Accepting request 1130176 from home:dirkmueller:Factory

- update to 7.4.2 (bsc#1216123, CVE-2023-44487):
  * The ``vcl_req_reset`` feature (controllable through the ``feature``
    parameter, see `varnishd(1)`) has been added and enabled by default
    to terminate client side VCL processing early when the client is
    gone.
    *req_reset* events trigger a VCL failure and are reported to
    `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
    in `vsc` as visible through ``varnishstat(1)``.
    In particular, this feature is used to reduce resource consumption
    of HTTP/2 "rapid reset" attacks (see below).
    Note that *req_reset* events may lead to client tasks for which no
    VCL is called ever. Presumably, this is thus the first time that
    valid `vcl(7)` client transactions may not contain any ``VCL_call``
    records.
  * Added mitigation options and visibility for HTTP/2 "rapid reset"
    attacks
    Global rate limit controls have been added as parameters, which can
    be overridden per HTTP/2 session from VCL using the new vmod ``h2``:
    * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
      define a threshold duration for an ``RST_STREAM`` to be classified
      as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
      duration after a ``HEADERS`` frame, it is accounted against the
      rate limit described below.
    * The ``h2_rapid_reset_limit`` parameter and
      ``h2.rapid_reset_limit()`` function define how many "rapid" resets
      may be received during the time span defined by the
      ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
      function before the HTTP/2 connection is forcibly closed with a
      ``GOAWAY`` and all ongoing VCL client tasks of the connection are
      aborted.

OBS-URL: https://build.opensuse.org/request/show/1130176
OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
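The per-session controls described in the commit message above, as an added VCL example that is not part of this request or of the Varnish project's own code. It assumes the get-and-set argument forms h2.rapid_reset(DURATION), h2.rapid_reset_limit(INT) and h2.rapid_reset_period(DURATION), that they may be called from vcl_recv, and that the cookie rule, numbers and backend are constructed placeholders.

```vcl
vcl 4.1;

import h2;
import std;

# Placeholder backend so the VCL compiles; not related to the feature.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # The global allowance comes from the varnishd parameters, e.g.
    #   varnishd -p h2_rapid_reset_limit=100 -p h2_rapid_reset_period=60s
    # (the 7.4.2 defaults). The calls below override them for this
    # HTTP/2 session only; on non-HTTP/2 sessions they are assumed to
    # return without effect.
    #
    # Constructed policy: anonymous clients (no session cookie) get a
    # tighter budget of 20 "rapid" resets per 60 s, where an RST_STREAM
    # counts as rapid if it is parsed within 2 s of the HEADERS frame.
    if (!req.http.Cookie || req.http.Cookie !~ "session=") {
        h2.rapid_reset(2s);
        h2.rapid_reset_limit(20);
        h2.rapid_reset_period(60s);
    }

    # Log the remaining allowance; it appears as a VCL_Log record in
    # vsl(7), next to any "Timestamp: Reset" or "SessClose RAPID_RESET".
    std.log("h2 rapid reset budget: " + h2.rapid_reset_budget());
}
```

Sessions that exhaust the budget are closed with a GOAWAY and counted in main.sc_rapid_reset, so varnishstat is the place to confirm the limit is biting.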
Jan Engelhardt 2023-12-01 10:53:55 +00:00 committed by Git OBS Bridge
parent 55077aa5c7
commit 89fe4afca9
4 changed files with 65 additions and 16 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:874d837aaf49b8f2718cb60b8c8c7900e9ea10c264f218c88cd672d596f4b89f
size 3970921

varnish-7.4.2.tgz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6d3d03c67514e6bb4e8584e40a381f51e708607d39337a63dc4ae42061d9a46f
size 3977831
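Review bot: the tarball swap is visible here only as an LFS pointer (oid sha256:6d3d03c6…, size 3977831), so this hunk by itself does not let a reviewer confirm that the archive is the upstream 7.4.2 release; please state in the request how the checksum was verified against upstream, or, if upstream publishes a signature for the release, ship it alongside the tarball so the check is reproducible at build time.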


@ -1,3 +1,52 @@
-------------------------------------------------------------------
Fri Dec 1 09:34:39 UTC 2023 - Dirk Müller <dmueller@suse.com>
- update to 7.4.2 (bsc#1216123, CVE-2023-44487):
* The ``vcl_req_reset`` feature (controllable through the ``feature``
parameter, see `varnishd(1)`) has been added and enabled by default
to terminate client side VCL processing early when the client is
gone.
*req_reset* events trigger a VCL failure and are reported to
`vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
in `vsc` as visible through ``varnishstat(1)``.
In particular, this feature is used to reduce resource consumption
of HTTP/2 "rapid reset" attacks (see below).
Note that *req_reset* events may lead to client tasks for which no
VCL is called ever. Presumably, this is thus the first time that
valid `vcl(7)` client transactions may not contain any ``VCL_call``
records.
* Added mitigation options and visibility for HTTP/2 "rapid reset"
attacks
Global rate limit controls have been added as parameters, which can
be overridden per HTTP/2 session from VCL using the new vmod ``h2``:
* The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
define a threshold duration for an ``RST_STREAM`` to be classified
as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
duration after a ``HEADERS`` frame, it is accounted against the
rate limit described below.
* The ``h2_rapid_reset_limit`` parameter and
``h2.rapid_reset_limit()`` function define how many "rapid" resets
may be received during the time span defined by the
``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
function before the HTTP/2 connection is forcibly closed with a
``GOAWAY`` and all ongoing VCL client tasks of the connection are
aborted.
The defaults are 100 and 60 seconds, corresponding to an allowance
of 100 "rapid" resets per minute.
* The ``h2.rapid_reset_budget()`` function can be used to query the
number of currently allowed "rapid" resets.
* Sessions closed due to rapid reset rate limiting are reported as
``SessClose RAPID_RESET`` in `vsl(7)` and accounted to
``main.sc_rapid_reset`` in `vsc` as visible through
``varnishstat(1)``.
* The ``cli_limit`` parameter default has been increased from 48KB to
64KB.
* ``VSUB_closefrom()`` now falls back to the base implementation not
only if ``close_range()`` was determined to be unusable at compile
time, but also at run time. That is to say, even if
``close_range()`` is compiled in, the fallback to the naive
implementation remains.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Sep 21 02:13:28 UTC 2023 - Jan Engelhardt <jengelh@inai.de> Thu Sep 21 02:13:28 UTC 2023 - Jan Engelhardt <jengelh@inai.de>
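Review bot: the new changelog entry gives defaults for ``h2_rapid_reset_limit`` and ``h2_rapid_reset_period`` (100 and 60 seconds) but not for the ``h2_rapid_reset`` threshold itself, which is what decides whether an ``RST_STREAM`` counts against that allowance; consider adding its default, or a pointer to `varnishd(1)`, so that a packager reading this entry can judge the out-of-the-box behaviour. Since the entry also says ``vcl_req_reset`` is enabled by default and turns a client disconnect into a VCL failure, it may be worth flagging that sites with custom VCL failure handling should check how the new ``Timestamp: Reset`` transactions look in their logging.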
@ -101,7 +150,7 @@ Sat Oct 29 13:43:46 UTC 2022 - Dirk Müller <dmueller@suse.com>
incremented for requests coming back from the waiting list, incremented for requests coming back from the waiting list,
it was fixed. it was fixed.
- Delete varnish-5.1.2-add-fallthrough-comments.patch - Delete varnish-5.1.2-add-fallthrough-comments.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Sep 21 08:10:13 UTC 2022 - Bernhard Wiedemann <bwiedemann@suse.com> Wed Sep 21 08:10:13 UTC 2022 - Bernhard Wiedemann <bwiedemann@suse.com>
@ -413,7 +462,7 @@ Tue Mar 8 08:47:30 UTC 2016 - jengelh@inai.de
Tue Feb 16 12:52:51 UTC 2016 - eshmarnev@suse.com Tue Feb 16 12:52:51 UTC 2016 - eshmarnev@suse.com
- disable silent rules in spec file. - disable silent rules in spec file.
- enable testsuite for varnish. - enable testsuite for varnish.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 16 12:16:47 UTC 2016 - eshmarnev@suse.com Tue Feb 16 12:16:47 UTC 2016 - eshmarnev@suse.com
@ -423,11 +472,11 @@ Tue Feb 16 12:16:47 UTC 2016 - eshmarnev@suse.com
* Support for PROXY protocol. * Support for PROXY protocol.
* Warm and cold VCL states. * Warm and cold VCL states.
* Backends defined through VMODs. * Backends defined through VMODs.
* A lot of bugs were fixed. * A lot of bugs were fixed.
- Delete 0001-Fail-fetch-on-malformed-Content-Length-header.patch, - Delete 0001-Fail-fetch-on-malformed-Content-Length-header.patch,
this issue was fixed in upstream. this issue was fixed in upstream.
- Add 'su varnish varnish' line to varnish.logrotate file. - Add 'su varnish varnish' line to varnish.logrotate file.
- Cleanup with spec-cleaner. - Cleanup with spec-cleaner.
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Mar 27 10:34:15 UTC 2015 - jengelh@inai.de Fri Mar 27 10:34:15 UTC 2015 - jengelh@inai.de
@ -448,7 +497,7 @@ Fri Mar 27 10:34:15 UTC 2015 - jengelh@inai.de
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jan 3 10:57:19 UTC 2014 - danimo@owncloud.com Fri Jan 3 10:57:19 UTC 2014 - danimo@owncloud.com
- Updated to 3.0.5, contains fix for CVE-2013-4484 - Updated to 3.0.5, contains fix for CVE-2013-4484
* A bad interaction between -b, -c and -m in the varnishlog tool * A bad interaction between -b, -c and -m in the varnishlog tool
has been fixed. has been fixed.
* A malformed request could in some configurations lead to Varnish * A malformed request could in some configurations lead to Varnish
@ -523,18 +572,18 @@ Tue May 10 14:01:13 UTC 2011 - crrodriguez@opensuse.org
Sat Apr 16 17:26:10 UTC 2011 - crrodriguez@opensuse.org Sat Apr 16 17:26:10 UTC 2011 - crrodriguez@opensuse.org
- remove configure option --enable-debugging-symbols - remove configure option --enable-debugging-symbols
it overrides buildsystem optimization levels. it overrides buildsystem optimization levels.
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Apr 16 17:12:11 UTC 2011 - crrodriguez@opensuse.org Sat Apr 16 17:12:11 UTC 2011 - crrodriguez@opensuse.org
- Update to version 2.1.5 - Update to version 2.1.5
* Two bugs relating to Content-Length and possible duplication * Two bugs relating to Content-Length and possible duplication
of Content-Length headers have been resolved. of Content-Length headers have been resolved.
* Fixed an issue with re-using connections after Chunked-Encoding. * Fixed an issue with re-using connections after Chunked-Encoding.
* Use the time of cache-insertion for "If-Modified-Since" requests * Use the time of cache-insertion for "If-Modified-Since" requests
if a "Last-Modified" header isn't provided by the backend. if a "Last-Modified" header isn't provided by the backend.
* Merge multi-line Vary and Cache-Control headers from clients, * Merge multi-line Vary and Cache-Control headers from clients,
which Google Chromium seem to split up. which Google Chromium seem to split up.
------------------------------------------------------------------- -------------------------------------------------------------------
@ -576,13 +625,13 @@ Thu Aug 5 22:11:24 UTC 2010 - jengelh@medozas.de
* Add a new hashing method called critbit. This autoscales and * Add a new hashing method called critbit. This autoscales and
should work better on large object workloads than the classic should work better on large object workloads than the classic
hash. Critbit has been made the default hash algorithm. hash. Critbit has been made the default hash algorithm.
* Add support for authenticating CLI connections. * Add support for authenticating CLI connections.
* Add hash director that chooses which backend to use depending on * Add hash director that chooses which backend to use depending on
req.hash. req.hash.
* Add client director that chooses which backend to use depending * Add client director that chooses which backend to use depending
on the client's IP address. Note that this ignores the on the client's IP address. Note that this ignores the
X-Forwarded-For header. X-Forwarded-For header.
* Add a timestamp to bans, so you can know how old they are. * Add a timestamp to bans, so you can know how old they are.
* Varnish can now connect its CLI to a remote instance when * Varnish can now connect its CLI to a remote instance when
starting up, rather than just being connected to. starting up, rather than just being connected to.
* It is no longer needed to specify the maximum number of HTTP * It is no longer needed to specify the maximum number of HTTP


@ -25,7 +25,7 @@
%define _fillupdir %_localstatedir/adm/fillup-templates %define _fillupdir %_localstatedir/adm/fillup-templates
%endif %endif
Name: varnish Name: varnish
Version: 7.4.1 Version: 7.4.2
Release: 0 Release: 0
Summary: Accelerator for HTTP services Summary: Accelerator for HTTP services
License: BSD-2-Clause License: BSD-2-Clause