diff --git a/CVE-2022-23959.patch b/CVE-2022-23959.patch deleted file mode 100644 index bf73e0685404402527fea5be56edbf609092c8c8..0000000000000000000000000000000000000000 --- a/CVE-2022-23959.patch +++ /dev/null @@ -1,28 +0,0 @@ -From fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4 Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Fri, 17 Dec 2021 22:10:16 +0100 -Subject: [PATCH] Mark req doclose when failing to ignore req body - -Previously we would ignore errors to iterate the request body into -oblivion in VRB_Ignore(), keeping the connection open. This opens an -out-of-sync vulnerability on H/1 connections. - -This patch tests the status of the request body in VRB_Ignore(), marking -the request failed and that it should be closed on errors. ---- - bin/varnishd/cache/cache_req_body.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c -index 6391f928d6..5ffd08b77d 100644 ---- a/bin/varnishd/cache/cache_req_body.c -+++ b/bin/varnishd/cache/cache_req_body.c -@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req) - if (req->req_body_status->avail > 0) - (void)VRB_Iterate(req->wrk, req->vsl, req, - httpq_req_body_discard, NULL); -+ if (req->req_body_status == BS_ERROR) -+ req->doclose = SC_RX_BODY; - return (0); - } - diff --git a/CVE-2022-38150.patch b/CVE-2022-38150.patch deleted file mode 100644 index f7c6dd49c636ec48ea7ef15166a670ae3b30bcab..0000000000000000000000000000000000000000 --- a/CVE-2022-38150.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From c5fd097e5cce8b461c6443af02b3448baef2491d Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Thu, 4 Aug 2022 10:59:33 +0200 -Subject: [PATCH] Do not call http_hdr_flags() on pseudo-headers - -In http_EstimateWS(), all headers are passed to the http_isfiltered() -function to calculate how many bytes is needed to serialize the entire -struct http. http_isfiltered() will check the headers for whether they are -going to be filtered out later and if so skip them. - -However http_isfiltered() would attempt to treat all elements of struct -http as regular headers with an implicit structure. That does not hold for -the first three pseudo-header entries, which would lead to asserts in -later steps. - -This patch skips the filter step for pseudo-headers. - -Fixes: #3830 ---- - bin/varnishd/cache/cache_http.c | 2 ++ - bin/varnishtest/tests/r03830.vtc | 29 +++++++++++++++++++++++++++++ - 2 files changed, 31 insertions(+) - create mode 100644 bin/varnishtest/tests/r03830.vtc - -diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c -index ed15e07f9e..d48c0bb366 100644 ---- a/bin/varnishd/cache/cache_http.c -+++ b/bin/varnishd/cache/cache_http.c -@@ -1147,6 +1147,8 @@ http_isfiltered(const struct http *fm, unsigned u, unsigned how) - - if (fm->hdf[u] & HDF_FILTER) - return (1); -+ if (u < HTTP_HDR_FIRST) -+ return (0); - e = strchr(fm->hd[u].b, ':'); - if (e == NULL) - return (0); -diff --git a/bin/varnishtest/tests/r03830.vtc b/bin/varnishtest/tests/r03830.vtc -new file mode 100644 -index 0000000000..5155981923 ---- /dev/null -+++ b/bin/varnishtest/tests/r03830.vtc -@@ -0,0 +1,29 @@ -+varnishtest "3830: Do not call http_hdr_flags() on pseudo-headers" -+ -+server s1 { -+ rxreq -+ txresp -reason ":x" -+ -+ rxreq -+ txresp -+} -start -+ -+varnish v1 -vcl+backend { -+ sub vcl_recv { -+ return (hash); -+ } -+} -start -+ -+client c1 { -+ txreq -+ rxresp -+ expect resp.status == 200 -+} -run -+ -+client c2 { -+ txreq -url :x 
-method :x -+ rxresp -+ expect resp.status == 200 -+} -run -+ -+varnish v1 -vsl_catchup diff --git a/CVE-2022-45059-pre.patch b/CVE-2022-45059-pre.patch deleted file mode 100644 index 55159463d6588ecfca5352d29e221c1d350baeee..0000000000000000000000000000000000000000 --- a/CVE-2022-45059-pre.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 0fb3baff7963604a55be0ed6ebdf1e4654ead219 Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Thu, 4 Aug 2022 11:04:37 +0200 -Subject: [PATCH] Clean up assertions in http_hdr_flags() - -Origin: https://github.com/varnishcache/varnish-cache/commit/0fb3baff7963604a55be0ed6ebdf1e4654ead219 - -The input argument assertions and checks in http_hdr_flags() were -misleading and lacking. With this patch it returns (NULL) on either input -being NULL, and also when called with an empty string instead of -asserting. ---- - bin/varnishd/cache/cache_http.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c -index 3f5ee0384a..194055c3ca 100644 ---- a/bin/varnishd/cache/cache_http.c -+++ b/bin/varnishd/cache/cache_http.c -@@ -140,9 +140,9 @@ http_hdr_flags(const char *b, const char *e) - unsigned u; - struct http_hdrflg *retval; - -- if (e == NULL) -- return(NULL); -- assert(e > b); -+ if (b == NULL || e == NULL) -+ return (NULL); -+ assert(b <= e); - u = (unsigned)(e - b); - assert(b + u == e); - if (u < 2 || u > 19) // MIN_WORD_LENGTH & MAX_WORD_LENGTH diff --git a/CVE-2022-45059.patch b/CVE-2022-45059.patch deleted file mode 100644 index d89059fceeff3d6ed7af007864454a2e8ac0bd55..0000000000000000000000000000000000000000 --- a/CVE-2022-45059.patch +++ /dev/null 
@@ -1,241 +0,0 @@ -From fcf5722af75fdbf58dd425dd68d0beaa49bab4f4 Mon Sep 17 00:00:00 2001 -From: Martin Blix Grydeland -Date: Thu, 29 Sep 2022 14:38:05 +0200 -Subject: [PATCH] Add all well-known headers to the perfect hash lookup table - -Origin: https://github.com/varnishcache/varnish-cache/commit/fcf5722af75fdbf58dd425dd68d0beaa49bab4f4 - -This expands the perfect hash lookup table to be able to match any entry -in the list of well-known headers from tbl/http_headers.h. - -Previously only the headers that had a non-zero filter flag section was -kept in the fast match table. - -Fixes: VSV00010 ---- - bin/varnishd/cache/cache_http.c | 148 +++++++++++++++++++------------ - bin/varnishtest/tests/f00010.vtc | 19 ++++ - 2 files changed, 112 insertions(+), 55 deletions(-) - create mode 100644 bin/varnishtest/tests/f00010.vtc - -diff --git a/bin/varnishd/cache/cache_http.c b/bin/varnishd/cache/cache_http.c -index 194055c3ca..827197dedf 100644 ---- a/bin/varnishd/cache/cache_http.c -+++ b/bin/varnishd/cache/cache_http.c -@@ -65,73 +65,113 @@ const char H__Reason[] = "\010:reason:"; - * A suitable algorithm can be found with `gperf`: - * - * tr '" ,' ' ' < include/tbl/http_headers.h | -- * awk '$1 == "H(" && $4 != "0" {print$2}' | -+ * awk '$1 == "H(" {print $2}' | - * gperf --ignore-case - * - */ - -+#define GPERF_MIN_WORD_LENGTH 2 -+#define GPERF_MAX_WORD_LENGTH 19 -+#define GPERF_MAX_HASH_VALUE 79 -+ - static const unsigned char http_asso_values[256] = { -- 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, -- 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, -- 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, -- 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, -- 39, 39, 39, 39, 39, 25, 39, 0, 20, 5, 39, 39, 39, 15, 0, 39, -- 10, 39, 0, 39, 15, 10, 39, 39, 0, 39, 39, 39, 39, 39, 39, 39, -- 39, 39, 39, 39, 39, 25, 39, 0, 20, 5, 39, 39, 39, 15, 0, 39, -- 10, 39, 0, 39, 15, 10, 39, 39, 0, 39, 39, 39, 39, 39, 39, 39, 
-- 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, -- 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, -- 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, -- 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, -- 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, -- 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, -- 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, -- 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39, 39 -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 0, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 5, 80, 20, 0, 0, -+ 5, 10, 5, 5, 80, 0, 15, 0, 20, 80, -+ 40, 80, 0, 35, 10, 20, 55, 45, 0, 0, -+ 80, 80, 80, 80, 80, 80, 80, 5, 80, 20, -+ 0, 0, 5, 10, 5, 5, 80, 0, 15, 0, -+ 20, 80, 40, 80, 0, 35, 10, 20, 55, 45, -+ 0, 0, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80, 80, 80, 80, 80, -+ 80, 80, 80, 80, 80, 80 - }; - - static struct http_hdrflg { - char *hdr; - unsigned flag; --} http_hdrflg[38 + 1] = { // MAX_HASH_VALUE -- { NULL }, -- { NULL }, -- { H_TE }, -- { H_Age }, -- { NULL }, -+} http_hdrflg[GPERF_MAX_HASH_VALUE + 1] = { -+ { NULL }, { NULL }, { NULL }, { NULL }, -+ { H_Date }, - { H_Range }, - { NULL }, -- { H_Upgrade }, -+ { H_Referer }, -+ { H_Age }, -+ { H_From }, -+ { 
H_Keep_Alive }, -+ { H_Retry_After }, -+ { H_TE }, - { H_If_Range }, -- { NULL }, -- { H_Connection }, -- { NULL }, -+ { H_ETag }, -+ { H_X_Forwarded_For }, -+ { H_Expect }, - { H_Trailer }, -- { H_If_None_Match }, -- { NULL }, -- { NULL }, -- { NULL }, -- { H_Transfer_Encoding }, -- { H_Proxy_Authenticate }, -- { H_Proxy_Authorization }, -- { H_Keep_Alive }, -- { NULL }, -- { NULL }, - { H_If_Match }, -- { H_HTTP2_Settings }, -- { NULL }, -- { NULL }, -- { NULL }, -- { H_Content_Range }, -+ { H_Host }, -+ { H_Accept_Language }, -+ { H_Accept }, -+ { H_If_Modified_Since }, -+ { H_If_None_Match }, - { H_If_Unmodified_Since }, - { NULL }, -+ { H_Cookie }, -+ { H_Upgrade }, -+ { H_Last_Modified }, -+ { H_Accept_Charset }, -+ { H_Accept_Encoding }, -+ { H_Content_MD5 }, -+ { H_Content_Type }, -+ { H_Content_Range }, -+ { NULL }, { NULL }, -+ { H_Content_Language }, -+ { H_Transfer_Encoding }, -+ { H_Authorization }, -+ { H_Content_Length }, -+ { H_User_Agent }, -+ { H_Server }, -+ { H_Expires }, -+ { H_Location }, - { NULL }, -- { H_If_Modified_Since }, -+ { H_Set_Cookie }, -+ { H_Content_Encoding }, -+ { H_Max_Forwards }, - { H_Cache_Control }, - { NULL }, -+ { H_Connection }, -+ { H_Pragma }, - { NULL }, -+ { H_Accept_Ranges }, -+ { H_HTTP2_Settings }, -+ { H_Allow }, -+ { H_Content_Location }, - { NULL }, -+ { H_Proxy_Authenticate }, -+ { H_Vary }, - { NULL }, -- { H_Accept_Ranges } -+ { H_WWW_Authenticate }, -+ { H_Warning }, -+ { H_Via }, -+ { NULL }, { NULL }, { NULL }, { NULL }, -+ { NULL }, { NULL }, { NULL }, { NULL }, -+ { NULL }, { NULL }, { NULL }, { NULL }, -+ { NULL }, { NULL }, { NULL }, -+ { H_Proxy_Authorization } - }; - - static struct http_hdrflg * -@@ -145,12 +185,12 @@ http_hdr_flags(const char *b, const char *e) - assert(b <= e); - u = (unsigned)(e - b); - assert(b + u == e); -- if (u < 2 || u > 19) // MIN_WORD_LENGTH & MAX_WORD_LENGTH -- return(NULL); -- if (u > 3) -- u += http_asso_values[((const uint8_t*)b)[3]]; -- if (u > 38) // MAX_HASH_VALUE 
-- return(NULL); -+ if (u < GPERF_MIN_WORD_LENGTH || u > GPERF_MAX_WORD_LENGTH) -+ return (NULL); -+ u += http_asso_values[((const uint8_t *)b)[u - 1]] + -+ http_asso_values[((const uint8_t *)b)[0]]; -+ if (u > GPERF_MAX_HASH_VALUE) -+ return (NULL); - retval = &http_hdrflg[u]; - if (retval->hdr == NULL) - return(NULL); -@@ -168,11 +208,9 @@ http_init_hdr(char *hdr, int flg) - - hdr[0] = strlen(hdr + 1); - f = http_hdr_flags(hdr + 1, hdr + hdr[0]); -- if (flg) { -- AN(f); -- assert(f->hdr == hdr); -- f->flag = flg; -- } -+ AN(f); -+ assert(f->hdr == hdr); -+ f->flag = flg; - } - - void -diff --git a/bin/varnishtest/tests/f00010.vtc b/bin/varnishtest/tests/f00010.vtc -new file mode 100644 -index 0000000000..b381b5cf37 ---- /dev/null -+++ b/bin/varnishtest/tests/f00010.vtc -@@ -0,0 +1,19 @@ -+varnishtest "Do not allow critical headers to be marked hop-by-hop" -+ -+varnish v1 -vcl { -+ backend default none; -+} -start -+ -+client c1 { -+ txreq -hdr "Connection: Content-Length" -body "asdf" -+ rxresp -+ expect resp.status == 400 -+ expect_close -+} -run -+ -+client c2 { -+ txreq -hdr "Connection: Host" -+ rxresp -+ expect resp.status == 400 -+ expect_close -+} -run diff --git a/CVE-2022-45060.patch b/CVE-2022-45060.patch deleted file mode 100644 index 701c787872ba7feeb7dd7aa215af3191e1c84bea..0000000000000000000000000000000000000000 --- a/CVE-2022-45060.patch +++ /dev/null 
@@ -1,207 +0,0 @@ -From 515a93df894430767073ccd8265497b6b25b54b5 Mon Sep 17 00:00:00 2001 -From: Asad Sajjad Ahmed -Date: Fri, 30 Sep 2022 14:42:53 +0200 -Subject: [PATCH] hpack: fix pseudo-headers handling - -We should apply the same restrictions on the list of allowed characters inside -H/2 pseudo-headers as we do for H/1. This error is translated into the -headers we send to a backend over H/1. - -Failure to do so could permit various exploits against a backend not handling -malformed H/1 requests. - -Signed-off-by: Asad Sajjad Ahmed ---- - bin/varnishd/http2/cache_http2_hpack.c | 35 +++++++++++++++++++ - bin/varnishtest/tests/t02023.vtc | 48 ++++++++++++++++++++++++++ - bin/varnishtest/tests/t02024.vtc | 48 ++++++++++++++++++++++++++ - 3 files changed, 131 insertions(+) - create mode 100644 bin/varnishtest/tests/t02023.vtc - create mode 100644 bin/varnishtest/tests/t02024.vtc - -diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c -index 6e67b55c50..f58788b126 100644 ---- a/bin/varnishd/http2/cache_http2_hpack.c -+++ b/bin/varnishd/http2/cache_http2_hpack.c -@@ -96,13 +96,18 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) - { - /* XXX: This might belong in cache/cache_http.c */ - const char *b0; -+ int disallow_empty; - unsigned n; -+ char *p; -+ int i; - - CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC); - AN(b); - assert(namelen >= 2); /* 2 chars from the ': ' that we added */ - assert(namelen <= len); - -+ disallow_empty = 0; -+ - if (len > UINT_MAX) { /* XXX: cache_param max header size */ - VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b); - return (H2SE_ENHANCE_YOUR_CALM); -@@ -117,10 +122,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) - b += namelen; - len -= namelen; - n = HTTP_HDR_METHOD; -+ disallow_empty = 1; -+ -+ /* First field cannot contain SP or CTL */ -+ for (p = b, i = 0; i < len; p++, i++) { -+ if (vct_issp(*p) || vct_isctl(*p)) -+ return (H2SE_PROTOCOL_ERROR); 
-+ } - } else if (!strncmp(b, ":path: ", namelen)) { - b += namelen; - len -= namelen; - n = HTTP_HDR_URL; -+ disallow_empty = 1; -+ -+ /* Second field cannot contain LWS or CTL */ -+ for (p = b, i = 0; i < len; p++, i++) { -+ if (vct_islws(*p) || vct_isctl(*p)) -+ return (H2SE_PROTOCOL_ERROR); -+ } - } else if (!strncmp(b, ":scheme: ", namelen)) { - /* XXX: What to do about this one? (typically - "http" or "https"). For now set it as a normal -@@ -128,6 +147,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) - b++; - len-=1; - n = hp->nhd; -+ -+ for (p = b + namelen, i = 0; i < len-namelen; -+ p++, i++) { -+ if (vct_issp(*p) || vct_isctl(*p)) -+ return (H2SE_PROTOCOL_ERROR); -+ } -+ -+ if (!i) -+ return (H2SE_PROTOCOL_ERROR); - } else if (!strncmp(b, ":authority: ", namelen)) { - b+=6; - len-=6; -@@ -164,6 +192,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len) - hp->hd[n].b = b; - hp->hd[n].e = b + len; - -+ if (disallow_empty && !Tlen(hp->hd[n])) { -+ VSLb(hp->vsl, SLT_BogoHeader, -+ "Empty pseudo-header %.*s", -+ (int)namelen, b0); -+ return (H2SE_PROTOCOL_ERROR); -+ } -+ - return (0); - } - -diff --git a/bin/varnishtest/tests/t02023.vtc b/bin/varnishtest/tests/t02023.vtc -new file mode 100644 -index 0000000000..cfd843da3e ---- /dev/null -+++ b/bin/varnishtest/tests/t02023.vtc -@@ -0,0 +1,48 @@ -+varnishtest "Empty pseudo-headers" -+ -+server s1 { -+ rxreq -+ txresp -+} -start -+ -+varnish v1 -arg "-p feature=+http2" -vcl+backend { -+} -start -+ -+client c1 { -+ txreq -url "" -+ rxresp -+ expect resp.status == 400 -+} -run -+ -+client c1 { -+ txreq -req "" -+ rxresp -+ expect resp.status == 400 -+} -run -+ -+client c1 { -+ txreq -proto "" -+ rxresp -+ expect resp.status == 400 -+} -run -+ -+client c1 { -+ stream 1 { -+ txreq -url "" -+ rxrst -+ } -run -+} -run -+ -+client c1 { -+ stream 1 { -+ txreq -scheme "" -+ rxrst -+ } -run -+} -run -+ -+client c1 { -+ stream 1 { -+ txreq -req "" -+ rxrst -+ } -run -+} -run -diff 
--git a/bin/varnishtest/tests/t02024.vtc b/bin/varnishtest/tests/t02024.vtc -new file mode 100644 -index 0000000000..0d0a1abc5d ---- /dev/null -+++ b/bin/varnishtest/tests/t02024.vtc -@@ -0,0 +1,48 @@ -+varnishtest "Garbage pseudo-headers" -+ -+server s1 { -+ rxreq -+ txresp -+} -start -+ -+varnish v1 -arg "-p feature=+http2" -vcl+backend { -+} -start -+ -+client c1 { -+ txreq -url " " -+ rxresp -+ expect resp.status == 400 -+} -run -+ -+client c1 { -+ txreq -req " " -+ rxresp -+ expect resp.status == 400 -+} -run -+ -+client c1 { -+ txreq -proto " " -+ rxresp -+ expect resp.status == 400 -+} -run -+ -+client c1 { -+ stream 1 { -+ txreq -url " " -+ rxrst -+ } -run -+} -run -+ -+client c1 { -+ stream 1 { -+ txreq -scheme " " -+ rxrst -+ } -run -+} -run -+ -+client c1 { -+ stream 1 { -+ txreq -req " " -+ rxrst -+ } -run -+} -run diff --git a/fix-varnish-devel-installation-failure.patch b/fix-varnish-devel-installation-failure.patch index a125e9921aac36888e8a1f1005cdb7dc0835573b..93f99e3a2d3bf004bd8c05d128a87e46c060f660 100644 --- a/fix-varnish-devel-installation-failure.patch +++ b/fix-varnish-devel-installation-failure.patch @@ -63,16 +63,6 @@ index 0eb77c5..6b3af4d 100755 # # Copyright (c) 2010-2016 Varnish Software # All rights reserved. -diff --git a/lib/libvcc/vsctool.py b/lib/libvcc/vsctool.py -index 9df1dc4..82c8f33 100755 ---- a/lib/libvcc/vsctool.py -+++ b/lib/libvcc/vsctool.py -@@ -1,4 +1,4 @@ --#!/usr/bin/env python3 -+#!/usr/bin/python3 - # -*- encoding: utf-8 -*- - # - # Copyright (c) 2017 Varnish Software AS diff --git a/wflags.py b/wflags.py index 9e9e4e9..90605a2 100644 --- a/wflags.py diff --git a/varnish-7.0.1.tgz b/varnish-7.4.2.tgz similarity index 33% rename from varnish-7.0.1.tgz rename to varnish-7.4.2.tgz index 5fb6398c92aaecea021d15542d74f3a0431cebf0..88bf949bf1816249d3cbc1a86700ae6ba19cb3d2 100644 Binary files a/varnish-7.0.1.tgz and b/varnish-7.4.2.tgz differ 
diff --git a/varnish.spec b/varnish.spec
index 9feec7b830e020c916739df40a178da299d38d28..f0276139387cd9d5cbf6277b49371866c8c8a9a1 100644
--- a/varnish.spec
+++ b/varnish.spec
@@ -2,22 +2,16 @@ Name: varnish
 Summary: A web application accelerator
-Version: 7.0.1
-Release: 9
-License: BSD
+Version: 7.4.2
+Release: 1
+License: BSD-2-Clause
 URL: https://www.varnish-cache.org/
 Source0: http://varnish-cache.org/_downloads/varnish-%{version}.tgz
 # https://github.com/varnishcache/pkg-varnish-cache
 Source1: https://github.com/varnishcache/pkg-varnish-cache/archive/0ad2f22629c4a368959c423a19e352c9c6c79682/pkg-varnish-cache-0ad2f22.tar.gz
 Patch0001: fix-varnish-devel-installation-failure.patch
-#https://github.com/varnishcache/varnish-cache/commit/fceaefd4d59a3b5d5a4903a3f420e35eb430d0d4
-Patch0002: CVE-2022-23959.patch
-Patch0003: CVE-2022-38150.patch
-Patch0004: CVE-2022-45060.patch
-Patch0005: fix-varnish.service-reload-failed.patch
-Patch0006: CVE-2022-45059-pre.patch
-Patch0007: CVE-2022-45059.patch
+Patch0002: fix-varnish.service-reload-failed.patch
 BuildRequires: python3-sphinx python3-docutils pkgconfig make graphviz nghttp2 systemd-units
 BuildRequires: ncurses-devel pcre2-devel libedit-devel gcc
@@ -104,7 +98,16 @@ install -D -m 0755 redhat/varnishreload %{buildroot}%{_sbindir}/varnishrel
 echo %{_libdir}/varnish > %{buildroot}%{_sysconfdir}/ld.so.conf.d/varnish-%{_arch}.conf
+# No idea why these ends up with mode 600 in the debug package
+%if 0%{debug_package}
+chmod 644 lib/libvmod_*/*.c
+chmod 644 lib/libvmod_*/*.h
+%endif
+
 %check
+%ifarch aarch64
+sed -i 's/48/128/g;' bin/varnishtest/tests/c00057.vtc
+%endif
 make %{?_smp_mflags} check LD_LIBRARY_PATH="%{buildroot}%{_libdir}:%{buildroot}%{_libdir}/%{name}" VERBOSE=1
 %pre
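Review bot: The five CVE backports removed from the Patch list here (CVE-2022-23959, CVE-2022-38150, CVE-2022-45060, CVE-2022-45059-pre, CVE-2022-45059) disappear together with the comment pointing at upstream commit fceaefd4, and nothing left in the spec records that the 7.4.2 tarball carries those fixes; the only trace is `Patch0005` becoming `Patch0002`. For anyone auditing this package that is the difference between a verified and an assumed CVE status, so I would replace the deleted URL comment with a note such as `# CVE-2022-23959/-38150/-45059/-45060 fixes are contained in upstream 7.4.2; the backports were dropped with the rebase`. The version string in the changelog hunk further down only names CVE-2023-44487, so the note belongs here where the patches were listed.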
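Review bot: The aarch64-only `sed -i 's/48/128/g;' bin/varnishtest/tests/c00057.vtc` in `%check` rewrites every `48` in the test file rather than one named parameter and gives no reason why this architecture needs a larger value, so the next tarball bump can silently mis-edit or stop matching the test. I would anchor the substitution to the line it targets and record the cause once it is known, e.g. `# c00057 fails on aarch64 with upstream's value (presumably larger page/stack granularity) - confirm and pin`. The `%if 0%{debug_package}` guard above it also deserves a check: where `%debug_package` expands to the multi-line debuginfo subpackage definition an `%if` cannot evaluate it and `%if 0%{?_enable_debug_packages}` is the usual test; this may be fine on the target rpm, but the comment `No idea why these ends up with mode 600` should at least state what is being worked around so the chmod can be removed when the cause is fixed.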
@@ -137,7 +140,8 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %config(noreplace) %{_sysconfdir}/varnish/default.vcl
 %config(noreplace) %{_sysconfdir}/logrotate.d/varnish
 %config %{_sysconfdir}/ld.so.conf.d/varnish-%{_arch}.conf
-
+%exclude /usr/lib/debug/*
+%exclude /usr/src/debug/*
 %{_unitdir}/varnish.service
 %{_unitdir}/varnishncsa.service
@@ -156,6 +160,9 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 %{_mandir}/man7/*.7*
 %changelog
+* Sat Feb 17 2024 wangkai <13474090681@163.com> - 7.4.2-1
+- Update to 7.4.2 for fix CVE-2023-44487
+
 * Tue Dec 12 2023 wangkai <13474090681@163.com> - 7.0.1-9
 - Fix CVE-2022-45059