diff --git a/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch b/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch deleted file mode 100644 index 52e39a7..0000000 --- a/0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch +++ /dev/null @@ -1,136 +0,0 @@ -From 4bd5b7991bf602a6c46dd0d65fc04d4b8d9667a6 Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Wed, 30 Oct 2013 13:48:20 +0100 -Subject: [PATCH] Make up our mind: Any req.* we receive from the client with - fundamental trouble gets failed back without VCL involvement. -References: https://www.varnish-cache.org/trac/ticket/1367 -References: CVE-2013-4484 -References: https://bugzilla.novell.com/show_bug.cgi?id=848451 - -Fixes #1367 ---- - bin/varnishd/cache_center.c | 28 +++++++++++++++------------- - bin/varnishd/cache_http.c | 2 +- - bin/varnishtest/tests/r01367.vtc | 30 ++++++++++++++++++++++++++++++ - 3 files changed, 46 insertions(+), 14 deletions(-) - create mode 100644 bin/varnishtest/tests/r01367.vtc - -diff --git a/bin/varnishd/cache_center.c b/bin/varnishd/cache_center.c -index 19eb2ce..fdf7cee 100644 ---- a/bin/varnishd/cache_center.c -+++ b/bin/varnishd/cache_center.c -@@ -1474,9 +1474,12 @@ DOT start -> recv [style=bold,color=green] - static int - cnt_start(struct sess *sp) - { -- uint16_t done; -+ uint16_t err_code; - char *p; -- const char *r = "HTTP/1.1 100 Continue\r\n\r\n"; -+ const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n"; -+ const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n"; -+ const char *r_413 = "HTTP/1.1 413 Request Entity Too Large\r\n\r\n"; -+ const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n"; - - CHECK_OBJ_NOTNULL(sp, SESS_MAGIC); - AZ(sp->restarts); -@@ -1499,10 +1502,14 @@ cnt_start(struct sess *sp) - sp->wrk->vcl = NULL; - - http_Setup(sp->http, sp->ws); -- done = http_DissectRequest(sp); -+ err_code = http_DissectRequest(sp); - - /* If we could not even parse the request, just close */ -- if (done == 400) { -+ if (err_code == 400) -+ (void)write(sp->fd, r_400, strlen(r_400)); -+ else if (err_code == 413) -+ (void)write(sp->fd, r_413, strlen(r_413)); -+ if (err_code != 0) { - sp->step = STP_DONE; - vca_close_session(sp, "junk"); - return (0); -@@ -1514,12 +1521,6 @@ cnt_start(struct sess *sp) - /* Catch original request, before modification */ - HTTP_Copy(sp->http0, sp->http); - -- if (done != 0) { -- sp->err_code = done; -- sp->step = STP_ERROR; -- return (0); -- } -- - sp->doclose = http_DoConnection(sp->http); - - /* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */ -@@ -1529,13 +1530,14 @@ cnt_start(struct sess *sp) - */ - if (http_GetHdr(sp->http, H_Expect, &p)) { - if (strcasecmp(p, "100-continue")) { -- sp->err_code = 417; -- sp->step = STP_ERROR; -+ (void)write(sp->fd, r_417, strlen(r_417)); -+ sp->step = STP_DONE; -+ vca_close_session(sp, "junk"); - return (0); - } - - /* XXX: Don't bother with write failures for now */ -- (void)write(sp->fd, r, strlen(r)); -+ (void)write(sp->fd, r_100, strlen(r_100)); - /* XXX: When we do ESI includes, this is not removed - * XXX: because we use http0 as our basis. Believed - * XXX: safe, but potentially confusing. -diff --git a/bin/varnishd/cache_http.c b/bin/varnishd/cache_http.c -index 8753acc..605975b 100644 ---- a/bin/varnishd/cache_http.c -+++ b/bin/varnishd/cache_http.c -@@ -601,7 +601,7 @@ http_splitline(struct worker *w, int fd, struct http *hp, - hp->hd[h2].e = p; - - if (!Tlen(hp->hd[h2])) -- return (413); -+ return (400); - - /* Skip SP */ - for (; vct_issp(*p); p++) { -diff --git a/bin/varnishtest/tests/r01367.vtc b/bin/varnishtest/tests/r01367.vtc -new file mode 100644 -index 0000000..e1de20a ---- /dev/null -+++ b/bin/varnishtest/tests/r01367.vtc -@@ -0,0 +1,30 @@ -+varnishtest "blank GET" -+ -+server s1 { -+ rxreq -+ txresp -+} -start -+ -+varnish v1 -vcl+backend { -+ sub vcl_error { -+ return (restart); -+ } -+} -start -+ -+client c1 { -+ send "GET \nHost: example.com\n\n" -+ rxresp -+ expect resp.status == 400 -+} -run -+ -+client c1 { -+ txreq -hdr "Expect: Santa-Claus" -+ rxresp -+ expect resp.status == 417 -+} -run -+ -+client c1 { -+ txreq -+ rxresp -+ expect resp.status == 200 -+} -run --- -1.8.2 - diff --git a/varnish-3.0.3.tar.xz b/varnish-3.0.3.tar.xz deleted file mode 100644 index a9a58f6..0000000 --- a/varnish-3.0.3.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e5ca91011229ca8d225aa1080dd827041b8121436d8dcddef507b95305533741 -size 1152008 diff --git a/varnish-3.0.5.tar.gz b/varnish-3.0.5.tar.gz new file mode 100644 index 0000000..ecc8f2f --- /dev/null +++ b/varnish-3.0.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:302fd6afc771524ca3912f5d945ab197a55762385c012b2054df7d86bf7ae2b7 +size 2116664 diff --git a/varnish-disable-pcrejit.diff b/varnish-disable-pcrejit.diff deleted file mode 100644 index 2d60e24..0000000 --- a/varnish-disable-pcrejit.diff +++ /dev/null @@ -1,27 +0,0 @@ -From: Piotr Jankowski -Date: 2013-09-10 10:55:57 CEST -References: http://bugzilla.novell.com/show_bug.cgi?id=839358 -References: https://www.varnish-cache.org/trac/ticket/1191 - -"The JIT compiler is broken on some versions of PCRE, at least on -i386, so disable it by default." - ---- - lib/libvarnish/vre.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -Index: varnish-3.0.3/lib/libvarnish/vre.c -=================================================================== ---- varnish-3.0.3.orig/lib/libvarnish/vre.c -+++ varnish-3.0.3/lib/libvarnish/vre.c -@@ -40,9 +40,8 @@ struct vre { - pcre_extra *re_extra; - }; - --#ifndef PCRE_STUDY_JIT_COMPILE -+#undef PCRE_STUDY_JIT_COMPILE - #define PCRE_STUDY_JIT_COMPILE 0 --#endif - - /* - * We don't want to spread or even expose the majority of PCRE options diff --git a/varnish.changes b/varnish.changes index 0d0b949..247bbca 100644 --- a/varnish.changes +++ b/varnish.changes @@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Fri Jan 3 10:57:19 UTC 2014 - danimo@owncloud.com + +- Updated to 3.0.5, contains fix for CVE-2013-4484 + +- removed patches: + * 0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch +------------------------------------------------------------------- Fri Nov 1 18:52:49 UTC 2013 - jengelh@inai.de - Add 0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch diff --git a/varnish.spec b/varnish.spec index dd92db6..6dff52c 100644 --- a/varnish.spec +++ b/varnish.spec @@ -17,7 +17,7 @@ Name: varnish %define library_name libvarnishapi1 -Version: 3.0.3 +Version: 3.0.5 Release: 0 Summary: Varnish is a high-performance HTTP accelerator License: BSD-2-Clause @@ -27,7 +27,7 @@ URL: http://varnish-cache.org/ #Git-Clone: git://git.varnish-cache.org/varnish-cache #Git-Web: https://varnish-cache.org/trac/browser #DL-URL: http://downloads.sf.net/varnish/%name-%version.tar.bz2 -Source: %name-%version.tar.xz +Source: %name-%version.tar.gz Source2: varnish.init Source3: varnish.sysconfig Source4: vcl.conf @@ -35,11 +35,9 @@ Source5: varnish.logrotate Source6: varnishlog.init Source7: varnish.service Source8: varnishlog.service -Patch1: varnish-disable-pcrejit.diff -Patch2: 0001-Make-up-our-mind-Any-req.-we-receive-from-the-client.patch BuildRoot: %_tmppath/%name-%version-build -BuildRequires: libxslt, ncurses-devel, pcre-devel +BuildRequires: libxslt, ncurses-devel, pcre-devel, readline-devel BuildRequires: pkgconfig, xz Prereq(post): %_sbindir/useradd %_sbindir/groupadd %if 0%{?suse_version} >= 1010 @@ -99,7 +97,6 @@ This package holds the development files for varnish. %prep %setup -q -%patch -P 1 -P 2 -p1 %build export CFLAGS="%optflags -fstack-protector"