forked from pool/varnish
Accepting request 1130193 from server:http
- update to 7.4.2 (bsc#1216123, CVE-2023-44487): * The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. *req_reset* events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that *req_reset* events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records. * Added mitigation options and visibility for HTTP/2 "rapid reset" attacks Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``: * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below. * The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. (forwarded request 1130176 from dirkmueller) OBS-URL: https://build.opensuse.org/request/show/1130193 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/varnish?expand=0&rev=44
This commit is contained in:
commit
4368f0cf74
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:874d837aaf49b8f2718cb60b8c8c7900e9ea10c264f218c88cd672d596f4b89f
|
||||
size 3970921
|
3
varnish-7.4.2.tgz
Normal file
3
varnish-7.4.2.tgz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:6d3d03c67514e6bb4e8584e40a381f51e708607d39337a63dc4ae42061d9a46f
|
||||
size 3977831
|
@ -1,3 +1,52 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Dec 1 09:34:39 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- update to 7.4.2 (bsc#1216123, CVE-2023-44487):
|
||||
* The ``vcl_req_reset`` feature (controllable through the ``feature``
|
||||
parameter, see `varnishd(1)`) has been added and enabled by default
|
||||
to terminate client side VCL processing early when the client is
|
||||
gone.
|
||||
*req_reset* events trigger a VCL failure and are reported to
|
||||
`vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
|
||||
in `vsc` as visible through ``varnishstat(1)``.
|
||||
In particular, this feature is used to reduce resource consumption
|
||||
of HTTP/2 "rapid reset" attacks (see below).
|
||||
Note that *req_reset* events may lead to client tasks for which no
|
||||
VCL is called ever. Presumably, this is thus the first time that
|
||||
valid `vcl(7)` client transactions may not contain any ``VCL_call``
|
||||
records.
|
||||
* Added mitigation options and visibility for HTTP/2 "rapid reset"
|
||||
attacks
|
||||
Global rate limit controls have been added as parameters, which can
|
||||
be overridden per HTTP/2 session from VCL using the new vmod ``h2``:
|
||||
* The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
|
||||
define a threshold duration for an ``RST_STREAM`` to be classified
|
||||
as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
|
||||
duration after a ``HEADERS`` frame, it is accounted against the
|
||||
rate limit described below.
|
||||
* The ``h2_rapid_reset_limit`` parameter and
|
||||
``h2.rapid_reset_limit()`` function define how many "rapid" resets
|
||||
may be received during the time span defined by the
|
||||
``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
|
||||
function before the HTTP/2 connection is forcibly closed with a
|
||||
``GOAWAY`` and all ongoing VCL client tasks of the connection are
|
||||
aborted.
|
||||
The defaults are 100 and 60 seconds, corresponding to an allowance
|
||||
of 100 "rapid" resets per minute.
|
||||
* The ``h2.rapid_reset_budget()`` function can be used to query the
|
||||
number of currently allowed "rapid" resets.
|
||||
* Sessions closed due to rapid reset rate limiting are reported as
|
||||
``SessClose RAPID_RESET`` in `vsl(7)` and accounted to
|
||||
``main.sc_rapid_reset`` in `vsc` as visible through
|
||||
``varnishstat(1)``.
|
||||
* The ``cli_limit`` parameter default has been increased from 48KB to
|
||||
64KB.
|
||||
* ``VSUB_closefrom()`` now falls back to the base implementation not
|
||||
only if ``close_range()`` was determined to be unusable at compile
|
||||
time, but also at run time. That is to say, even if
|
||||
``close_range()`` is compiled in, the fallback to the naive
|
||||
implementation remains.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 21 02:13:28 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
|
||||
|
||||
|
@ -25,7 +25,7 @@
|
||||
%define _fillupdir %_localstatedir/adm/fillup-templates
|
||||
%endif
|
||||
Name: varnish
|
||||
Version: 7.4.1
|
||||
Version: 7.4.2
|
||||
Release: 0
|
||||
Summary: Accelerator for HTTP services
|
||||
License: BSD-2-Clause
|
||||
|
Loading…
Reference in New Issue
Block a user