wrk->handling = VCL_RET_FAIL; ++ return (-1); ++ } ++ ++ if (!FEATURE(FEATURE_VCL_REQ_RESET)) ++ return (0); ++ if (req->top->transport->poll == NULL) ++ return (0); ++ if (req->top->transport->poll(req->top) >= 0) ++ return (0); ++ ++ VSLb_ts_req(req, "Reset", W_TIM_real(wrk)); ++ wrk->stats->req_reset++; ++ wrk->handling = VCL_RET_FAIL; ++ req->req_reset = 1; ++ return (-1); ++} ++ + static void + vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo, + void *specific, unsigned method, vcl_func_f *func) +@@ -351,6 +382,8 @@ vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo, + CHECK_OBJ_NOTNULL(req, REQ_MAGIC); + CHECK_OBJ_NOTNULL(req->sp, SESS_MAGIC); + CHECK_OBJ_NOTNULL(req->vcl, VCL_MAGIC); ++ if (req_poll(wrk, req)) ++ return; + VCL_Req2Ctx(&ctx, req); + } + if (bo != NULL) { +diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c +index 720b009..1584740 100644 +--- a/bin/varnishd/http2/cache_http2_session.c ++++ b/bin/varnishd/http2/cache_http2_session.c +@@ -440,6 +440,16 @@ h2_new_session(struct worker *wrk, void *arg) + h2_del_sess(wrk, h2, SC_RX_JUNK); + } + ++static int v_matchproto_(vtr_poll_f) ++h2_poll(struct req *req) ++{ ++ struct h2_req *r2; ++ ++ CHECK_OBJ_NOTNULL(req, REQ_MAGIC); ++ CAST_OBJ_NOTNULL(r2, req->transport_priv, 
H2_REQ_MAGIC); ++ return (r2->error ? -1 : 1); ++} ++ + struct transport H2_transport = { + .name = "H2", + .magic = TRANSPORT_MAGIC, +@@ -449,4 +459,5 @@ struct transport H2_transport = { + .req_body = h2_req_body, + .req_fail = h2_req_fail, + .sess_panic = h2_sess_panic, ++ .poll = h2_poll, + }; +diff --git a/bin/varnishd/mgt/mgt_param_bits.c b/bin/varnishd/mgt/mgt_param_bits.c +index 263d8a3..788d8f0 100644 +--- a/bin/varnishd/mgt/mgt_param_bits.c ++++ b/bin/varnishd/mgt/mgt_param_bits.c +@@ -219,7 +219,12 @@ tweak_feature(struct vsb *vsb, const struct parspec *par, const char *arg) + (void)par; + + if (arg != NULL && arg != JSON_FMT) { +- if (!strcmp(arg, "none")) { ++ if (!strcmp(arg, "default")) { ++ AZ(bit_tweak(vsb, mgt_param.feature_bits, ++ FEATURE_Reserved, ++ "+vcl_req_reset", ++ feature_tags, "feature bit", "+")); ++ }else if (!strcmp(arg, "none")) { + memset(mgt_param.feature_bits, + 0, sizeof mgt_param.feature_bits); + } else { +@@ -271,6 +276,6 @@ struct parspec VSL_parspec[] = { + #define FEATURE_BIT(U, l, d, ld) "\n\t" #l "\t" d + #include "tbl/feature_bits.h" + #undef FEATURE_BIT +- , 0, "none", "" }, ++ , 0, "default", "" }, + { NULL, NULL, NULL } + }; +diff --git a/doc/sphinx/reference/vsl.rst b/doc/sphinx/reference/vsl.rst +index 4d01f5b..b529562 100644 +--- a/doc/sphinx/reference/vsl.rst ++++ b/doc/sphinx/reference/vsl.rst +@@ -71,6 +71,11 @@ Resp + Restart + Client request is being restarted. + ++Reset ++ The client closed its connection, reset its stream or caused ++ a stream error that forced Varnish to reset the stream. Request ++ processing is interrupted and considered failed. ++ + Pipe handling timestamps + ~~~~~~~~~~~~~~~~~~~~~~~~ + +diff --git a/include/tbl/feature_bits.h b/include/tbl/feature_bits.h +index 23f1b01..844ecfa 100644 +--- a/include/tbl/feature_bits.h ++++ b/include/tbl/feature_bits.h +@@ -83,6 +83,12 @@ FEATURE_BIT(HTTP_DATE_POSTEL, http_date_postel, + "like Date:, Last-Modified:, Expires: etc." 
+ ) + ++FEATURE_BIT(VCL_REQ_RESET, vcl_req_reset, ++ "Stop processing client VCL once the client is gone.", ++ "Stop processing client VCL once the client is gone. " ++ "When this happens MAIN.req_reset is incremented." ++) ++ + #undef FEATURE_BIT + + /*lint -restore */ +diff --git a/include/tbl/req_flags.h b/include/tbl/req_flags.h +index 2c0dbe8..3d3f05f 100644 +--- a/include/tbl/req_flags.h ++++ b/include/tbl/req_flags.h +@@ -39,6 +39,7 @@ REQ_FLAG(is_hitpass, 1, 0, "") + REQ_FLAG(waitinglist, 0, 0, "") + REQ_FLAG(want100cont, 0, 0, "") + REQ_FLAG(late100cont, 0, 0, "") ++REQ_FLAG(req_reset, 0, 0, "") + #undef REQ_FLAG + + /*lint -restore */ diff --git a/varnish.spec b/varnish.spec index 03b615a..7b801c9 100644 --- a/varnish.spec +++ b/varnish.spec @@ -19,7 +19,7 @@ Summary: High-performance HTTP accelerator Name: varnish Version: 6.0.8 -Release: 1%{?dist}.1 +Release: 4%{?dist} License: BSD Group: System Environment/Daemons URL: https://www.varnish-cache.org/ @@ -35,6 +35,15 @@ Patch11: varnish-6.0.0.fix_el6_fortify_source.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2045031 Patch100: varnish-6.0.8.CVE-2022-23959.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2141844 +Patch101: varnish-6.0.8-CVE-2022-45060.patch + +# https://issues.redhat.com/browse/RHEL-12814 +Patch102: varnish-6.0.8-CVE-2023-44487-rate_limit.patch + +# https://issues.redhat.com/browse/RHEL-12814 +Patch103: varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch + Obsoletes: varnish-libs %if %{with python3} @@ -144,6 +153,9 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides %endif %patch100 -p1 +%patch101 -p1 +%patch102 -p1 +%patch103 -p1 %build %if 0%{?rhel} == 6 
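Review bot: The new `"default"` branch in tweak_feature (mgt_param_bits.c hunk `@@ -219,7 +219,12 @@`) only adds `+vcl_req_reset` on top of the bits currently set, whereas the `"none"` branch it sits next to clears the array first, so `param.set feature default` does not restore the defaults once other bits were enabled, which matters now that "default" is also the parameter's initial value. Unless additive behaviour is intended, insert `memset(mgt_param.feature_bits, 0, sizeof mgt_param.feature_bits);` before the `bit_tweak` call, and `}else if` should read `} else if` to match the surrounding style. In the same patch, h2_poll reads `r2->error` without the session mutex that the h2 rx thread presumably holds when it sets that field; if this unlocked read is deliberate, a comment such as `/* unlocked read: a stale value only delays the reset to the next VCL call */` would keep it from being flagged again.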
@@ -210,6 +222,10 @@ sed -i 's/48/128/g;' bin/varnishtest/tests/c00057.vtc %endif #make %{?_smp_mflags} check LD_LIBRARY_PATH="%{buildroot}%{_libdir}:%{buildroot}%{_libdir}/%{name}" VERBOSE=1 +# disable test because of CVE-2023-44487 fix +# https://github.com/varnishcache/varnish-cache/pull/3998#issuecomment-1764649216 +rm bin/varnishtest/tests/t02014.vtc + %install rm -rf %{buildroot} make install DESTDIR=%{buildroot} INSTALL="install -p" @@ -376,6 +392,11 @@ fi %changelog +* Mon Oct 23 2023 Tomas Korbar - 6.0.8-4 +- Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487 +- CVE-2022-45060 varnish:6/varnish: Request Forgery +- Resolves: RHEL-12814 + * Tue Feb 01 2022 Luboš Uhliarik - 6.0.8-1.1 - Resolves: #2047648 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request Smuggling Vulnerability
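Review bot: The added `rm bin/varnishtest/tests/t02014.vtc` appears to sit at the end of %build directly after the `#make ... check` line, which is commented out, so the test suite is not run in this build and the deletion currently has no effect; if the suite is meant to stay runnable, placing the `rm` in %prep next to the `%patch101`–`%patch103` lines keeps the source-tree edits together, and re-enabling the check would also exercise the new r03996.vtc added by Patch102. The %changelog entry in the next hunk names the parameters `h2_rst_allowance` and `h2_rst_allowance_period`, but Patch102 defines `h2_rapid_reset`, `h2_rapid_reset_limit` and `h2_rapid_reset_period`; the entry should use the names that actually exist in the build.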