diff --git a/CVE-2025-30346.patch b/CVE-2025-30346.patch
deleted file mode 100644
index 63f976dbac013c83af293a0340e4a961e7a1d917..0000000000000000000000000000000000000000
--- a/CVE-2025-30346.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 8ef69a03b36aeac5f364c01eb20f821860e47f14 Mon Sep 17 00:00:00 2001
-From: Dag Haavi Finstad
-Date: Fri, 10 Jan 2025 13:07:54 +0100
-Subject: [PATCH] req_fsm: Close the connection on a malformed request
-
----
- bin/varnishd/cache/cache_req_fsm.c | 2 ++
- bin/varnishtest/tests/b00037.vtc | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/bin/varnishd/cache/cache_req_fsm.c b/bin/varnishd/cache/cache_req_fsm.c
-index 1004cbc5f47..803810210ef 100644
---- a/bin/varnishd/cache/cache_req_fsm.c
-+++ b/bin/varnishd/cache/cache_req_fsm.c
-@@ -962,6 +962,7 @@ cnt_recv(struct worker *wrk, struct req *req)
- if (http_CountHdr(req->http0, H_Host) > 1) {
- VSLb(req->vsl, SLT_BogoHeader, "Multiple Host: headers");
- wrk->stats->client_req_400++;
-+ req->doclose = SC_RX_BAD;
- (void)req->transport->minimal_response(req, 400);
- return (REQ_FSM_DONE);
- }
-@@ -969,6 +970,7 @@ cnt_recv(struct worker *wrk, struct req *req)
- if (http_CountHdr(req->http0, H_Content_Length) > 1) {
- VSLb(req->vsl, SLT_BogoHeader, "Multiple Content-Length: headers");
- wrk->stats->client_req_400++;
-+ req->doclose = SC_RX_BAD;
- (void)req->transport->minimal_response(req, 400);
- return (REQ_FSM_DONE);
- }
-diff --git a/bin/varnishtest/tests/b00037.vtc b/bin/varnishtest/tests/b00037.vtc
-index ce0e841123e..e6185bd0764 100644
---- a/bin/varnishtest/tests/b00037.vtc
-+++ b/bin/varnishtest/tests/b00037.vtc
-@@ -11,6 +11,7 @@ client c1 {
-
- varnish v1 -vsl_catchup
- varnish v1 -expect client_req_400 == 1
-+varnish v1 -expect sc_rx_bad == 1
-
- client c1 {
- txreq -method POST -hdr "Content-Length: 12" -hdr "Content-Length: 12" -bodylen 12
-@@ -20,6 +21,7 @@ client c1 {
-
- varnish v1 -vsl_catchup
- varnish v1 -expect client_req_400 == 2
-+varnish v1 -expect sc_rx_bad == 2
-
- varnish v1 -cliok "param.set feature +http2"
-
diff --git a/CVE-2025-47905-1.patch b/CVE-2025-47905-1.patch
deleted file mode 100644
index 2a3c93c5fa0bf3f2fbcd6c9cb4dd70f52de1a11d..0000000000000000000000000000000000000000
--- a/CVE-2025-47905-1.patch
+++ /dev/null
@@ -1,165 +0,0 @@ -From b5f1faba6e8d9848cfe0cba566986e7e5cc5f65b Mon Sep 17 00:00:00 2001 -From: Nils Goroll -Date: Mon, 30 May 2022 13:09:11 +0200 -Subject: [PATCH] v1f: Read end-of-chunk as part of the chunk - -Until now, we read the (CR)?LF at the end of a chunk as part of the -next chunk header (see: /* Skip leading whitespace */). - -For a follow up commit, we are going to want to know if the next chunk -header is available for read, so we now consume the chunk end as part -of the chunk itself. - -This also fixes a corner case: We previously accepted chunks with a -missing end-of-chunk (see fix of r01729.vtc). - -Ref: https://datatracker.ietf.org/doc/html/rfc7230#section-4.1 ---- - bin/varnishd/http1/cache_http1_vfp.c | 36 ++++++++++++++++++++-------- - bin/varnishtest/tests/r01184.vtc | 2 ++ - bin/varnishtest/tests/r01506.vtc | 16 ++++++------- - bin/varnishtest/tests/r01729.vtc | 6 ++--- - 4 files changed, 39 insertions(+), 21 deletions(-) - -diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c -index 20f349d1c2e..aceb5a628ce 100644 ---- a/bin/varnishd/http1/cache_http1_vfp.c -+++ b/bin/varnishd/http1/cache_http1_vfp.c -@@ -89,6 +89,24 @@ v1f_read(const struct vfp_ctx *vc, struct http_conn *htc, void *d, ssize_t len) - } - - -+/*-------------------------------------------------------------------- -+ * read (CR)?LF at the end of a chunk -+ */ -+static enum vfp_status -+v1f_chunk_end(struct vfp_ctx *vc, struct http_conn *htc) -+{ -+ char c; -+ -+ if (v1f_read(vc, htc, &c, 1) <= 0) -+ return (VFP_Error(vc, "chunked read err")); -+ if (c == '\r' && v1f_read(vc, htc, &c, 1) <= 0) -+ return (VFP_Error(vc, "chunked read err")); -+ if (c != '\n') -+ return (VFP_Error(vc, "chunked tail no NL")); -+ return (VFP_OK); -+} -+ -+ - /*-------------------------------------------------------------------- - * Read a chunked HTTP object. 
- * -@@ -99,6 +117,7 @@ static enum vfp_status v_matchproto_(vfp_pull_f) - v1f_chunked_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, - ssize_t *lp) - { -+ static enum vfp_status vfps; - struct http_conn *htc; - char buf[20]; /* XXX: 20 is arbitrary */ - char *q; -@@ -168,18 +187,15 @@ v1f_chunked_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, - return (VFP_Error(vc, "chunked insufficient bytes")); - *lp = lr; - vfe->priv2 -= lr; -- if (vfe->priv2 == 0) -- vfe->priv2 = -1; -- return (VFP_OK); -+ if (vfe->priv2 != 0) -+ return (VFP_OK); -+ -+ vfe->priv2 = -1; -+ return (v1f_chunk_end(vc, htc)); - } - AZ(vfe->priv2); -- if (v1f_read(vc, htc, buf, 1) <= 0) -- return (VFP_Error(vc, "chunked read err")); -- if (buf[0] == '\r' && v1f_read(vc, htc, buf, 1) <= 0) -- return (VFP_Error(vc, "chunked read err")); -- if (buf[0] != '\n') -- return (VFP_Error(vc, "chunked tail no NL")); -- return (VFP_END); -+ vfps = v1f_chunk_end(vc, htc); -+ return (vfps == VFP_OK ? VFP_END : vfps); - } - - static const struct vfp v1f_chunked = { -diff --git a/bin/varnishtest/tests/r01184.vtc b/bin/varnishtest/tests/r01184.vtc -index 0988e65a35a..94ecd3c23d9 100644 ---- a/bin/varnishtest/tests/r01184.vtc -+++ b/bin/varnishtest/tests/r01184.vtc -@@ -62,6 +62,7 @@ server s1 { - sendhex " 10 45 f3 a9 83 b8 18 1c 7b c2 30 55 04 17 13 c4" - sendhex " 0f 07 5f 7a 38 f4 8e 50 b3 37 d4 3a 32 4a 34 07" - sendhex " FF FF FF FF FF FF FF FF 72 ea 06 5f b3 1c fa dd" -+ send "\n" - expect_close - } -start - -@@ -93,6 +94,7 @@ server s1 { - sendhex " 10 45 f3 a9 83 b8 18 1c 7b c2 30 55 04 17 13 c4" - sendhex " 0f 07 5f 7a 38 f4 8e 50 b3 37 d4 3a 32 4a 34 07" - sendhex " FF FF FF FF FF FF FF FF 72 ea 06 5f b3 1c fa dd" -+ send "\n" - expect_close - } -start - -diff --git a/bin/varnishtest/tests/r01506.vtc b/bin/varnishtest/tests/r01506.vtc -index 96b7b54c9ad..f7f89a716ba 100644 ---- a/bin/varnishtest/tests/r01506.vtc -+++ b/bin/varnishtest/tests/r01506.vtc -@@ -7,15 +7,15 @@ server s0 { 
- txresp -nolen \ - -hdr "Transfer-Encoding: chunked" \ - -hdr "Connection: close" -- send "11\r\n0_23456789abcdef\n" -- send "11\r\n1_23456789abcdef\n" -- send "11\r\n2_23456789abcdef\n" -- send "11\r\n3_23456789abcdef\n" -+ send "11\r\n0_23456789abcdef\n\n" -+ send "11\r\n1_23456789abcdef\n\n" -+ send "11\r\n2_23456789abcdef\n\n" -+ send "11\r\n3_23456789abcdef\n\n" - barrier b1 sync -- send "11\r\n4_23456789abcdef\n" -- send "11\r\n5_23456789abcdef\n" -- send "11\r\n6_23456789abcdef\n" -- send "11\r\n7_23456789abcdef\n" -+ send "11\r\n4_23456789abcdef\n\n" -+ send "11\r\n5_23456789abcdef\n\n" -+ send "11\r\n6_23456789abcdef\n\n" -+ send "11\r\n7_23456789abcdef\n\n" - chunkedlen 0 - - } -dispatch -diff --git a/bin/varnishtest/tests/r01729.vtc b/bin/varnishtest/tests/r01729.vtc -index 883a60cc680..f6a01e97692 100644 ---- a/bin/varnishtest/tests/r01729.vtc -+++ b/bin/varnishtest/tests/r01729.vtc -@@ -11,7 +11,7 @@ server s1 { - send "\r\n" - send "14\r\n" - send "0123456789" -- send "0123456789" -+ send "0123456789\n" - send "0\r\n" - send "\r\n" - -@@ -29,7 +29,7 @@ client c1 { - send "\r\n" - send "14\r\n" - send "0123456789" -- send "0123456789" -+ send "0123456789\n" - send "0\r\n" - send "\r\n" - -@@ -45,7 +45,7 @@ client c1 { - send "\r\n" - send "14\r\n" - send "0123456789" -- send "0123456789" -+ send "0123456789\n" - send "0\r\n" - send "\r\n" - diff --git a/CVE-2025-47905-2.patch b/CVE-2025-47905-2.patch deleted file mode 100644 index 35461147ed947d0324a8f6705567c2139df22db1..0000000000000000000000000000000000000000 --- a/CVE-2025-47905-2.patch +++ /dev/null 
@@ -1,165 +0,0 @@ -From 13904252859cf9848db5999b08c42d83a03ed812 Mon Sep 17 00:00:00 2001 -From: Nils Goroll -Date: Mon, 30 May 2022 13:42:58 +0200 -Subject: [PATCH] v1f: pull chunk header parsing into an own function - -... which we are going to need in a follow up commit. - -No functional changes, diff best viewed with -b ---- - bin/varnishd/http1/cache_http1_vfp.c | 122 ++++++++++++++++----------- - 1 file changed, 72 insertions(+), 50 deletions(-) - -diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c -index aceb5a628ce..d684f104392 100644 ---- a/bin/varnishd/http1/cache_http1_vfp.c -+++ b/bin/varnishd/http1/cache_http1_vfp.c -@@ -108,76 +108,98 @@ v1f_chunk_end(struct vfp_ctx *vc, struct http_conn *htc) - - - /*-------------------------------------------------------------------- -- * Read a chunked HTTP object. -+ * Parse a chunk header and, for VFP_OK, return size in a pointer - * - * XXX: Reading one byte at a time is pretty pessimal. - */ - --static enum vfp_status v_matchproto_(vfp_pull_f) --v1f_chunked_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, -- ssize_t *lp) -+static enum vfp_status -+v1f_chunked_hdr(struct vfp_ctx *vc, struct http_conn *htc, ssize_t *szp) - { -- static enum vfp_status vfps; -- struct http_conn *htc; - char buf[20]; /* XXX: 20 is arbitrary */ -- char *q; - unsigned u; - uintmax_t cll; -- ssize_t cl, l, lr; -+ ssize_t cl, lr; -+ char *q; - - CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC); -- CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC); -- CAST_OBJ_NOTNULL(htc, vfe->priv1, HTTP_CONN_MAGIC); -- AN(ptr); -- AN(lp); -+ CHECK_OBJ_NOTNULL(htc, HTTP_CONN_MAGIC); -+ AN(szp); -+ assert(*szp == -1); - -- l = *lp; -- *lp = 0; -- if (vfe->priv2 == -1) { -- /* Skip leading whitespace */ -- do { -- lr = v1f_read(vc, htc, buf, 1); -- if (lr <= 0) -- return (VFP_Error(vc, "chunked read err")); -- } while (vct_islws(buf[0])); -- -- if (!vct_ishex(buf[0])) -- return (VFP_Error(vc, "chunked header non-hex")); -- -- /* 
Collect hex digits, skipping leading zeros */ -- for (u = 1; u < sizeof buf; u++) { -- do { -- lr = v1f_read(vc, htc, buf + u, 1); -- if (lr <= 0) -- return (VFP_Error(vc, "chunked read err")); -- } while (u == 1 && buf[0] == '0' && buf[u] == '0'); -- if (!vct_ishex(buf[u])) -- break; -- } -+ /* Skip leading whitespace */ -+ do { -+ lr = v1f_read(vc, htc, buf, 1); -+ if (lr <= 0) -+ return (VFP_Error(vc, "chunked read err")); -+ } while (vct_islws(buf[0])); - -- if (u >= sizeof buf) -- return (VFP_Error(vc, "chunked header too long")); -+ if (!vct_ishex(buf[0])) -+ return (VFP_Error(vc, "chunked header non-hex")); - -- /* Skip trailing white space */ -- while (vct_islws(buf[u]) && buf[u] != '\n') { -+ /* Collect hex digits, skipping leading zeros */ -+ for (u = 1; u < sizeof buf; u++) { -+ do { - lr = v1f_read(vc, htc, buf + u, 1); - if (lr <= 0) - return (VFP_Error(vc, "chunked read err")); -- } -+ } while (u == 1 && buf[0] == '0' && buf[u] == '0'); -+ if (!vct_ishex(buf[u])) -+ break; -+ } - -- if (buf[u] != '\n') -- return (VFP_Error(vc, "chunked header no NL")); -+ if (u >= sizeof buf) -+ return (VFP_Error(vc, "chunked header too long")); -+ -+ /* Skip trailing white space */ -+ while (vct_islws(buf[u]) && buf[u] != '\n') { -+ lr = v1f_read(vc, htc, buf + u, 1); -+ if (lr <= 0) -+ return (VFP_Error(vc, "chunked read err")); -+ } - -- buf[u] = '\0'; -+ if (buf[u] != '\n') -+ return (VFP_Error(vc, "chunked header no NL")); - -- cll = strtoumax(buf, &q, 16); -- if (q == NULL || *q != '\0') -- return (VFP_Error(vc, "chunked header number syntax")); -- cl = (ssize_t)cll; -- if (cl < 0 || (uintmax_t)cl != cll) -- return (VFP_Error(vc, "bogusly large chunk size")); -+ buf[u] = '\0'; - -- vfe->priv2 = cl; -+ cll = strtoumax(buf, &q, 16); -+ if (q == NULL || *q != '\0') -+ return (VFP_Error(vc, "chunked header number syntax")); -+ cl = (ssize_t)cll; -+ if (cl < 0 || (uintmax_t)cl != cll) -+ return (VFP_Error(vc, "bogusly large chunk size")); -+ -+ *szp = cl; -+ return 
(VFP_OK); -+} -+ -+ -+/*-------------------------------------------------------------------- -+ * Read a chunked HTTP object. -+ * -+ */ -+ -+static enum vfp_status v_matchproto_(vfp_pull_f) -+v1f_chunked_pull(struct vfp_ctx *vc, struct vfp_entry *vfe, void *ptr, -+ ssize_t *lp) -+{ -+ static enum vfp_status vfps; -+ struct http_conn *htc; -+ ssize_t l, lr; -+ -+ CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC); -+ CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC); -+ CAST_OBJ_NOTNULL(htc, vfe->priv1, HTTP_CONN_MAGIC); -+ AN(ptr); -+ AN(lp); -+ -+ l = *lp; -+ *lp = 0; -+ if (vfe->priv2 == -1) { -+ vfps = v1f_chunked_hdr(vc, htc, &vfe->priv2); -+ if (vfps != VFP_OK) -+ return (vfps); - } - if (vfe->priv2 > 0) { - if (vfe->priv2 < l) diff --git a/CVE-2025-47905-3.patch b/CVE-2025-47905-3.patch deleted file mode 100644 index 2fa62deda52481bc8014f63c7c463b543edc01b2..0000000000000000000000000000000000000000 --- a/CVE-2025-47905-3.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 3d9a9abff1c6734feea9d48d5852ccad7e7d0a42 Mon Sep 17 00:00:00 2001 -From: Dridi Boukelmoune -Date: Wed, 2 Apr 2025 16:03:43 +0200 -Subject: [PATCH] v1f: Parse CRLF separately from other white space - -It's a little bit harder to follow the CRLF logic when it is intertwined -with the skipped surrounding white space. ---- - bin/varnishd/http1/cache_http1_vfp.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/bin/varnishd/http1/cache_http1_vfp.c b/bin/varnishd/http1/cache_http1_vfp.c -index d684f10439..fbc3dcb8b3 100644 ---- a/bin/varnishd/http1/cache_http1_vfp.c -+++ b/bin/varnishd/http1/cache_http1_vfp.c -@@ -132,7 +132,7 @@ v1f_chunked_hdr(struct vfp_ctx *vc, struct http_conn *htc, ssize_t *szp) - lr = v1f_read(vc, htc, buf, 1); - if (lr <= 0) - return (VFP_Error(vc, "chunked read err")); -- } while (vct_islws(buf[0])); -+ } while (vct_isows(buf[0])); - - if (!vct_ishex(buf[0])) - return (VFP_Error(vc, "chunked header non-hex")); -@@ -152,12 +152,14 @@ v1f_chunked_hdr(struct vfp_ctx *vc, struct http_conn *htc, ssize_t *szp) - return (VFP_Error(vc, "chunked header too long")); - - /* Skip trailing white space */ -- while (vct_islws(buf[u]) && buf[u] != '\n') { -+ while (vct_isows(buf[u])) { - lr = v1f_read(vc, htc, buf + u, 1); - if (lr <= 0) - return (VFP_Error(vc, "chunked read err")); - } - -+ if (buf[u] == '\r' && v1f_read(vc, htc, buf + u, 1) <= 0) -+ return (VFP_Error(vc, "chunked read err")); - if (buf[u] != '\n') - return (VFP_Error(vc, "chunked header no NL")); - diff --git a/CVE-2025-47905-4.patch b/CVE-2025-47905-4.patch deleted file mode 100644 index 504183d4ba0bacfeb67d85d8ce9de070b5739aeb..0000000000000000000000000000000000000000 --- a/CVE-2025-47905-4.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 00cb14931a53efafbdfec9843453fb1347bc9f59 Mon Sep 17 00:00:00 2001 -From: Dridi Boukelmoune -Date: Thu, 3 Apr 2025 15:52:56 +0200 -Subject: [PATCH] vtc: Test coverage for VSV16 - ---- - bin/varnishtest/tests/f00016.vtc | 69 ++++++++++++++++++++++++++++++++ - 1 file changed, 69 insertions(+) - create mode 100644 bin/varnishtest/tests/f00016.vtc - -diff --git a/bin/varnishtest/tests/f00016.vtc b/bin/varnishtest/tests/f00016.vtc -new file mode 100644 -index 0000000000..a38b8b1eff ---- /dev/null -+++ b/bin/varnishtest/tests/f00016.vtc -@@ -0,0 +1,69 @@ -+varnishtest "Do not tolerate anything else than CRLF as chunked ending" -+ -+server s0 { -+ rxreq -+ expect_close -+} -dispatch -+ -+varnish v1 -vcl+backend {} -start -+ -+logexpect l1 -v v1 { -+ expect * 1001 FetchError "chunked tail no NL" -+ expect * 1004 FetchError "chunked tail no NL" -+ expect * 1007 FetchError "chunked header non-hex" -+ expect * 1010 FetchError "chunked header non-hex" -+} -start -+ -+client c1 { -+ non_fatal -+ txreq -req POST -hdr "Transfer-encoding: chunked" -+ send "1\r\n" -+ send "This is more than one byte of data\r\n" -+ send "0\r\n" -+ send "\r\n" -+ fatal -+ rxresp -+ expect resp.status == 503 -+ expect_close -+} -run -+ -+client c2 { -+ non_fatal -+ txreq -req POST -hdr "Transfer-encoding: chunked" -+ send "1\r\n" -+ send "Z 2\r\n" -+ send "3d\r\n" -+ send "0\r\n\r\nPOST /evil HTTP/1.1\r\nHost: whatever\r\nContent-Length: 5\r\n\r\n" -+ send "0\r\n" -+ send "\r\n" -+ fatal -+ rxresp -+ expect resp.status == 503 -+ expect_close -+} -run -+ -+client c3 { -+ non_fatal -+ txreq -req POST -hdr "Transfer-encoding: chunked" -+ send "d\r\n" -+ send "Spurious CRLF\r\n\r\n" -+ send "0\r\n" -+ send "\r\n" -+ fatal -+ rxresp -+ expect resp.status == 503 -+ expect_close -+} -run -+ -+client c4 { -+ non_fatal -+ txreq -req POST -hdr "Transfer-encoding: chunked" -+ send "\n0\r\n" -+ send "\r\n" -+ fatal -+ rxresp -+ expect resp.status == 503 -+ expect_close -+} -run -+ 
-+logexpect l1 -wait diff --git a/CVE-2025-8671-1.patch b/CVE-2025-8671-1.patch deleted file mode 100644 index 84060bd9022ce5e5f8b0fe660d9119e4beafa9e8..0000000000000000000000000000000000000000 --- a/CVE-2025-8671-1.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From 1ce9a6df61555bdc8bd491feb3b5f1ed3f5cbdaf Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Tue, 1 Jul 2025 14:57:56 +0200 -Subject: [PATCH] H2: Add a H2_Send_GOAWAY method - -This method sends a goaway frame. Change h2_tx_goaway() so that it uses this method. ---- - bin/varnishd/http2/cache_http2.h | 2 ++ - bin/varnishd/http2/cache_http2_proto.c | 7 +------ - bin/varnishd/http2/cache_http2_send.c | 20 ++++++++++++++++++++ - 3 files changed, 23 insertions(+), 6 deletions(-) - -diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h -index ba036b84d6..ea25e89bd6 100644 ---- a/bin/varnishd/http2/cache_http2.h -+++ b/bin/varnishd/http2/cache_http2.h -@@ -259,6 +259,8 @@ void H2_Send_Frame(struct worker *, struct h2_sess *, - - void H2_Send_RST(struct worker *wrk, struct h2_sess *h2, - const struct h2_req *r2, uint32_t stream, h2_error h2e); -+void H2_Send_GOAWAY(struct worker *wrk, struct h2_sess *h2, -+ const struct h2_req *r2, h2_error h2e); - - void H2_Send(struct worker *, struct h2_req *, h2_frame type, uint8_t flags, - uint32_t len, const void *, uint64_t *acct); -diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c -index 6e9e5bdc96..de4ba424a6 100644 ---- a/bin/varnishd/http2/cache_http2_proto.c -+++ b/bin/varnishd/http2/cache_http2_proto.c -@@ -414,19 +414,14 @@ h2_rx_goaway(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) - static void - h2_tx_goaway(struct worker *wrk, struct h2_sess *h2, h2_error h2e) - { -- char b[8]; -- - ASSERT_RXTHR(h2); - AN(h2e); - - if (h2->goaway || !h2e->send_goaway) - return; - -- h2->goaway = 1; -- vbe32enc(b, h2->highest_stream); -- vbe32enc(b + 4, h2e->val); - H2_Send_Get(wrk, h2, h2->req0); -- H2_Send_Frame(wrk, h2, H2_F_GOAWAY, 0, 8, 0, b); -+ H2_Send_GOAWAY(wrk, h2, h2->req0, h2e); - H2_Send_Rel(h2, h2->req0); - } - -diff --git a/bin/varnishd/http2/cache_http2_send.c b/bin/varnishd/http2/cache_http2_send.c -index 
d4e66aab8c..5f7a11d352 100644 ---- a/bin/varnishd/http2/cache_http2_send.c -+++ b/bin/varnishd/http2/cache_http2_send.c -@@ -427,6 +427,26 @@ H2_Send_RST(struct worker *wrk, struct h2_sess *h2, const struct h2_req *r2, - H2_Send_Frame(wrk, h2, H2_F_RST_STREAM, 0, sizeof b, stream, b); - } - -+void -+H2_Send_GOAWAY(struct worker *wrk, struct h2_sess *h2, const struct h2_req *r2, -+ h2_error h2e) -+{ -+ char b[8]; -+ -+ CHECK_OBJ_NOTNULL(h2, H2_SESS_MAGIC); -+ CHECK_OBJ_NOTNULL(r2, H2_REQ_MAGIC); -+ AN(H2_SEND_HELD(h2, r2)); -+ AN(h2e); -+ -+ if (h2->goaway) -+ return; -+ -+ vbe32enc(b, h2->highest_stream); -+ vbe32enc(b + 4, h2e->val); -+ H2_Send_Frame(wrk, h2, H2_F_GOAWAY, 0, 8, 0, b); -+ h2->goaway = 1; -+} -+ - void - H2_Send(struct worker *wrk, struct h2_req *r2, h2_frame ftyp, uint8_t flags, - uint32_t len, const void *ptr, uint64_t *counter) diff --git a/CVE-2025-8671-2.patch b/CVE-2025-8671-2.patch deleted file mode 100644 index 73c98304cc03d18a087aaa491c42f8be9997ddb2..0000000000000000000000000000000000000000 --- a/CVE-2025-8671-2.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -From a629c334c98a3b946e529b9d4ae4c07c0967b8bb Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Tue, 1 Jul 2025 15:32:25 +0200 -Subject: [PATCH] H2: Make rapid reset handling be calleable from any context - -This patch splits the rapid reset handling into a check and a charge -step. The check determines if this was a benign reset, that is whether it -should be charged against the budgest or not. - -The charge step subtracts from the budget, and handles raises an error -when exceeded. On error it will send a GOAWAY frame on the session -immediately. To allow an error to be sent from this function, and to give -protection to the rapid reset state variables, it is required that the -caller holds the send mutex when calling. ---- - bin/varnishd/http2/cache_http2.h | 5 +++ - bin/varnishd/http2/cache_http2_proto.c | 44 ++++++++++++++++++++------ - bin/varnishd/http2/cache_http2_send.c | 2 -- - 3 files changed, 39 insertions(+), 12 deletions(-) - -diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h -index 3765d50..d54fd71 100644 ---- a/bin/varnishd/http2/cache_http2.h -+++ b/bin/varnishd/http2/cache_http2.h -@@ -244,6 +244,7 @@ h2_error h2h_decode_bytes(struct h2_sess *h2, const uint8_t *ptr, - size_t len); - - /* cache_http2_send.c */ -+#define H2_SEND_HELD(h2, r2) (VTAILQ_FIRST(&(h2)->txqueue) == (r2)) - void H2_Send_Get(struct worker *, struct h2_sess *, struct h2_req *); - void H2_Send_Rel(struct h2_sess *, const struct h2_req *); - -@@ -267,6 +268,10 @@ void h2_kill_req(struct worker *, struct h2_sess *, struct h2_req *, h2_error); - int h2_rxframe(struct worker *, struct h2_sess *); - h2_error h2_set_setting(struct h2_sess *, const uint8_t *); - void h2_req_body(struct req*); -+int h2_rapid_reset_check(struct worker *wrk, struct h2_sess *h2, -+ const struct h2_req *r2); -+h2_error h2_rapid_reset_charge(struct worker *wrk, struct h2_sess *h2, -+ const struct h2_req *r2); - task_func_t h2_do_req; - #ifdef 
TRANSPORT_MAGIC - vtr_req_fail_f h2_req_fail; -diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c -index 1f779f5..6c65db2 100644 ---- a/bin/varnishd/http2/cache_http2_proto.c -+++ b/bin/varnishd/http2/cache_http2_proto.c -@@ -329,14 +329,14 @@ h2_rx_push_promise(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) - /********************************************************************** - */ - --static h2_error --h2_rapid_reset(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) -+int -+h2_rapid_reset_check(struct worker *wrk, struct h2_sess *h2, -+ const struct h2_req *r2) - { - vtim_real now; -- vtim_dur d; - - CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); -- ASSERT_RXTHR(h2); -+ CHECK_OBJ_NOTNULL(h2, H2_SESS_MAGIC); - CHECK_OBJ_NOTNULL(r2, H2_REQ_MAGIC); - - if (h2->rapid_reset_limit == 0) -@@ -348,6 +348,23 @@ h2_rapid_reset(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) - if (now - r2->req->t_first > h2->rapid_reset) - return (0); - -+ return (1); -+} -+ -+h2_error -+h2_rapid_reset_charge(struct worker *wrk, struct h2_sess *h2, -+ const struct h2_req *r2) -+{ -+ vtim_real now; -+ vtim_dur d; -+ h2_error h2e = NULL; -+ -+ CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); -+ AN(H2_SEND_HELD(h2, r2)); -+ CHECK_OBJ_NOTNULL(r2, H2_REQ_MAGIC); -+ -+ now = VTIM_real(); -+ - d = now - h2->last_rst; - h2->rst_budget += h2->rapid_reset_limit * d / - h2->rapid_reset_period; -@@ -355,20 +372,23 @@ h2_rapid_reset(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) - h2->rapid_reset_limit); - h2->last_rst = now; - -- if (h2->rst_budget < 1.0) { -+ h2->rst_budget -= 1.0; -+ -+ if (h2->rst_budget < 0) { - Lck_Lock(&h2->sess->mtx); - VSLb(h2->vsl, SLT_Error, "H2: Hit RST limit. 
Closing session."); - Lck_Unlock(&h2->sess->mtx); -- return (H2CE_RAPID_RESET); -+ h2e = H2CE_RAPID_RESET; -+ H2_Send_GOAWAY(wrk, h2, r2, h2e); - } -- h2->rst_budget -= 1.0; -- return (0); -+ -+ return (h2e); - } - - static h2_error v_matchproto_(h2_rxframe_f) - h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) - { -- h2_error h2e; -+ h2_error h2e = NULL; - - CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); - ASSERT_RXTHR(h2); -@@ -378,7 +398,11 @@ h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2) - return (H2CE_FRAME_SIZE_ERROR); - if (r2 == NULL) - return (0); -- h2e = h2_rapid_reset(wrk, h2, r2); -+ if (h2_rapid_reset_check(wrk, h2, r2)) { -+ H2_Send_Get(wrk, h2, r2); -+ h2e = h2_rapid_reset_charge(wrk, h2, r2); -+ H2_Send_Rel(h2, r2); -+ } - h2_kill_req(wrk, h2, r2, h2_streamerror(vbe32dec(h2->rxf_data))); - return (h2e); - } -diff --git a/bin/varnishd/http2/cache_http2_send.c b/bin/varnishd/http2/cache_http2_send.c -index 0745cd3..cfa2028 100644 ---- a/bin/varnishd/http2/cache_http2_send.c -+++ b/bin/varnishd/http2/cache_http2_send.c -@@ -41,8 +41,6 @@ - #include "vend.h" - #include "vtim.h" - --#define H2_SEND_HELD(h2, r2) (VTAILQ_FIRST(&(h2)->txqueue) == (r2)) -- - static h2_error - h2_errcheck(const struct h2_req *r2, const struct h2_sess *h2) - { diff --git a/CVE-2025-8671-3.patch b/CVE-2025-8671-3.patch deleted file mode 100644 index 46bdc13546ac3d26cb888de5ba7d44b46e0e5ccd..0000000000000000000000000000000000000000 --- a/CVE-2025-8671-3.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 5202a6e329651cd0121e9eac78e60b66351a50bf Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Tue, 1 Jul 2025 15:50:10 +0200 -Subject: [PATCH] H2: Check rapid reset whenever we send a RST frame for a - stream - -This checks and charges the rapid reset budget whenever we send a RST -frame, causing a session error if the budget is exhausted. - -This fixes the reverse rapid reset vulnerability. ---- - bin/varnishd/http2/cache_http2_send.c | 6 +++ - bin/varnishtest/tests/f00017.vtc | 63 +++++++++++++++++++++++++++ - 2 files changed, 69 insertions(+) - create mode 100644 bin/varnishtest/tests/f00017.vtc - -diff --git a/bin/varnishd/http2/cache_http2_send.c b/bin/varnishd/http2/cache_http2_send.c -index 41c45961b3..3461bdb380 100644 ---- a/bin/varnishd/http2/cache_http2_send.c -+++ b/bin/varnishd/http2/cache_http2_send.c -@@ -413,6 +413,7 @@ H2_Send_RST(struct worker *wrk, struct h2_sess *h2, const struct h2_req *r2, - uint32_t stream, h2_error h2e) - { - char b[4]; -+ h2_error h2e_rr = NULL; - - CHECK_OBJ_NOTNULL(h2, H2_SESS_MAGIC); - CHECK_OBJ_NOTNULL(r2, H2_REQ_MAGIC); -@@ -423,6 +424,11 @@ H2_Send_RST(struct worker *wrk, struct h2_sess *h2, const struct h2_req *r2, - vbe32enc(b, h2e->val); - - H2_Send_Frame(wrk, h2, H2_F_RST_STREAM, 0, sizeof b, stream, b); -+ -+ if (h2_rapid_reset_check(wrk, h2, r2)) -+ h2e_rr = h2_rapid_reset_charge(wrk, h2, r2); -+ if (h2e_rr != NULL) -+ h2->error = h2e_rr; - } - - void -diff --git a/bin/varnishtest/tests/f00017.vtc b/bin/varnishtest/tests/f00017.vtc -new file mode 100644 -index 0000000000..6370652bef ---- /dev/null -+++ b/bin/varnishtest/tests/f00017.vtc -@@ -0,0 +1,63 @@ -+varnishtest "h2 reverse rapid reset" -+ -+barrier b1 sock 2 -cyclic -+barrier b2 sock 5 -cyclic -+ -+server s1 { -+ rxreq -+ txresp -+} -start -+ -+varnish v1 -cliok "param.set feature +http2" -+varnish v1 -cliok "param.set debug +syncvsl" -+varnish v1 -cliok "param.set h2_rapid_reset_limit 3" -+varnish v1 -cliok "param.set 
h2_rapid_reset 5" -+ -+varnish v1 -vcl+backend { -+ import vtc; -+ -+ sub vcl_recv { -+ if (req.http.barrier) { -+ vtc.barrier_sync(req.http.barrier); -+ } -+ vtc.barrier_sync("${b2_sock}"); -+ } -+ -+} -start -+ -+client c1 { -+ stream 0 { -+ rxgoaway -+ expect goaway.err == ENHANCE_YOUR_CALM -+ } -start -+ -+ stream 1 { -+ txreq -hdr barrier ${b1_sock} -+ barrier b1 sync -+ txwinup -size 0 -+ rxrst -+ } -run -+ stream 3 { -+ txreq -hdr barrier ${b1_sock} -+ barrier b1 sync -+ txwinup -size 0 -+ rxrst -+ } -run -+ stream 5 { -+ txreq -hdr barrier ${b1_sock} -+ barrier b1 sync -+ txwinup -size 0 -+ rxrst -+ } -run -+ stream 7 { -+ txreq -hdr barrier ${b1_sock} -+ barrier b1 sync -+ txwinup -size 0 -+ rxrst -+ } -run -+ -+ barrier b2 sync -+ stream 0 -wait -+} -run -+ -+varnish v1 -expect sc_rapid_reset == 1 diff --git a/fix-varnish-devel-installation-failure.patch b/fix-varnish-devel-installation-failure.patch index 93f99e3a2d3bf004bd8c05d128a87e46c060f660..02c570924e93ab23e4151279c5c6d8db49cef7bb 100644 --- a/fix-varnish-devel-installation-failure.patch +++ b/fix-varnish-devel-installation-failure.patch @@ -4,25 +4,14 @@ Date: Fri, 21 Jan 2022 15:52:05 +0800 Subject: [PATCH] fix varnish-devel installation failure --- - bin/varnishtest/huffman_gen.py | 2 +- doc/sphinx/vtc-syntax.py | 2 +- lib/libvarnishapi/generate.py | 2 +- lib/libvcc/generate.py | 2 +- lib/libvcc/vmodtool.py | 2 +- lib/libvcc/vsctool.py | 2 +- wflags.py | 2 +- - 7 files changed, 7 insertions(+), 7 deletions(-) + 6 files changed, 6 insertions(+), 6 deletions(-) -diff --git a/bin/varnishtest/huffman_gen.py b/bin/varnishtest/huffman_gen.py -index 1320424..a9666fb 100755 ---- a/bin/varnishtest/huffman_gen.py -+++ b/bin/varnishtest/huffman_gen.py -@@ -1,4 +1,4 @@ --#!/usr/bin/env python3 -+#!/usr/bin/python3 - - import re - import sys diff --git a/doc/sphinx/vtc-syntax.py b/doc/sphinx/vtc-syntax.py index f5533e8..7009142 100644 --- a/doc/sphinx/vtc-syntax.py 
@@ -76,3 +65,4 @@ index 9e9e4e9..90605a2 100644 -- 2.23.0 + diff --git a/varnish-7.5.0.tgz b/varnish-8.0.0.tgz similarity index 35% rename from varnish-7.5.0.tgz rename to varnish-8.0.0.tgz index 7db1847061b59c80befb6e34ce5203bcbfbf856b..c0e430b22c9261c0cc3fd1f0ae9d1c9a9e3d3be3 100644 Binary files a/varnish-7.5.0.tgz and b/varnish-8.0.0.tgz differ diff --git a/varnish.spec b/varnish.spec index f755cf2a86c119bfbd6428fb1baffe7c248d68ac..50f260b4cb30a253039f5c5531730189cf7ea9e7 100644 --- a/varnish.spec +++ b/varnish.spec @@ -2,8 +2,8 @@ Name: varnish Summary: A web application accelerator -Version: 7.5.0 -Release: 3 +Version: 8.0.0 +Release: 1 License: BSD-2-Clause URL: https://www.varnish-cache.org/ Source0: http://varnish-cache.org/downloads/varnish-%{version}.tgz @@ -12,17 +12,6 @@ Source0: http://varnish-cache.org/downloads/varnish-%{version}.tgz Source1: https://github.com/varnishcache/pkg-varnish-cache/archive/0ad2f22629c4a368959c423a19e352c9c6c79682/pkg-varnish-cache-0ad2f22.tar.gz Patch0001: fix-varnish-devel-installation-failure.patch Patch0002: fix-varnish.service-reload-failed.patch -Patch0003: CVE-2025-30346.patch -Patch0004: CVE-2025-47905-1.patch -Patch0005: CVE-2025-47905-2.patch -Patch0006: CVE-2025-47905-3.patch -Patch0007: CVE-2025-47905-4.patch -# https://github.com/varnishcache/varnish-cache/commit/1ce9a6df61555bdc8bd491feb3b5f1ed3f5cbdaf -Patch0008: CVE-2025-8671-1.patch -# https://github.com/varnishcache/varnish-cache/commit/a629c334c98a3b946e529b9d4ae4c07c0967b8bb -Patch0009: CVE-2025-8671-2.patch -# https://github.com/varnishcache/varnish-cache/commit/5202a6e329651cd0121e9eac78e60b66351a50bf -Patch0010: CVE-2025-8671-3.patch BuildRequires: python3-sphinx python3-docutils pkgconfig make graphviz nghttp2 systemd-units BuildRequires: ncurses-devel pcre2-devel libedit-devel gcc 
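Review bot: The `@@ -12,17 +12,6 @@` hunk of varnish.spec drops Patch0003 through Patch0010, which are all of the CVE-2025-30346, CVE-2025-47905 and CVE-2025-8671 backports, yet the new 8.0.0-1 changelog entry in the last hunk does not mention them. Presumably 8.0.0 already contains these upstream commits, but nothing on the page shows it; that should be confirmed against the new tarball before the patches go, for example by checking that `bin/varnishtest/tests/f00016.vtc` and `bin/varnishtest/tests/f00017.vtc` are present and that `H2_Send_RST` still charges the rapid reset budget. Once confirmed, I would record it in the changelog with a line such as `- Remove CVE-2025-30346, CVE-2025-47905 and CVE-2025-8671 patches, fixed upstream in 8.0.0`, so that anyone auditing the package by its changelog does not read the removal as a regression.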
@@ -173,6 +162,13 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc %{_mandir}/man7/*.7* %changelog +* Mon Sep 29 2025 Ge Wang - 8.0.0-1 +- Update package to version 8.0.0 + * A regression has been fixed which prevented vcl controlled custom Range requests with ``http_range_support`` enabled + * The ``Content-Length`` response header is now also sent in response to all ``HEAD`` requests + * ``builtin.vcl`` has been updated to return a synthetic 501 response and close the connection when receiving requests with an unknown/unsupported http method instead of piping them + * A scalability limit with private (uncacheable) objects has been addressed + * Fri Aug 15 2025 liweigang - 7.5.0-3 - Fix CVE-2025-8671