SOURCES/varnish-6.0.8-CVE-2022-45060.patch

@@ -1,85 +0,0 @@
-diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
-index d432629..b0dacb9 100644
---- a/bin/varnishd/http2/cache_http2_hpack.c
-+++ b/bin/varnishd/http2/cache_http2_hpack.c
-@@ -93,18 +93,25 @@ static h2_error
- h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- {
- 	/* XXX: This might belong in cache/cache_http.c */
-+	const char *b0;
- 	unsigned n;
-+	int disallow_empty;
-+	char *p;
-+	int i;
- 
- 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
- 	AN(b);
- 	assert(namelen >= 2);	/* 2 chars from the ': ' that we added */
- 	assert(namelen <= len);
-+	
-+	disallow_empty = 0;
- 
- 	if (len > UINT_MAX) {	/* XXX: cache_param max header size */
- 		VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
- 		return (H2SE_ENHANCE_YOUR_CALM);
- 	}
- 
-+	b0 = b;
- 	if (b[0] == ':') {
- 		/* Match H/2 pseudo headers */
- 		/* XXX: Should probably have some include tbl for
-@@ -113,10 +120,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- 			b += namelen;
- 			len -= namelen;
- 			n = HTTP_HDR_METHOD;
-+			disallow_empty = 1;
-+
-+			/* First field cannot contain SP or CTL */
-+			for (p = b, i = 0; i < len; p++, i++) {
-+				if (vct_issp(*p) || vct_isctl(*p))
-+					return (H2SE_PROTOCOL_ERROR);
-+			}
- 		} else if (!strncmp(b, ":path: ", namelen)) {
- 			b += namelen;
- 			len -= namelen;
- 			n = HTTP_HDR_URL;
-+			disallow_empty = 1;
-+
-+			/* Second field cannot contain LWS or CTL */
-+			for (p = b, i = 0; i < len; p++, i++) {
-+				if (vct_islws(*p) || vct_isctl(*p))
-+					return (H2SE_PROTOCOL_ERROR);
-+			}
- 		} else if (!strncmp(b, ":scheme: ", namelen)) {
- 			/* XXX: What to do about this one? (typically
- 			   "http" or "https"). For now set it as a normal
-@@ -124,6 +145,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- 			b++;
- 			len-=1;
- 			n = hp->nhd;
-+
-+			for (p = b + namelen, i = 0; i < len-namelen;
-+			    p++, i++) {
-+				if (vct_issp(*p) || vct_isctl(*p))
-+					return (H2SE_PROTOCOL_ERROR);
-+			}
-+
-+			if (!i)
-+				return (H2SE_PROTOCOL_ERROR);
- 		} else if (!strncmp(b, ":authority: ", namelen)) {
- 			b+=6;
- 			len-=6;
-@@ -160,6 +190,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- 	hp->hd[n].b = b;
- 	hp->hd[n].e = b + len;
- 
-+	if (disallow_empty && !Tlen(hp->hd[n])) {
-+		VSLb(hp->vsl, SLT_BogoHeader,
-+		    "Empty pseudo-header %.*s",
-+		    (int)namelen, b0);
-+		return (H2SE_PROTOCOL_ERROR);
-+	}
-+
- 	return (0);
- }
- 

SPECS/varnish.spec

@@ -19,7 +19,7 @@
 Summary: High-performance HTTP accelerator
 Name: varnish
 Version: 6.0.8
-Release: 2%{?dist}.1
+Release: 1%{?dist}.1
 License: BSD
 Group: System Environment/Daemons
 URL: https://www.varnish-cache.org/
@@ -35,9 +35,6 @@ Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2045031
 Patch100: varnish-6.0.8.CVE-2022-23959.patch
 
-# https://bugzilla.redhat.com/show_bug.cgi?id=2141844
-Patch101: varnish-6.0.8-CVE-2022-45060.patch
-
 Obsoletes: varnish-libs
 
 %if %{with python3}
@@ -147,7 +144,6 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
 %endif
 
 %patch100 -p1
-%patch101 -p1
 
 %build
 %if 0%{?rhel} == 6
@@ -380,12 +376,8 @@ fi
 
 
 %changelog
-* Mon Nov 14 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2.1
-- Resolves: #2142092 - CVE-2022-45060 varnish:6/varnish: Request Forgery
-  Vulnerability
-
-* Tue Feb 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2
-- Resolves: #2047650 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
+* Tue Feb 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1.1
+- Resolves: #2047648 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
   Smuggling Vulnerability
 
 * Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1