- update to 7.4.2 (bsc#1216123, CVE-2023-44487):
  * The ``vcl_req_reset`` feature (controllable through the ``feature``
    parameter, see `varnishd(1)`) has been added and enabled by default
    to terminate client side VCL processing early when the client is
    gone.

    *req_reset* events trigger a VCL failure and are reported to
    `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
    in `vsc` as visible through ``varnishstat(1)``.

    In particular, this feature is used to reduce resource consumption
    of HTTP/2 "rapid reset" attacks (see below).

    Note that *req_reset* events may lead to client tasks for which no
    VCL is called ever. Presumably, this is thus the first time that
    valid `vcl(7)` client transactions may not contain any ``VCL_call``
    records.
  * Added mitigation options and visibility for HTTP/2 "rapid reset"
    attacks

    Global rate limit controls have been added as parameters, which can
    be overridden per HTTP/2 session from VCL using the new vmod ``h2``:

    * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
      define a threshold duration for an ``RST_STREAM`` to be classified
      as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
      duration after a ``HEADERS`` frame, it is accounted against the
      rate limit described below.
    * The ``h2_rapid_reset_limit`` parameter and
      ``h2.rapid_reset_limit()`` function define how many "rapid" resets
      may be received during the time span defined by the
      ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
      function before the HTTP/2 connection is forcibly closed with a
      ``GOAWAY`` and all ongoing VCL client tasks of the connection are
      aborted. (forwarded request 1130176 from dirkmueller)
OBS-URL: https://build.opensuse.org/request/show/1130193
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/varnish?expand=0&rev=44
- update to 7.4.2 (bsc#1216123, CVE-2023-44487):
  * The ``vcl_req_reset`` feature (controllable through the ``feature``
    parameter, see `varnishd(1)`) has been added and enabled by default
    to terminate client side VCL processing early when the client is
    gone.

    *req_reset* events trigger a VCL failure and are reported to
    `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
    in `vsc` as visible through ``varnishstat(1)``.

    In particular, this feature is used to reduce resource consumption
    of HTTP/2 "rapid reset" attacks (see below).

    Note that *req_reset* events may lead to client tasks for which no
    VCL is called ever. Presumably, this is thus the first time that
    valid `vcl(7)` client transactions may not contain any ``VCL_call``
    records.
  * Added mitigation options and visibility for HTTP/2 "rapid reset"
    attacks

    Global rate limit controls have been added as parameters, which can
    be overridden per HTTP/2 session from VCL using the new vmod ``h2``:

    * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
      define a threshold duration for an ``RST_STREAM`` to be classified
      as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
      duration after a ``HEADERS`` frame, it is accounted against the
      rate limit described below.
    * The ``h2_rapid_reset_limit`` parameter and
      ``h2.rapid_reset_limit()`` function define how many "rapid" resets
      may be received during the time span defined by the
      ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
      function before the HTTP/2 connection is forcibly closed with a
      ``GOAWAY`` and all ongoing VCL client tasks of the connection are
      aborted.
OBS-URL: https://build.opensuse.org/request/show/1130176
OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
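The 7.4.2 entries above describe the three rapid-reset parameters and their per-session VCL overrides through vmod ``h2``. The following VCL is an added example of how a deployment might apply tighter per-session limits to HTTP/2 clients outside a trusted network; it is not code from the varnish package or this changelog. It assumes the ``h2.rapid_reset()``, ``h2.rapid_reset_limit()`` and ``h2.rapid_reset_period()`` functions accept an optional argument that sets the value for the current session, that ``h2.is()`` reports whether the session is HTTP/2 (both as in the Varnish 7.4 vmod_h2 documentation), and that the ACL, backend and threshold values are made up for the example.

```vcl
vcl 4.1;

# Added example, not part of the varnish package or its changelog.
# Assumption: vmod h2 functions take an optional argument that sets the
# per-session value (Varnish 7.4); without an argument they only read it.
import h2;
import std;

# Constructed backend address for the example.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Constructed example: clients from this range keep the global defaults
# set by the h2_rapid_reset* parameters (see varnishd(1)).
acl trusted_nets {
    "10.0.0.0"/8;
}

sub vcl_recv {
    # The overrides only apply to HTTP/2 sessions; on HTTP/1 they are
    # meaningless, so skip them there.
    if (h2.is() && client.ip !~ trusted_nets) {
        # An RST_STREAM arriving within 1s of the HEADERS frame is
        # classified as "rapid" (per-session view of h2_rapid_reset).
        h2.rapid_reset(1s);

        # At most 20 rapid resets per 60s on this session; beyond that
        # the connection is closed with GOAWAY and its client tasks are
        # aborted (per-session view of h2_rapid_reset_limit and
        # h2_rapid_reset_period).
        h2.rapid_reset_limit(20);
        h2.rapid_reset_period(60s);

        # Leave a marker in the log so the stricter policy is visible
        # next to any Timestamp: Reset records for this session.
        std.log("h2 rapid-reset: strict per-session limits applied");
    }
}
```

Because the overrides are per HTTP/2 session, the call must run in client-side VCL early enough to precede the streams it is meant to protect; ``vcl_recv`` of the first request on the connection is the natural place. Whether the policy is doing anything can be checked from the counters the entry names: ``main.req_reset`` in ``varnishstat(1)`` grows whenever a task is cut short by a *req_reset* event, and ``varnishlog`` shows the corresponding ``Timestamp: Reset`` records. The global defaults remain adjustable at runtime with ``varnishadm param.set`` on ``h2_rapid_reset``, ``h2_rapid_reset_limit`` and ``h2_rapid_reset_period``, and the early-termination behaviour itself is toggled through the ``feature`` parameter's ``vcl_req_reset`` flag.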
- update to 7.2.0:
* Functions ``VRT_AddVDP()``, ``VRT_AddVFP()``, ``VRT_RemoveVDP()`` and
``VRT_RemoveVFP()`` are deprecated.
* Cookie headers generated by vmod_cookie no longer have a spurious trailing
semi-colon (``';'``) at the end of the string. This could break VCL relying
on the previous incorrect behavior.
* The ``SessClose`` and ``BackendClose`` reason ``rx_body``, which
previously output ``Failure receiving req.body``, has been rewritten
to ``Failure receiving body``.
* Prototypical Varnish Extensions (VEXT). Similar to VMODs, a VEXT is loaded
by the cache process. Unlike VMODs that have the combined lifetime of all
the VCLs that reference them, a VEXT has the lifetime of the cache process
itself. There are no built-in extensions so far.
* The VCC (compilation) process no longer loads VMODs with ``dlopen(3)`` to
collect their metadata.
* Stevedore initialization via the ``.init()`` callback has been moved
to the worker process.
* The parameter ``tcp_keepalive_time`` is supported on MacOS.
* Duration parameters can optionally take a unit, with the same syntax as
duration units in VCL. Example: ``param.set default_grace 1h``.
* Calls to ``VRT_CacheReqBody()`` and ``std.cache_req_body`` from outside
client vcl subs now fail properly instead of triggering an
assertion failure (3846_).
* New ``"B"`` string for the package branch in ``VCS_String()``. For the 7.2.0
version, it would yield the 7.2 branch.
* The Varnish version and branch are available in ``varnishtest`` through the
``${pkg_version}`` and ``${pkg_branch}`` macros.
* New ``${topsrc}`` macro in ``varnishtest -i`` mode.
* New ``process pNAME -match-text`` command in ``varnishtest`` to expect
text matching a regular expression on screen.
OBS-URL: https://build.opensuse.org/request/show/1032206
OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=117