Update to 6.0.13

SOURCES/varnish-6.0.13-CVE-2025-47905.patch

@@ -1,418 +0,0 @@
-commit 1fef8cc747030259d61bf8e451b4317bff5b2ed5
-Author: Luboš Uhliarik <luhliari@redhat.com>
-Date:   Wed May 21 18:09:51 2025 +0200
-
-    Fix for CVE-2025-47905
-
-diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c
-index 374bcac..32176b3 100644
---- a/bin/varnishd/http1/cache_http1_vfp.c
-+++ b/bin/varnishd/http1/cache_http1_vfp.c
-@@ -90,76 +90,118 @@ v1f_read(const struct vfp_ctx *vc, struct http_conn *htc, void *d, ssize_t len)
- 
- 
- /*--------------------------------------------------------------------
-- * Read a chunked HTTP object.
-+ * read (CR)?LF at the end of a chunk
-+ */
-+static enum vfp_status
-+v1f_chunk_end(struct vfp_ctx *vc, struct http_conn *htc)
-+{
-+	char c;
-+
-+	if (v1f_read(vc, htc, &c, 1) <= 0)
-+		return (VFP_Error(vc, "chunked read err"));
-+	if (c == '\r' && v1f_read(vc, htc, &c, 1) <= 0)
-+		return (VFP_Error(vc, "chunked read err"));
-+	if (c != '\n')
-+		return (VFP_Error(vc, "chunked tail no NL"));
-+	return (VFP_OK);
-+}
-+
-+
-+/*--------------------------------------------------------------------
-+ * Parse a chunk header and, for VFP_OK, return size in a pointer
-  *
-  * XXX: Reading one byte at a time is pretty pessimal.
-  */
- 
--static enum vfp_status v_matchproto_(vfp_pull_f)
--v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
--    ssize_t *lp)
-+static enum vfp_status
-+v1f_chunked_hdr(struct vfp_ctx *vc, struct http_conn *htc, ssize_t *szp)
- {
--	struct http_conn *htc;
- 	char buf[20];		/* XXX: 20 is arbitrary */
--	char *q;
- 	unsigned u;
- 	uintmax_t cll;
--	ssize_t cl, l, lr;
-+	ssize_t cl, lr;
-+	char *q;
- 
- 	CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
--	CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
--	CAST_OBJ_NOTNULL(htc, vfe->priv1, HTTP_CONN_MAGIC);
--	AN(ptr);
--	AN(lp);
-+	CHECK_OBJ_NOTNULL(htc, HTTP_CONN_MAGIC);
-+	AN(szp);
-+	assert(*szp == -1);
- 
--	l = *lp;
--	*lp = 0;
--	if (vfe->priv2 == -1) {
--		/* Skip leading whitespace */
--		do {
--			lr = v1f_read(vc, htc, buf, 1);
--			if (lr <= 0)
--				return (VFP_Error(vc, "chunked read err"));
--		} while (vct_islws(buf[0]));
--
--		if (!vct_ishex(buf[0]))
--			 return (VFP_Error(vc, "chunked header non-hex"));
--
--		/* Collect hex digits, skipping leading zeros */
--		for (u = 1; u < sizeof buf; u++) {
--			do {
--				lr = v1f_read(vc, htc, buf + u, 1);
--				if (lr <= 0)
--					return (VFP_Error(vc,
--					    "chunked read err"));
--			} while (u == 1 && buf[0] == '0' && buf[u] == '0');
--			if (!vct_ishex(buf[u]))
--				break;
--		}
-+	/* Skip leading whitespace */
-+	do {
-+		lr = v1f_read(vc, htc, buf, 1);
-+		if (lr <= 0)
-+			return (VFP_Error(vc, "chunked read err"));
-+	} while (vct_isows(buf[0]));
- 
--		if (u >= sizeof buf)
--			return (VFP_Error(vc, "chunked header too long"));
-+	if (!vct_ishex(buf[0]))
-+		return (VFP_Error(vc, "chunked header non-hex"));
- 
--		/* Skip trailing white space */
--		while (vct_islws(buf[u]) && buf[u] != '\n') {
-+	/* Collect hex digits, skipping leading zeros */
-+	for (u = 1; u < sizeof buf; u++) {
-+		do {
- 			lr = v1f_read(vc, htc, buf + u, 1);
- 			if (lr <= 0)
- 				return (VFP_Error(vc, "chunked read err"));
--		}
-+		} while (u == 1 && buf[0] == '0' && buf[u] == '0');
-+		if (!vct_ishex(buf[u]))
-+			break;
-+	}
- 
--		if (buf[u] != '\n')
--			return (VFP_Error(vc, "chunked header no NL"));
-+	if (u >= sizeof buf)
-+		return (VFP_Error(vc, "chunked header too long"));
- 
--		buf[u] = '\0';
-+	/* Skip trailing white space */
-+	while (vct_isows(buf[u])) {
-+		lr = v1f_read(vc, htc, buf + u, 1);
-+		if (lr <= 0)
-+			return (VFP_Error(vc, "chunked read err"));
-+	}
-+
-+	if (buf[u] == '\r' && v1f_read(vc, htc, buf + u, 1) <= 0)
-+		return (VFP_Error(vc, "chunked read err"));
-+	if (buf[u] != '\n')
-+		return (VFP_Error(vc, "chunked header no NL"));
- 
--		cll = strtoumax(buf, &q, 16);
--		if (q == NULL || *q != '\0')
--			return (VFP_Error(vc, "chunked header number syntax"));
--		cl = (ssize_t)cll;
--		if (cl < 0 || (uintmax_t)cl != cll)
--			return (VFP_Error(vc, "bogusly large chunk size"));
-+	buf[u] = '\0';
- 
--		vfe->priv2 = cl;
-+	cll = strtoumax(buf, &q, 16);
-+	if (q == NULL || *q != '\0')
-+		return (VFP_Error(vc, "chunked header number syntax"));
-+	cl = (ssize_t)cll;
-+	if (cl < 0 || (uintmax_t)cl != cll)
-+		return (VFP_Error(vc, "bogusly large chunk size"));
-+
-+	*szp = cl;
-+	return (VFP_OK);
-+}
-+
-+
-+/*--------------------------------------------------------------------
-+ * Read a chunked HTTP object.
-+ *
-+ */
-+
-+static enum vfp_status v_matchproto_(vfp_pull_f)
-+v1f_chunked_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
-+    ssize_t *lp)
-+{
-+	static enum vfp_status vfps;
-+	struct http_conn *htc;
-+	ssize_t l, lr;
-+
-+	CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
-+	CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
-+	CAST_OBJ_NOTNULL(htc, vfe->priv1, HTTP_CONN_MAGIC);
-+	AN(ptr);
-+	AN(lp);
-+
-+	l = *lp;
-+	*lp = 0;
-+	if (vfe->priv2 == -1) {
-+		vfps = v1f_chunked_hdr(vc, htc, &vfe->priv2);
-+		if (vfps != VFP_OK)
-+			return (vfps);
- 	}
- 	if (vfe->priv2 > 0) {
- 		if (vfe->priv2 < l)
-@@ -169,30 +211,27 @@ v1f_pull_chunked(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr,
- 			return (VFP_Error(vc, "straight insufficient bytes"));
- 		*lp = lr;
- 		vfe->priv2 -= lr;
--		if (vfe->priv2 == 0)
--			vfe->priv2 = -1;
--		return (VFP_OK);
-+		if (vfe->priv2 != 0)
-+			return (VFP_OK);
-+
-+		vfe->priv2 = -1;
-+		return (v1f_chunk_end(vc, htc));
- 	}
- 	AZ(vfe->priv2);
--	if (v1f_read(vc, htc, buf, 1) <= 0)
--		return (VFP_Error(vc, "chunked read err"));
--	if (buf[0] == '\r' && v1f_read(vc, htc, buf, 1) <= 0)
--		return (VFP_Error(vc, "chunked read err"));
--	if (buf[0] != '\n')
--		return (VFP_Error(vc, "chunked tail no NL"));
--	return (VFP_END);
-+	vfps = v1f_chunk_end(vc, htc);
-+	return (vfps == VFP_OK ? VFP_END : vfps);
- }
- 
- static const struct vfp v1f_chunked = {
- 	.name = "V1F_CHUNKED",
--	.pull = v1f_pull_chunked,
-+	.pull = v1f_chunked_pull,
- };
- 
- 
- /*--------------------------------------------------------------------*/
- 
- static enum vfp_status v_matchproto_(vfp_pull_f)
--v1f_pull_straight(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p,
-+v1f_straight_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p,
-     ssize_t *lp)
- {
- 	ssize_t l, lr;
-@@ -223,13 +262,13 @@ v1f_pull_straight(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p,
- 
- static const struct vfp v1f_straight = {
- 	.name = "V1F_STRAIGHT",
--	.pull = v1f_pull_straight,
-+	.pull = v1f_straight_pull,
- };
- 
- /*--------------------------------------------------------------------*/
- 
- static enum vfp_status v_matchproto_(vfp_pull_f)
--v1f_pull_eof(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ssize_t *lp)
-+v1f_eof_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ssize_t *lp)
- {
- 	ssize_t l, lr;
- 	struct http_conn *htc;
-@@ -254,7 +293,7 @@ v1f_pull_eof(struct vfp_ctx *vc, struct vfp_entry *vfe, void *p, ssize_t *lp)
- 
- static const struct vfp v1f_eof = {
- 	.name = "V1F_EOF",
--	.pull = v1f_pull_eof,
-+	.pull = v1f_eof_pull,
- };
- 
- /*--------------------------------------------------------------------
-diff --git a/bin/varnishtest/tests/f00016.vtc b/bin/varnishtest/tests/f00016.vtc
-new file mode 100644
-index 0000000..a38b8b1
---- /dev/null
-+++ b/bin/varnishtest/tests/f00016.vtc
-@@ -0,0 +1,69 @@
-+varnishtest "Do not tolerate anything else than CRLF as chunked ending"
-+
-+server s0 {
-+	rxreq
-+	expect_close
-+} -dispatch
-+
-+varnish v1 -vcl+backend {} -start
-+
-+logexpect l1 -v v1 {
-+	expect * 1001 FetchError "chunked tail no NL"
-+	expect * 1004 FetchError "chunked tail no NL"
-+	expect * 1007 FetchError "chunked header non-hex"
-+	expect * 1010 FetchError "chunked header non-hex"
-+} -start
-+
-+client c1 {
-+	non_fatal
-+	txreq -req POST -hdr "Transfer-encoding: chunked"
-+	send "1\r\n"
-+	send "This is more than one byte of data\r\n"
-+	send "0\r\n"
-+	send "\r\n"
-+	fatal
-+	rxresp
-+	expect resp.status == 503
-+	expect_close
-+} -run
-+
-+client c2 {
-+	non_fatal
-+	txreq -req POST -hdr "Transfer-encoding: chunked"
-+	send "1\r\n"
-+	send "Z  2\r\n"
-+	send "3d\r\n"
-+	send "0\r\n\r\nPOST /evil HTTP/1.1\r\nHost: whatever\r\nContent-Length: 5\r\n\r\n"
-+	send "0\r\n"
-+	send "\r\n"
-+	fatal
-+	rxresp
-+	expect resp.status == 503
-+	expect_close
-+} -run
-+
-+client c3 {
-+	non_fatal
-+	txreq -req POST -hdr "Transfer-encoding: chunked"
-+	send "d\r\n"
-+	send "Spurious CRLF\r\n\r\n"
-+	send "0\r\n"
-+	send "\r\n"
-+	fatal
-+	rxresp
-+	expect resp.status == 503
-+	expect_close
-+} -run
-+
-+client c4 {
-+	non_fatal
-+	txreq -req POST -hdr "Transfer-encoding: chunked"
-+	send "\n0\r\n"
-+	send "\r\n"
-+	fatal
-+	rxresp
-+	expect resp.status == 503
-+	expect_close
-+} -run
-+
-+logexpect l1 -wait
-diff --git a/bin/varnishtest/tests/r01184.vtc b/bin/varnishtest/tests/r01184.vtc
-index d5aba32..f7cd8d7 100644
---- a/bin/varnishtest/tests/r01184.vtc
-+++ b/bin/varnishtest/tests/r01184.vtc
-@@ -62,6 +62,7 @@ server s1 {
- 		sendhex " 10 45 f3 a9 83 b8 18 1c  7b c2 30 55 04 17 13 c4"
- 		sendhex " 0f 07 5f 7a 38 f4 8e 50  b3 37 d4 3a 32 4a 34 07"
- 		sendhex " FF FF FF FF FF FF FF FF  72 ea 06 5f b3 1c fa dd"
-+	send "\n"
- 	expect_close
- } -start
- 
-@@ -93,6 +94,7 @@ server s1 {
- 		sendhex " 10 45 f3 a9 83 b8 18 1c  7b c2 30 55 04 17 13 c4"
- 		sendhex " 0f 07 5f 7a 38 f4 8e 50  b3 37 d4 3a 32 4a 34 07"
- 		sendhex " FF FF FF FF FF FF FF FF  72 ea 06 5f b3 1c fa dd"
-+	send "\n"
- 	expect_close
- } -start
- 
-diff --git a/bin/varnishtest/tests/r01729.vtc b/bin/varnishtest/tests/r01729.vtc
-index 883a60c..f6a01e9 100644
---- a/bin/varnishtest/tests/r01729.vtc
-+++ b/bin/varnishtest/tests/r01729.vtc
-@@ -11,7 +11,7 @@ server s1 {
- 	send "\r\n"
- 	send "14\r\n"
- 	send "0123456789"
--	send "0123456789"
-+	send "0123456789\n"
- 	send "0\r\n"
- 	send "\r\n"
- 
-@@ -29,7 +29,7 @@ client c1 {
- 	send "\r\n"
- 	send "14\r\n"
- 	send "0123456789"
--	send "0123456789"
-+	send "0123456789\n"
- 	send "0\r\n"
- 	send "\r\n"
- 
-@@ -45,7 +45,7 @@ client c1 {
- 	send "\r\n"
- 	send "14\r\n"
- 	send "0123456789"
--	send "0123456789"
-+	send "0123456789\n"
- 	send "0\r\n"
- 	send "\r\n"
- 
-diff --git a/include/vct.h b/include/vct.h
-index 1b7ffbd..e68e465 100644
---- a/include/vct.h
-+++ b/include/vct.h
-@@ -30,9 +30,9 @@
- 
- /* from libvarnish/vct.c */
- 
--#define VCT_SP			(1<<0)
-+#define VCT_OWS			(1<<0)
- #define VCT_CRLF		(1<<1)
--#define VCT_LWS			(VCT_CRLF | VCT_SP)
-+#define VCT_LWS			(VCT_CRLF | VCT_OWS)
- #define VCT_CTL			(1<<2)
- #define VCT_ALPHA		(1<<3)
- #define VCT_SEPARATOR		(1<<4)
-@@ -59,7 +59,8 @@ vct_is(int x, uint16_t y)
- 	return (vct_typtab[x] & (y));
- }
- 
--#define vct_issp(x) vct_is(x, VCT_SP)
-+#define vct_isows(x) vct_is(x, VCT_OWS)
-+#define vct_issp(x) vct_is(x, VCT_OWS)
- #define vct_ishex(x) vct_is(x, VCT_HEX)
- #define vct_islws(x) vct_is(x, VCT_LWS)
- #define vct_isctl(x) vct_is(x, VCT_CTL)
-diff --git a/lib/libvarnish/vct.c b/lib/libvarnish/vct.c
-index 73b784e..43853c9 100644
---- a/lib/libvarnish/vct.c
-+++ b/lib/libvarnish/vct.c
-@@ -54,7 +54,7 @@ const uint16_t vct_typtab[256] = {
- 	[0x06]	=	VCT_CTL,
- 	[0x07]	=	VCT_CTL,
- 	[0x08]	=	VCT_CTL,
--	[0x09]	=	VCT_CTL | VCT_SP,
-+	[0x09]	=	VCT_CTL | VCT_OWS,
- 	[0x0a]	=	VCT_CTL | VCT_CRLF,
- 	[0x0b]	=	VCT_CTL | VCT_VT,
- 	[0x0c]	=	VCT_CTL,
-@@ -77,7 +77,7 @@ const uint16_t vct_typtab[256] = {
- 	[0x1d]	=	VCT_CTL,
- 	[0x1e]	=	VCT_CTL,
- 	[0x1f]	=	VCT_CTL,
--	[0x20]  =	VCT_SP,
-+	[0x20]	=	VCT_OWS,
- 	[0x21]  =	VCT_TCHAR,
- 	[0x22]  =	VCT_SEPARATOR,
- 	[0x23]  =	VCT_TCHAR,

SOURCES/varnish-6.0.8-CVE-2022-45060.patch

@@ -0,0 +1,85 @@
+diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
+index d432629..b0dacb9 100644
+--- a/bin/varnishd/http2/cache_http2_hpack.c
++++ b/bin/varnishd/http2/cache_http2_hpack.c
+@@ -93,18 +93,25 @@ static h2_error
+ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ {
+ 	/* XXX: This might belong in cache/cache_http.c */
++	const char *b0;
+ 	unsigned n;
++	int disallow_empty;
++	char *p;
++	int i;
+ 
+ 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
+ 	AN(b);
+ 	assert(namelen >= 2);	/* 2 chars from the ': ' that we added */
+ 	assert(namelen <= len);
++	
++	disallow_empty = 0;
+ 
+ 	if (len > UINT_MAX) {	/* XXX: cache_param max header size */
+ 		VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
+ 		return (H2SE_ENHANCE_YOUR_CALM);
+ 	}
+ 
++	b0 = b;
+ 	if (b[0] == ':') {
+ 		/* Match H/2 pseudo headers */
+ 		/* XXX: Should probably have some include tbl for
+@@ -113,10 +120,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 			b += namelen;
+ 			len -= namelen;
+ 			n = HTTP_HDR_METHOD;
++			disallow_empty = 1;
++
++			/* First field cannot contain SP or CTL */
++			for (p = b, i = 0; i < len; p++, i++) {
++				if (vct_issp(*p) || vct_isctl(*p))
++					return (H2SE_PROTOCOL_ERROR);
++			}
+ 		} else if (!strncmp(b, ":path: ", namelen)) {
+ 			b += namelen;
+ 			len -= namelen;
+ 			n = HTTP_HDR_URL;
++			disallow_empty = 1;
++
++			/* Second field cannot contain LWS or CTL */
++			for (p = b, i = 0; i < len; p++, i++) {
++				if (vct_islws(*p) || vct_isctl(*p))
++					return (H2SE_PROTOCOL_ERROR);
++			}
+ 		} else if (!strncmp(b, ":scheme: ", namelen)) {
+ 			/* XXX: What to do about this one? (typically
+ 			   "http" or "https"). For now set it as a normal
+@@ -124,6 +145,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 			b++;
+ 			len-=1;
+ 			n = hp->nhd;
++
++			for (p = b + namelen, i = 0; i < len-namelen;
++			    p++, i++) {
++				if (vct_issp(*p) || vct_isctl(*p))
++					return (H2SE_PROTOCOL_ERROR);
++			}
++
++			if (!i)
++				return (H2SE_PROTOCOL_ERROR);
+ 		} else if (!strncmp(b, ":authority: ", namelen)) {
+ 			b+=6;
+ 			len-=6;
+@@ -160,6 +190,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 	hp->hd[n].b = b;
+ 	hp->hd[n].e = b + len;
+ 
++	if (disallow_empty && !Tlen(hp->hd[n])) {
++		VSLb(hp->vsl, SLT_BogoHeader,
++		    "Empty pseudo-header %.*s",
++		    (int)namelen, b0);
++		return (H2SE_PROTOCOL_ERROR);
++	}
++
+ 	return (0);
+ }
+ 

SOURCES/varnish-6.0.8-CVE-2023-44487-rate_limit.patch

@@ -0,0 +1,326 @@
+commit d5cc31b5e6824f8b031c045fab990f31010ee8a1
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Wed Oct 18 17:02:33 2023 +0200
+
+    Upstream #3997 PR
+    
+    Fix CVE-2023-44487
+
+diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc
+index f6925f3..b237f86 100644
+--- a/bin/varnishd/VSC_main.vsc
++++ b/bin/varnishd/VSC_main.vsc
+@@ -586,6 +586,14 @@
+ 
+ 	Number of session closes with Error VCL_FAILURE (VCL failure)
+ 
++.. varnish_vsc:: sc_rapid_reset
++       :level: diag
++       :oneliner:      Session Err RAPID_RESET
++
++       Number of times we failed an http/2 session because it hit its
++       configured limits for the number of permitted rapid stream
++       resets.
++
+ .. varnish_vsc:: client_resp_500
+ 	:level: diag
+ 	:group: wrk
+diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h
+index 205b96c..36a21bc 100644
+--- a/bin/varnishd/http2/cache_http2.h
++++ b/bin/varnishd/http2/cache_http2.h
+@@ -184,6 +184,8 @@ struct h2_sess {
+ 	h2_error			error;
+ 
+ 	int				open_streams;
++	double				rst_budget;
++	vtim_real			last_rst;
+ };
+ 
+ #define ASSERT_RXTHR(h2) do {assert(h2->rxthr == pthread_self());} while(0)
+diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
+index 98f5dc4..270603a 100644
+--- a/bin/varnishd/http2/cache_http2_proto.c
++++ b/bin/varnishd/http2/cache_http2_proto.c
+@@ -43,6 +43,7 @@
+ #include "vtcp.h"
+ #include "vtim.h"
+ 
++#define H2_CUSTOM_ERRORS
+ #define H2EC1(U,v,d) const struct h2_error_s H2CE_##U[1] = {{#U,d,v,0,1}};
+ #define H2EC2(U,v,d) const struct h2_error_s H2SE_##U[1] = {{#U,d,v,1,0}};
+ #define H2EC3(U,v,d) H2EC1(U,v,d) H2EC2(U,v,d)
+@@ -301,9 +302,46 @@ h2_rx_push_promise(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
+ /**********************************************************************
+  */
+ 
++static h2_error
++h2_rapid_reset(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
++{
++	vtim_real now;
++	vtim_dur d;
++
++	CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
++	ASSERT_RXTHR(h2);
++	CHECK_OBJ_NOTNULL(r2, H2_REQ_MAGIC);
++
++	if (cache_param->h2_rapid_reset_limit == 0)
++		return (0);
++
++	now = VTIM_real();
++	CHECK_OBJ_NOTNULL(r2->req, REQ_MAGIC);
++	AN(r2->req->t_first);
++	if (now - r2->req->t_first > cache_param->h2_rapid_reset)
++		return (0);
++
++	d = now - h2->last_rst;
++	h2->rst_budget += cache_param->h2_rapid_reset_limit * d /
++	    cache_param->h2_rapid_reset_period;
++	h2->rst_budget = vmin_t(double, h2->rst_budget,
++	    cache_param->h2_rapid_reset_limit);
++	h2->last_rst = now;
++
++	if (h2->rst_budget < 1.0) {
++		Lck_Lock(&h2->sess->mtx);
++		VSLb(h2->vsl, SLT_Error, "H2: Hit RST limit. Closing session.");
++		Lck_Unlock(&h2->sess->mtx);
++		return (H2CE_RAPID_RESET);
++	}
++	h2->rst_budget -= 1.0;
++	return (0);
++}
++
+ static h2_error v_matchproto_(h2_rxframe_f)
+ h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
+ {
++	h2_error h2e;
+ 
+ 	CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
+ 	ASSERT_RXTHR(h2);
+@@ -313,8 +351,9 @@ h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
+ 		return (H2CE_FRAME_SIZE_ERROR);
+ 	if (r2 == NULL)
+ 		return (0);
++	h2e = h2_rapid_reset(wrk, h2, r2);
+ 	h2_kill_req(wrk, h2, r2, h2_streamerror(vbe32dec(h2->rxf_data)));
+-	return (0);
++	return (h2e);
+ }
+ 
+ /**********************************************************************
+diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c
+index de10835..720b009 100644
+--- a/bin/varnishd/http2/cache_http2_session.c
++++ b/bin/varnishd/http2/cache_http2_session.c
+@@ -127,6 +127,9 @@ h2_init_sess(const struct worker *wrk, struct sess *sp,
+ 	h2_local_settings(&h2->local_settings);
+ 	h2->remote_settings = H2_proto_settings;
+ 	h2->decode = decode;
++	h2->rst_budget = cache_param->h2_rapid_reset_limit;
++	h2->last_rst = sp->t_open;
++	AZ(isnan(h2->last_rst));
+ 
+ 	AZ(VHT_Init(h2->dectbl, h2->local_settings.header_table_size));
+ 
+diff --git a/bin/varnishtest/tests/r03996.vtc b/bin/varnishtest/tests/r03996.vtc
+new file mode 100644
+index 0000000..3fee370
+--- /dev/null
++++ b/bin/varnishtest/tests/r03996.vtc
+@@ -0,0 +1,51 @@
++varnishtest "h2 rapid reset"
++
++barrier b1 sock 5
++
++server s1 {
++	rxreq
++	txresp
++} -start
++
++varnish v1 -cliok "param.set feature +http2"
++varnish v1 -cliok "param.set debug +syncvsl"
++varnish v1 -cliok "param.set h2_rapid_reset_limit 3"
++varnish v1 -cliok "param.set h2_rapid_reset 5"
++
++varnish v1 -vcl+backend {
++	import vtc;
++
++	sub vcl_recv {
++		vtc.barrier_sync("${b1_sock}");
++	}
++
++} -start
++
++client c1 {
++	stream 0 {
++		rxgoaway
++		expect goaway.err == ENHANCE_YOUR_CALM
++	} -start
++
++	stream 1 {
++		txreq
++		txrst
++	} -run
++	stream 3 {
++		txreq
++		txrst
++	} -run
++	stream 5 {
++		txreq
++		txrst
++	} -run
++	stream 7 {
++		txreq
++		txrst
++	} -run
++
++	barrier b1 sync
++	stream 0 -wait
++} -run
++
++varnish v1 -expect sc_rapid_reset == 1
+diff --git a/include/tbl/h2_error.h b/include/tbl/h2_error.h
+index 02044db..0293539 100644
+--- a/include/tbl/h2_error.h
++++ b/include/tbl/h2_error.h
+@@ -46,6 +46,18 @@ H2_ERROR(CONNECT_ERROR,	      10,2, "TCP connection error for CONNECT method")
+ H2_ERROR(ENHANCE_YOUR_CALM,   11,3, "Processing capacity exceeded")
+ H2_ERROR(INADEQUATE_SECURITY, 12,1, "Negotiated TLS parameters not acceptable")
+ H2_ERROR(HTTP_1_1_REQUIRED,   13,1, "Use HTTP/1.1 for the request")
++
++#ifdef H2_CUSTOM_ERRORS
++H2_ERROR(
++       /* name */      RAPID_RESET,
++       /* val */       11, /* ENHANCE_YOUR_CALM */
++       /* types */     1,
++       /* descr */     "http/2 rapid reset detected"
++)
++
++#  undef H2_CUSTOM_ERRORS
++#endif
++
+ #undef H2_ERROR
+ 
+ /*lint -restore */
+diff --git a/include/tbl/params.h b/include/tbl/params.h
+index deecd20..61748e4 100644
+--- a/include/tbl/params.h
++++ b/include/tbl/params.h
+@@ -1901,6 +1901,53 @@ PARAM(
+ 	/* func */      NULL
+ )
+ 
++PARAM(
++	/* name */	h2_rapid_reset,
++	/* typ */	timeout,
++	/* min */	"0.000",
++	/* max */	NULL,
++	/* def */	"1.000",
++	/* units */	"seconds",
++	/* flags */	EXPERIMENTAL,
++	/* s-text */
++       "The upper threshold for how rapid an http/2 RST has to come for "
++       "it to be treated as suspect and subjected to the rate limits "
++       "specified by h2_rapid_reset_limit and h2_rapid_reset_period.",
++	/* l-text */    "",
++	/* func */      NULL
++)
++
++PARAM(
++	/* name */	h2_rapid_reset_limit,
++	/* typ */	uint,
++	/* min */	"0",
++	/* max */	NULL,
++	/* def */	"3600",
++	/* units */	NULL,
++	/* flags */	EXPERIMENTAL,
++	/* s-text */
++	"HTTP2 RST Allowance.\n"
++	"Specifies the maximum number of allowed stream resets issued by\n"
++	"a client over a time period before the connection is closed.\n"
++	"Setting this parameter to 0 disables the limit.",
++	/* l-text */    "",
++	/* func */      NULL
++)
++
++PARAM(
++	/* name */	h2_rapid_reset_period,
++	/* typ */	timeout,
++	/* min */	"1.000",
++	/* max */	NULL,
++	/* def */	"60.000",
++	/* units */	"seconds",
++	/* flags */	EXPERIMENTAL|WIZARD,
++	/* s-text */
++	"HTTP2 sliding window duration for h2_rapid_reset_limit.",
++	/* l-text */    "",
++	/* func */      NULL
++)
++
+ #undef PARAM
+ 
+ /*lint -restore */
+diff --git a/include/tbl/sess_close.h b/include/tbl/sess_close.h
+index c20e71c..de130aa 100644
+--- a/include/tbl/sess_close.h
++++ b/include/tbl/sess_close.h
+@@ -47,6 +47,7 @@ SESS_CLOSE(PIPE_OVERFLOW, pipe_overflow,1,	"Session pipe overflow")
+ SESS_CLOSE(RANGE_SHORT,   range_short,	1,	"Insufficient data for range")
+ SESS_CLOSE(REQ_HTTP20,	  req_http20,	1,	"HTTP2 not accepted")
+ SESS_CLOSE(VCL_FAILURE,	  vcl_failure,	1,	"VCL failure")
++SESS_CLOSE(RAPID_RESET,	  rapid_reset,  1,      "HTTP2 rapid reset")
+ #undef SESS_CLOSE
+ 
+ /*lint -restore */
+diff --git a/include/vdef.h b/include/vdef.h
+index 60d833c..327d506 100644
+--- a/include/vdef.h
++++ b/include/vdef.h
+@@ -93,6 +93,47 @@
+ #  define v_deprecated_
+ #endif
+ 
++/**********************************************************************
++ * Find the minimum or maximum values.
++ * Only evaluate the expression once and perform type checking.
++ */
++
++/* ref: https://stackoverflow.com/a/17624752 */
++
++#define VINDIRECT(a, b, c)	a ## b ## c
++#define VCOMBINE(a, b, c)	VINDIRECT(a, b, c)
++
++#if defined(__COUNTER__)
++#	define VUNIQ_NAME(base)	VCOMBINE(base, __LINE__, __COUNTER__)
++#else
++#	define VUNIQ_NAME(base)	VCOMBINE(base, __LINE__, 0)
++#endif
++
++#ifdef _lint
++#define typeof(x) __typeof__(x)
++#endif
++
++/* ref: https://gcc.gnu.org/onlinedocs/gcc/Typeof.html */
++
++#define _vtake(op, ta, tb, a, b, _va, _vb)				\
++	({								\
++	ta _va = (a);							\
++	tb _vb = (b);							\
++	(void)(&_va == &_vb);						\
++	_va op _vb ? _va : _vb;						\
++})
++
++#define opmin <
++#define opmax >
++#define vtake(n, ta, tb, a, b)	_vtake(op ## n, ta, tb, a, b,		\
++    VUNIQ_NAME(_v ## n ## A), VUNIQ_NAME(_v ## n ## B))
++
++#define vmin(a, b)		vtake(min, typeof(a), typeof(b), a, b)
++#define vmax(a, b)		vtake(max, typeof(a), typeof(b), a, b)
++
++#define vmin_t(type, a, b)	vtake(min, type, type, a, b)
++#define vmax_t(type, a, b)	vtake(max, type, type, a, b)
++
+ /*********************************************************************
+  * Pointer alignment magic
+  */

SOURCES/varnish-6.0.8-CVE-2023-44487-vcl_vrt.patch

@@ -0,0 +1,206 @@
+commit c344e21f23c6605caa257abbf46fd333b7015928
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Wed Oct 18 20:42:21 2023 +0200
+
+    vcl_vrt: Skip VCL execution if the client is gone
+    
+    Upstream PR #4006
+
+diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc
+index b237f86..88a659f 100644
+--- a/bin/varnishd/VSC_main.vsc
++++ b/bin/varnishd/VSC_main.vsc
+@@ -324,6 +324,15 @@
+ 	Number of times an HTTP/2 stream was refused because the queue was
+ 	too long already. See also parameter thread_queue_limit.
+ 
++.. varnish_vsc:: req_reset
++	:group: wrk
++	:oneliner:	Requests reset
++
++	Number of times a client left before the VCL processing of its
++	requests completed. For HTTP/2 sessions, either the stream was
++	reset by an RST_STREAM frame from the client, or a stream or
++	connection error occurred.
++
+ .. varnish_vsc:: n_object
+ 	:type:	gauge
+ 	:group: wrk
+diff --git a/bin/varnishd/cache/cache_transport.h b/bin/varnishd/cache/cache_transport.h
+index 5da5e35..8546411 100644
+--- a/bin/varnishd/cache/cache_transport.h
++++ b/bin/varnishd/cache/cache_transport.h
+@@ -42,6 +42,7 @@ typedef void vtr_sess_panic_f (struct vsb *, const struct sess *);
+ typedef void vtr_req_panic_f (struct vsb *, const struct req *);
+ typedef void vtr_req_fail_f (struct req *, enum sess_close);
+ typedef void vtr_reembark_f (struct worker *, struct req *);
++typedef int vtr_poll_f (struct req *);
+ typedef int vtr_minimal_response_f (struct req *, uint16_t status);
+ 
+ struct transport {
+@@ -62,6 +63,7 @@ struct transport {
+ 	vtr_sess_panic_f		*sess_panic;
+ 	vtr_req_panic_f			*req_panic;
+ 	vtr_reembark_f			*reembark;
++	vtr_poll_f			*poll;
+ 	vtr_minimal_response_f		*minimal_response;
+ 
+ 	VTAILQ_ENTRY(transport)		list;
+diff --git a/bin/varnishd/cache/cache_vcl_vrt.c b/bin/varnishd/cache/cache_vcl_vrt.c
+index 5f3bfee..e35ae59 100644
+--- a/bin/varnishd/cache/cache_vcl_vrt.c
++++ b/bin/varnishd/cache/cache_vcl_vrt.c
+@@ -37,8 +37,10 @@
+ #include "cache_varnishd.h"
+ 
+ #include "vcl.h"
++#include "vtim.h"
+ 
+ #include "cache_director.h"
++#include "cache_transport.h"
+ #include "cache_vcl.h"
+ 
+ /*--------------------------------------------------------------------*/
+@@ -338,6 +340,35 @@ VRT_rel_vcl(VRT_CTX, struct vclref **refp)
+  * The workspace argument is where random VCL stuff gets space from.
+  */
+ 
++static int
++req_poll(struct worker *wrk, struct req *req)
++{
++
++	CHECK_OBJ_NOTNULL(req->top, REQ_MAGIC);
++	CHECK_OBJ_NOTNULL(req->top->transport, TRANSPORT_MAGIC);
++
++	/* NB: Since a fail transition leads to vcl_synth, the request may be
++	 * short-circuited twice.
++	 */
++	if (req->req_reset) {
++		wrk->handling = VCL_RET_FAIL;
++		return (-1);
++	}
++
++	if (!FEATURE(FEATURE_VCL_REQ_RESET))
++		return (0);
++	if (req->top->transport->poll == NULL)
++		return (0);
++	if (req->top->transport->poll(req->top) >= 0)
++		return (0);
++
++	VSLb_ts_req(req, "Reset", W_TIM_real(wrk));
++	wrk->stats->req_reset++;
++	wrk->handling = VCL_RET_FAIL;
++	req->req_reset = 1;
++	return (-1);
++}
++
+ static void
+ vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo,
+     void *specific, unsigned method, vcl_func_f *func)
+@@ -351,6 +382,8 @@ vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo,
+ 		CHECK_OBJ_NOTNULL(req, REQ_MAGIC);
+ 		CHECK_OBJ_NOTNULL(req->sp, SESS_MAGIC);
+ 		CHECK_OBJ_NOTNULL(req->vcl, VCL_MAGIC);
++		if (req_poll(wrk, req))
++			return;
+ 		VCL_Req2Ctx(&ctx, req);
+ 	}
+ 	if (bo != NULL) {
+diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c
+index 720b009..1584740 100644
+--- a/bin/varnishd/http2/cache_http2_session.c
++++ b/bin/varnishd/http2/cache_http2_session.c
+@@ -440,6 +440,16 @@ h2_new_session(struct worker *wrk, void *arg)
+ 	h2_del_sess(wrk, h2, SC_RX_JUNK);
+ }
+ 
++static int v_matchproto_(vtr_poll_f)
++h2_poll(struct req *req)
++{
++	struct h2_req *r2;
++
++	CHECK_OBJ_NOTNULL(req, REQ_MAGIC);
++	CAST_OBJ_NOTNULL(r2, req->transport_priv, H2_REQ_MAGIC);
++	return (r2->error ? -1 : 1);
++}
++
+ struct transport H2_transport = {
+ 	.name =			"H2",
+ 	.magic =		TRANSPORT_MAGIC,
+@@ -449,4 +459,5 @@ struct transport H2_transport = {
+ 	.req_body =		h2_req_body,
+ 	.req_fail =		h2_req_fail,
+ 	.sess_panic =		h2_sess_panic,
++	.poll =			h2_poll,
+ };
+diff --git a/bin/varnishd/mgt/mgt_param_bits.c b/bin/varnishd/mgt/mgt_param_bits.c
+index 263d8a3..788d8f0 100644
+--- a/bin/varnishd/mgt/mgt_param_bits.c
++++ b/bin/varnishd/mgt/mgt_param_bits.c
+@@ -219,7 +219,12 @@ tweak_feature(struct vsb *vsb, const struct parspec *par, const char *arg)
+ 	(void)par;
+ 
+ 	if (arg != NULL && arg != JSON_FMT) {
+-		if (!strcmp(arg, "none")) {
++		if (!strcmp(arg, "default")) {
++			AZ(bit_tweak(vsb, mgt_param.feature_bits,
++				FEATURE_Reserved,
++				"+vcl_req_reset",
++				feature_tags, "feature bit", "+"));
++		}else if (!strcmp(arg, "none")) {
+ 			memset(mgt_param.feature_bits,
+ 			    0, sizeof mgt_param.feature_bits);
+ 		} else {
+@@ -271,6 +276,6 @@ struct parspec VSL_parspec[] = {
+ #define FEATURE_BIT(U, l, d, ld) "\n\t" #l "\t" d
+ #include "tbl/feature_bits.h"
+ #undef FEATURE_BIT
+-		, 0, "none", "" },
++		, 0, "default", "" },
+ 	{ NULL, NULL, NULL }
+ };
+diff --git a/doc/sphinx/reference/vsl.rst b/doc/sphinx/reference/vsl.rst
+index 4d01f5b..b529562 100644
+--- a/doc/sphinx/reference/vsl.rst
++++ b/doc/sphinx/reference/vsl.rst
+@@ -71,6 +71,11 @@ Resp
+ Restart
+ 	Client request is being restarted.
+ 
++Reset
++        The client closed its connection, reset its stream or caused
++        a stream error that forced Varnish to reset the stream. Request
++        processing is interrupted and considered failed.
++
+ Pipe handling timestamps
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ 
+diff --git a/include/tbl/feature_bits.h b/include/tbl/feature_bits.h
+index 23f1b01..844ecfa 100644
+--- a/include/tbl/feature_bits.h
++++ b/include/tbl/feature_bits.h
+@@ -83,6 +83,12 @@ FEATURE_BIT(HTTP_DATE_POSTEL,	http_date_postel,
+     "like Date:, Last-Modified:, Expires: etc."
+ )
+ 
++FEATURE_BIT(VCL_REQ_RESET,			vcl_req_reset,
++    "Stop processing client VCL once the client is gone.",
++    "Stop processing client VCL once the client is gone. "
++    "When this happens MAIN.req_reset is incremented."
++)
++
+ #undef FEATURE_BIT
+ 
+ /*lint -restore */
+diff --git a/include/tbl/req_flags.h b/include/tbl/req_flags.h
+index 2c0dbe8..3d3f05f 100644
+--- a/include/tbl/req_flags.h
++++ b/include/tbl/req_flags.h
+@@ -39,6 +39,7 @@ REQ_FLAG(is_hitpass,		1, 0, "")
+ REQ_FLAG(waitinglist,		0, 0, "")
+ REQ_FLAG(want100cont,		0, 0, "")
+ REQ_FLAG(late100cont,		0, 0, "")
++REQ_FLAG(req_reset,		0, 0, "")
+ #undef REQ_FLAG
+ 
+ /*lint -restore */

SOURCES/varnish-6.0.8.CVE-2022-23959.patch

@@ -0,0 +1,13 @@
+diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
+index 463b75b..982bd73 100644
+--- a/bin/varnishd/cache/cache_req_body.c
++++ b/bin/varnishd/cache/cache_req_body.c
+@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
+ 	if (req->req_body_status == REQ_BODY_WITH_LEN ||
+ 	    req->req_body_status == REQ_BODY_WITHOUT_LEN)
+ 		(void)VRB_Iterate(req, httpq_req_body_discard, NULL);
++	if (req->req_body_status == REQ_BODY_FAIL)
++		req->doclose = SC_RX_BODY;
+ 	return(0);
+ }
+ 

SPECS/varnish.spec

@@ -19,7 +19,7 @@
 Summary: High-performance HTTP accelerator
 Name: varnish
 Version: 6.0.13
-Release: 1%{?dist}.1
+Release: 1%{?dist}.alma.1
 License: BSD
 Group: System Environment/Daemons
 URL: https://www.varnish-cache.org/
@@ -32,10 +32,6 @@ Patch9:  varnish-5.1.1.fix_python_version.patch
 # https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e
 Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
 
-# Security patches ...
-# https://bugzilla.redhat.com/show_bug.cgi?id=2364235
-Patch100: varnish-6.0.13-CVE-2025-47905.patch
-
 Obsoletes: varnish-libs
 
 %if %{with python3}
@@ -143,7 +139,6 @@ sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
 %patch9 -p0
 %patch11 -p0
 %endif
-%patch100 -p1
 
 %build
 %if 0%{?rhel} == 6
@@ -210,10 +205,6 @@ sed -i 's/48/128/g;' bin/varnishtest/tests/c00057.vtc
 %endif
 #make %{?_smp_mflags} check LD_LIBRARY_PATH="%{buildroot}%{_libdir}:%{buildroot}%{_libdir}/%{name}" VERBOSE=1
 
-# disable test because of CVE-2023-44487 fix
-# https://github.com/varnishcache/varnish-cache/pull/3998#issuecomment-1764649216
-rm bin/varnishtest/tests/t02014.vtc
-
 %install
 rm -rf %{buildroot}
 make install DESTDIR=%{buildroot} INSTALL="install -p"
@@ -380,21 +371,19 @@ fi
 
 
 %changelog
-* Wed May 21 2025 Luboš Uhliarik <luhliari@redhat.com> - 6.0.13-1.1
-- Resolves: RHEL-89695 - varnish: request smuggling attacks (CVE-2025-47905)
+* Wed Apr 10 2024 Eduard Abdullin <eabdullin@almalinu.org> - 6.0.13-1.alma.1
+- Update to 6.0.13
 
-* Thu Mar 28 2024 Luboš Uhliarik <luhliari@redhat.com> - 6.0.13-1
-- new version 6.0.13
-- Resolves: RHEL-30379 - varnish:6/varnish: HTTP/2 Broken Window Attack may
-  result in denial of service (CVE-2024-30156)
-
-* Mon Oct 23 2023 Tomas Korbar <tkorbar@redhat.com> - 6.0.8-4
+* Mon Oct 23 2023 Tomas Korbar <tkorbar@redhat.com> - 6.0.8-3.1
 - Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487
-- CVE-2022-45060 varnish:6/varnish: Request Forgery
 - Resolves: RHEL-12814
 
-* Tue Feb 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1.1
-- Resolves: #2047648 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
+* Mon Nov 14 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2.1
+- Resolves: #2142092 - CVE-2022-45060 varnish:6/varnish: Request Forgery
+  Vulnerability
+
+* Tue Feb 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-2
+- Resolves: #2047650 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
   Smuggling Vulnerability
 
 * Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1