Changelog for varnish-7.5.0-14.6.x86_64.rpm:

* Tue Mar 26 2024 Jan Engelhardt - Update to release 7.5.0
* Resolved CVE-2023-44487, CVE-2024-30156 [boo#1221942]
* The default value of cli_limit has been increased from 48KB to 64KB.
* A new ``pipe_task_deadline`` directive specifies the maximum duration of a pipe transaction.
* All the timeout parameters that can be disabled accept the "never" value.
* Added parameters to control the HTTP/2 Rapid Reset attack.
* Tue Feb 06 2024 Arjen de Korte - Use sysuser-tools to generate varnish user
* Fri Dec 01 2023 Dirk Müller - update to 7.4.2 (bsc#1216123, CVE-2023-44487):
* The ``vcl_req_reset`` feature (controllable through the ``feature`` parameter, see `varnishd(1)`) has been added and enabled by default to terminate client side VCL processing early when the client is gone. ``req_reset`` events trigger a VCL failure and are reported to `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` in `vsc` as visible through ``varnishstat(1)``. In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). Note that ``req_reset`` events may lead to client tasks for which no VCL is called ever. Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records.
* Added mitigation options and visibility for HTTP/2 "rapid reset" attacks. Global rate limit controls have been added as parameters, which can be overridden per HTTP/2 session from VCL using the new vmod ``h2``:
* The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function define a threshold duration for an ``RST_STREAM`` to be classified as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this duration after a ``HEADERS`` frame, it is accounted against the rate limit described below.
* The ``h2_rapid_reset_limit`` parameter and ``h2.rapid_reset_limit()`` function define how many "rapid" resets may be received during the time span defined by the ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` function before the HTTP/2 connection is forcibly closed with a ``GOAWAY`` and all ongoing VCL client tasks of the connection are aborted. The defaults are 100 and 60 seconds, corresponding to an allowance of 100 "rapid" resets per minute.
* The ``h2.rapid_reset_budget()`` function can be used to query the number of currently allowed "rapid" resets.
* Sessions closed due to rapid reset rate limiting are reported as ``SessClose RAPID_RESET`` in `vsl(7)` and accounted to ``main.sc_rapid_reset`` in `vsc` as visible through ``varnishstat(1)``.
* The ``cli_limit`` parameter default has been increased from 48KB to 64KB.
* ``VSUB_closefrom()`` now falls back to the base implementation not only if ``close_range()`` was determined to be unusable at compile time, but also at run time. That is to say, even if ``close_range()`` is compiled in, the fallback to the naive implementation remains.
* Thu Sep 21 2023 Jan Engelhardt - Update to release 7.4.1
* Response status codes other than 200 and 204 are now considered errors for ESI fragments.
* Support for abstract AF_LOCAL sockets.
* HTTP/2 header field validation is now more strict with respect to allowed characters.
* VCL tracing now needs to be explicitly activated by setting the req.trace or bereq.trace VCL variables.
* Wed Nov 09 2022 Jan Engelhardt - Update to release 7.2.1
* Attempts to mark well-known headers like Content-Length and Host hop-by-hop through a Connection-header will now cause a 400 "Bad request" response. (VSV00010, CVE-2022-45059, boo#1205243)
* Apply the same character set rules to HTTP/2 pseudo-headers as is done on the corresponding HTTP/1 request-line field parsing. (VSV00011, CVE-2022-45060, boo#1205242)
* Sat Oct 29 2022 Dirk Müller - update to 7.2.0:
* Functions ``VRT_AddVDP()``, ``VRT_AddVFP()``, ``VRT_RemoveVDP()`` and ``VRT_RemoveVFP()`` are deprecated.
* Cookie headers generated by vmod_cookie no longer have a spurious trailing semicolon at the end of the string. This could break VCL relying on the previous incorrect behavior.
* The ``SessClose`` and ``BackendClose`` reason ``rx_body``, which previously output ``Failure receiving req.body``, has been rewritten to ``Failure receiving body``.
* Prototypical Varnish Extensions (VEXT). Similar to VMODs, a VEXT is loaded by the cache process. Unlike VMODs that have the combined lifetime of all the VCLs that reference them, a VEXT has the lifetime of the cache process itself. There are no built-in extensions so far.
* Duration parameters can optionally take a unit, with the same syntax as duration units in VCL.
* Calls to ``VRT_CacheReqBody()`` and ``std.cache_req_body`` from outside client vcl subs now fail properly instead of triggering an assertion failure.
* New "B" string for the package branch in ``VCS_String()``. For the 7.2.0 version, it would yield the 7.2 branch.
* The new ``vcc_feature`` bits parameter replaces previous ``vcc_*`` boolean parameters. The latter still exist as deprecated aliases.
* The ``-k`` option from ``varnishlog`` is now supported by ``varnishncsa``.
* New functions ``std.now()`` and ``std.timed_call()`` in vmod_std.
* New ``MAIN.shm_bytes`` counter.
* A ``req.http.via`` header is set before entering ``vcl_recv``. Via headers are generated using the ``server.identity`` value. It defaults to the host name and can be turned into a pseudonym with the ``varnishd -i`` option. Via headers are appended in both directions, to work with other hops that may advertise themselves.
* A ``resp.http.via`` header is no longer overwritten by varnish, but rather appended to.
* The ``server.identity`` syntax is now limited to a \"token\" as defined in the HTTP grammar to be suitable for Via headers.
* In ``varnishtest`` a Varnish instance will use its VTC instance name as its instance name (``varnishd -i``) by default for predictable Via headers in test cases.
* VMOD and VEXT authors can use functions from ``vnum.h``.
* Do not filter pseudo-headers as regular headers.
* The termination rules for ``WRK_BgThread()`` were relaxed to allow VMODs to use it.
* ``(struct worker).handling`` has been moved to the newly introduced ``struct wrk_vpi`` and replaced by a pointer to it, as well as ``(struct vrt_ctx).handling`` has been replaced by that pointer. ``struct wrk_vpi`` is for state at the interface between VRT and VGC and, in particular, is not const as ``struct vrt_ctx`` aka ``VRT_CTX``.
* Panics now contain information about VCL source files and lines.
* The ``Begin`` log record has a 4th field for subtasks like ESI sub-requests.
* The ``-E`` option for log utilities now works as documented, with any type of sub-task based on the ``Begin[4]`` field. This covers ESI like before, and sub-tasks spawned by VMODs (provided that they log the new field).
* No more ``req.http.transfer-encoding`` for ESI sub-requests.
* The thread pool reserve is now limited to tasks that can be queued. A backend background fetch is no longer eligible for queueing. It would otherwise slow a grace hit down significantly when thread pools are saturated.
* The unused ``fetch_no_thread`` counter was renamed to ``bgfetch_no_thread`` because regular backend fetch tasks are always scheduled.
* The macros ``FEATURE()``, ``EXPERIMENT()``, ``DO_DEBUG()``, ``MGT_FEATURE()``, ``MGT_EXPERIMENT()``, ``MGT_DO_DEBUG()`` and ``MGT_VCC_FEATURE()`` now return a boolean value (``0`` or ``1``) instead of the (private) flag value.
* A regression in the transport code led MAIN.client_req to be incremented for requests coming back from the waiting list, it was fixed.
* Delete varnish-5.1.2-add-fallthrough-comments.patch
* Wed Sep 21 2022 Bernhard Wiedemann - Make reload fail nicely on vcl syntax error
* Set TasksMax=16384 because default thread_pool_max is 5000
* Mon Sep 19 2022 Bernhard Wiedemann - Fix varnish.service stop
* Sun Sep 18 2022 Bernhard Wiedemann - Fix logrotate
* Add service reload
* Fri Aug 12 2022 Jan Engelhardt - Update to release 7.1.1 [boo#1202350] [CVE-2022-38150]
* Resolve a denial of service attack involving reason phrases.
* Mon May 16 2022 Jan Engelhardt - Update to release 7.1.0 [boo#1195188] [CVE-2022-23959]
* VCL: It is now possible to assign a BLOB value to a BODY variable, in addition to STRING as before.
* VMOD: New STRING strftime(TIME time, STRING format) function for UTC formatting.
* Wed Dec 01 2021 Johannes Segitz - Added hardening to systemd service(s) (bsc#1181400). Modified:
* varnish.service
* varnishlog.service
* Fri Aug 06 2021 Jan Engelhardt - Update to release 6.6.1
* Fix an HTTP/2.0 request smuggling vulnerability. [bnc#1188470]
* Sun Jul 04 2021 Dirk Müller - update to 6.6.0:
* The ban_cutoff parameter now refers to the overall length of the ban list, including completed bans, where before only non-completed (“active”) bans were counted towards ban_cutoff.
* Body bytes accounting has been fixed to always represent the number of body bytes moved on the wire, exclusive of protocol-specific overhead like HTTP/1 chunked encoding or HTTP/2 framing.
* The connection close reason has been fixed to properly report SC_RESP_CLOSE where previously only SC_REQ_CLOSE was reported.
* Unless the new validate_headers feature is disabled, all newly set headers are now validated to contain only characters allowed by RFC7230.
* The filter_re, keep_re and get_re functions from the bundled cookie vmod have been changed to take the VCL_REGEX type. This implies that their regular expression arguments now need to be literal, not e.g. string.
* The interface for private pointers in VMODs has been changed, the VRT backend interface has been changed, many filter (VDP/VFP) related signatures have been changed, and the stevedore API has been changed. (Details thereto, see online changelog.)