SHA256
1
0
forked from pool/varnish
varnish/varnish.changes

792 lines
34 KiB
Plaintext
Raw Normal View History

2024-10-05 17:38:04 +02:00
-------------------------------------------------------------------
Sat Oct 5 15:23:58 UTC 2024 - Andrea Manzini <andrea.manzini@suse.com>
- Update to release 7.6.0
* The Varnish Delivery Processor (VDP) filter API has
been generalized to also accommodate future use for
backend request bodies.
* VDPs with no vdp_bytes_f function are now supported if
the vdp_init_f returns a value greater than zero to
signify that the filter is not to be added to the
chain. This is useful to support VDPs which only need
to work on headers.
* The epoll and kqueue waiters have been improved to
correctly report WAITER_REMCLOSE, which increases the
WAITER.*.remclose counter.
* varnishtest now supports the shutdown command
corresponding to the shutdown(2) standard C library
call.
* VSC counters for waiters have been added:
* conns to count waits on idle connections
* remclose to count idle connections closed by the peer
* timeout to count idle connections which timed out in the waiter
* action to count idle connections which resulted in a read
* The port of a listen_endpoint given with the -a
argument to varnishd can now also be a numerical port
range like "80-89".
* The warning "mlock() of VSM failed" message is now
emitted when locking of shared memory segments (via
mlock(2)) fails.
* A bug has been fixed where string comparisons in VCL
could fail with the nonsensical error message
"Comparison of different types: STRING '==' STRING".
* An issue has been addressed in the builtin.vcl where
backend responses would fail if they contained a
Content-Range header when no range was requested.
* Additional SessError VSL events are now generated for
various HTTP/2 protocol errors.
* A new Linux jail has been added which is now the
default on Linux. For now, it is almost identical to
the Unix jail with one addition:
* When the new Linux jail is used, the working directory
not mounted on tmpfs partition.
* A race condition with VCL temperature transitions has
been addressed.
* Internal management of probes has been reworked to
address race conditions.
* Backend tasks can now be instructed to queue if the
backend has reached its max_connections.
* The size of the buffer to hold panic messages is now
tunable through the new panic_buffer parameter.
* The Varnish Shared Memory (VSM) and Varnish Shared
Counters (VSC) consumer implementation in libvarnishapi
have been improved for stability and performance.
* An issue has been fixed where Varnish Shared Log (VSL)
queries (for example using ``varnishlog -q``) with
numerical values would fail in unexpected ways due to
truncation.
* The ``ObjWaitExtend()`` Object API function gained a
statep argument to optionally return the busy object
state consistent with the current extension. A NULL
value may be passed if the caller does not require it.
* For backends using the ``.via`` attribute to connect
through a proxy, the connect_timeout,
``first_byte_timeout`` and ``between_bytes_timeout``
attributes are now inherited from proxy unless
explicitly given.
* varnishd now creates a worker_tmpdir which can be used
by VMODs for temporary files. The VMOD developer
documentation has details.
* The environment variable VARNISH_DEFAULT_N now provides
the default "varnish name" / "workdir" as otherwise
specified by the ``-n`` argument to varnishd and
varnish* utilities except varnishtest.
* A glitch with TTL comparisons has been fixed which
could, for example, lead to unexpected behavior with
purge.soft().
-------------------------------------------------------------------
Tue Mar 26 18:27:32 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- Update to release 7.5.0
* Resolved CVE-2023-44487, CVE-2024-30156 [boo#1221942]
* The default value of cli_limit has been increased from 48KB
to 64KB.
* A new ``pipe_task_deadline`` directive specifies the maximum
duration of a pipe transaction.
* All the timeout parameters that can be disabled accept the
"never" value.
* Added parameters to control the HTTP/2 Rapid Reset attach.
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
-------------------------------------------------------------------
Tue Feb 6 19:45:13 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
- Use sysuser-tools to generate varnish user
-------------------------------------------------------------------
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
Fri Dec 1 09:34:39 UTC 2023 - Dirk Müller <dmueller@suse.com>
- update to 7.4.2 (bsc#1216123, CVE-2023-44487):
* The ``vcl_req_reset`` feature (controllable through the ``feature``
parameter, see `varnishd(1)`) has been added and enabled by default
to terminate client side VCL processing early when the client is
gone.
*req_reset* events trigger a VCL failure and are reported to
`vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
in `vsc` as visible through ``varnishstat(1)``.
In particular, this feature is used to reduce resource consumption
of HTTP/2 "rapid reset" attacks (see below).
Note that *req_reset* events may lead to client tasks for which no
VCL is called ever. Presumably, this is thus the first time that
valid `vcl(7)` client transactions may not contain any ``VCL_call``
records.
* Added mitigation options and visibility for HTTP/2 "rapid reset"
attacks
Global rate limit controls have been added as parameters, which can
be overridden per HTTP/2 session from VCL using the new vmod ``h2``:
* The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
define a threshold duration for an ``RST_STREAM`` to be classified
as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
duration after a ``HEADERS`` frame, it is accounted against the
rate limit described below.
* The ``h2_rapid_reset_limit`` parameter and
``h2.rapid_reset_limit()`` function define how many "rapid" resets
may be received during the time span defined by the
``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
function before the HTTP/2 connection is forcibly closed with a
``GOAWAY`` and all ongoing VCL client tasks of the connection are
aborted.
The defaults are 100 and 60 seconds, corresponding to an allowance
of 100 "rapid" resets per minute.
* The ``h2.rapid_reset_budget()`` function can be used to query the
number of currently allowed "rapid" resets.
* Sessions closed due to rapid reset rate limiting are reported as
``SessClose RAPID_RESET`` in `vsl(7)` and accounted to
``main.sc_rapid_reset`` in `vsc` as visible through
``varnishstat(1)``.
* The ``cli_limit`` parameter default has been increased from 48KB to
64KB.
* ``VSUB_closefrom()`` now falls back to the base implementation not
only if ``close_range()`` was determined to be unusable at compile
time, but also at run time. That is to say, even if
``close_range()`` is compiled in, the fallback to the naive
implementation remains.
-------------------------------------------------------------------
Thu Sep 21 02:13:28 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
- Update to release 7.4.1
* Response status codes other than 200 and 204 are now considered
errors for ESI fragments.
* Support for abstract AF_LOCAL sockets.
* HTTP/2 header field validation is now more strict with respect
to allowed characters.
* VCL tracing now needs to be explicitly activated by setting the
req.trace or bereq.trace VCL variables.
-------------------------------------------------------------------
Wed Nov 9 17:16:51 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
- Update to release 7.2.1
* Attempts to mark well-known headers like Content-Length and
Host hop-by-hop through a Connection-header will now cause a
400 "Bad request" response.
(VSV00010, CVE-2022-45059, boo#1205243)
* Apply the same character set rules to HTTP/2 pseudo-headers
as is done on the corresponding HTTP/1 request-line field
parsing. (VSV00011, CVE-2022-45060, boo#1205242)
Accepting request 1032206 from home:dirkmueller:Factory - update to 7.2.0: * Functions ``VRT_AddVDP()``, ``VRT_AddVFP()``, ``VRT_RemoveVDP()`` and ``VRT_RemoveVFP()`` are deprecated. * Cookie headers generated by vmod_cookie no longer have a spurious trailing semi-colon (``';'``) at the end of the string. This could break VCL relying on the previous incorrect behavior. * The ``SessClose`` and ``BackendClose`` reason ``rx_body``, which previously output ``Failure receiving req.body``, has been rewritten to ``Failure receiving body``. * Prototypical Varnish Extensions (VEXT). Similar to VMODs, a VEXT is loaded by the cache process. Unlike VMODs that have the combined lifetime of all the VCLs that reference them, a VEXT has the lifetime of the cache process itself. There are no built-in extensions so far. * The VCC (compilation) process no longer loads VMODs with ``dlopen(3)`` to collect their metadata. * Stevedore initialization via the ``.init()`` callback has been moved to the worker process. * The parameter ``tcp_keepalive_time`` is supported on MacOS. * Duration parameters can optionally take a unit, with the same syntax as duration units in VCL. Example: ``param.set default_grace 1h``. * Calls to ``VRT_CacheReqBody()`` and ``std.cache_req_body`` from outside client vcl subs now fail properly instead of triggering an assertion failure (3846_). * New ``"B"`` string for the package branch in ``VCS_String()``. For the 7.2.0 version, it would yield the 7.2 branch. * The Varnish version and branch are available in ``varnishtest`` through the ``${pkg_version}`` and ``${pkg_branch}`` macros. * New ``${topsrc}`` macro in ``varnishtest -i`` mode. * New ``process pNAME -match-text`` command in ``varnishtest`` to expect text matching a regular expression on screen. OBS-URL: https://build.opensuse.org/request/show/1032206 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=117
2022-10-30 21:01:40 +01:00
-------------------------------------------------------------------
Sat Oct 29 13:43:46 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 7.2.0:
* Functions ``VRT_AddVDP()``, ``VRT_AddVFP()``,
``VRT_RemoveVDP()`` and ``VRT_RemoveVFP()`` are deprecated.
* Cookie headers generated by vmod_cookie no longer have a
spurious trailing semicolon at the end of the string. This
could break VCL relying on the previous incorrect behavior.
* The ``SessClose`` and ``BackendClose`` reason ``rx_body``,
which previously output ``Failure receiving req.body``, has
been rewritten to ``Failure receiving body``.
* Prototypical Varnish Extensions (VEXT). Similar to VMODs, a
VEXT is loaded by the cache process. Unlike VMODs that have
the combined lifetime of all the VCLs that reference them, a
VEXT has the lifetime of the cache process itself. There are
no built-in extensions so far.
* Duration parameters can optionally take a unit, with the same
syntax as duration units in VCL.
* Calls to ``VRT_CacheReqBody()`` and ``std.cache_req_body``
from outside client vcl subs now fail properly instead of
triggering an assertion failure.
* New "B" string for the package branch in ``VCS_String()``.
For the 7.2.0 version, it would yield the 7.2 branch.
* The new ``vcc_feature`` bits parameter replaces previous
``vcc_*`` boolean parameters. The latter still exist as
deprecated aliases.
* The ``-k`` option from ``varnishlog`` is now supported by
``varnishncsa``.
* New functions ``std.now()`` and ``std.timed_call()`` in
vmod_std.
Accepting request 1032206 from home:dirkmueller:Factory - update to 7.2.0: * Functions ``VRT_AddVDP()``, ``VRT_AddVFP()``, ``VRT_RemoveVDP()`` and ``VRT_RemoveVFP()`` are deprecated. * Cookie headers generated by vmod_cookie no longer have a spurious trailing semi-colon (``';'``) at the end of the string. This could break VCL relying on the previous incorrect behavior. * The ``SessClose`` and ``BackendClose`` reason ``rx_body``, which previously output ``Failure receiving req.body``, has been rewritten to ``Failure receiving body``. * Prototypical Varnish Extensions (VEXT). Similar to VMODs, a VEXT is loaded by the cache process. Unlike VMODs that have the combined lifetime of all the VCLs that reference them, a VEXT has the lifetime of the cache process itself. There are no built-in extensions so far. * The VCC (compilation) process no longer loads VMODs with ``dlopen(3)`` to collect their metadata. * Stevedore initialization via the ``.init()`` callback has been moved to the worker process. * The parameter ``tcp_keepalive_time`` is supported on MacOS. * Duration parameters can optionally take a unit, with the same syntax as duration units in VCL. Example: ``param.set default_grace 1h``. * Calls to ``VRT_CacheReqBody()`` and ``std.cache_req_body`` from outside client vcl subs now fail properly instead of triggering an assertion failure (3846_). * New ``"B"`` string for the package branch in ``VCS_String()``. For the 7.2.0 version, it would yield the 7.2 branch. * The Varnish version and branch are available in ``varnishtest`` through the ``${pkg_version}`` and ``${pkg_branch}`` macros. * New ``${topsrc}`` macro in ``varnishtest -i`` mode. * New ``process pNAME -match-text`` command in ``varnishtest`` to expect text matching a regular expression on screen. OBS-URL: https://build.opensuse.org/request/show/1032206 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=117
2022-10-30 21:01:40 +01:00
* New ``MAIN.shm_bytes`` counter.
* A ``req.http.via`` header is set before entering
``vcl_recv``. Via headers are generated using the
``server.identity`` value. It defaults to the host name and
can be turned into a pseudonym with the ``varnishd -i``
option. Via headers are appended in both directions, to work
with other hops that may advertise themselves.
* A ``resp.http.via`` header is no longer overwritten by
varnish, but rather appended to.
* The ``server.identity`` syntax is now limited to a "token" as
defined in the HTTP grammar to be suitable for Via headers.
* In ``varnishtest`` a Varnish instance will use its VTC
instance name as its instance name (``varnishd -i``) by
default for predictable Via headers in test cases.
Accepting request 1032206 from home:dirkmueller:Factory - update to 7.2.0: * Functions ``VRT_AddVDP()``, ``VRT_AddVFP()``, ``VRT_RemoveVDP()`` and ``VRT_RemoveVFP()`` are deprecated. * Cookie headers generated by vmod_cookie no longer have a spurious trailing semi-colon (``';'``) at the end of the string. This could break VCL relying on the previous incorrect behavior. * The ``SessClose`` and ``BackendClose`` reason ``rx_body``, which previously output ``Failure receiving req.body``, has been rewritten to ``Failure receiving body``. * Prototypical Varnish Extensions (VEXT). Similar to VMODs, a VEXT is loaded by the cache process. Unlike VMODs that have the combined lifetime of all the VCLs that reference them, a VEXT has the lifetime of the cache process itself. There are no built-in extensions so far. * The VCC (compilation) process no longer loads VMODs with ``dlopen(3)`` to collect their metadata. * Stevedore initialization via the ``.init()`` callback has been moved to the worker process. * The parameter ``tcp_keepalive_time`` is supported on MacOS. * Duration parameters can optionally take a unit, with the same syntax as duration units in VCL. Example: ``param.set default_grace 1h``. * Calls to ``VRT_CacheReqBody()`` and ``std.cache_req_body`` from outside client vcl subs now fail properly instead of triggering an assertion failure (3846_). * New ``"B"`` string for the package branch in ``VCS_String()``. For the 7.2.0 version, it would yield the 7.2 branch. * The Varnish version and branch are available in ``varnishtest`` through the ``${pkg_version}`` and ``${pkg_branch}`` macros. * New ``${topsrc}`` macro in ``varnishtest -i`` mode. * New ``process pNAME -match-text`` command in ``varnishtest`` to expect text matching a regular expression on screen. OBS-URL: https://build.opensuse.org/request/show/1032206 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=117
2022-10-30 21:01:40 +01:00
* VMOD and VEXT authors can use functions from ``vnum.h``.
* Do not filter pseudo-headers as regular headers.
* The termination rules for ``WRK_BgThread()`` were relaxed to
allow VMODs to use it.
* ``(struct worker).handling`` has been moved to the newly
introduced ``struct wrk_vpi`` and replaced by a pointer to
it, as well as ``(struct vrt_ctx).handling`` has been
replaced by that pointer. ``struct wrk_vpi`` is for state at
the interface between VRT and VGC and, in particular, is not
const as ``struct vrt_ctx`` aka ``VRT_CTX``.
* Panics now contain information about VCL source files and
lines.
* The ``Begin`` log record has a 4th field for subtasks like
ESI sub-requests.
* The ``-E`` option for log utilities now works as documented,
with any type of sub-task based on the ``Begin[4]`` field.
This covers ESI like before, and sub-tasks spawned by VMODs
(provided that they log the new field).
Accepting request 1032206 from home:dirkmueller:Factory - update to 7.2.0: * Functions ``VRT_AddVDP()``, ``VRT_AddVFP()``, ``VRT_RemoveVDP()`` and ``VRT_RemoveVFP()`` are deprecated. * Cookie headers generated by vmod_cookie no longer have a spurious trailing semi-colon (``';'``) at the end of the string. This could break VCL relying on the previous incorrect behavior. * The ``SessClose`` and ``BackendClose`` reason ``rx_body``, which previously output ``Failure receiving req.body``, has been rewritten to ``Failure receiving body``. * Prototypical Varnish Extensions (VEXT). Similar to VMODs, a VEXT is loaded by the cache process. Unlike VMODs that have the combined lifetime of all the VCLs that reference them, a VEXT has the lifetime of the cache process itself. There are no built-in extensions so far. * The VCC (compilation) process no longer loads VMODs with ``dlopen(3)`` to collect their metadata. * Stevedore initialization via the ``.init()`` callback has been moved to the worker process. * The parameter ``tcp_keepalive_time`` is supported on MacOS. * Duration parameters can optionally take a unit, with the same syntax as duration units in VCL. Example: ``param.set default_grace 1h``. * Calls to ``VRT_CacheReqBody()`` and ``std.cache_req_body`` from outside client vcl subs now fail properly instead of triggering an assertion failure (3846_). * New ``"B"`` string for the package branch in ``VCS_String()``. For the 7.2.0 version, it would yield the 7.2 branch. * The Varnish version and branch are available in ``varnishtest`` through the ``${pkg_version}`` and ``${pkg_branch}`` macros. * New ``${topsrc}`` macro in ``varnishtest -i`` mode. * New ``process pNAME -match-text`` command in ``varnishtest`` to expect text matching a regular expression on screen. OBS-URL: https://build.opensuse.org/request/show/1032206 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=117
2022-10-30 21:01:40 +01:00
* No more ``req.http.transfer-encoding`` for ESI sub-requests.
* The thread pool reserve is now limited to tasks that can be
queued. A backend background fetch is no longer eligible for
queueing. It would otherwise slow a grace hit down
significantly when thread pools are saturated.
* The unused ``fetch_no_thread`` counter was renamed to
``bgfetch_no_thread`` because regular backend fetch tasks are
always scheduled.
Accepting request 1032206 from home:dirkmueller:Factory - update to 7.2.0: * Functions ``VRT_AddVDP()``, ``VRT_AddVFP()``, ``VRT_RemoveVDP()`` and ``VRT_RemoveVFP()`` are deprecated. * Cookie headers generated by vmod_cookie no longer have a spurious trailing semi-colon (``';'``) at the end of the string. This could break VCL relying on the previous incorrect behavior. * The ``SessClose`` and ``BackendClose`` reason ``rx_body``, which previously output ``Failure receiving req.body``, has been rewritten to ``Failure receiving body``. * Prototypical Varnish Extensions (VEXT). Similar to VMODs, a VEXT is loaded by the cache process. Unlike VMODs that have the combined lifetime of all the VCLs that reference them, a VEXT has the lifetime of the cache process itself. There are no built-in extensions so far. * The VCC (compilation) process no longer loads VMODs with ``dlopen(3)`` to collect their metadata. * Stevedore initialization via the ``.init()`` callback has been moved to the worker process. * The parameter ``tcp_keepalive_time`` is supported on MacOS. * Duration parameters can optionally take a unit, with the same syntax as duration units in VCL. Example: ``param.set default_grace 1h``. * Calls to ``VRT_CacheReqBody()`` and ``std.cache_req_body`` from outside client vcl subs now fail properly instead of triggering an assertion failure (3846_). * New ``"B"`` string for the package branch in ``VCS_String()``. For the 7.2.0 version, it would yield the 7.2 branch. * The Varnish version and branch are available in ``varnishtest`` through the ``${pkg_version}`` and ``${pkg_branch}`` macros. * New ``${topsrc}`` macro in ``varnishtest -i`` mode. * New ``process pNAME -match-text`` command in ``varnishtest`` to expect text matching a regular expression on screen. OBS-URL: https://build.opensuse.org/request/show/1032206 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=117
2022-10-30 21:01:40 +01:00
* The macros ``FEATURE()``, ``EXPERIMENT()``, ``DO_DEBUG()``,
``MGT_FEATURE()``, ``MGT_EXPERIMENT()``, ``MGT_DO_DEBUG()``
and ``MGT_VCC_FEATURE()`` now return a boolean value (``0``
or ``1``) instead of the (private) flag value.
* A regression in the transport code led MAIN.client_req to be
incremented for requests coming back from the waiting list,
it was fixed.
- Delete varnish-5.1.2-add-fallthrough-comments.patch
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
-------------------------------------------------------------------
Wed Sep 21 08:10:13 UTC 2022 - Bernhard Wiedemann <bwiedemann@suse.com>
- Make reload fail nicely on vcl syntax error
- Set TasksMax=16384 because default thread_pool_max is 5000
-------------------------------------------------------------------
Mon Sep 19 02:44:04 UTC 2022 - Bernhard Wiedemann <bwiedemann@suse.com>
- Fix varnish.service stop
-------------------------------------------------------------------
Sun Sep 18 03:26:45 UTC 2022 - Bernhard Wiedemann <bwiedemann@suse.com>
- Fix logrotate
- Add service reload
-------------------------------------------------------------------
Fri Aug 12 10:32:58 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
- Update to release 7.1.1 [boo#1202350] [CVE-2022-38150]
* Resolve a denial of service attack involving reason phrases.
-------------------------------------------------------------------
Mon May 16 20:10:21 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
- Update to release 7.1.0 [boo#1195188] [CVE-2022-23959]
* VCL: It is now possible to assign a BLOB value to a BODY
variable, in addition to STRING as before.
* VMOD: New STRING strftime(TIME time, STRING format) function
for UTC formatting.
-------------------------------------------------------------------
Wed Dec 1 10:27:19 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Modified:
* varnish.service
* varnishlog.service
-------------------------------------------------------------------
Fri Aug 6 10:02:27 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
- Update to release 6.6.1
* Fix an HTTP/2.0 request smuggling vulnerability. [bnc#1188470]
-------------------------------------------------------------------
Sun Jul 4 20:13:29 UTC 2021 - Dirk Müller <dmueller@suse.com>
- update to 6.6.0:
* The ban_cutoff parameter now refers to the overall length of
the ban list, including completed bans, where before only
non-completed (“active”) bans were counted towards ban_cutoff.
* Body bytes accounting has been fixed to always represent the
number of body bytes moved on the wire, exclusive of
protocol-specific overhead like HTTP/1 chunked encoding or
HTTP/2 framing.
* The connection close reason has been fixed to properly report
SC_RESP_CLOSE where previously only SC_REQ_CLOSE was reported.
* Unless the new validate_headers feature is disabled, all newly
set headers are now validated to contain only characters
allowed by RFC7230.
* The filter_re, keep_re and get_re functions from the bundled
cookie vmod have been changed to take the VCL_REGEX type. This
implies that their regular expression arguments now need to be
literal, not e.g. string.
* The interface for private pointers in VMODs has been changed,
the VRT backend interface has been changed, many filter
(VDP/VFP) related signatures have been changed, and the
stevedore API has been changed. (Details thereto, see online
changelog.)
-------------------------------------------------------------------
Fri Oct 2 12:27:56 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
- Update to release 6.5.1
* Bump the VRT_MAJOR_VERSION number defined in the vrt.h
-------------------------------------------------------------------
Thu Sep 17 08:34:30 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
- Update to release 6.5.0
* `PRIV_TOP` is now thread-safe to support parallel ESI
implementations.
* varnishstat's JSON output format (-j option) has been changed.
* Behavior for 304-type responses was changed not to update the
Content-Encoding response header of the stored object.
-------------------------------------------------------------------
Tue Jun 23 07:35:15 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
- Disable LTO, this randomly fails during link stage.
-------------------------------------------------------------------
Tue Jun 9 19:33:32 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
- Update Git-Web repository link
- Set CFLAGS+=-fcommon.
-------------------------------------------------------------------
Tue Mar 17 12:59:44 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
- Update to release 6.4.0
* The MAIN.sess_drop counter is gone.
* backend "none" was added for "no backend".
* The hash algorithm of the hash director was changed, so
backend selection will change once only when upgrading.
* It is now possible for VMOD authors to customize the
connection pooling of a dynamic backend.
* For more, see changes.rst.
-------------------------------------------------------------------
Tue Feb 25 08:39:21 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
- Update to release 6.3.2
* Fix a denial of service vulnerability when using the proxy
protocol version 2.
-------------------------------------------------------------------
Tue Sep 17 11:23:27 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Update to release 6.3.0
* The Host: header is folded to lower-case in the builtin_vcl.
* Improved performance of shared memory statistics counters.
* Synthetic objects created from vcl_backend_error {} now
replace existing stale objects as ordinary backend fetches
would (for details see changes.rst)
-------------------------------------------------------------------
Wed Sep 4 10:27:37 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Update to release 6.2.1
* Bugfix for CVE-2019-15892 [boo#1149382]
-------------------------------------------------------------------
Mon Aug 26 10:52:05 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Add uninit.patch.
-------------------------------------------------------------------
Wed Mar 27 10:01:08 UTC 2019 - Samu Voutilainen <smar@smar.fi>
- Updated to 6.2.0
* Added a thread pool watchdog which will restart the worker
process if scheduling tasks onto worker threads appears
stuck. The new parameter "thread_pool_watchdog" configures
it.
- Disabled error for clobbering, which caused bogus
error in varnishtest
-------------------------------------------------------------------
Wed May 2 06:47:32 UTC 2018 - jengelh@inai.de
- Put %fillup back into %post
-------------------------------------------------------------------
Mon Mar 19 22:22:35 UTC 2018 - jengelh@inai.de
- Update to new upstream release 6.0.0
* Added support for Unix Domain Sockets, both for clients and
for backend servers. This brings a new level of the VCL
language, version 4.1.
* Always use HTTP/1.1 on backend connections for pass fetch.
-------------------------------------------------------------------
Thu Nov 23 13:50:41 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
Fri Jun 23 19:42:07 UTC 2017 - antoine.belvire@opensuse.org
- Update to version 5.1.2:
* Fix an endless loop in Backend Polling (#2295)
* Fix a Chunked bug in tight workspaces (#2207, #2275)
* Fix a bug relating to req.body when on waitinglist (#2266)
* Handle EPIPE on broken TCP connections (#2267)
* Work around the x86 arch's turbo-double FP format in parameter
setup code. (#1875)
* Fix race related to backend probe with proxy header (#2278)
* Keep VCL temperature consistent between mgt/worker also when
worker protests.
* A lot of HTTP/2 fixes.
- Changes introduced by version 5.1.1:
* Fix bug introduced by stubborn old bugger right before release
5.1.0 was cut.
- Changes introduced by version 5.1.0:
* Added varnishd command-line options -I, -x and -?, and
tightened restrictions on permitted combinations of options.
* More progress on support for HTTP/2.
* Add ``return(fail)`` to almost all VCL subroutines.
* Restored the old hit-for-pass, invoked with
``return(pass(DURATION))`` from
``vcl_backend_response``. hit-for-miss remains the default.
Added the cache_hitmiss stat, and cache_hitpass only counts the
new/old hit-for-pass cases. Restored HitPass to the Varnish
log, and added HitMiss. Added the HFP prefix to TTL log entries
to log a hit-for-pass duration.
* Rolled back the fix for #1206. Client delivery decides solely
whether to send a 304 client response, based on client request
and response headers.
* Added vtest.sh.
* Added vxid as a lefthand side for VSL queries.
* Added the setenv and write_body commands for Varnish test cases
(VTCs). err_shell is deprecated. Also added the operators
-cliexpect, -match and -hdrlen, and -reason replaces -msg.
Added the ${bad_backend} macro.
* varnishtest can be stopped with the TERM, INT and KILL signals,
but not with HUP.
* The fallback director has now an extra, optional parameter to
keep using the current backend until it falls sick.
* VMOD shared libraries are now copied to the workdir, to avoid
problems when VMODs are updated via packaging systems.
* Bump the VRT version to 6.0.
* Export more symbols from libvarnishapi.so.
* The size of the VSL log is limited to 4G-1b, placing upper
bounds on the -l option and the vsl_space and vsm_space
parameters.
* Added parameters clock_step, thread_pool_reserve and
ban_cutoff.
* Parameters vcl_dir and vmod_dir are deprecated, use vcl_path
and vmod_path instead.
* All parameters are defined, even on platforms that don't
support them. An unsupported parameter is documented as such in
param.show. Setting such a parameter is not an error, but has
no effect.
* Clarified the interpretations of the + and - operators in VCL
with operands of the various data types.
* DURATION types may be used in boolean contexts.
* INT, DURATION and REAL values can now be negative.
* Response codes 1000 or greater may now be set in VCL
internally. resp.status is delivered modulo 1000 in client
responses.
* IP addresses can be compared for equality in VCL.
* Introduce the STEVEDORE data type, and the objects
storage.SNAME in VCL. Added req.storage and beresp.storage;
beresp.storage_hint is deprecated.
* Retired the umem stevedore.
* req.ttl is deprecated.
* Added std.getenv() and std.late_100_continue().
* The fetch_failed stat is incremented for any kind of fetch
failure.
* Added the stats n_test_gunzip and
bans_lurker_obj_killed_cutoff.
* Clarified the meanings of the %r, %{X}i and %{X}o formatters in
varnishncsa.
- Add varnish-5.1.2-add-fallthrough-comments.patch to fix build
with GCC 7 (boo#1041259).
-------------------------------------------------------------------
Tue May 16 20:14:01 UTC 2017 - dimstar@opensuse.org
- BuildRequire python3-docutils instead of python-docutils.
-------------------------------------------------------------------
Sun Sep 25 13:44:37 UTC 2016 - jengelh@inai.de
- Update to new upstream release 5.0.0
- The varnishd "-u NNN" option, which may be remaining in
/etc/sysconfig/varnish, has been replaced with "-j unix,user=NNN".
* Varnish 5.0 changes some (mostly) internal APIs and adds some
major new features over Varnish 4.1.
* 5.0 supports jumping from the active VCL's vcl_recv{} to another
VCL via a VCL label.
* Very Experimental HTTP/2 support
* We have added to the "directors" VMOD — an overhauled version of
a director which was available as an out-of-tree VMOD under the
name VSLP for a couple of years. It is basically a better hash
director which uses consistent hashing to provide improved
stability of backend node selection when the configuration and/or
health state of backends changes.
* Hit-For-Pass is now actually Hit-For-Miss
* We have made the ban lurker even more efficient by example of
some real live situations with tens of thousands of bans using
inefficient regular expressions.
* The waitinglist logic for ESI subrequests now uses condition
variables to trigger immediate continuation of ESI processing
when an object being waited for becomes available.
* Backend PROXY protocol requests are now supported through the
.proxy_header attribute of the backend definition.
* VCL files are now also being searched for in
/usr/share/varnish/vcl if not found in /etc/varnish.
* The basic device detection vcl is now bundled with varnish.
-------------------------------------------------------------------
Thu Aug 18 07:08:52 UTC 2016 - dimstar@opensuse.org
- Add "-ffloat-store -fexcess-precision=standard" to CFLAGS when
building for ix86, working around bug gcc#323. See also
gh#varnish/Varnish-Cache#88.
-------------------------------------------------------------------
Fri Apr 22 14:15:43 UTC 2016 - jengelh@inai.de
- Update to new upstream release 4.1.2
* vmods: Passing VCL ACL to a vmod is now possible.
* vmods: VRT_MINOR_VERSION increase due to new function:
VRT_acl_match()
* Be stricter when parsing a HTTP request to avoid potential HTTP
smuggling attacks against vulnerable backends.
-------------------------------------------------------------------
Tue Mar 8 08:47:30 UTC 2016 - jengelh@inai.de
- Report testsuite failure to build log and make testsuite nonfatal
as there seems to be one swaying test, tests/r01478.vtc.
-------------------------------------------------------------------
Tue Feb 16 12:52:51 UTC 2016 - eshmarnev@suse.com
- disable silent rules in spec file.
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
- enable testsuite for varnish.
-------------------------------------------------------------------
Tue Feb 16 12:16:47 UTC 2016 - eshmarnev@suse.com
- Update to new upstream release 4.1.1
* Improved security features (jails).
* Support for PROXY protocol.
* Warm and cold VCL states.
* Backends defined through VMODs.
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
* A lot of bugs were fixed.
- Delete 0001-Fail-fetch-on-malformed-Content-Length-header.patch,
this issue was fixed in upstream.
- Add 'su varnish varnish' line to varnish.logrotate file.
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
- Cleanup with spec-cleaner.
-------------------------------------------------------------------
Fri Mar 27 10:34:15 UTC 2015 - jengelh@inai.de
- Update to new upstream release 4.0.3
* Full support for streaming objects through from the backend on a
cache miss. Bytes will be sent to 1..n requesting clients as they
come in from the backend server.
* Background (re)fetch of expired objects. On a cache miss where a
stale copy is available, serve the client the stale copy while
fetching an updated copy from the backend in the background.
* New varnishlog query language, allowing automatic grouping of
requests when debugging ESI or a failed backend request.
* Comprehensive request timestamp and byte counters.
- Add 0001-Fail-fetch-on-malformed-Content-Length-header.patch
[bnc#921316]
-------------------------------------------------------------------
Fri Jan 3 10:57:19 UTC 2014 - danimo@owncloud.com
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
- Updated to 3.0.5, contains fix for CVE-2013-4484
* A bad interaction between -b, -c and -m in the varnishlog tool
has been fixed.
* A malformed request could in some configurations lead to Varnish
crashing has been corrected. (CVE-2013-4484)
* Duplicate Content-Length headers were in some cases sent to
clients when streaming is enabled, this has been fixed.
* ESI parse errors are no longer printed to standard output.
* Stop segfaulting if the first part of a synthetic page is NULL.
- Remove 0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch
and varnish-disable-pcrejit.diff (merged upstream)
-------------------------------------------------------------------
Fri Nov 1 18:52:49 UTC 2013 - jengelh@inai.de
- Add 0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch
(CVE-2013-4484, bnc#48451)
-------------------------------------------------------------------
Fri Oct 4 21:48:01 UTC 2013 - jengelh@inai.de
- Deactivate libpcre JIT (bnc#839358), add varnish-disable-pcrejit.diff
-------------------------------------------------------------------
Sun Sep 23 21:30:35 UTC 2012 - nmo.marques@gmail.com
- Update to version 3.0.3
* Fixed excessive session workspace allocations.
* Fixed some crashes in the case of out of memory
* Fixed an infinite loop in the regex parser.
* DNS director now uses port 80 by default if not specified.
* Introduce idle_send_timeout and increase default value for
send_timeout to 600s. This allows a long send timeout for slow
clients while still being able to disconnect idle clients.
* Fixed a crash when passing with streaming on.
* Fixed a crash in the idle session timeout code.
* Fixed an issue where the poll waiter did not timeout clients if
all clients were idle.
* Log regex errors instead of crashing.
* Introduce pcre_match_limit, and pcre_match_limit_recursion
parameters.
* Add CLI commands to manually control health state of a
backend.
-------------------------------------------------------------------
Wed Feb 8 23:26:10 UTC 2012 - jengelh@medozas.de
- Update to new upstream release 3.0.2
* Add support for ESI and gzip
* Handle objects larger than 2G
* HTTP Range support is now enabled by default
* "307 Temporary redirect" is now considered cacheable
* see ChangeLog (packaged) or
http://varnish-cache.org/trac/browser/doc/changes.rst
for details
- Note that the -s file,/var/cache/varnish,524288 argument (check
/etc/sysconfig/varnish) needs at least "1M" instead of 524288
or the daemon will not start anymore.
- Add systemd unit files
-------------------------------------------------------------------
Thu Dec 8 13:51:14 UTC 2011 - coolo@suse.com
- fix license to be in spdx.org format
-------------------------------------------------------------------
Tue May 10 14:01:13 UTC 2011 - crrodriguez@opensuse.org
- Varnish Requires a C compiler, the vcl scripts are compiled
and loaded as DSO.
-------------------------------------------------------------------
Sat Apr 16 17:26:10 UTC 2011 - crrodriguez@opensuse.org
- remove configure option --enable-debugging-symbols
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
it overrides buildsystem optimization levels.
-------------------------------------------------------------------
Sat Apr 16 17:12:11 UTC 2011 - crrodriguez@opensuse.org
- Update to version 2.1.5
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
* Two bugs relating to Content-Length and possible duplication
of Content-Length headers have been resolved.
* Fixed an issue with re-using connections after Chunked-Encoding.
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
* Use the time of cache-insertion for "If-Modified-Since" requests
if a "Last-Modified" header isn't provided by the backend.
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
* Merge multi-line Vary and Cache-Control headers from clients,
which Google Chromium seem to split up.
-------------------------------------------------------------------
Fri Apr 15 22:36:02 UTC 2011 - mrueckert@suse.de
- use pkgconfig instead of pkg-config on SLES 9
-------------------------------------------------------------------
Sun Apr 3 23:38:24 UTC 2011 - jengelh@medozas.de
- Fix security-problematic ownership of /etc/varnish files
(bnc#678811)
- Run spec-beautifier over it
- Replace default shipped vcl.conf by something working
- Run as varnish user
- Start varnishlog together with varnishd
- Properly use PID files in init script
-------------------------------------------------------------------
Sat Oct 9 04:31:06 UTC 2010 - jengelh@medozas.de
- Create and package /var/log/varnish
-------------------------------------------------------------------
Thu Aug 5 22:11:24 UTC 2010 - jengelh@medozas.de
- Update to new upstream release: 2.1.3
* fixed an off-by-one error in the ESI handling causing includes to
fail a large part of the time.
* Avoid triggering an assert if the other end closes the connection
while we are lingering and waiting for another request from them.
* Make it possible to specify the per-thread stack size. This might
be useful on 32 bit systems with their limited address space.
* Persistent storage is now experimentally supported using the
persistent stevedore. It has the same command line arguments as
the file stevedore.
* The regular expression engine is now PCRE instead of POSIX
regular expressions.
* Add a new hashing method called critbit. This autoscales and
should work better on large object workloads than the classic
hash. Critbit has been made the default hash algorithm.
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
* Add support for authenticating CLI connections.
* Add hash director that chooses which backend to use depending on
req.hash.
* Add client director that chooses which backend to use depending
on the client's IP address. Note that this ignores the
X-Forwarded-For header.
Accepting request 1130176 from home:dirkmueller:Factory - update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. OBS-URL: https://build.opensuse.org/request/show/1130176 OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
2023-12-01 11:53:55 +01:00
* Add a timestamp to bans, so you can know how old they are.
* Varnish can now connect its CLI to a remote instance when
starting up, rather than just being connected to.
* It is no longer needed to specify the maximum number of HTTP
headers to allow from backends. This is now a run-time parameter.
* HEAD requests would be converted to GET requests too early, which
affected pass and pipe. This has been fixed.
* Add experimental support for the Range header. This has to be
enabled using the parameter http_range_support.
- Add PreReqs for %post
- Run %setup quietly
- Remove unneeded .la files from installation - libraries are in
a standard directory already
- Avoid use of bash-specific &>/dev/null during %post
- Refine file lists
- Remove old changelog from .spec - changelog is in .changes
-------------------------------------------------------------------
Tue Dec 15 15:03.01 CEST 2009 - jg@internetx.de
- update 2.0.5
-------------------------------------------------------------------
Fri Apr 3 13:48:01 CEST 2009 - mrueckert@suse.de
- update to 2.0.4
-------------------------------------------------------------------
Tue Mar 10 17:47:23 CET 2009 - mrueckert@suse.de
- update to 2.0.3
-------------------------------------------------------------------
Wed Jul 25 22:16:29 CEST 2007 - mrueckert@suse.de
- updated to 1.1
-------------------------------------------------------------------
Tue Feb 20 18:28:29 CET 2007 - mrueckert@suse.de
- update to version 1.0.3
Consistency issues with statistics and backend parameters were
fixed. Parsing of -w command-line options was fixed. A
short-lived DNS cache was added to avoid thrashing DNS servers
when the backend fails.
-------------------------------------------------------------------
Sat Dec 2 17:14:16 CET 2006 - mrueckert@suse.de
- fixing build on sles9
- added files from the official rh4 rpm:
o init scripts for non suse distros
o the default configs for all distros
- added init/sysconfig script for suse.
- we create a user now. Remaining TODO item: how to run varnish as
non root user on port 80?
-------------------------------------------------------------------
Sun Nov 19 03:37:50 CET 2006 - mrueckert@suse.de
- update to 1.0.2