Accepting request 1130176 from home:dirkmueller:Factory

- update to 7.4.2 (bsc#1216123, CVE-2023-44487):
  * The ``vcl_req_reset`` feature (controllable through the ``feature``
    parameter, see `varnishd(1)`) has been added and enabled by default
    to terminate client side VCL processing early when the client is
    gone.
    *req_reset* events trigger a VCL failure and are reported to
    `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
    in `vsc` as visible through ``varnishstat(1)``.
    In particular, this feature is used to reduce resource consumption
    of HTTP/2 "rapid reset" attacks (see below).
    Note that *req_reset* events may lead to client tasks for which no
    VCL is called ever. Presumably, this is thus the first time that
    valid `vcl(7)` client transactions may not contain any ``VCL_call``
    records.
  * Added mitigation options and visibility for HTTP/2 "rapid reset"
    attacks
    Global rate limit controls have been added as parameters, which can
    be overridden per HTTP/2 session from VCL using the new vmod ``h2``:
    * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
      define a threshold duration for an ``RST_STREAM`` to be classified
      as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
      duration after a ``HEADERS`` frame, it is accounted against the
      rate limit described below.
    * The ``h2_rapid_reset_limit`` parameter and
      ``h2.rapid_reset_limit()`` function define how many "rapid" resets
      may be received during the time span defined by the
      ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
      function before the HTTP/2 connection is forcibly closed with a
      ``GOAWAY`` and all ongoing VCL client tasks of the connection are
      aborted.

OBS-URL: https://build.opensuse.org/request/show/1130176
OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125

varnish-7.4.1.tgz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:874d837aaf49b8f2718cb60b8c8c7900e9ea10c264f218c88cd672d596f4b89f
-size 3970921

varnish-7.4.2.tgz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6d3d03c67514e6bb4e8584e40a381f51e708607d39337a63dc4ae42061d9a46f
+size 3977831

varnish.changes

@@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Fri Dec  1 09:34:39 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 7.4.2 (bsc#1216123, CVE-2023-44487):
+  * The ``vcl_req_reset`` feature (controllable through the ``feature``
+    parameter, see `varnishd(1)`) has been added and enabled by default
+    to terminate client side VCL processing early when the client is
+    gone.
+    *req_reset* events trigger a VCL failure and are reported to
+    `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
+    in `vsc` as visible through ``varnishstat(1)``.
+    In particular, this feature is used to reduce resource consumption
+    of HTTP/2 "rapid reset" attacks (see below).
+    Note that *req_reset* events may lead to client tasks for which no
+    VCL is called ever. Presumably, this is thus the first time that
+    valid `vcl(7)` client transactions may not contain any ``VCL_call``
+    records.
+  * Added mitigation options and visibility for HTTP/2 "rapid reset"
+    attacks
+    Global rate limit controls have been added as parameters, which can
+    be overridden per HTTP/2 session from VCL using the new vmod ``h2``:
+    * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
+      define a threshold duration for an ``RST_STREAM`` to be classified
+      as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
+      duration after a ``HEADERS`` frame, it is accounted against the
+      rate limit described below.
+    * The ``h2_rapid_reset_limit`` parameter and
+      ``h2.rapid_reset_limit()`` function define how many "rapid" resets
+      may be received during the time span defined by the
+      ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
+      function before the HTTP/2 connection is forcibly closed with a
+      ``GOAWAY`` and all ongoing VCL client tasks of the connection are
+      aborted.
+      The defaults are 100 and 60 seconds, corresponding to an allowance
+      of 100 "rapid" resets per minute.
+    * The ``h2.rapid_reset_budget()`` function can be used to query the
+      number of currently allowed "rapid" resets.
+    * Sessions closed due to rapid reset rate limiting are reported as
+      ``SessClose RAPID_RESET`` in `vsl(7)` and accounted to
+      ``main.sc_rapid_reset`` in `vsc` as visible through
+      ``varnishstat(1)``.
+  * The ``cli_limit`` parameter default has been increased from 48KB to
+    64KB.
+  * ``VSUB_closefrom()`` now falls back to the base implementation not
+    only if ``close_range()`` was determined to be unusable at compile
+    time, but also at run time. That is to say, even if
+    ``close_range()`` is compiled in, the fallback to the naive
+    implementation remains.
+
 -------------------------------------------------------------------
 Thu Sep 21 02:13:28 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
 

varnish.spec

@@ -25,7 +25,7 @@
 %define _fillupdir %_localstatedir/adm/fillup-templates
 %endif
 Name:           varnish
-Version:        7.4.1
+Version:        7.4.2
 Release:        0
 Summary:        Accelerator for HTTP services
 License:        BSD-2-Clause