diff --git a/CVE-2022-23959.patch b/CVE-2022-23959.patch
deleted file mode 100644
index bf73e0685404402527fea5be56edbf609092c8c8..0000000000000000000000000000000000000000
--- a/CVE-2022-23959.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4 Mon Sep 17 00:00:00 2001
-From: Martin Blix Grydeland
-Date: Fri, 17 Dec 2021 22:10:16 +0100
-Subject: [PATCH] Mark req doclose when failing to ignore req body
-
-Previously we would ignore errors to iterate the request body into
-oblivion in VRB_Ignore(), keeping the connection open. This opens an
-out-of-sync vulnerability on H/1 connections.
-
-This patch tests the status of the request body in VRB_Ignore(), marking
-the request failed and that it should be closed on errors.
----
- bin/varnishd/cache/cache_req_body.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
-index 6391f928d6..5ffd08b77d 100644
---- a/bin/varnishd/cache/cache_req_body.c
-+++ b/bin/varnishd/cache/cache_req_body.c
-@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
- if (req->req_body_status->avail > 0)
- (void)VRB_Iterate(req->wrk, req->vsl, req,
- httpq_req_body_discard, NULL);
-+ if (req->req_body_status == BS_ERROR)
-+ req->doclose = SC_RX_BODY;
- return (0);
- }
-
diff --git a/CVE-2022-38150.patch b/CVE-2022-38150.patch
deleted file mode 100644
index f7c6dd49c636ec48ea7ef15166a670ae3b30bcab..0000000000000000000000000000000000000000
--- a/CVE-2022-38150.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From c5fd097e5cce8b461c6443af02b3448baef2491d Mon Sep 17 00:00:00 2001
-From: Martin Blix Grydeland
-Date: Thu, 4 Aug 2022 10:59:33 +0200
-Subject: [PATCH] Do not call http_hdr_flags() on pseudo-headers
-
-In http_EstimateWS(), all headers are passed to the http_isfiltered()
-function to calculate how many bytes is needed to serialize the entire
-struct http. http_isfiltered() will check the headers for whether they are
-going to be filtered out later and if so skip them.
-
-However http_isfiltered() would attempt to treat all elements of struct
-http as regular headers with an implicit structure. That does not hold for
-the first three pseudo-header entries, which would lead to asserts in
-later steps.
-
-This patch skips the filter step for pseudo-headers.
-
-Fixes: #3830
----
- bin/varnishd/cache/cache_http.c | 2 ++
- bin/varnishtest/tests/r03830.vtc | 29 +++++++++++++++++++++++++++++
- 2 files changed, 31 insertions(+)
- create mode 100644 bin/varnishtest/tests/r03830.vtc
-
-diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c
-index ed15e07f9e..d48c0bb366 100644
---- a/bin/varnishd/cache/cache_http.c
-+++ b/bin/varnishd/cache/cache_http.c
-@@ -1147,6 +1147,8 @@ http_isfiltered(const struct http *fm, unsigned u, unsigned how)
-
- if (fm->hdf[u] & HDF_FILTER)
- return (1);
-+ if (u < HTTP_HDR_FIRST)
-+ return (0);
- e = strchr(fm->hd[u].b, ':');
- if (e == NULL)
- return (0);
-diff --git a/bin/varnishtest/tests/r03830.vtc b/bin/varnishtest/tests/r03830.vtc
-new file mode 100644
-index 0000000000..5155981923
---- /dev/null
-+++ b/bin/varnishtest/tests/r03830.vtc
-@@ -0,0 +1,29 @@
-+varnishtest "3830: Do not call http_hdr_flags() on pseudo-headers"
-+
-+server s1 {
-+ rxreq
-+ txresp -reason ":x"
-+
-+ rxreq
-+ txresp
-+} -start
-+
-+varnish v1 -vcl+backend {
-+ sub vcl_recv {
-+ return (hash);
-+ }
-+} -start
-+
-+client c1 {
-+ txreq
-+ rxresp
-+ expect resp.status == 200
-+} -run
-+
-+client c2 {
-+ txreq -url :x -method :x
-+ rxresp
-+ expect resp.status == 200
-+} -run
-+
-+varnish v1 -vsl_catchup
diff --git a/CVE-2022-45060.patch b/CVE-2022-45060.patch
deleted file mode 100644
index 701c787872ba7feeb7dd7aa215af3191e1c84bea..0000000000000000000000000000000000000000
--- a/CVE-2022-45060.patch
+++ /dev/null
@@ -1,207 +0,0 @@
-From 515a93df894430767073ccd8265497b6b25b54b5 Mon Sep 17 00:00:00 2001
-From: Asad Sajjad Ahmed
-Date: Fri, 30 Sep 2022 14:42:53 +0200
-Subject: [PATCH] hpack: fix pseudo-headers handling
-
-We should apply the same restrictions on the list of allowed characters inside
-H/2 pseudo-headers as we do for H/1. This error is translated into the
-headers we send to a backend over H/1.
-
-Failure to do so could permit various exploits against a backend not handling
-malformed H/1 requests.
-
-Signed-off-by: Asad Sajjad Ahmed
----
- bin/varnishd/http2/cache_http2_hpack.c | 35 +++++++++++++++++++
- bin/varnishtest/tests/t02023.vtc | 48 ++++++++++++++++++++++++++
- bin/varnishtest/tests/t02024.vtc | 48 ++++++++++++++++++++++++++
- 3 files changed, 131 insertions(+)
- create mode 100644 bin/varnishtest/tests/t02023.vtc
- create mode 100644 bin/varnishtest/tests/t02024.vtc
-
-diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
-index 6e67b55c50..f58788b126 100644
---- a/bin/varnishd/http2/cache_http2_hpack.c
-+++ b/bin/varnishd/http2/cache_http2_hpack.c
-@@ -96,13 +96,18 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- {
- /* XXX: This might belong in cache/cache_http.c */
- const char *b0;
-+ int disallow_empty;
- unsigned n;
-+ char *p;
-+ int i;
-
- CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
- AN(b);
- assert(namelen >= 2); /* 2 chars from the ': ' that we added */
- assert(namelen <= len);
-
-+ disallow_empty = 0;
-+
- if (len > UINT_MAX) { /* XXX: cache_param max header size */
- VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
- return (H2SE_ENHANCE_YOUR_CALM);
-@@ -117,10 +122,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- b += namelen;
- len -= namelen;
- n = HTTP_HDR_METHOD;
-+ disallow_empty = 1;
-+
-+ /* First field cannot contain SP or CTL */
-+ for (p = b, i = 0; i < len; p++, i++) {
-+ if (vct_issp(*p) || vct_isctl(*p))
-+ return (H2SE_PROTOCOL_ERROR);
-+ }
- } else if (!strncmp(b, ":path: ", namelen)) {
- b += namelen;
- len -= namelen;
- n = HTTP_HDR_URL;
-+ disallow_empty = 1;
-+
-+ /* Second field cannot contain LWS or CTL */
-+ for (p = b, i = 0; i < len; p++, i++) {
-+ if (vct_islws(*p) || vct_isctl(*p))
-+ return (H2SE_PROTOCOL_ERROR);
-+ }
- } else if (!strncmp(b, ":scheme: ", namelen)) {
- /* XXX: What to do about this one? (typically
- "http" or "https"). For now set it as a normal
-@@ -128,6 +147,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- b++;
- len-=1;
- n = hp->nhd;
-+
-+ for (p = b + namelen, i = 0; i < len-namelen;
-+ p++, i++) {
-+ if (vct_issp(*p) || vct_isctl(*p))
-+ return (H2SE_PROTOCOL_ERROR);
-+ }
-+
-+ if (!i)
-+ return (H2SE_PROTOCOL_ERROR);
- } else if (!strncmp(b, ":authority: ", namelen)) {
- b+=6;
- len-=6;
-@@ -164,6 +192,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
- hp->hd[n].b = b;
- hp->hd[n].e = b + len;
-
-+ if (disallow_empty && !Tlen(hp->hd[n])) {
-+ VSLb(hp->vsl, SLT_BogoHeader,
-+ "Empty pseudo-header %.*s",
-+ (int)namelen, b0);
-+ return (H2SE_PROTOCOL_ERROR);
-+ }
-+
- return (0);
- }
-
-diff --git a/bin/varnishtest/tests/t02023.vtc b/bin/varnishtest/tests/t02023.vtc
-new file mode 100644
-index 0000000000..cfd843da3e
---- /dev/null
-+++ b/bin/varnishtest/tests/t02023.vtc
-@@ -0,0 +1,48 @@
-+varnishtest "Empty pseudo-headers"
-+
-+server s1 {
-+ rxreq
-+ txresp
-+} -start
-+
-+varnish v1 -arg "-p feature=+http2" -vcl+backend {
-+} -start
-+
-+client c1 {
-+ txreq -url ""
-+ rxresp
-+ expect resp.status == 400
-+} -run
-+
-+client c1 {
-+ txreq -req ""
-+ rxresp
-+ expect resp.status == 400
-+} -run
-+
-+client c1 {
-+ txreq -proto ""
-+ rxresp
-+ expect resp.status == 400
-+} -run
-+
-+client c1 {
-+ stream 1 {
-+ txreq -url ""
-+ rxrst
-+ } -run
-+} -run
-+
-+client c1 {
-+ stream 1 {
-+ txreq -scheme ""
-+ rxrst
-+ } -run
-+} -run
-+
-+client c1 {
-+ stream 1 {
-+ txreq -req ""
-+ rxrst
-+ } -run
-+} -run
-diff --git a/bin/varnishtest/tests/t02024.vtc b/bin/varnishtest/tests/t02024.vtc
-new file mode 100644
-index 0000000000..0d0a1abc5d
---- /dev/null
-+++ b/bin/varnishtest/tests/t02024.vtc
-@@ -0,0 +1,48 @@
-+varnishtest "Garbage pseudo-headers"
-+
-+server s1 {
-+ rxreq
-+ txresp
-+} -start
-+
-+varnish v1 -arg "-p feature=+http2" -vcl+backend {
-+} -start
-+
-+client c1 {
-+ txreq -url " "
-+ rxresp
-+ expect resp.status == 400
-+} -run
-+
-+client c1 {
-+ txreq -req " "
-+ rxresp
-+ expect resp.status == 400
-+} -run
-+
-+client c1 {
-+ txreq -proto " "
-+ rxresp
-+ expect resp.status == 400
-+} -run
-+
-+client c1 {
-+ stream 1 {
-+ txreq -url " "
-+ rxrst
-+ } -run
-+} -run
-+
-+client c1 {
-+ stream 1 {
-+ txreq -scheme " "
-+ rxrst
-+ } -run
-+} -run
-+
-+client c1 {
-+ stream 1 {
-+ txreq -req " "
-+ rxrst
-+ } -run
-+} -run
diff --git a/fix-varnish-devel-installation-failure.patch b/fix-varnish-devel-installation-failure.patch
index a125e9921aac36888e8a1f1005cdb7dc0835573b..93f99e3a2d3bf004bd8c05d128a87e46c060f660 100644
--- a/fix-varnish-devel-installation-failure.patch
+++ b/fix-varnish-devel-installation-failure.patch
@@ -63,16 +63,6 @@ index 0eb77c5..6b3af4d 100755
 #
 # Copyright (c) 2010-2016 Varnish Software
 # All rights reserved.
-diff --git a/lib/libvcc/vsctool.py b/lib/libvcc/vsctool.py
-index 9df1dc4..82c8f33 100755
---- a/lib/libvcc/vsctool.py
-+++ b/lib/libvcc/vsctool.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python3
-+#!/usr/bin/python3
- # -*- encoding: utf-8 -*-
- #
- # Copyright (c) 2017 Varnish Software AS
 diff --git a/wflags.py b/wflags.py
 index 9e9e4e9..90605a2 100644
 --- a/wflags.py
diff --git a/varnish-7.0.1.tgz b/varnish-7.4.1.tgz
similarity index 34%
rename from varnish-7.0.1.tgz
rename to varnish-7.4.1.tgz
index 5fb6398c92aaecea021d15542d74f3a0431cebf0..afee1673e2c93b60b3b0f2a621aaa7c671c5f720 100644
Binary files a/varnish-7.0.1.tgz and b/varnish-7.4.1.tgz differ
diff --git a/varnish.spec b/varnish.spec
index 685bbdf9cc6f90a3aaf125cffa707a24d3fe5d7f..5d5a08004d0f9a763829c2073a9b3c534784ac41 100644
--- a/varnish.spec
+++ b/varnish.spec
@@ -1,7 +1,7 @@
 Name: varnish
 Summary: A web application accelerator
-Version: 7.0.1
-Release: 5
+Version: 7.4.1
+Release: 1
 License: BSD-2-Clause
 URL: https://www.varnish-cache.org/
 Source0: http://varnish-cache.org/_downloads/varnish-%{version}.tgz
@@ -10,10 +10,6 @@ Source0: http://varnish-cache.org/_downloads/varnish-%{version}.tgz
 Source1: https://github.com/varnishcache/pkg-varnish-cache/archive/0ad2f22629c4a368959c423a19e352c9c6c79682/pkg-varnish-cache-0ad2f22.tar.gz
 Patch0001: fix-varnish-devel-installation-failure.patch
 Patch0002: fix-varnish.service-reload-failed.patch
-##https://github.com/varnishcache/varnish-cache/commit/fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4
-Patch0003: CVE-2022-23959.patch
-Patch0004: CVE-2022-38150.patch
-Patch0005: CVE-2022-45060.patch
 BuildRequires: python3-sphinx python3-docutils pkgconfig make graphviz nghttp2 systemd-units
 BuildRequires: ncurses-devel pcre2-devel libedit-devel gcc
@@ -162,6 +158,9 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %{_mandir}/man7/*.7*
 %changelog
+* Tue Oct 10 2023 xu_ping <707078654@qq.com> - 7.4.1-1
+- Upgrade version to 7.4.1
+
 * Tue Nov 22 2022 jiangpeng - 7.0.1-5
 - Fix CVE-2022-45060
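Review bot: The `@@ -10,10 +10,6 @@` hunk of varnish.spec drops Patch0003–Patch0005 (CVE-2022-23959, CVE-2022-38150, CVE-2022-45060), presumably because the 7.4.1 sources already carry those fixes, but nothing in the commit records that this was checked. The new changelog entry says only `- Upgrade version to 7.4.1`; once the three upstream changes are confirmed present in the 7.4.1 tree, I would add a line such as `- Drop CVE-2022-23959, CVE-2022-38150 and CVE-2022-45060 patches, fixed upstream`. The replacement tarball appears here only as a binary rename, so its content cannot be reviewed from this diff; comparing its checksum against the upstream release before merging would close that gap.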