Update Info

openSUSE-2025-179

Security update for varnish

Type: security
Severity: important
Issued: 2025-05-30
Description:
This update for varnish fixes the following issues:

- Update to release 7.7.1
  * VSV-16: Resolve request smuggling attack

- Update to release 7.7.0
  * The `linux` jail gained control of transparent huge pages
    settings.
  * An issue has been fixed which could cause a crash when varnishd
    receives an invalid Content-Range header from a backend.
  * Timestamping for HTTP/2 requests (when idle period begins) has
    been switched to be more in line with HTTP/1.
  * VSV-15: The client connection is now always closed when a
    malformed request is received. [CVE-2025-30346, boo#1239892]

- Update to release 7.6.0
  * The Varnish Delivery Processor (VDP) filter API has
    been generalized to also accommodate future use for
    backend request bodies.
  * VDPs with no vdp_bytes_f function are now supported if
    the vdp_init_f returns a value greater than zero to
    signify that the filter is not to be added to the
    chain. This is useful to support VDPs which only need
    to work on headers.
  * The epoll and kqueue waiters have been improved to
    correctly report WAITER_REMCLOSE, which increases the
    WAITER.*.remclose counter.
  * varnishtest now supports the shutdown command
    corresponding to the shutdown(2) standard C library
    call.
  * VSC counters for waiters have been added:
     * conns to count waits on idle connections
     * remclose to count idle connections closed by the peer
     * timeout to count idle connections which timed out in the waiter
     * action to count idle connections which resulted in a read
  * The port of a listen_endpoint given with the -a
    argument to varnishd can now also be a numerical port
    range like "80-89".
  * The warning "mlock() of VSM failed" message is now
    emitted when locking of shared memory segments (via
    mlock(2)) fails.
  * A bug has been fixed where string comparisons in VCL
    could fail with the nonsensical error message
    "Comparison of different types: STRING '==' STRING".
  * An issue has been addressed in the builtin.vcl where
    backend responses would fail if they contained a
    Content-Range header when no range was requested.
  * Additional SessError VSL events are now generated for
    various HTTP/2 protocol errors.
  * A new Linux jail has been added which is now the
    default on Linux. For now, it is almost identical to
    the Unix jail with one addition:
     * When the new Linux jail is used, the working directory
       is not mounted on a tmpfs partition.
  * A race condition with VCL temperature transitions has
    been addressed.
  * Internal management of probes has been reworked to
    address race conditions.
  * Backend tasks can now be instructed to queue if the
    backend has reached its max_connections.
  * The size of the buffer to hold panic messages is now
    tunable through the new panic_buffer parameter.
  * The Varnish Shared Memory (VSM) and Varnish Shared
    Counters (VSC) consumer implementation in libvarnishapi
    have been improved for stability and performance.
  * An issue has been fixed where Varnish Shared Log (VSL)
    queries (for example using ``varnishlog -q``) with
    numerical values would fail in unexpected ways due to
    truncation.
  * The ``ObjWaitExtend()`` Object API function gained a
    statep argument to optionally return the busy object
    state consistent with the current extension. A NULL
    value may be passed if the caller does not require it.
  * For backends using the ``.via`` attribute to connect
    through a proxy, the ``connect_timeout``,
    ``first_byte_timeout`` and ``between_bytes_timeout``
    attributes are now inherited from the proxy unless
    explicitly given.
  * varnishd now creates a worker_tmpdir which can be used
    by VMODs for temporary files. The VMOD developer
    documentation has details.
  * The environment variable VARNISH_DEFAULT_N now provides
    the default "varnish name" / "workdir" as otherwise
    specified by the ``-n`` argument to varnishd and
    varnish* utilities except varnishtest.
  * A glitch with TTL comparisons has been fixed which
    could, for example, lead to unexpected behavior with
    purge.soft().

- Update to release 7.5.0
  * Resolved CVE-2023-44487, CVE-2024-30156 [boo#1221942]
  * The default value of cli_limit has been increased from 48KB
    to 64KB.
  * A new ``pipe_task_deadline`` directive specifies the maximum
    duration of a pipe transaction.
  * All the timeout parameters that can be disabled accept the
    "never" value.
  * Added parameters to control the HTTP/2 Rapid Reset attack.

- Update to release 7.4.2 (boo#1216123, CVE-2023-44487):
  * The ``vcl_req_reset`` feature (controllable through the ``feature``
    parameter, see `varnishd(1)`) has been added and enabled by default
    to terminate client side VCL processing early when the client is
    gone.
    *req_reset* events trigger a VCL failure and are reported to
    `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
    in `vsc` as visible through ``varnishstat(1)``.
    In particular, this feature is used to reduce resource consumption
    of HTTP/2 "rapid reset" attacks (see below).
    Note that *req_reset* events may lead to client tasks for which no
    VCL is called ever. Presumably, this is thus the first time that
    valid `vcl(7)` client transactions may not contain any ``VCL_call``
    records.
  * Added mitigation options and visibility for HTTP/2 "rapid reset"
    attacks:
    Global rate limit controls have been added as parameters, which can
    be overridden per HTTP/2 session from VCL using the new vmod ``h2``:
    * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
      define a threshold duration for an ``RST_STREAM`` to be classified
      as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
      duration after a ``HEADERS`` frame, it is accounted against the
      rate limit described below.
    * The ``h2_rapid_reset_limit`` parameter and
      ``h2.rapid_reset_limit()`` function define how many "rapid" resets
      may be received during the time span defined by the
      ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
      function before the HTTP/2 connection is forcibly closed with a
      ``GOAWAY`` and all ongoing VCL client tasks of the connection are
      aborted.
      The defaults are 100 and 60 seconds, corresponding to an allowance
      of 100 "rapid" resets per minute.
    * The ``h2.rapid_reset_budget()`` function can be used to query the
      number of currently allowed "rapid" resets.
    * Sessions closed due to rapid reset rate limiting are reported as
      ``SessClose RAPID_RESET`` in `vsl(7)` and accounted to
      ``main.sc_rapid_reset`` in `vsc` as visible through
      ``varnishstat(1)``.
  * The ``cli_limit`` parameter default has been increased from 48KB to
    64KB.
  * ``VSUB_closefrom()`` now falls back to the base implementation not
    only if ``close_range()`` was determined to be unusable at compile
    time, but also at run time. That is to say, even if
    ``close_range()`` is compiled in, the fallback to the naive
    implementation remains.
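The rapid reset rate limit from the 7.4.2 entry above, modelled as an added example (not Varnish's own code): an ``RST_STREAM`` arriving sooner than ``h2_rapid_reset`` after its ``HEADERS`` counts as "rapid", and more than ``h2_rapid_reset_limit`` rapid resets inside a sliding ``h2_rapid_reset_period`` window would close the session with a ``GOAWAY``. The limit and period defaults are the 100 and 60 seconds stated above; the 1-second threshold, the sliding-window accounting and the event trace are assumptions constructed for this model.

```python
from collections import deque

# Limit and period defaults are the ones stated above; the 1s "rapid"
# threshold is an assumed value for this model (the page gives no default).
H2_RAPID_RESET, H2_RAPID_RESET_LIMIT, H2_RAPID_RESET_PERIOD = 1.0, 100, 60.0


class H2RapidResetLimiter:
    """Per-connection model: an RST_STREAM sooner than `rapid_reset` after its
    HEADERS is 'rapid'; more than `limit` rapid resets inside a sliding `period`
    window means the connection would be closed with a GOAWAY."""

    def __init__(self, rapid_reset=H2_RAPID_RESET,
                 limit=H2_RAPID_RESET_LIMIT, period=H2_RAPID_RESET_PERIOD):
        self.rapid_reset, self.limit, self.period = rapid_reset, limit, period
        self.headers_at = {}  # stream id -> time its HEADERS frame arrived
        self.rapid = deque()  # times of rapid resets still inside the window

    def _expire(self, now):
        while self.rapid and now - self.rapid[0] >= self.period:
            self.rapid.popleft()

    def on_rst_stream(self, stream_id, now):
        # Classify one RST_STREAM as 'normal', 'rapid' or 'goaway'.
        opened = self.headers_at.pop(stream_id, None)
        if opened is None or now - opened >= self.rapid_reset:
            return "normal"  # a legitimate, slow cancel costs nothing
        self._expire(now)
        if len(self.rapid) >= self.limit:
            return "goaway"  # varnishd logs this as SessClose RAPID_RESET
        self.rapid.append(now)
        return "rapid"

    def rapid_reset_budget(self, now):  # counterpart of h2.rapid_reset_budget()
        self._expire(now)
        return self.limit - len(self.rapid)

    def feed(self, events):
        """Consume time-ordered (time, frame, stream_id) triples; return the
        outcome of every RST_STREAM (a 'goaway' ends the real session)."""
        outcomes = []
        for now, frame, sid in events:
            if frame == "HEADERS":
                self.headers_at[sid] = now
            elif frame == "RST_STREAM":
                outcomes.append(self.on_rst_stream(sid, now))
        return outcomes


def flood(n, start=0.0, gap=0.001):
    """Constructed attack trace: n streams, each opened and reset gap/2 later."""
    return [ev for i in range(n) for ev in
            ((start + i * gap, "HEADERS", 1 + 2 * i),
             (start + i * gap + gap / 2, "RST_STREAM", 1 + 2 * i))]
```

Lowering ``limit`` or ``period`` in the constructor shows how the ``h2.rapid_reset_limit()`` / ``h2.rapid_reset_period()`` overrides would tighten the allowance for one session.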

Packages


  • varnish-7.7.1-bp156.2.3.1