* The Varnish Delivery Processor (VDP) filter API has been generalized
to also accommodate future use for backend request bodies
* VDPs with no vdp_bytes_f function are now supported if the vdp_init_f
returns a value greater than zero to signify that the filter is not to
be added to the chain. This is useful to support VDPs which only need to
work on headers.
* The epoll and kqueue waiters have been improved to correctly report
WAITER_REMCLOSE, which increases the WAITER.*.remclose counter.
* varnishtest now supports the shutdown command corresponding to the
shutdown(2) standard C library call
* VSC counters for waiters have been added:
+ conns to count waits on idle connections
+ remclose to count idle connections closed by the peer
+ timeout to count idle connections which timed out in the waiter
+ action to count idle connections which resulted in a read
* The port of a listen_endpoint given with the -a argument to varnishd
can now also be a numerical port range like 80-89
* To implement the aforementioned feature, VSS_resolver_range() has been
added to libvarnish
* The ``Warning: mlock() of VSM failed`` message is now emitted when locking
of shared memory segments (via mlock(2)) fails.
* A bug has been fixed where string comparisons in VCL could fail with the
nonsensical error message ``Comparison of different types: STRING '=='
STRING``.
* An issue has been addressed in the builtin.vcl where backend responses
would fail if they contained a Content-Range header when no range was
requested.
* Additional SessError VSL events are now generated for various HTTP/2
protocol errors.
OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=133
- update to 7.4.2 (bsc#1216123, CVE-2023-44487):
* The ``vcl_req_reset`` feature (controllable through the ``feature``
parameter, see `varnishd(1)`) has been added and enabled by default
to terminate client side VCL processing early when the client is
gone.
*req_reset* events trigger a VCL failure and are reported to
`vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
in `vsc` as visible through ``varnishstat(1)``.
In particular, this feature is used to reduce resource consumption
of HTTP/2 "rapid reset" attacks (see below).
Note that *req_reset* events may lead to client tasks for which no
VCL is called at all. This is presumably the first time that
valid `vcl(7)` client transactions may not contain any ``VCL_call``
records.
* Added mitigation options and visibility for HTTP/2 "rapid reset"
attacks
Global rate limit controls have been added as parameters, which can
be overridden per HTTP/2 session from VCL using the new vmod ``h2``:
* The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
define a threshold duration for an ``RST_STREAM`` to be classified
as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
duration after a ``HEADERS`` frame, it is accounted against the
rate limit described below.
* The ``h2_rapid_reset_limit`` parameter and
``h2.rapid_reset_limit()`` function define how many "rapid" resets
may be received during the time span defined by the
``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
function before the HTTP/2 connection is forcibly closed with a
``GOAWAY`` and all ongoing VCL client tasks of the connection are
aborted. (forwarded request 1130176 from dirkmueller)
OBS-URL: https://build.opensuse.org/request/show/1130193
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/varnish?expand=0&rev=44
OBS-URL: https://build.opensuse.org/request/show/1130176
OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=125
- update to 7.2.0:
* Functions ``VRT_AddVDP()``, ``VRT_AddVFP()``, ``VRT_RemoveVDP()`` and
``VRT_RemoveVFP()`` are deprecated.
* Cookie headers generated by vmod_cookie no longer have a spurious trailing
semi-colon (``';'``) at the end of the string. This could break VCL relying
on the previous incorrect behavior.
* The ``SessClose`` and ``BackendClose`` reason ``rx_body``, which
previously output ``Failure receiving req.body``, has been rewritten
to ``Failure receiving body``.
* Prototypical Varnish Extensions (VEXT). Similar to VMODs, a VEXT is loaded
by the cache process. Unlike VMODs that have the combined lifetime of all
the VCLs that reference them, a VEXT has the lifetime of the cache process
itself. There are no built-in extensions so far.
* The VCC (compilation) process no longer loads VMODs with ``dlopen(3)`` to
collect their metadata.
* Stevedore initialization via the ``.init()`` callback has been moved
to the worker process.
* The parameter ``tcp_keepalive_time`` is supported on MacOS.
* Duration parameters can optionally take a unit, with the same syntax as
duration units in VCL. Example: ``param.set default_grace 1h``.
* Calls to ``VRT_CacheReqBody()`` and ``std.cache_req_body`` from outside
client VCL subs now fail properly instead of triggering an
assertion failure (3846_).
* New ``"B"`` string for the package branch in ``VCS_String()``. For the 7.2.0
version, it would yield the 7.2 branch.
* The Varnish version and branch are available in ``varnishtest`` through the
``${pkg_version}`` and ``${pkg_branch}`` macros.
* New ``${topsrc}`` macro in ``varnishtest -i`` mode.
* New ``process pNAME -match-text`` command in ``varnishtest`` to expect
text matching a regular expression on screen.
OBS-URL: https://build.opensuse.org/request/show/1032206
OBS-URL: https://build.opensuse.org/package/show/server:http/varnish?expand=0&rev=117