Import from CS git

SOURCES/varnish-6.0.13-CVE-2025-47905.patch

@@ -0,0 +1,418 @@
+commit 1fef8cc747030259d61bf8e451b4317bff5b2ed5
+Author: Luboš Uhliarik <luhliari@redhat.com>
+Date:   Wed May 21 18:09:51 2025 +0200
+
+    Fix for CVE-2025-47905
+
+diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c
+index 374bcac..32176b3 100644
+--- a/bin/varnishd/http1/cache_http1_vfp.c
++++ b/bin/varnishd/http1/cache_http1_vfp.c
+@@ -90,76 +90,118 @@ v1f_read(const struct vfp_ctx *vc, struct http_conn *htc, void *d, ssize_t len)
+ 
+ 
+ /*--------------------------------------------------------------------
+- * Read a chunked HTTP object.
++ * read (CR)?LF at the end of a chunk
++ */
++static enum vfp_status
++v1f_chunk_end(struct vfp_ctx *vc, struct http_conn *htc)
++{
++	char c;
++
++	if (v1f_read(vc, htc, &c, 1) <= 0)
++		return (VFP_Error(vc, "chunked read err"));
++	if (c == '\r' && v1f_read(vc, htc, &c, 1) <= 0)
++		return (VFP_Error(vc, "chunked read err"));
++	if (c != '\n')
++		return (VFP_Error(vc, "chunked tail no NL"));
++	return (VFP_OK);
++}
++
++
++/*--------------------------------------------------------------------
++ * Parse a chunk header and, for VFP_OK, return size in a pointer
+  *
+  * XXX: Reading one byte at a time is pretty pessimal.
+  */
+ 
+-static enum vfp_status v_matchproto_(vfp_pull_f)
+-v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
+-    ssize_t *lp)
++static enum vfp_status
++v1f_chunked_hdr(struct vfp_ctx *vc, struct http_conn *htc, ssize_t *szp)
+ {
+-	struct http_conn *htc;
+ 	char buf[20];		/* XXX: 20 is arbitrary */
+-	char *q;
+ 	unsigned u;
+ 	uintmax_t cll;
+-	ssize_t cl, l, lr;
++	ssize_t cl, lr;
++	char *q;
+ 
+ 	CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
+-	CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
+-	CAST_OBJ_NOTNULL(htc, vfe->priv1, HTTP_CONN_MAGIC);
+-	AN(ptr);
+-	AN(lp);
++	CHECK_OBJ_NOTNULL(htc, HTTP_CONN_MAGIC);
++	AN(szp);
++	assert(*szp == -1);
+ 
+-	l = *lp;
+-	*lp = 0;
+-	if (vfe->priv2 == -1) {
+-		/* Skip leading whitespace */
+-		do {
+-			lr = v1f_read(vc, htc, buf, 1);
+-			if (lr <= 0)
+-				return (VFP_Error(vc, "chunked read err"));
+-		} while (vct_islws(buf[0]));
+-
+-		if (!vct_ishex(buf[0]))
+-			 return (VFP_Error(vc, "chunked header non-hex"));
+-
+-		/* Collect hex digits, skipping leading zeros */
+-		for (u = 1; u < sizeof buf; u++) {
+-			do {
+-				lr = v1f_read(vc, htc, buf + u, 1);
+-				if (lr <= 0)
+-					return (VFP_Error(vc,
+-					    "chunked read err"));
+-			} while (u == 1 && buf[0] == '0' && buf[u] == '0');
+-			if (!vct_ishex(buf[u]))
+-				break;
+-		}
++	/* Skip leading whitespace */
++	do {
++		lr = v1f_read(vc, htc, buf, 1);
++		if (lr <= 0)
++			return (VFP_Error(vc, "chunked read err"));
++	} while (vct_isows(buf[0]));
+ 
+-		if (u >= sizeof buf)
+-			return (VFP_Error(vc, "chunked header too long"));
++	if (!vct_ishex(buf[0]))
++		return (VFP_Error(vc, "chunked header non-hex"));
+ 
+-		/* Skip trailing white space */
+-		while (vct_islws(buf[u]) && buf[u] != '\n') {
++	/* Collect hex digits, skipping leading zeros */
++	for (u = 1; u < sizeof buf; u++) {
++		do {
+ 			lr = v1f_read(vc, htc, buf + u, 1);
+ 			if (lr <= 0)
+ 				return (VFP_Error(vc, "chunked read err"));
+-		}
++		} while (u == 1 && buf[0] == '0' && buf[u] == '0');
++		if (!vct_ishex(buf[u]))
++			break;
++	}
+ 
+-		if (buf[u] != '\n')
+-			return (VFP_Error(vc, "chunked header no NL"));
++	if (u >= sizeof buf)
++		return (VFP_Error(vc, "chunked header too long"));
+ 
+-		buf[u] = '\0';
++	/* Skip trailing white space */
++	while (vct_isows(buf[u])) {
++		lr = v1f_read(vc, htc, buf + u, 1);
++		if (lr <= 0)
++			return (VFP_Error(vc, "chunked read err"));
++	}
++
++	if (buf[u] == '\r' && v1f_read(vc, htc, buf + u, 1) <= 0)
++		return (VFP_Error(vc, "chunked read err"));
++	if (buf[u] != '\n')
++		return (VFP_Error(vc, "chunked header no NL"));
+ 
+-		cll = strtoumax(buf, &q, 16);
+-		if (q == NULL || *q != '\0')
+-			return (VFP_Error(vc, "chunked header number syntax"));
+-		cl = (ssize_t)cll;
+-		if (cl < 0 || (uintmax_t)cl != cll)
+-			return (VFP_Error(vc, "bogusly large chunk size"));
++	buf[u] = '\0';
+ 
+-		vfe->priv2 = cl;
++	cll = strtoumax(buf, &q, 16);
++	if (q == NULL || *q != '\0')
++		return (VFP_Error(vc, "chunked header number syntax"));
++	cl = (ssize_t)cll;
++	if (cl < 0 || (uintmax_t)cl != cll)
++		return (VFP_Error(vc, "bogusly large chunk size"));
++
++	*szp = cl;
++	return (VFP_OK);
++}
++
++
++/*--------------------------------------------------------------------
++ * Read a chunked HTTP object.
++ *
++ */
++
++static enum vfp_status v_matchproto_(vfp_pull_f)
++v1f_chunked_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
++    ssize_t *lp)
++{
++	static enum vfp_status vfps;
++	struct http_conn *htc;
++	ssize_t l, lr;
++
++	CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
++	CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
++	CAST_OBJ_NOTNULL(htc, vfe->priv1, HTTP_CONN_MAGIC);
++	AN(ptr);
++	AN(lp);
++
++	l = *lp;
++	*lp = 0;
++	if (vfe->priv2 == -1) {
++		vfps = v1f_chunked_hdr(vc, htc, &vfe->priv2);
++		if (vfps != VFP_OK)
++			return (vfps);
+ 	}
+ 	if (vfe->priv2 > 0) {
+ 		if (vfe->priv2 < l)
+@@ -169,30 +211,27 @@ v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
+ 			return (VFP_Error(vc, "straight insufficient bytes"));
+ 		*lp = lr;
+ 		vfe->priv2 -= lr;
+-		if (vfe->priv2 == 0)
+-			vfe->priv2 = -1;
+-		return (VFP_OK);
++		if (vfe->priv2 != 0)
++			return (VFP_OK);
++
++		vfe->priv2 = -1;
++		return (v1f_chunk_end(vc, htc));
+ 	}
+ 	AZ(vfe->priv2);
+-	if (v1f_read(vc, htc, buf, 1) <= 0)
+-		return (VFP_Error(vc, "chunked read err"));
+-	if (buf[0] == '\r' && v1f_read(vc, htc, buf, 1) <= 0)
+-		return (VFP_Error(vc, "chunked read err"));
+-	if (buf[0] != '\n')
+-		return (VFP_Error(vc, "chunked tail no NL"));
+-	return (VFP_END);
++	vfps = v1f_chunk_end(vc, htc);
++	return (vfps == VFP_OK ? VFP_END : vfps);
+ }
+ 
+ static const struct vfp v1f_chunked = {
+ 	.name = "V1F_CHUNKED",
+-	.pull = v1f_pull_chunked,
++	.pull = v1f_chunked_pull,
+ };
+ 
+ 
+ /*--------------------------------------------------------------------*/
+ 
+ static enum vfp_status v_matchproto_(vfp_pull_f)
+-v1f_pull_straight(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p,
++v1f_straight_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p,
+     ssize_t *lp)
+ {
+ 	ssize_t l, lr;
+@@ -223,13 +262,13 @@ v1f_pull_straight(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p,
+ 
+ static const struct vfp v1f_straight = {
+ 	.name = "V1F_STRAIGHT",
+-	.pull = v1f_pull_straight,
++	.pull = v1f_straight_pull,
+ };
+ 
+ /*--------------------------------------------------------------------*/
+ 
+ static enum vfp_status v_matchproto_(vfp_pull_f)
+-v1f_pull_eof(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ssize_t *lp)
++v1f_eof_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ssize_t *lp)
+ {
+ 	ssize_t l, lr;
+ 	struct http_conn *htc;
+@@ -254,7 +293,7 @@ v1f_pull_eof(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ssize_t *lp)
+ 
+ static const struct vfp v1f_eof = {
+ 	.name = "V1F_EOF",
+-	.pull = v1f_pull_eof,
++	.pull = v1f_eof_pull,
+ };
+ 
+ /*--------------------------------------------------------------------
+diff --git a/bin/varnishtest/tests/f00016.vtc b/bin/varnishtest/tests/f00016.vtc
+new file mode 100644
+index 0000000..a38b8b1
+--- /dev/null
++++ b/bin/varnishtest/tests/f00016.vtc
+@@ -0,0 +1,69 @@
++varnishtest "Do not tolerate anything else than CRLF as chunked ending"
++
++server s0 {
++	rxreq
++	expect_close
++} -dispatch
++
++varnish v1 -vcl+backend {} -start
++
++logexpect l1 -v v1 {
++	expect * 1001 FetchError "chunked tail no NL"
++	expect * 1004 FetchError "chunked tail no NL"
++	expect * 1007 FetchError "chunked header non-hex"
++	expect * 1010 FetchError "chunked header non-hex"
++} -start
++
++client c1 {
++	non_fatal
++	txreq -req POST -hdr "Transfer-encoding: chunked"
++	send "1\r\n"
++	send "This is more than one byte of data\r\n"
++	send "0\r\n"
++	send "\r\n"
++	fatal
++	rxresp
++	expect resp.status == 503
++	expect_close
++} -run
++
++client c2 {
++	non_fatal
++	txreq -req POST -hdr "Transfer-encoding: chunked"
++	send "1\r\n"
++	send "Z  2\r\n"
++	send "3d\r\n"
++	send "0\r\n\r\nPOST /evil HTTP/1.1\r\nHost: whatever\r\nContent-Length: 5\r\n\r\n"
++	send "0\r\n"
++	send "\r\n"
++	fatal
++	rxresp
++	expect resp.status == 503
++	expect_close
++} -run
++
++client c3 {
++	non_fatal
++	txreq -req POST -hdr "Transfer-encoding: chunked"
++	send "d\r\n"
++	send "Spurious CRLF\r\n\r\n"
++	send "0\r\n"
++	send "\r\n"
++	fatal
++	rxresp
++	expect resp.status == 503
++	expect_close
++} -run
++
++client c4 {
++	non_fatal
++	txreq -req POST -hdr "Transfer-encoding: chunked"
++	send "\n0\r\n"
++	send "\r\n"
++	fatal
++	rxresp
++	expect resp.status == 503
++	expect_close
++} -run
++
++logexpect l1 -wait
+diff --git a/bin/varnishtest/tests/r01184.vtc b/bin/varnishtest/tests/r01184.vtc
+index d5aba32..f7cd8d7 100644
+--- a/bin/varnishtest/tests/r01184.vtc
++++ b/bin/varnishtest/tests/r01184.vtc
+@@ -62,6 +62,7 @@ server s1 {
+ 		sendhex " 10 45 f3 a9 83 b8 18 1c  7b c2 30 55 04 17 13 c4"
+ 		sendhex " 0f 07 5f 7a 38 f4 8e 50  b3 37 d4 3a 32 4a 34 07"
+ 		sendhex " FF FF FF FF FF FF FF FF  72 ea 06 5f b3 1c fa dd"
++	send "\n"
+ 	expect_close
+ } -start
+ 
+@@ -93,6 +94,7 @@ server s1 {
+ 		sendhex " 10 45 f3 a9 83 b8 18 1c  7b c2 30 55 04 17 13 c4"
+ 		sendhex " 0f 07 5f 7a 38 f4 8e 50  b3 37 d4 3a 32 4a 34 07"
+ 		sendhex " FF FF FF FF FF FF FF FF  72 ea 06 5f b3 1c fa dd"
++	send "\n"
+ 	expect_close
+ } -start
+ 
+diff --git a/bin/varnishtest/tests/r01729.vtc b/bin/varnishtest/tests/r01729.vtc
+index 883a60c..f6a01e9 100644
+--- a/bin/varnishtest/tests/r01729.vtc
++++ b/bin/varnishtest/tests/r01729.vtc
+@@ -11,7 +11,7 @@ server s1 {
+ 	send "\r\n"
+ 	send "14\r\n"
+ 	send "0123456789"
+-	send "0123456789"
++	send "0123456789\n"
+ 	send "0\r\n"
+ 	send "\r\n"
+ 
+@@ -29,7 +29,7 @@ client c1 {
+ 	send "\r\n"
+ 	send "14\r\n"
+ 	send "0123456789"
+-	send "0123456789"
++	send "0123456789\n"
+ 	send "0\r\n"
+ 	send "\r\n"
+ 
+@@ -45,7 +45,7 @@ client c1 {
+ 	send "\r\n"
+ 	send "14\r\n"
+ 	send "0123456789"
+-	send "0123456789"
++	send "0123456789\n"
+ 	send "0\r\n"
+ 	send "\r\n"
+ 
+diff --git a/include/vct.h b/include/vct.h
+index 1b7ffbd..e68e465 100644
+--- a/include/vct.h
++++ b/include/vct.h
+@@ -30,9 +30,9 @@
+ 
+ /* from libvarnish/vct.c */
+ 
+-#define VCT_SP			(1<<0)
++#define VCT_OWS			(1<<0)
+ #define VCT_CRLF		(1<<1)
+-#define VCT_LWS			(VCT_CRLF | VCT_SP)
++#define VCT_LWS			(VCT_CRLF | VCT_OWS)
+ #define VCT_CTL			(1<<2)
+ #define VCT_ALPHA		(1<<3)
+ #define VCT_SEPARATOR		(1<<4)
+@@ -59,7 +59,8 @@ vct_is(int x, uint16_t y)
+ 	return (vct_typtab[x] & (y));
+ }
+ 
+-#define vct_issp(x) vct_is(x, VCT_SP)
++#define vct_isows(x) vct_is(x, VCT_OWS)
++#define vct_issp(x) vct_is(x, VCT_OWS)
+ #define vct_ishex(x) vct_is(x, VCT_HEX)
+ #define vct_islws(x) vct_is(x, VCT_LWS)
+ #define vct_isctl(x) vct_is(x, VCT_CTL)
+diff --git a/lib/libvarnish/vct.c b/lib/libvarnish/vct.c
+index 73b784e..43853c9 100644
+--- a/lib/libvarnish/vct.c
++++ b/lib/libvarnish/vct.c
+@@ -54,7 +54,7 @@ const uint16_t vct_typtab[256] = {
+ 	[0x06]	=	VCT_CTL,
+ 	[0x07]	=	VCT_CTL,
+ 	[0x08]	=	VCT_CTL,
+-	[0x09]	=	VCT_CTL | VCT_SP,
++	[0x09]	=	VCT_CTL | VCT_OWS,
+ 	[0x0a]	=	VCT_CTL | VCT_CRLF,
+ 	[0x0b]	=	VCT_CTL | VCT_VT,
+ 	[0x0c]	=	VCT_CTL,
+@@ -77,7 +77,7 @@ const uint16_t vct_typtab[256] = {
+ 	[0x1d]	=	VCT_CTL,
+ 	[0x1e]	=	VCT_CTL,
+ 	[0x1f]	=	VCT_CTL,
+-	[0x20]  =	VCT_SP,
++	[0x20]	=	VCT_OWS,
+ 	[0x21]  =	VCT_TCHAR,
+ 	[0x22]  =	VCT_SEPARATOR,
+ 	[0x23]  =	VCT_TCHAR,

SOURCES/varnish-6.0.8-CVE-2022-45060.patch

@@ -1,85 +0,0 @@
-diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
-index d432629..b0dacb9 100644
---- a/bin/varnishd/http2/cache_http2_hpack.c
-+++ b/bin/varnishd/http2/cache_http2_hpack.c
-@@ -93,18 +93,25 @@ static h2_error
- h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- {
- 	/* XXX: This might belong in cache/cache_http.c */
-+	const char *b0;
- 	unsigned n;
-+	int disallow_empty;
-+	char *p;
-+	int i;
- 
- 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
- 	AN(b);
- 	assert(namelen >= 2);	/* 2 chars from the ': ' that we added */
- 	assert(namelen <= len);
-+	
-+	disallow_empty = 0;
- 
- 	if (len > UINT_MAX) {	/* XXX: cache_param max header size */
- 		VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
- 		return (H2SE_ENHANCE_YOUR_CALM);
- 	}
- 
-+	b0 = b;
- 	if (b[0] == ':') {
- 		/* Match H/2 pseudo headers */
- 		/* XXX: Should probably have some include tbl for
-@@ -113,10 +120,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- 			b += namelen;
- 			len -= namelen;
- 			n = HTTP_HDR_METHOD;
-+			disallow_empty = 1;
-+
-+			/* First field cannot contain SP or CTL */
-+			for (p = b, i = 0; i < len; p++, i++) {
-+				if (vct_issp(*p) || vct_isctl(*p))
-+					return (H2SE_PROTOCOL_ERROR);
-+			}
- 		} else if (!strncmp(b, ":path: ", namelen)) {
- 			b += namelen;
- 			len -= namelen;
- 			n = HTTP_HDR_URL;
-+			disallow_empty = 1;
-+
-+			/* Second field cannot contain LWS or CTL */
-+			for (p = b, i = 0; i < len; p++, i++) {
-+				if (vct_islws(*p) || vct_isctl(*p))
-+					return (H2SE_PROTOCOL_ERROR);
-+			}
- 		} else if (!strncmp(b, ":scheme: ", namelen)) {
- 			/* XXX: What to do about this one? (typically
- 			   "http" or "https"). For now set it as a normal
-@@ -124,6 +145,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- 			b++;
- 			len-=1;
- 			n = hp->nhd;
-+
-+			for (p = b + namelen, i = 0; i < len-namelen;
-+			    p++, i++) {
-+				if (vct_issp(*p) || vct_isctl(*p))
-+					return (H2SE_PROTOCOL_ERROR);
-+			}
-+
-+			if (!i)
-+				return (H2SE_PROTOCOL_ERROR);
- 		} else if (!strncmp(b, ":authority: ", namelen)) {
- 			b+=6;
- 			len-=6;
-@@ -160,6 +190,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- 	hp->hd[n].b = b;
- 	hp->hd[n].e = b + len;
- 
-+	if (disallow_empty && !Tlen(hp->hd[n])) {
-+		VSLb(hp->vsl, SLT_BogoHeader,
-+		    "Empty pseudo-header %.*s",
-+		    (int)namelen, b0);
-+		return (H2SE_PROTOCOL_ERROR);
-+	}
-+
- 	return (0);
- }
- 

SOURCES/varnish-6.0.8-CVE-2023-44487-rate_limit.patch

@@ -1,326 +0,0 @@
-commit d5cc31b5e6824f8b031c045fab990f31010ee8a1
-Author: Tomas Korbar <tkorbar@redhat.com>
-Date:   Wed Oct 18 17:02:33 2023 +0200
-
-    Upstream #3997 PR
-    
-    Fix CVE-2023-44487
-
-diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc
-index f6925f3..b237f86 100644
---- a/bin/varnishd/VSC_main.vsc
-+++ b/bin/varnishd/VSC_main.vsc
-@@ -586,6 +586,14 @@
- 
- 	Number of session closes with Error VCL_FAILURE (VCL failure)
- 
-+.. varnish_vsc:: sc_rapid_reset
-+       :level: diag
-+       :oneliner:      Session Err RAPID_RESET
-+
-+       Number of times we failed an http/2 session because it hit its
-+       configured limits for the number of permitted rapid stream
-+       resets.
-+
- .. varnish_vsc:: client_resp_500
- 	:level: diag
- 	:group: wrk
-diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h
-index 205b96c..36a21bc 100644
---- a/bin/varnishd/http2/cache_http2.h
-+++ b/bin/varnishd/http2/cache_http2.h
-@@ -184,6 +184,8 @@ struct h2_sess {
- 	h2_error			error;
- 
- 	int				open_streams;
-+	double				rst_budget;
-+	vtim_real			last_rst;
- };
- 
- #define ASSERT_RXTHR(h2) do {assert(h2->rxthr == pthread_self());} while(0)
-diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
-index 98f5dc4..270603a 100644
---- a/bin/varnishd/http2/cache_http2_proto.c
-+++ b/bin/varnishd/http2/cache_http2_proto.c
-@@ -43,6 +43,7 @@
- #include "vtcp.h"
- #include "vtim.h"
- 
-+#define H2_CUSTOM_ERRORS
- #define H2EC1(U,v,d) const struct h2_error_s H2CE_##U[1] = {{#U,d,v,0,1}};
- #define H2EC2(U,v,d) const struct h2_error_s H2SE_##U[1] = {{#U,d,v,1,0}};
- #define H2EC3(U,v,d) H2EC1(U,v,d) H2EC2(U,v,d)
-@@ -301,9 +302,46 @@ h2_rx_push_promise(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
- /**********************************************************************
-  */
- 
-+static h2_error
-+h2_rapid_reset(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
-+{
-+	vtim_real now;
-+	vtim_dur d;
-+
-+	CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
-+	ASSERT_RXTHR(h2);
-+	CHECK_OBJ_NOTNULL(r2, H2_REQ_MAGIC);
-+
-+	if (cache_param->h2_rapid_reset_limit == 0)
-+		return (0);
-+
-+	now = VTIM_real();
-+	CHECK_OBJ_NOTNULL(r2->req, REQ_MAGIC);
-+	AN(r2->req->t_first);
-+	if (now - r2->req->t_first > cache_param->h2_rapid_reset)
-+		return (0);
-+
-+	d = now - h2->last_rst;
-+	h2->rst_budget += cache_param->h2_rapid_reset_limit * d /
-+	    cache_param->h2_rapid_reset_period;
-+	h2->rst_budget = vmin_t(double, h2->rst_budget,
-+	    cache_param->h2_rapid_reset_limit);
-+	h2->last_rst = now;
-+
-+	if (h2->rst_budget < 1.0) {
-+		Lck_Lock(&h2->sess->mtx);
-+		VSLb(h2->vsl, SLT_Error, "H2: Hit RST limit. Closing session.");
-+		Lck_Unlock(&h2->sess->mtx);
-+		return (H2CE_RAPID_RESET);
-+	}
-+	h2->rst_budget -= 1.0;
-+	return (0);
-+}
-+
- static h2_error v_matchproto_(h2_rxframe_f)
- h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
- {
-+	h2_error h2e;
- 
- 	CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
- 	ASSERT_RXTHR(h2);
-@@ -313,8 +351,9 @@ h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
- 		return (H2CE_FRAME_SIZE_ERROR);
- 	if (r2 == NULL)
- 		return (0);
-+	h2e = h2_rapid_reset(wrk, h2, r2);
- 	h2_kill_req(wrk, h2, r2, h2_streamerror(vbe32dec(h2->rxf_data)));
--	return (0);
-+	return (h2e);
- }
- 
- /**********************************************************************
-diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c
-index de10835..720b009 100644
---- a/bin/varnishd/http2/cache_http2_session.c
-+++ b/bin/varnishd/http2/cache_http2_session.c
-@@ -127,6 +127,9 @@ h2_init_sess(const struct worker *wrk, struct sess *sp,
- 	h2_local_settings(&h2->local_settings);
- 	h2->remote_settings = H2_proto_settings;
- 	h2->decode = decode;
-+	h2->rst_budget = cache_param->h2_rapid_reset_limit;
-+	h2->last_rst = sp->t_open;
-+	AZ(isnan(h2->last_rst));
- 
- 	AZ(VHT_Init(h2->dectbl, h2->local_settings.header_table_size));
- 
-diff --git a/bin/varnishtest/tests/r03996.vtc b/bin/varnishtest/tests/r03996.vtc
-new file mode 100644
-index 0000000..3fee370
---- /dev/null
-+++ b/bin/varnishtest/tests/r03996.vtc
-@@ -0,0 +1,51 @@
-+varnishtest "h2 rapid reset"
-+
-+barrier b1 sock 5
-+
-+server s1 {
-+	rxreq
-+	txresp
-+} -start
-+
-+varnish v1 -cliok "param.set feature +http2"
-+varnish v1 -cliok "param.set debug +syncvsl"
-+varnish v1 -cliok "param.set h2_rapid_reset_limit 3"
-+varnish v1 -cliok "param.set h2_rapid_reset 5"
-+
-+varnish v1 -vcl+backend {
-+	import vtc;
-+
-+	sub vcl_recv {
-+		vtc.barrier_sync("${b1_sock}");
-+	}
-+
-+} -start
-+
-+client c1 {
-+	stream 0 {
-+		rxgoaway
-+		expect goaway.err == ENHANCE_YOUR_CALM
-+	} -start
-+
-+	stream 1 {
-+		txreq
-+		txrst
-+	} -run
-+	stream 3 {
-+		txreq
-+		txrst
-+	} -run
-+	stream 5 {
-+		txreq
-+		txrst
-+	} -run
-+	stream 7 {
-+		txreq
-+		txrst
-+	} -run
-+
-+	barrier b1 sync
-+	stream 0 -wait
-+} -run
-+
-+varnish v1 -expect sc_rapid_reset == 1
-diff --git a/include/tbl/h2_error.h b/include/tbl/h2_error.h
-index 02044db..0293539 100644
---- a/include/tbl/h2_error.h
-+++ b/include/tbl/h2_error.h
-@@ -46,6 +46,18 @@ H2_ERROR(CONNECT_ERROR,	      10,2, "TCP connection error for CONNECT method")
- H2_ERROR(ENHANCE_YOUR_CALM,   11,3, "Processing capacity exceeded")
- H2_ERROR(INADEQUATE_SECURITY, 12,1, "Negotiated TLS parameters not acceptable")
- H2_ERROR(HTTP_1_1_REQUIRED,   13,1, "Use HTTP/1.1 for the request")
-+
-+#ifdef H2_CUSTOM_ERRORS
-+H2_ERROR(
-+       /* name */      RAPID_RESET,
-+       /* val */       11, /* ENHANCE_YOUR_CALM */
-+       /* types */     1,
-+       /* descr */     "http/2 rapid reset detected"
-+)
-+
-+#  undef H2_CUSTOM_ERRORS
-+#endif
-+
- #undef H2_ERROR
- 
- /*lint -restore */
-diff --git a/include/tbl/params.h b/include/tbl/params.h
-index deecd20..61748e4 100644
---- a/include/tbl/params.h
-+++ b/include/tbl/params.h
-@@ -1901,6 +1901,53 @@ PARAM(
- 	/* func */      NULL
- )
- 
-+PARAM(
-+	/* name */	h2_rapid_reset,
-+	/* typ */	timeout,
-+	/* min */	"0.000",
-+	/* max */	NULL,
-+	/* def */	"1.000",
-+	/* units */	"seconds",
-+	/* flags */	EXPERIMENTAL,
-+	/* s-text */
-+       "The upper threshold for how rapid an http/2 RST has to come for "
-+       "it to be treated as suspect and subjected to the rate limits "
-+       "specified by h2_rapid_reset_limit and h2_rapid_reset_period.",
-+	/* l-text */    "",
-+	/* func */      NULL
-+)
-+
-+PARAM(
-+	/* name */	h2_rapid_reset_limit,
-+	/* typ */	uint,
-+	/* min */	"0",
-+	/* max */	NULL,
-+	/* def */	"3600",
-+	/* units */	NULL,
-+	/* flags */	EXPERIMENTAL,
-+	/* s-text */
-+	"HTTP2 RST Allowance.\n"
-+	"Specifies the maximum number of allowed stream resets issued by\n"
-+	"a client over a time period before the connection is closed.\n"
-+	"Setting this parameter to 0 disables the limit.",
-+	/* l-text */    "",
-+	/* func */      NULL
-+)
-+
-+PARAM(
-+	/* name */	h2_rapid_reset_period,
-+	/* typ */	timeout,
-+	/* min */	"1.000",
-+	/* max */	NULL,
-+	/* def */	"60.000",
-+	/* units */	"seconds",
-+	/* flags */	EXPERIMENTAL|WIZARD,
-+	/* s-text */
-+	"HTTP2 sliding window duration for h2_rapid_reset_limit.",
-+	/* l-text */    "",
-+	/* func */      NULL
-+)
-+
- #undef PARAM
- 
- /*lint -restore */
-diff --git a/include/tbl/sess_close.h b/include/tbl/sess_close.h
-index c20e71c..de130aa 100644
---- a/include/tbl/sess_close.h
-+++ b/include/tbl/sess_close.h
-@@ -47,6 +47,7 @@ SESS_CLOSE(PIPE_OVERFLOW, pipe_overflow,1,	"Session pipe overflow")
- SESS_CLOSE(RANGE_SHORT,   range_short,	1,	"Insufficient data for range")
- SESS_CLOSE(REQ_HTTP20,	  req_http20,	1,	"HTTP2 not accepted")
- SESS_CLOSE(VCL_FAILURE,	  vcl_failure,	1,	"VCL failure")
-+SESS_CLOSE(RAPID_RESET,	  rapid_reset,  1,      "HTTP2 rapid reset")
- #undef SESS_CLOSE
- 
- /*lint -restore */
-diff --git a/include/vdef.h b/include/vdef.h
-index 60d833c..327d506 100644
---- a/include/vdef.h
-+++ b/include/vdef.h
-@@ -93,6 +93,47 @@
- #  define v_deprecated_
- #endif
- 
-+/**********************************************************************
-+ * Find the minimum or maximum values.
-+ * Only evaluate the expression once and perform type checking.
-+ */
-+
-+/* ref: https://stackoverflow.com/a/17624752 */
-+
-+#define VINDIRECT(a, b, c)	a ## b ## c
-+#define VCOMBINE(a, b, c)	VINDIRECT(a, b, c)
-+
-+#if defined(__COUNTER__)
-+#	define VUNIQ_NAME(base)	VCOMBINE(base, __LINE__, __COUNTER__)
-+#else
-+#	define VUNIQ_NAME(base)	VCOMBINE(base, __LINE__, 0)
-+#endif
-+
-+#ifdef _lint
-+#define typeof(x) __typeof__(x)
-+#endif
-+
-+/* ref: https://gcc.gnu.org/onlinedocs/gcc/Typeof.html */
-+
-+#define _vtake(op, ta, tb, a, b, _va, _vb)				\
-+	({								\
-+	ta _va = (a);							\
-+	tb _vb = (b);							\
-+	(void)(&_va == &_vb);						\
-+	_va op _vb ? _va : _vb;						\
-+})
-+
-+#define opmin <
-+#define opmax >
-+#define vtake(n, ta, tb, a, b)	_vtake(op ## n, ta, tb, a, b,		\
-+    VUNIQ_NAME(_v ## n ## A), VUNIQ_NAME(_v ## n ## B))
-+
-+#define vmin(a, b)		vtake(min, typeof(a), typeof(b), a, b)
-+#define vmax(a, b)		vtake(max, typeof(a), typeof(b), a, b)
-+
-+#define vmin_t(type, a, b)	vtake(min, type, type, a, b)
-+#define vmax_t(type, a, b)	vtake(max, type, type, a, b)
-+
- /*********************************************************************
-  * Pointer alignment magic
-  */

SOURCES/varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch

@@ -1,206 +0,0 @@
-commit c344e21f23c6605caa257abbf46fd333b7015928
-Author: Tomas Korbar <tkorbar@redhat.com>
-Date:   Wed Oct 18 20:42:21 2023 +0200
-
-    vcl_vrt: Skip VCL execution if the client is gone
-    
-    Upstream PR #4006
-
-diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc
-index b237f86..88a659f 100644
---- a/bin/varnishd/VSC_main.vsc
-+++ b/bin/varnishd/VSC_main.vsc
-@@ -324,6 +324,15 @@
- 	Number of times an HTTP/2 stream was refused because the queue was
- 	too long already. See also parameter thread_queue_limit.
- 
-+.. varnish_vsc:: req_reset
-+	:group: wrk
-+	:oneliner:	Requests reset
-+
-+	Number of times a client left before the VCL processing of its
-+	requests completed. For HTTP/2 sessions, either the stream was
-+	reset by an RST_STREAM frame from the client, or a stream or
-+	connection error occurred.
-+
- .. varnish_vsc:: n_object
- 	:type:	gauge
- 	:group: wrk
-diff --git a/bin/varnishd/cache/cache_transport.h b/bin/varnishd/cache/cache_transport.h
-index 5da5e35..8546411 100644
---- a/bin/varnishd/cache/cache_transport.h
-+++ b/bin/varnishd/cache/cache_transport.h
-@@ -42,6 +42,7 @@ typedef void vtr_sess_panic_f (struct vsb *, const struct sess *);
- typedef void vtr_req_panic_f (struct vsb *, const struct req *);
- typedef void vtr_req_fail_f (struct req *, enum sess_close);
- typedef void vtr_reembark_f (struct worker *, struct req *);
-+typedef int vtr_poll_f (struct req *);
- typedef int vtr_minimal_response_f (struct req *, uint16_t status);
- 
- struct transport {
-@@ -62,6 +63,7 @@ struct transport {
- 	vtr_sess_panic_f		*sess_panic;
- 	vtr_req_panic_f			*req_panic;
- 	vtr_reembark_f			*reembark;
-+	vtr_poll_f			*poll;
- 	vtr_minimal_response_f		*minimal_response;
- 
- 	VTAILQ_ENTRY(transport)		list;
-diff --git a/bin/varnishd/cache/cache_vcl_vrt.c b/bin/varnishd/cache/cache_vcl_vrt.c
-index 5f3bfee..e35ae59 100644
---- a/bin/varnishd/cache/cache_vcl_vrt.c
-+++ b/bin/varnishd/cache/cache_vcl_vrt.c
-@@ -37,8 +37,10 @@
- #include "cache_varnishd.h"
- 
- #include "vcl.h"
-+#include "vtim.h"
- 
- #include "cache_director.h"
-+#include "cache_transport.h"
- #include "cache_vcl.h"
- 
- /*--------------------------------------------------------------------*/
-@@ -338,6 +340,35 @@ VRT_rel_vcl(VRT_CTX, struct vclref **refp)
-  * The workspace argument is where random VCL stuff gets space from.
-  */
- 
-+static int
-+req_poll(struct worker *wrk, struct req *req)
-+{
-+
-+	CHECK_OBJ_NOTNULL(req->top, REQ_MAGIC);
-+	CHECK_OBJ_NOTNULL(req->top->transport, TRANSPORT_MAGIC);
-+
-+	/* NB: Since a fail transition leads to vcl_synth, the request may be
-+	 * short-circuited twice.
-+	 */
-+	if (req->req_reset) {
-+		wrk->handling = VCL_RET_FAIL;
-+		return (-1);
-+	}
-+
-+	if (!FEATURE(FEATURE_VCL_REQ_RESET))
-+		return (0);
-+	if (req->top->transport->poll == NULL)
-+		return (0);
-+	if (req->top->transport->poll(req->top) >= 0)
-+		return (0);
-+
-+	VSLb_ts_req(req, "Reset", W_TIM_real(wrk));
-+	wrk->stats->req_reset++;
-+	wrk->handling = VCL_RET_FAIL;
-+	req->req_reset = 1;
-+	return (-1);
-+}
-+
- static void
- vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo,
-     void *specific, unsigned method, vcl_func_f *func)
-@@ -351,6 +382,8 @@ vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo,
- 		CHECK_OBJ_NOTNULL(req, REQ_MAGIC);
- 		CHECK_OBJ_NOTNULL(req->sp, SESS_MAGIC);
- 		CHECK_OBJ_NOTNULL(req->vcl, VCL_MAGIC);
-+		if (req_poll(wrk, req))
-+			return;
- 		VCL_Req2Ctx(&ctx, req);
- 	}
- 	if (bo != NULL) {
-diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c
-index 720b009..1584740 100644
---- a/bin/varnishd/http2/cache_http2_session.c
-+++ b/bin/varnishd/http2/cache_http2_session.c
-@@ -440,6 +440,16 @@ h2_new_session(struct worker *wrk, void *arg)
- 	h2_del_sess(wrk, h2, SC_RX_JUNK);
- }
- 
-+static int v_matchproto_(vtr_poll_f)
-+h2_poll(struct req *req)
-+{
-+	struct h2_req *r2;
-+
-+	CHECK_OBJ_NOTNULL(req, REQ_MAGIC);
-+	CAST_OBJ_NOTNULL(r2, req->transport_priv, H2_REQ_MAGIC);
-+	return (r2->error ? -1 : 1);
-+}
-+
- struct transport H2_transport = {
- 	.name =			"H2",
- 	.magic =		TRANSPORT_MAGIC,
-@@ -449,4 +459,5 @@ struct transport H2_transport = {
- 	.req_body =		h2_req_body,
- 	.req_fail =		h2_req_fail,
- 	.sess_panic =		h2_sess_panic,
-+	.poll =			h2_poll,
- };
-diff --git a/bin/varnishd/mgt/mgt_param_bits.c b/bin/varnishd/mgt/mgt_param_bits.c
-index 263d8a3..788d8f0 100644
---- a/bin/varnishd/mgt/mgt_param_bits.c
-+++ b/bin/varnishd/mgt/mgt_param_bits.c
-@@ -219,7 +219,12 @@ tweak_feature(struct vsb *vsb, const struct parspec *par, const char *arg)
- 	(void)par;
- 
- 	if (arg != NULL && arg != JSON_FMT) {
--		if (!strcmp(arg, "none")) {
-+		if (!strcmp(arg, "default")) {
-+			AZ(bit_tweak(vsb, mgt_param.feature_bits,
-+				FEATURE_Reserved,
-+				"+vcl_req_reset",
-+				feature_tags, "feature bit", "+"));
-+		}else if (!strcmp(arg, "none")) {
- 			memset(mgt_param.feature_bits,
- 			    0, sizeof mgt_param.feature_bits);
- 		} else {
-@@ -271,6 +276,6 @@ struct parspec VSL_parspec[] = {
- #define FEATURE_BIT(U, l, d, ld) "\n\t" #l "\t" d
- #include "tbl/feature_bits.h"
- #undef FEATURE_BIT
--		, 0, "none", "" },
-+		, 0, "default", "" },
- 	{ NULL, NULL, NULL }
- };
-diff --git a/doc/sphinx/reference/vsl.rst b/doc/sphinx/reference/vsl.rst
-index 4d01f5b..b529562 100644
---- a/doc/sphinx/reference/vsl.rst
-+++ b/doc/sphinx/reference/vsl.rst
-@@ -71,6 +71,11 @@ Resp
- Restart
- 	Client request is being restarted.
- 
-+Reset
-+        The client closed its connection, reset its stream or caused
-+        a stream error that forced Varnish to reset the stream. Request
-+        processing is interrupted and considered failed.
-+
- Pipe handling timestamps
- ~~~~~~~~~~~~~~~~~~~~~~~~
- 
-diff --git a/include/tbl/feature_bits.h b/include/tbl/feature_bits.h
-index 23f1b01..844ecfa 100644
---- a/include/tbl/feature_bits.h
-+++ b/include/tbl/feature_bits.h
-@@ -83,6 +83,12 @@ FEATURE_BIT(HTTP_DATE_POSTEL,	http_date_postel,
-     "like Date:, Last-Modified:, Expires: etc."
- )
- 
-+FEATURE_BIT(VCL_REQ_RESET,			vcl_req_reset,
-+    "Stop processing client VCL once the client is gone.",
-+    "Stop processing client VCL once the client is gone. "
-+    "When this happens MAIN.req_reset is incremented."
-+)
-+
- #undef FEATURE_BIT
- 
- /*lint -restore */
-diff --git a/include/tbl/req_flags.h b/include/tbl/req_flags.h
-index 2c0dbe8..3d3f05f 100644
---- a/include/tbl/req_flags.h
-+++ b/include/tbl/req_flags.h
-@@ -39,6 +39,7 @@ REQ_FLAG(is_hitpass,		1, 0, "")
- REQ_FLAG(waitinglist,		0, 0, "")
- REQ_FLAG(want100cont,		0, 0, "")
- REQ_FLAG(late100cont,		0, 0, "")
-+REQ_FLAG(req_reset,		0, 0, "")
- #undef REQ_FLAG
- 
- /*lint -restore */

SOURCES/varnish-6.0.8.CVE-2022-23959.patch

@@ -1,13 +0,0 @@
-diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
-index 463b75b..982bd73 100644
---- a/bin/varnishd/cache/cache_req_body.c
-+++ b/bin/varnishd/cache/cache_req_body.c
-@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
- 	if (req->req_body_status == REQ_BODY_WITH_LEN ||
- 	    req->req_body_status == REQ_BODY_WITHOUT_LEN)
- 		(void)VRB_Iterate(req, httpq_req_body_discard, NULL);
-+	if (req->req_body_status == REQ_BODY_FAIL)
-+		req->doclose = SC_RX_BODY;
- 	return(0);
- }
- 

SPECS/varnish.spec

@@ -19,7 +19,7 @@
 Summary: High-performance HTTP accelerator
 Name: varnish
 Version: 6.0.13
-Release: 1%{?dist}.alma.1
+Release: 1%{?dist}.1
 License: BSD
 Group: System Environment/Daemons
 URL: https://www.varnish-cache.org/
@@ -32,6 +32,10 @@ Patch9:  varnish-5.1.1.fix_python_version.patch
 # https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e
 Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
 
+# Security patches ...
+# https://bugzilla.redhat.com/show_bug.cgi?id=2364235
+Patch100: varnish-6.0.13-CVE-2025-47905.patch
+
 Obsoletes: varnish-libs
 
 %if %{with python3}
@@ -139,6 +143,7 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
 %patch9 -p0
 %patch11 -p0
 %endif
+%patch100 -p1
 
 %build
 %if 0%{?rhel} == 6
@@ -205,6 +210,10 @@ sed -i 's/48/128/g;' bin/varnishtest/tests/c00057.vtc
 %endif
 #make %{?_smp_mflags} check LD_LIBRARY_PATH="%{buildroot}%{_libdir}:%{buildroot}%{_libdir}/%{name}" VERBOSE=1
 
+# disable test because of CVE-2023-44487 fix
+# https://github.com/varnishcache/varnish-cache/pull/3998#issuecomment-1764649216
+rm bin/varnishtest/tests/t02014.vtc
+
 %install
 rm -rf %{buildroot}
 make install DESTDIR=%{buildroot} INSTALL="install -p"
@@ -371,19 +380,21 @@ fi
 
 
 %changelog
-* Wed Apr 10 2024 Eduard Abdullin <eabdullin@almalinu.org> - 6.0.13-1.alma.1
-- Update to 6.0.13
+* Wed May 21 2025 Luboš Uhliarik <luhliari@redhat.com> - 6.0.13-1.1
+- Resolves: RHEL-89695 - varnish: request smuggling attacks (CVE-2025-47905)
 
-* Mon Oct 23 2023 Tomas Korbar <tkorbar@redhat.com> - 6.0.8-3.1
+* Thu Mar 28 2024 Luboš Uhliarik <luhliari@redhat.com> - 6.0.13-1
+- new version 6.0.13
+- Resolves: RHEL-30379 - varnish:6/varnish: HTTP/2 Broken Window Attack may
+  result in denial of service (CVE-2024-30156)
+
+* Mon Oct 23 2023 Tomas Korbar <tkorbar@redhat.com> - 6.0.8-4
 - Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487
+- CVE-2022-45060 varnish:6/varnish: Request Forgery
 - Resolves: RHEL-12814
 
-* Mon Nov 14 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2.1
-- Resolves: #2142092 - CVE-2022-45060 varnish:6/varnish: Request Forgery
-  Vulnerability
-
-* Tue Feb 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2
-- Resolves: #2047650 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
+* Tue Feb 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1.1
+- Resolves: #2047648 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
   Smuggling Vulnerability
 
 * Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1