
12 changed files with 2010 additions and 401 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
SOURCES/varnish-6.0.8.tgz
SOURCES/pkg-varnish-cache-ec7ad9e.tar.gz
SOURCES/varnish-6.6.2.tgz


@ -1,2 +1,2 @@
db2cd6c296e7f19d65c09e642b7011338d9d0e04 SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
7c5e50eabcd3c0ddb6c463ba4645678a2f71233a SOURCES/varnish-6.0.8.tgz
d15a2afe52d546c45b46875b656ec3542c69e2f2 SOURCES/pkg-varnish-cache-ec7ad9e.tar.gz
d2423c88186f5d409c72870199c8b46d489fdb48 SOURCES/varnish-6.6.2.tgz


@ -1,17 +0,0 @@
diff -Nur ../varnish-4.0.3_pre_selinux/selinux/varnish4.te ./selinux/varnish4.te
--- ../varnish-4.0.3_pre_selinux/selinux/varnish4.te 1970-01-01 01:00:00.000000000 +0100
+++ ./selinux/varnish4.te 2015-03-06 10:00:00.015151633 +0100
@@ -0,0 +1,13 @@
+
+module varnish4 1.0;
+
+require {
+ type varnishd_t;
+ class capability { fowner chown fsetid };
+}
+
+#============= varnishd_t ==============
+allow varnishd_t self:capability fowner;
+allow varnishd_t self:capability chown;
+allow varnishd_t self:capability fsetid;
+


@ -1,52 +0,0 @@
diff --git a/doc/sphinx/Makefile.in b/doc/sphinx/Makefile.in
index 0819064..11e4ba2 100644
--- a/doc/sphinx/Makefile.in
+++ b/doc/sphinx/Makefile.in
@@ -659,37 +659,47 @@ include/counters.rst: $(top_srcdir)/lib/libvcc/vsctool.py $(COUNTERS)
# XXX add varnishstat here when it's been _opt2rst'ed
include/varnishncsa_options.rst: $(top_builddir)/bin/varnishncsa/varnishncsa
+ LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
$(top_builddir)/bin/varnishncsa/varnishncsa --options > ${@}_
mv ${@}_ ${@}
include/varnishncsa_synopsis.rst: $(top_builddir)/bin/varnishncsa/varnishncsa
+ LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
$(top_builddir)/bin/varnishncsa/varnishncsa --synopsis > ${@}_
mv ${@}_ ${@}
include/varnishlog_options.rst: $(top_builddir)/bin/varnishlog/varnishlog
+ LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
$(top_builddir)/bin/varnishlog/varnishlog --options > ${@}_
mv ${@}_ ${@}
include/varnishlog_synopsis.rst: $(top_builddir)/bin/varnishlog/varnishlog
+ LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
$(top_builddir)/bin/varnishlog/varnishlog --synopsis > ${@}_
mv ${@}_ ${@}
include/varnishtop_options.rst: $(top_builddir)/bin/varnishtop/varnishtop
+ LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
$(top_builddir)/bin/varnishtop/varnishtop --options > ${@}_
mv ${@}_ ${@}
include/varnishtop_synopsis.rst: $(top_builddir)/bin/varnishtop/varnishtop
+ LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
$(top_builddir)/bin/varnishtop/varnishtop --synopsis > ${@}_
mv ${@}_ ${@}
include/varnishhist_options.rst: $(top_builddir)/bin/varnishhist/varnishhist
+ LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
$(top_builddir)/bin/varnishhist/varnishhist --options > ${@}_
mv ${@}_ ${@}
include/varnishhist_synopsis.rst: $(top_builddir)/bin/varnishhist/varnishhist
+ LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
$(top_builddir)/bin/varnishhist/varnishhist --synopsis > ${@}_
mv ${@}_ ${@}
include/varnishstat_options.rst: $(top_builddir)/bin/varnishstat/varnishstat
+ LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
$(top_builddir)/bin/varnishstat/varnishstat --options > ${@}_
mv ${@}_ ${@}
include/varnishstat_synopsis.rst: $(top_builddir)/bin/varnishstat/varnishstat
+ LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
$(top_builddir)/bin/varnishstat/varnishstat --synopsis > ${@}_
mv ${@}_ ${@}


@ -1,62 +0,0 @@
--- configure.orig 2017-03-18 02:53:31.235204299 +0100
+++ configure 2017-03-18 02:54:54.229053852 +0100
@@ -13545,13 +13545,13 @@
if test -n "$PYTHON"; then
# If the user set $PYTHON, use it and don't search something else.
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 2.7" >&5
-$as_echo_n "checking whether $PYTHON version is >= 2.7... " >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 2.4" >&5
+$as_echo_n "checking whether $PYTHON version is >= 2.4... " >&6; }
prog="import sys
# split strings by '.' and convert to numeric. Append some zeros
# because we need at least 4 digits for the hex conversion.
# map returns an iterator in Python 3.0 and a list in 2.x
-minver = list(map(int, '2.7'.split('.'))) + [0, 0, 0]
+minver = list(map(int, '2.4'.split('.'))) + [0, 0, 0]
minverhex = 0
# xrange is not present in Python 3.0 and range returns an iterator
for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
@@ -13572,8 +13572,8 @@
else
# Otherwise, try each interpreter until we find one that satisfies
# VERSION.
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 2.7" >&5
-$as_echo_n "checking for a Python interpreter with version >= 2.7... " >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 2.4" >&5
+$as_echo_n "checking for a Python interpreter with version >= 2.4... " >&6; }
if ${am_cv_pathless_PYTHON+:} false; then :
$as_echo_n "(cached) " >&6
else
@@ -13584,7 +13584,7 @@
# split strings by '.' and convert to numeric. Append some zeros
# because we need at least 4 digits for the hex conversion.
# map returns an iterator in Python 3.0 and a list in 2.x
-minver = list(map(int, '2.7'.split('.'))) + [0, 0, 0]
+minver = list(map(int, '2.4'.split('.'))) + [0, 0, 0]
minverhex = 0
# xrange is not present in Python 3.0 and range returns an iterator
for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
@@ -13651,7 +13651,7 @@
if test "$PYTHON" = :; then
- as_fn_error $? "Python >= 2.7 is required." "$LINENO" 5
+ as_fn_error $? "Python >= 2.4 is required." "$LINENO" 5
else
@@ -13698,11 +13698,11 @@
can_use_sysconfig = 0
else:
can_use_sysconfig = 1
-# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs:
+# Can't use sysconfig in CPython 2.4, since it's broken in virtualenvs:
# <https://github.com/pypa/virtualenv/issues/118>
try:
from platform import python_implementation
- if python_implementation() == 'CPython' and sys.version[:3] == '2.7':
+ if python_implementation() == 'CPython' and sys.version[:3] == '2.4':
can_use_sysconfig = 0
except ImportError:
pass"


@ -1,20 +0,0 @@
--- bin/varnishtest/vtc_process.c.orig 2018-04-26 14:12:29.539178105 +0100
+++ bin/varnishtest/vtc_process.c 2018-04-26 15:27:49.851948252 +0100
@@ -216,7 +216,7 @@
vtc_dump(p->vl, 4, "stdout", buf, i);
else if (p->log == 3)
vtc_hexdump(p->vl, 4, "stdout", buf, i);
- (void)write(p->f_stdout, buf, i);
+ assert(write(p->f_stdout, buf, i) == i);
Term_Feed(p->term, buf, buf + i);
return (0);
}
@@ -239,7 +239,7 @@
p->stderr_bytes += i;
AZ(pthread_mutex_unlock(&p->mtx));
vtc_dump(p->vl, 4, "stderr", buf, i);
- (void)write(p->f_stderr, buf, i);
+ assert(write(p->f_stdout, buf, i) == i);
return (0);
}


@ -1,13 +0,0 @@
diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
index 463b75b..982bd73 100644
--- a/bin/varnishd/cache/cache_req_body.c
+++ b/bin/varnishd/cache/cache_req_body.c
@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
if (req->req_body_status == REQ_BODY_WITH_LEN ||
req->req_body_status == REQ_BODY_WITHOUT_LEN)
(void)VRB_Iterate(req, httpq_req_body_discard, NULL);
+ if (req->req_body_status == REQ_BODY_FAIL)
+ req->doclose = SC_RX_BODY;
return(0);
}


@ -1,12 +1,10 @@
diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
index d432629..b0dacb9 100644
index 6bc062e..570b871 100644
--- a/bin/varnishd/http2/cache_http2_hpack.c
+++ b/bin/varnishd/http2/cache_http2_hpack.c
@@ -93,18 +93,25 @@ static h2_error
h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
{
@@ -97,11 +97,16 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
/* XXX: This might belong in cache/cache_http.c */
+ const char *b0;
const char *b0;
unsigned n;
+ int disallow_empty;
+ char *p;
@ -21,14 +19,7 @@ index d432629..b0dacb9 100644
if (len > UINT_MAX) { /* XXX: cache_param max header size */
VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
return (H2SE_ENHANCE_YOUR_CALM);
}
+ b0 = b;
if (b[0] == ':') {
/* Match H/2 pseudo headers */
/* XXX: Should probably have some include tbl for
@@ -113,10 +120,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
@@ -117,10 +122,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
b += namelen;
len -= namelen;
n = HTTP_HDR_METHOD;
@ -53,7 +44,7 @@ index d432629..b0dacb9 100644
} else if (!strncmp(b, ":scheme: ", namelen)) {
/* XXX: What to do about this one? (typically
"http" or "https"). For now set it as a normal
@@ -124,6 +145,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
@@ -128,6 +147,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
b++;
len-=1;
n = hp->nhd;
@ -69,7 +60,7 @@ index d432629..b0dacb9 100644
} else if (!strncmp(b, ":authority: ", namelen)) {
b+=6;
len-=6;
@@ -160,6 +190,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
@@ -164,6 +192,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
hp->hd[n].b = b;
hp->hd[n].e = b + len;


@ -0,0 +1,319 @@
commit bb3f607590a102321a15a8a17474d87da8bec32c
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Tue Oct 17 16:52:32 2023 +0200
Upstream #3997 PR
Fix CVE-2023-44487
diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc
index 7b32584..d55b9df 100644
--- a/bin/varnishd/VSC_main.vsc
+++ b/bin/varnishd/VSC_main.vsc
@@ -631,6 +631,14 @@
Number of session closes with Error VCL_FAILURE (VCL failure)
+.. varnish_vsc:: sc_rapid_reset
+ :level: diag
+ :oneliner: Session Err RAPID_RESET
+
+ Number of times we failed an http/2 session because it hit its
+ configured limits for the number of permitted rapid stream
+ resets.
+
.. varnish_vsc:: client_resp_500
:level: diag
:group: wrk
diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h
index ea5eb52..9088e21 100644
--- a/bin/varnishd/http2/cache_http2.h
+++ b/bin/varnishd/http2/cache_http2.h
@@ -184,6 +184,8 @@ struct h2_sess {
VTAILQ_HEAD(,h2_req) txqueue;
h2_error error;
+ double rst_budget;
+ vtim_real last_rst;
};
#define ASSERT_RXTHR(h2) do {assert(h2->rxthr == pthread_self());} while(0)
diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
index 3597ec1..408acad 100644
--- a/bin/varnishd/http2/cache_http2_proto.c
+++ b/bin/varnishd/http2/cache_http2_proto.c
@@ -45,6 +45,7 @@
#include "vtcp.h"
#include "vtim.h"
+#define H2_CUSTOM_ERRORS
#define H2EC1(U,v,r,d) const struct h2_error_s H2CE_##U[1] = {{#U,d,v,0,1,r}};
#define H2EC2(U,v,r,d) const struct h2_error_s H2SE_##U[1] = {{#U,d,v,1,0,r}};
#define H2EC3(U,v,r,d) H2EC1(U,v,r,d) H2EC2(U,v,r,d)
@@ -304,9 +305,46 @@ h2_rx_push_promise(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
/**********************************************************************
*/
+static h2_error
+h2_rapid_reset(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
+{
+ vtim_real now;
+ vtim_dur d;
+
+ CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
+ ASSERT_RXTHR(h2);
+ CHECK_OBJ_NOTNULL(r2, H2_REQ_MAGIC);
+
+ if (cache_param->h2_rapid_reset_limit == 0)
+ return (0);
+
+ now = VTIM_real();
+ CHECK_OBJ_NOTNULL(r2->req, REQ_MAGIC);
+ AN(r2->req->t_first);
+ if (now - r2->req->t_first > cache_param->h2_rapid_reset)
+ return (0);
+
+ d = now - h2->last_rst;
+ h2->rst_budget += cache_param->h2_rapid_reset_limit * d /
+ cache_param->h2_rapid_reset_period;
+ h2->rst_budget = vmin_t(double, h2->rst_budget,
+ cache_param->h2_rapid_reset_limit);
+ h2->last_rst = now;
+
+ if (h2->rst_budget < 1.0) {
+ Lck_Lock(&h2->sess->mtx);
+ VSLb(h2->vsl, SLT_Error, "H2: Hit RST limit. Closing session.");
+ Lck_Unlock(&h2->sess->mtx);
+ return (H2CE_RAPID_RESET);
+ }
+ h2->rst_budget -= 1.0;
+ return (0);
+}
+
static h2_error v_matchproto_(h2_rxframe_f)
h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
{
+ h2_error h2e;
CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
ASSERT_RXTHR(h2);
@@ -316,8 +354,9 @@ h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
return (H2CE_FRAME_SIZE_ERROR);
if (r2 == NULL)
return (0);
+ h2e = h2_rapid_reset(wrk, h2, r2);
h2_kill_req(wrk, h2, r2, h2_streamerror(vbe32dec(h2->rxf_data)));
- return (0);
+ return (h2e);
}
/**********************************************************************
diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c
index 36d4a1c..f81c94a 100644
--- a/bin/varnishd/http2/cache_http2_session.c
+++ b/bin/varnishd/http2/cache_http2_session.c
@@ -128,6 +128,9 @@ h2_init_sess(const struct worker *wrk, struct sess *sp,
h2_local_settings(&h2->local_settings);
h2->remote_settings = H2_proto_settings;
h2->decode = decode;
+ h2->rst_budget = cache_param->h2_rapid_reset_limit;
+ h2->last_rst = sp->t_open;
+ AZ(isnan(h2->last_rst));
AZ(VHT_Init(h2->dectbl, h2->local_settings.header_table_size));
diff --git a/bin/varnishtest/tests/r03996.vtc b/bin/varnishtest/tests/r03996.vtc
new file mode 100644
index 0000000..3fee370
--- /dev/null
+++ b/bin/varnishtest/tests/r03996.vtc
@@ -0,0 +1,51 @@
+varnishtest "h2 rapid reset"
+
+barrier b1 sock 5
+
+server s1 {
+ rxreq
+ txresp
+} -start
+
+varnish v1 -cliok "param.set feature +http2"
+varnish v1 -cliok "param.set debug +syncvsl"
+varnish v1 -cliok "param.set h2_rapid_reset_limit 3"
+varnish v1 -cliok "param.set h2_rapid_reset 5"
+
+varnish v1 -vcl+backend {
+ import vtc;
+
+ sub vcl_recv {
+ vtc.barrier_sync("${b1_sock}");
+ }
+
+} -start
+
+client c1 {
+ stream 0 {
+ rxgoaway
+ expect goaway.err == ENHANCE_YOUR_CALM
+ } -start
+
+ stream 1 {
+ txreq
+ txrst
+ } -run
+ stream 3 {
+ txreq
+ txrst
+ } -run
+ stream 5 {
+ txreq
+ txrst
+ } -run
+ stream 7 {
+ txreq
+ txrst
+ } -run
+
+ barrier b1 sync
+ stream 0 -wait
+} -run
+
+varnish v1 -expect sc_rapid_reset == 1
diff --git a/include/tbl/h2_error.h b/include/tbl/h2_error.h
index e8104f8..11051de 100644
--- a/include/tbl/h2_error.h
+++ b/include/tbl/h2_error.h
@@ -147,5 +147,17 @@ H2_ERROR(
/* descr */ "Use HTTP/1.1 for the request"
)
+#ifdef H2_CUSTOM_ERRORS
+H2_ERROR(
+ /* name */ RAPID_RESET,
+ /* val */ 11, /* ENHANCE_YOUR_CALM */
+ /* types */ 1,
+ /* reason */ SC_RAPID_RESET,
+ /* descr */ "http/2 rapid reset detected"
+)
+
+# undef H2_CUSTOM_ERRORS
+#endif
+
#undef H2_ERROR
/*lint -restore */
diff --git a/include/tbl/params.h b/include/tbl/params.h
index cca420c..4014dd6 100644
--- a/include/tbl/params.h
+++ b/include/tbl/params.h
@@ -1217,6 +1217,47 @@ PARAM_SIMPLE(
"HTTP2 maximum size of an uncompressed header list."
)
+PARAM_SIMPLE(
+ /* name */ h2_rapid_reset,
+ /* typ */ timeout,
+ /* min */ "0.000",
+ /* max */ NULL,
+ /* def */ "1.000",
+ /* units */ "seconds",
+ /* descr */
+ "The upper threshold for how rapid an http/2 RST has to come for "
+ "it to be treated as suspect and subjected to the rate limits "
+ "specified by h2_rapid_reset_limit and h2_rapid_reset_period.",
+ /* flags */ EXPERIMENTAL,
+)
+
+PARAM_SIMPLE(
+ /* name */ h2_rapid_reset_limit,
+ /* typ */ uint,
+ /* min */ "0",
+ /* max */ NULL,
+ /* def */ "3600",
+ /* units */ NULL,
+ /* descr */
+ "HTTP2 RST Allowance.\n"
+ "Specifies the maximum number of allowed stream resets issued by\n"
+ "a client over a time period before the connection is closed.\n"
+ "Setting this parameter to 0 disables the limit.",
+ /* flags */ EXPERIMENTAL,
+)
+
+PARAM_SIMPLE(
+ /* name */ h2_rapid_reset_period,
+ /* typ */ timeout,
+ /* min */ "1.000",
+ /* max */ NULL,
+ /* def */ "60.000",
+ /* units */ "seconds",
+ /* descr */
+ "HTTP2 sliding window duration for h2_rapid_reset_limit.",
+ /* flags */ EXPERIMENTAL|WIZARD,
+)
+
/*--------------------------------------------------------------------
* Memory pool parameters
*/
diff --git a/include/tbl/sess_close.h b/include/tbl/sess_close.h
index 9748314..6d2f635 100644
--- a/include/tbl/sess_close.h
+++ b/include/tbl/sess_close.h
@@ -50,6 +50,7 @@ SESS_CLOSE(PIPE_OVERFLOW, pipe_overflow,1, "Session pipe overflow")
SESS_CLOSE(RANGE_SHORT, range_short, 1, "Insufficient data for range")
SESS_CLOSE(REQ_HTTP20, req_http20, 1, "HTTP2 not accepted")
SESS_CLOSE(VCL_FAILURE, vcl_failure, 1, "VCL failure")
+SESS_CLOSE(RAPID_RESET, rapid_reset, 1, "HTTP2 rapid reset")
#undef SESS_CLOSE
/*lint -restore */
diff --git a/include/vdef.h b/include/vdef.h
index a9111fe..c85bea8 100644
--- a/include/vdef.h
+++ b/include/vdef.h
@@ -106,6 +106,47 @@
# define v_dont_optimize
#endif
+/**********************************************************************
+ * Find the minimum or maximum values.
+ * Only evaluate the expression once and perform type checking.
+ */
+
+/* ref: https://stackoverflow.com/a/17624752 */
+
+#define VINDIRECT(a, b, c) a ## b ## c
+#define VCOMBINE(a, b, c) VINDIRECT(a, b, c)
+
+#if defined(__COUNTER__)
+# define VUNIQ_NAME(base) VCOMBINE(base, __LINE__, __COUNTER__)
+#else
+# define VUNIQ_NAME(base) VCOMBINE(base, __LINE__, 0)
+#endif
+
+#ifdef _lint
+#define typeof(x) __typeof__(x)
+#endif
+
+/* ref: https://gcc.gnu.org/onlinedocs/gcc/Typeof.html */
+
+#define _vtake(op, ta, tb, a, b, _va, _vb) \
+ ({ \
+ ta _va = (a); \
+ tb _vb = (b); \
+ (void)(&_va == &_vb); \
+ _va op _vb ? _va : _vb; \
+})
+
+#define opmin <
+#define opmax >
+#define vtake(n, ta, tb, a, b) _vtake(op ## n, ta, tb, a, b, \
+ VUNIQ_NAME(_v ## n ## A), VUNIQ_NAME(_v ## n ## B))
+
+#define vmin(a, b) vtake(min, typeof(a), typeof(b), a, b)
+#define vmax(a, b) vtake(max, typeof(a), typeof(b), a, b)
+
+#define vmin_t(type, a, b) vtake(min, type, type, a, b)
+#define vmax_t(type, a, b) vtake(max, type, type, a, b)
+
/*********************************************************************
* Pointer alignment magic
*/
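Review bot: In h2_rapid_reset, `d = now - h2->last_rst;` is fed into the budget refill without a lower bound, so if VTIM_real() is wall-clock time (suggested by the `vtim_real` type and by `last_rst` being seeded from `sp->t_open` in h2_init_sess) a backwards clock step between two resets yields a negative `d` that drains the token bucket instead of refilling it, and a compliant client can then be closed with RAPID_RESET. Clamping the elapsed time, `if (d < 0) d = 0;` directly after the subtraction, keeps the refill monotone; `vmin_t` already caps the upper bound. The same applies to the very first counted reset of a session, where `last_rst` is still the session open time. h2_rapid_reset and h2_rx_rst_stream are fully inside the hunk.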


@ -0,0 +1,328 @@
commit bb44b34d5e9078ede3769ef519badb65d340351a
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Wed Oct 18 12:32:24 2023 +0200
vcl_vrt: Skip VCL execution if the client is gone
Upstream PR #3998
and 4991d9f6e40f381d058a83fc21ceed90e34a822e for r03996.vtc
diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc
index d55b9df..0978c2f 100644
--- a/bin/varnishd/VSC_main.vsc
+++ b/bin/varnishd/VSC_main.vsc
@@ -342,6 +342,15 @@
Number of times an HTTP/2 stream was refused because the queue was
too long already. See also parameter thread_queue_limit.
+.. varnish_vsc:: req_reset
+ :group: wrk
+ :oneliner: Requests reset
+
+ Number of times a client left before the VCL processing of its
+ requests completed. For HTTP/2 sessions, either the stream was
+ reset by an RST_STREAM frame from the client, or a stream or
+ connection error occurred.
+
.. varnish_vsc:: n_object
:type: gauge
:group: wrk
diff --git a/bin/varnishd/cache/cache_transport.h b/bin/varnishd/cache/cache_transport.h
index 3650291..be396b9 100644
--- a/bin/varnishd/cache/cache_transport.h
+++ b/bin/varnishd/cache/cache_transport.h
@@ -44,6 +44,7 @@ typedef void vtr_sess_panic_f (struct vsb *, const struct sess *);
typedef void vtr_req_panic_f (struct vsb *, const struct req *);
typedef void vtr_req_fail_f (struct req *, enum sess_close);
typedef void vtr_reembark_f (struct worker *, struct req *);
+typedef int vtr_poll_f (struct req *);
typedef int vtr_minimal_response_f (struct req *, uint16_t status);
struct transport {
@@ -64,6 +65,7 @@ struct transport {
vtr_sess_panic_f *sess_panic;
vtr_req_panic_f *req_panic;
vtr_reembark_f *reembark;
+ vtr_poll_f *poll;
vtr_minimal_response_f *minimal_response;
VTAILQ_ENTRY(transport) list;
diff --git a/bin/varnishd/cache/cache_vrt_vcl.c b/bin/varnishd/cache/cache_vrt_vcl.c
index 023ba00..2fbaff6 100644
--- a/bin/varnishd/cache/cache_vrt_vcl.c
+++ b/bin/varnishd/cache/cache_vrt_vcl.c
@@ -42,6 +42,7 @@
#include "vbm.h"
#include "cache_director.h"
+#include "cache_transport.h"
#include "cache_vcl.h"
#include "vcc_interface.h"
@@ -437,6 +438,40 @@ VRT_VCL_Allow_Discard(struct vclref **refp)
FREE_OBJ(ref);
}
+/*--------------------------------------------------------------------
+ */
+
+static int
+req_poll(struct worker *wrk, struct req *req)
+{
+ struct req *top;
+
+ /* NB: Since a fail transition leads to vcl_synth, the request may be
+ * short-circuited twice.
+ */
+ if (req->req_reset) {
+ wrk->handling = VCL_RET_FAIL;
+ return (-1);
+ }
+
+ top = req->top->topreq;
+ CHECK_OBJ_NOTNULL(top, REQ_MAGIC);
+ CHECK_OBJ_NOTNULL(top->transport, TRANSPORT_MAGIC);
+
+ if (!FEATURE(FEATURE_VCL_REQ_RESET))
+ return (0);
+ if (top->transport->poll == NULL)
+ return (0);
+ if (top->transport->poll(top) >= 0)
+ return (0);
+
+ VSLb_ts_req(req, "Reset", W_TIM_real(wrk));
+ wrk->stats->req_reset++;
+ wrk->handling = VCL_RET_FAIL;
+ req->req_reset = 1;
+ return (-1);
+}
+
/*--------------------------------------------------------------------
* Method functions to call into VCL programs.
*
@@ -468,6 +503,8 @@ vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo,
CHECK_OBJ_NOTNULL(req->sp, SESS_MAGIC);
CHECK_OBJ_NOTNULL(req->vcl, VCL_MAGIC);
CHECK_OBJ_NOTNULL(req->top, REQTOP_MAGIC);
+ if (req_poll(wrk, req))
+ return;
VCL_Req2Ctx(&ctx, req);
}
assert(ctx.now != 0);
diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c
index f81c94a..f978763 100644
--- a/bin/varnishd/http2/cache_http2_session.c
+++ b/bin/varnishd/http2/cache_http2_session.c
@@ -439,6 +439,16 @@ h2_new_session(struct worker *wrk, void *arg)
h2_del_sess(wrk, h2, h2->error->reason);
}
+static int v_matchproto_(vtr_poll_f)
+h2_poll(struct req *req)
+{
+ struct h2_req *r2;
+
+ CHECK_OBJ_NOTNULL(req, REQ_MAGIC);
+ CAST_OBJ_NOTNULL(r2, req->transport_priv, H2_REQ_MAGIC);
+ return (r2->error ? -1 : 1);
+}
+
struct transport H2_transport = {
.name = "H2",
.magic = TRANSPORT_MAGIC,
@@ -448,4 +458,5 @@ struct transport H2_transport = {
.req_body = h2_req_body,
.req_fail = h2_req_fail,
.sess_panic = h2_sess_panic,
+ .poll = h2_poll,
};
diff --git a/bin/varnishd/mgt/mgt_param_bits.c b/bin/varnishd/mgt/mgt_param_bits.c
index d6a9c3f..6d9b32a 100644
--- a/bin/varnishd/mgt/mgt_param_bits.c
+++ b/bin/varnishd/mgt/mgt_param_bits.c
@@ -276,7 +276,7 @@ struct parspec VSL_parspec[] = {
#undef DEBUG_BIT
},
{ "feature", tweak_feature, NULL,
- NULL, NULL, "default",
+ NULL, NULL, "+validate_headers +vcl_req_reset",
NULL,
"Enable/Disable various minor features.\n"
"\tdefault\tSet default value\n"
diff --git a/bin/varnishtest/tests/r03996.vtc b/bin/varnishtest/tests/r03996.vtc
index 3fee370..7faf783 100644
--- a/bin/varnishtest/tests/r03996.vtc
+++ b/bin/varnishtest/tests/r03996.vtc
@@ -1,6 +1,7 @@
varnishtest "h2 rapid reset"
-barrier b1 sock 5
+barrier b1 sock 2 -cyclic
+barrier b2 sock 5 -cyclic
server s1 {
rxreq
@@ -16,7 +17,10 @@ varnish v1 -vcl+backend {
import vtc;
sub vcl_recv {
- vtc.barrier_sync("${b1_sock}");
+ if (req.http.barrier) {
+ vtc.barrier_sync(req.http.barrier);
+ }
+ vtc.barrier_sync("${b2_sock}");
}
} -start
@@ -27,6 +31,41 @@ client c1 {
expect goaway.err == ENHANCE_YOUR_CALM
} -start
+ stream 1 {
+ txreq -hdr barrier ${b1_sock}
+ barrier b1 sync
+ txrst
+ } -run
+ stream 3 {
+ txreq -hdr barrier ${b1_sock}
+ barrier b1 sync
+ txrst
+ } -run
+ stream 5 {
+ txreq -hdr barrier ${b1_sock}
+ barrier b1 sync
+ txrst
+ } -run
+ stream 7 {
+ txreq -hdr barrier ${b1_sock}
+ barrier b1 sync
+ txrst
+ } -run
+
+ barrier b2 sync
+ stream 0 -wait
+} -run
+
+varnish v1 -expect sc_rapid_reset == 1
+
+varnish v1 -cliok "param.set feature -vcl_req_reset"
+
+client c2 {
+ stream 0 {
+ rxgoaway
+ expect goaway.err == ENHANCE_YOUR_CALM
+ } -start
+
stream 1 {
txreq
txrst
@@ -44,8 +83,8 @@ client c1 {
txrst
} -run
- barrier b1 sync
+ barrier b2 sync
stream 0 -wait
} -run
-varnish v1 -expect sc_rapid_reset == 1
+varnish v1 -expect sc_rapid_reset == 2
diff --git a/bin/varnishtest/tests/t02025.vtc b/bin/varnishtest/tests/t02025.vtc
new file mode 100644
index 0000000..3b7e90e
--- /dev/null
+++ b/bin/varnishtest/tests/t02025.vtc
@@ -0,0 +1,49 @@
+varnishtest "h2 reset interrupt"
+
+barrier b1 sock 2
+barrier b2 sock 2
+
+varnish v1 -cliok "param.set feature +http2"
+varnish v1 -cliok "param.set debug +syncvsl"
+varnish v1 -vcl {
+ import vtc;
+
+ backend be none;
+
+ sub vcl_recv {
+ vtc.barrier_sync("${b1_sock}");
+ vtc.barrier_sync("${b2_sock}");
+ }
+
+ sub vcl_miss {
+ vtc.panic("unreachable");
+ }
+} -start
+
+logexpect l1 -v v1 -g raw -i Debug {
+ expect * * Debug "^H2RXF RST_STREAM"
+} -start
+
+client c1 {
+ stream 1 {
+ txreq
+ barrier b1 sync
+ txrst
+ } -run
+} -start
+
+logexpect l1 -wait
+barrier b2 sync
+
+varnish v1 -vsl_catchup
+varnish v1 -expect req_reset == 1
+
+# NB: The varnishncsa command below shows a minimal pattern to collect
+# "rapid reset" suspects per session, with the IP address. Here rapid
+# is interpreted as before a second elapsed. Session VXIDs showing up
+# numerous times become increasingly more suspicious. The format can of
+# course be extended to add anything else useful for data mining.
+shell -expect "1000 ${localhost}" {
+ varnishncsa -n ${v1_name} -d \
+ -q 'Timestamp:Reset[2] < 1.0' -F '%{VSL:Begin[2]}x %h'
+}
diff --git a/doc/sphinx/reference/vsl.rst b/doc/sphinx/reference/vsl.rst
index cf63089..f1ed987 100644
--- a/doc/sphinx/reference/vsl.rst
+++ b/doc/sphinx/reference/vsl.rst
@@ -76,6 +76,11 @@ Resp
Restart
Client request is being restarted.
+Reset
+ The client closed its connection, reset its stream or caused
+ a stream error that forced Varnish to reset the stream. Request
+ processing is interrupted and considered failed.
+
Pipe handling timestamps
~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/include/tbl/feature_bits.h b/include/tbl/feature_bits.h
index d51b22c..3d6ac35 100644
--- a/include/tbl/feature_bits.h
+++ b/include/tbl/feature_bits.h
@@ -82,6 +82,11 @@ FEATURE_BIT(BUSY_STATS_RATE, busy_stats_rate,
"Make busy workers comply with thread_stats_rate."
)
+FEATURE_BIT(VCL_REQ_RESET, vcl_req_reset,
+ "Stop processing client VCL once the client is gone. "
+ "When this happens MAIN.req_reset is incremented."
+)
+
#undef FEATURE_BIT
/*lint -restore */
diff --git a/include/tbl/req_flags.h b/include/tbl/req_flags.h
index 2e82660..9e72312 100644
--- a/include/tbl/req_flags.h
+++ b/include/tbl/req_flags.h
@@ -41,6 +41,7 @@ REQ_FLAG(is_hitpass, 1, 0, "")
REQ_FLAG(waitinglist, 0, 0, "")
REQ_FLAG(want100cont, 0, 0, "")
REQ_FLAG(late100cont, 0, 0, "")
+REQ_FLAG(req_reset, 0, 0, "")
#undef REQ_FLAG
/*lint -restore */
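Review bot: In mgt_param_bits.c the `feature` default moves from the `default` keyword to the explicit list `"+validate_headers +vcl_req_reset"`, which redefines the baseline for every feature bit rather than only enabling the new one; if `default` in this release resolved to a different set of bits, the backport changes behaviour beyond the CVE fix. It would be worth checking the release's feature_bits.h defaults and documenting the intent on that line, e.g. `/* explicit list: vcl_req_reset added for CVE-2023-44487, validate_headers kept enabled */`, so the next rebase does not drop a bit by accident. The req_poll addition in cache_vrt_vcl.c appears consistent with this: it returns before VCL_Req2Ctx, sets wrk->handling to VCL_RET_FAIL, and uses `req->req_reset` so the counter is not bumped twice. The `struct parspec VSL_parspec[]` initialiser starts before the hunk.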



@ -1,90 +1,135 @@
%global _hardened_build 1
%global debug_package %{nil}
%global _hardened_build 0
# https://github.com/varnishcache/varnish-cache/issues/2269
%global debug_package %{nil}
%if 0%{?rhel} == 7
%global _use_internal_dependency_generator 0
%global __find_provides %{_builddir}/%{name}-%{version}/find-provides %__find_provides
%global __python /usr/bin/python3.4
%else
%global __python %{__python3}
%endif
%global __provides_exclude_from ^%{_libdir}/varnish/vmods
%global abi 17c51b08e037fc8533fb3687a042a867235fc72f
%global vrt 13.0
# Package scripts are now external
# https://github.com/varnishcache/pkg-varnish-cache
%global commit1 0ad2f22629c4a368959c423a19e352c9c6c79682
%global commit1 ec7ad9e6c6dd7c9b4f4ba60c5b223376908c3ca6
%global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
%bcond_without python2
%bcond_with python3
%if %{with python2} == %{with python3}
%error Pick exactly one Python version
%endif
Summary: High-performance HTTP accelerator
Name: varnish
Version: 6.0.8
Release: 2%{?dist}.1
Version: 6.6.2
Release: 6%{?dist}
License: BSD
Group: System Environment/Daemons
URL: https://www.varnish-cache.org/
Source0: http://varnish-cache.org/_downloads/%{name}-%{version}%{?vd_rc}.tgz
Source0: http://varnish-cache.org/_downloads/%{name}-%{version}.tgz
Source1: https://github.com/varnishcache/pkg-varnish-cache/archive/%{commit1}.tar.gz#/pkg-varnish-cache-%{shortcommit1}.tar.gz
Patch1: varnish-5.1.1.fix_ld_library_path_in_doc_build.patch
Patch4: varnish-4.0.3_fix_varnish4_selinux.el6.patch
Patch9: varnish-5.1.1.fix_python_version.patch
# https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e
Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
# Patches:
# Patch 001: Because of Fedora's libtool no-rpath requirement, it is still
# necessary to add LD_LIBRARY_PATH when building the documentation
# (Fixed by using LT_SYS_LIBRARY_PATH)
#Patch1: varnish-6.1.1_fix_ld_library_path_in_doc_build.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2045031
Patch100: varnish-6.0.8.CVE-2022-23959.patch
# Patch 004: varnish selinux support for el6
#Patch4: varnish-4.0.3_fix_varnish4_selinux.el6.patch
# Patch 009: Hard code older python support in configure for older el releases
#Patch9: varnish-5.1.1.fix_python_version.patch
# Patch 012: Fix test for variants of ncurses, based on upstream commit 9bdc5f75, upstream issue #2668
#Patch12: varnish-6.0.1_fix_bug2668.patch
# Patch 013: Just a simple format error
#Patch13: varnish-6.1.0_fix_testu00008.patch
# Patch 014: Another formatting error fixed upstream, issue 2879
#Patch14: varnish-6.1.1_fix_upstrbug_2879.patch
# Patch 015: pcre-jit fixed upstream, issue #2912
#Patch15: varnish-6.1.1_fix_issue_2912.patch
# Patch 016: Fix some warnings that prohibited clean -Werror compilation
# on el6. Will not be fixed upstream. Patch grows more stupid
# for each iteration :-(
#Patch16: varnish-6.5.0_el6_fix_warning_from_old_gcc.patch
# Patch 017: Fix stack size on ppc64 in test c_00057, upstream commit 88948d9
#Patch17: varnish-6.2.0_fix_ppc64_for_test_c00057.patch
# Patch 018: gcc-10.0.1/s390x compilation fix, upstream commit b0af060
#Patch18: varnish-6.3.2_fix_s390x.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2141844
Patch101: varnish-6.0.8-CVE-2022-45060.patch
Patch100: varnish-6.6.2-CVE-2022-45060.patch
Obsoletes: varnish-libs
# https://issues.redhat.com/browse/RHEL-12818
Patch101: varnish-6.6.2-CVE-2023-44487-rate_limit.patch
%if %{with python3}
BuildRequires: python3, python3-sphinx, python3-docutils
# https://issues.redhat.com/browse/RHEL-12818
Patch102: varnish-6.6.2-CVE-2023-44487-vcl_vrt.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2271486
Patch103: varnish-6.6.2-CVE-2024-30156.patch
%if 0%{?fedora} > 29
Provides: varnish%{_isa} = %{version}-%{release}
Provides: varnishd(abi)%{_isa} = %{abi}
Provides: varnishd(vrt)%{_isa} = %{vrt}
Provides: vmod(blob)%{_isa} = %{version}-%{release}
Provides: vmod(directors)%{_isa} = %{version}-%{release}
Provides: vmod(proxy)%{_isa} = %{version}-%{release}
Provides: vmod(purge)%{_isa} = %{version}-%{release}
Provides: vmod(std)%{_isa} = %{version}-%{release}
Provides: vmod(unix)%{_isa} = %{version}-%{release}
Provides: vmod(vtc)%{_isa} = %{version}-%{release}
%endif
Obsoletes: varnish-libs < %{version}-%{release}
%if 0%{?rhel} == 7
BuildRequires: python34 python34-sphinx python34-docutils
%else
%if 0%{?rhel} >= 6
BuildRequires: python-sphinx
%endif
BuildRequires: python-docutils
BuildRequires: python3, python3-sphinx, python3-docutils
%endif
# Drop jemalloc dependency in RHEL-9
# BuildRequires: jemalloc-devel
BuildRequires: libedit-devel
BuildRequires: ncurses-devel
BuildRequires: pcre-devel
BuildRequires: pkgconfig
BuildRequires: gcc
BuildRequires: make
BuildRequires: graphviz
# Extra requirements for the build suite
BuildRequires: nghttp2
%if 0%{?rhel} == 6
BuildRequires: selinux-policy
%endif
# haproxy is broken in rawhide now
#if 0#{?fedora} || 0#{?rhel} >= 8
#BuildRequires: haproxy
#endif
Requires: logrotate
Requires: ncurses
Requires: pcre
# Drop jemalloc dependency in RHEL-9
# Requires: jemalloc
Requires: redhat-rpm-config
Requires(pre): shadow-utils
Requires(post): /usr/bin/uuidgen
# Varnish actually needs gcc installed to work. It uses the C compiler
# at runtime to compile the VCL configuration files. This is by design.
Requires: gcc
%if 0%{?fedora} >= 17 || 0%{?rhel} >= 7
Requires(post): systemd-units
Requires(post): systemd-sysv
Requires(preun): systemd-units
Requires(postun): systemd-units
BuildRequires: systemd-units
%endif
%if 0%{?rhel} == 6
Requires: %{name}-selinux
Requires(post): policycoreutils,
Requires(preun): policycoreutils
Requires(postun): policycoreutils
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig
Requires(preun): /sbin/service
%endif
%description
This is Varnish Cache, a high-performance HTTP accelerator.
@ -99,124 +144,95 @@ available on: https://www.varnish-cache.org/
%package devel
Summary: Development files for %{name}
Group: Development/Libraries
BuildRequires: ncurses-devel
#BuildRequires: ncurses-devel
Provides: varnish-libs-devel%{?isa} = %{version}-%{release}
Provides: varnish-libs-devel = %{version}-%{release}
Obsoletes: varnish-libs-devel
%if %{with python2}
Requires: python
%endif
Obsoletes: varnish-libs-devel < %{version}-%{release}
Requires: %{name} = %{version}-%{release}
Requires: python3
%description devel
Development files for %{name}
Varnish Cache is a high-performance HTTP accelerator
%package docs
Summary: Documentation files for %name
Group: Documentation
%description docs
Documentation files for %name
%if 0%{?rhel} == 6
%package selinux
Summary: Minimal selinux policy for running varnish
Group: System Environment/Daemons
%description selinux
Minimal selinux policy for running varnish4
%endif
%prep
%setup -q -n varnish-%{version}%{?vd_rc}
%setup -q
tar xzf %SOURCE1
ln -s pkg-varnish-cache-%{commit1}/redhat redhat
ln -s pkg-varnish-cache-%{commit1}/debian debian
cp redhat/find-provides .
%if 0%{?rhel} == 6
cp pkg-varnish-cache-%{commit1}/sysv/redhat/* redhat/
sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
%endif
sed -i 's,rst2man-3.6,rst2man-3.4,g; s,rst2html-3.6,rst2html-3.4,g; s,phinx-build-3.6,phinx-build-3.4,g' configure
%patch1 -p1
%if 0%{?rhel} == 6
%patch4 -p0
%patch9 -p0
%patch11 -p0
%endif
%patch100 -p1
%patch101 -p1
%patch100 -p1 -b .CVE-2022-45060
%patch101 -p1 -b .CVE-2023-44487
%patch102 -p1 -b .CVE-2023-44487-vcl
%patch103 -p1 -b .CVE-2024-30156
%build
%if 0%{?rhel} == 6
export CFLAGS="%{optflags} -fPIC"
export LDFLAGS=" -pie"
%endif
# https://gcc.gnu.org/wiki/FAQ#PR323
%ifarch %ix86
%if 0%{?fedora} > 21
export CFLAGS="%{optflags} -ffloat-store -fexcess-precision=standard"
%endif
%if 0%{?rhel} >= 6
export CFLAGS="%{optflags} -fPIC -ffloat-store"
%endif
%ifarch s390x
export CFLAGS="%{optflags} -Wno-error=free-nonheap-object"
%endif
# What gcc version is this?
gcc --version
# What is the page size
getconf PAGESIZE
# Man pages are prebuilt. No need to regenerate them.
export RST2MAN=/bin/true
# Explicit python, please
export PYTHON=%{__python}
%configure --disable-static \
--with-jemalloc=no \
%configure LT_SYS_LIBRARY_PATH=%_libdir \
--disable-static \
--localstatedir=/var/lib \
--docdir=%{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
#ifarch x86_64 #arm
--docdir=%{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} \
--without-jemalloc \
# --disable-pcre-jit \
#endif
# We have to remove rpath - not allowed in Fedora
# (This problem only visible on 64 bit arches)
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g;
s|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
# I'll never understand libtool
mkdir lib/libvarnishapi/.libs
pushd lib/libvarnishapi/.libs
ln -s libvarnishapi.so libvarnishapi.so.1
popd
# Upstream github issue #2265
%if 0%{?rhel} == 6
sed -i 's/-Werror$//g;' bin/varnishd/Makefile
sed -i 's/-Werror$//g;' lib/libvarnishapi/Makefile
%endif
make %{?_smp_mflags} V=1
# One varnish user is enough
sed -i 's,User=varnishlog,User=varnish,g;' redhat/varnishncsa.service
# Explicit python, please
%if %{with python2}
sed -i 's/env python3/python2/g;' lib/libvcc/vmodtool.py lib/libvcc/vsctool.py
%else
sed -i 's/env python3/python3/g;' lib/libvcc/vmodtool.py lib/libvcc/vsctool.py
%endif
# Clean up the html documentation
rm -rf doc/html/_sources
%check
%ifarch ppc64 ppc64le aarch64
sed -i 's/48/128/g;' bin/varnishtest/tests/c00057.vtc
# Remove this for now. Hard to get the size and timing right
%ifarch s390 s390x aarch64
rm bin/varnishtest/tests/o00005.vtc
%endif
#make %{?_smp_mflags} check LD_LIBRARY_PATH="%{buildroot}%{_libdir}:%{buildroot}%{_libdir}/%{name}" VERBOSE=1
# disable test because of CVE-2023-44487 fix
# https://github.com/varnishcache/varnish-cache/pull/3998#issuecomment-1764649216
rm bin/varnishtest/tests/t02014.vtc
make %{?_smp_mflags} check VERBOSE=1
%install
rm -rf %{buildroot}
make install DESTDIR=%{buildroot} INSTALL="install -p"
# mock el7 defaults to LANG=C, which makes python3 fail when parsing utf8 text
%if 0%{?rhel} == 7
export LANG=en_US.UTF-8
%endif
%{make_install}
# None of these for fedora
find %{buildroot}/%{_libdir}/ -name '*.la' -exec rm -f {} ';'
@ -230,33 +246,20 @@ install -D -m 0644 redhat/varnish.logrotate %{buildroot}%{_sysconfdir}/logrotate
install -D -m 0644 include/vcs_version.h %{buildroot}%{_includedir}/varnish
install -D -m 0644 include/vrt.h %{buildroot}%{_includedir}/varnish
# systemd support
%if 0%{?fedora} >= 17 || 0%{?rhel} >= 7
mkdir -p %{buildroot}%{_unitdir}
install -D -m 0644 redhat/varnish.service %{buildroot}%{_unitdir}/varnish.service
install -D -m 0644 redhat/varnishncsa.service %{buildroot}%{_unitdir}/varnishncsa.service
# default is standard sysvinit
%else
install -D -m 0644 redhat/varnish.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/varnish
install -D -m 0755 redhat/varnish.initrc %{buildroot}%{_initrddir}/varnish
install -D -m 0755 redhat/varnishncsa.initrc %{buildroot}%{_initrddir}/varnishncsa
%endif
install -D -m 0755 redhat/varnishreload %{buildroot}%{_sbindir}/varnishreload
echo %{_libdir}/varnish > %{buildroot}%{_sysconfdir}/ld.so.conf.d/varnish-%{_arch}.conf
# No idea why these ends up with mode 600 in the debug package
%if 0%{debug_package}
chmod 644 lib/libvmod_*/*.c
chmod 644 lib/libvmod_*/*.h
# selinux module for el6
%if 0%{?rhel} == 6
cd selinux
make -f %{_datadir}/selinux/devel/Makefile
install -p -m 644 -D varnish4.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/varnish4.pp
%endif
%files
%{_sbindir}/*
%{_bindir}/*
@ -276,18 +279,9 @@ install -p -m 644 -D varnish4.pp %{buildroot}%{_datadir}/selinux/packages/%{name
%config %{_sysconfdir}/ld.so.conf.d/varnish-%{_arch}.conf
# systemd from fedora 17 and rhel 7
%if 0%{?fedora} >= 17 || 0%{?rhel} >= 7
%{_unitdir}/varnish.service
%{_unitdir}/varnishncsa.service
# default is standard sysvinit
%else
%config(noreplace) %{_sysconfdir}/sysconfig/varnish
%{_initrddir}/varnish
%{_initrddir}/varnishncsa
%endif
%files devel
%license LICENSE
%doc README.rst
@ -302,10 +296,6 @@ install -p -m 644 -D varnish4.pp %{buildroot}%{_datadir}/selinux/packages/%{name
%doc doc/html
%doc doc/changes*.html
%if 0%{?rhel} == 6
%files selinux
%{_datadir}/selinux/packages/%{name}/varnish4.pp
%endif
%pre
getent group varnish >/dev/null || groupadd -r varnish
@ -314,98 +304,180 @@ getent passwd varnish >/dev/null || \
-c "Varnish Cache" varnish
exit 0
%post
%if 0%{?fedora} >= 17 || 0%{?rhel} >= 7
%systemd_post varnish.service
# Other distros: Use chkconfig
%else
/sbin/chkconfig --add varnish
/sbin/chkconfig --add varnishncsa
%endif
%systemd_post varnish varnishncsa
/sbin/ldconfig
# Previous versions had varnishlog and varnishncsa running as root
chown varnish:varnish /var/log/varnish/varnishncsa.log 2>/dev/null || true
test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc/varnish/secret)
# selinux module for el6
%if 0%{?rhel} == 6
%post selinux
if [ "$1" -le "1" ] ; then # First install
semodule -i %{_datadir}/selinux/packages/%{name}/varnish4.pp 2>/dev/null || :
fi
%preun selinux
if [ "$1" -lt "1" ] ; then # Final removal
semodule -r varnish4 2>/dev/null || :
fi
%postun
%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
%systemd_postun_with_restart varnish.service
%endif
%systemd_postun_with_restart varnish varnishncsa
/sbin/ldconfig
%postun selinux
if [ "$1" -ge "1" ] ; then # Upgrade
semodule -i %{_datadir}/selinux/packages/%{name}/varnish4.pp 2>/dev/null || :
fi
%endif
%preun
%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
%systemd_preun varnish.service
%else
if [ $1 -lt 1 ]; then
# Package removal, not upgrade
%if 0%{?fedora} >= 17 || 0%{?rhel} >= 7
/bin/systemctl --no-reload disable varnish.service > /dev/null 2>&1 || :
/bin/systemctl stop varnish.service > /dev/null 2>&1 || :
/bin/systemctl stop varnishncsa.service > /dev/null 2>&1 || :
%else
/sbin/service varnish stop > /dev/null 2>&1
/sbin/service varnishncsa stop > /dev/null 2>%1
/sbin/chkconfig --del varnish
/sbin/chkconfig --del varnishncsa
%endif
fi
%endif
%systemd_preun varnish varnishncsa
%changelog
* Mon Nov 14 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2.1
- Resolves: #2142092 - CVE-2022-45060 varnish:6/varnish: Request Forgery
Vulnerability
* Tue Apr 16 2024 Luboš Uhliarik <luhliari@redhat.com> - 6.6.2-6
- Resolves: RHEL-30337 - varnish: HTTP/2 Broken Window Attack may result
in denial of service (CVE-2024-30156)
* Tue Feb 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2
- Resolves: #2047650 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
Smuggling Vulnerability
* Fri Oct 20 2023 Tomas Korbar <tkorbar@redhat.com> - 6.6.2-5
- Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487
- Resolves: RHEL-12818
* Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1
- new version 6.0.8
- Resolves: #1982862 - CVE-2021-36740 varnish:6/varnish: HTTP/2 request
smuggling attack via a large Content-Length header for a POST request
* Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.6.2-3
- Resolves: #2142096 - CVE-2022-45060 varnish: Request Forgery Vulnerability
* Tue Apr 14 2020 Lubos Uhliarik <luhliari@redhat.com> - 6.0.6-2
- new version 6.0.6
- Resolves: #1795673 - RFE: rebase varnish:6 to latest 6.0.x LTS
- Resolves: #1790907 - CVE-2019-20637 varnish: not clearing pointer between two
client requests leads to information disclosure
- Resolves: #1763958 - CVE-2019-15892 varnish:6/varnish: denial of service
handling certain crafted HTTP/1 requests
* Thu Feb 17 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.6.2-2
- new version 6.6.2
- Resolves: #2007641 - rebase Varnish to 6.6.2
* Mon Oct 08 2018 Lubos Uhliarik <luhliari@redhat.com> - 6.0.2-1
- new version 6.0.2 (#1633338)
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 6.5.2-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Aug 01 2018 Luboš Uhliarik <luhliari@redhat.com> - 6.0.0-3
- Resolves: #1591765 - varnish: Remove dependency on jemalloc
* Wed Jul 21 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.5.2-1
- new version 6.5.2
- Resolves: #1984185 - Rebase varnish to 6.5.2
- Resolves: #1982858 - CVE-2021-36740 varnish: HTTP/2 request smuggling attack
via a large Content-Length header for a POST request
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 6.5.1-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Feb 24 2021 Lubos Uhliarik <luhliari@redhat.com> - 6.5.1-4
- Resolves: #1918406 - Drop jemalloc dependency in RHEL 9
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 6.5.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Jan 21 2021 Ingvar Hagelund <ingvar@redpill-linpro.com> 6.5.1-2
- Pulled support for el6
- Pulled support for sysvinit
- aarch64 builds now with jemalloc again on el7
* Fri Sep 25 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> 6.5.1-1
- New upstream release varnish-6.5.1
* Wed Sep 16 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> 6.5.0-1
- New upstream release varnish-6.5.0
- Respun silly patch to get rid of compiler warnings on el6
* Tue Aug 04 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> 6.4.0-4
- Added -Wno-error=free-nonheap-object to CFLAGS to build on s390x
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.4.0-3
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Mar 16 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.4.0-1
- New upstream release
- Respin patches for 6.4.0
- Removed patches merged upstream
- Deactivated a test on s390*. Too hard to get size and timing right
* Wed Feb 12 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.3.2-3
- Got corrected compilation fix patch from upstream
* Tue Feb 11 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.3.2-2
- Added simple compilation fix for gcc-10.0.1/s390x
* Tue Feb 11 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.3.2-1
- New upstream release, a security release. Includes fix for VSV00005
- Added new checkout of pkg-varnish
- Temporarily disable haproxy unit tests, as haproxy seems broken in rawhide
* Mon Feb 10 2020 Joe Orton <jorton@redhat.com> - 6.3.1-3
- drop buildreq on (retired) vttest (#1800232)
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Tue Oct 22 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.3.1-1
- New upstream release. A security release. Includes fix for VSV00004
* Fri Sep 20 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.3.0-2
- Respin patch for el6
* Mon Sep 16 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.3.0-1
- New upstream release
* Wed Sep 04 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.2.1-4
- New upstream release. A security release. Includes fix for CVE-2019-15892
* Thu Aug 08 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.2.0-4
- Pull in extra requirements to the build requirements to run more
tests (on fedora: haproxy, vttest)
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 6.2.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Apr 04 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.2.0-2
- Run configure with LT_SYS_LIBRARY_PATH, removing the need for
killing RPATH in libtool with sed and scattering LD_LIBRARY_PATH around
with patches
- Some explicit python version fixes needed for el7 python34 vs python36
- aarch64 now builds with jemalloc again on fedora
* Fri Mar 15 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.2.0-1
- New upstream release varnish-6.2
- Removed patches merged upstream
- Remove misc sed hacks for bugs that are fixed upstream
- Added a patch for gcc-4.4 -Werror support on el6
- Added a patch from upstream to fix too small thread pool stack in a test
- Override macro __python to make brp-python-bytecompile choose python3
- Explicitly use python-3.4
- Switch to make_install macro
- Better documentation of patches
- Updated checkout of pkg-varnish-cache
* Thu Mar 07 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.1-5
- Adding a patch based on upstream commits, fixing pcre-jit, see
upstream bug 2912
* Thu Feb 14 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.1-4
- Adding a patch from upstream fixing a simple formatting bug on gcc-9
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 6.1.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Nov 07 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.1-2
- Respun ld_library_path patch for varnish-6.1.1
* Wed Nov 07 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.1-1
- New upstream release
* Tue Nov 06 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.0-3
- Dropped the depricated external dependency generator in Fedora
- Hard coded vmod, abi and vrt provides
* Fri Nov 02 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.0-2
- Added a patch to fix a failing test in the testsuite
* Fri Nov 02 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.0-1
- New upstream release
- Respin patches for 6.1.0
- Disable pcre-jit for now, ref upstream bug #2817
* Tue Oct 09 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.0.1-3
- Explicitly using utf8 under install on el6 and el7 for python quirks
* Tue Oct 09 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.0.1-2
- Explicitly using python3 on all targets
* Thu Sep 27 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.0.1-1
- New upstream release
- Removed graphciz from BuildRequires. It is not used
- Removed patch for fortify_source on el6. It is merged upstream
- Small workaround for test suite problem with old readline/curses on el6
- Supports bcond_with python3, for simpler future deprication of python2
- Added -fno-exceptions to CFLAGS on el6, see upstream issue #2793
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild