diff --git a/SOURCES/varnish-6.0.8.CVE-2022-23959.patch b/SOURCES/varnish-6.0.8.CVE-2022-23959.patch new file mode 100644 index 0000000..286aa7e --- /dev/null +++ b/SOURCES/varnish-6.0.8.CVE-2022-23959.patch @@ -0,0 +1,13 @@ +diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c +index 463b75b..f289db0 100644 +--- a/bin/varnishd/cache/cache_req_body.c ++++ b/bin/varnishd/cache/cache_req_body.c +@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req) + if (req->req_body_status == REQ_BODY_WITH_LEN || + req->req_body_status == REQ_BODY_WITHOUT_LEN) + (void)VRB_Iterate(req, httpq_req_body_discard, NULL); ++ if (req->req_body_status == REQ_BODY_FAIL) ++ req->doclose = SC_RX_BODY; + return(0); + } + diff --git a/SOURCES/varnish.scl.patch b/SOURCES/varnish.scl.patch index 7eff528..2ece91d 100644 --- a/SOURCES/varnish.scl.patch +++ b/SOURCES/varnish.scl.patch @@ -134,3 +134,16 @@ diff -uap varnish-5.1.3/redhat/varnish.service.scl varnish-5.1.3/redhat/varnish. [Install] WantedBy=multi-user.target - +diff --git a/configure.ac b/configure.ac +index d47beaf..97e47ba 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -325,7 +325,7 @@ AC_ARG_WITH([jemalloc], + case $target in + *-*-linux*) + if test "x$with_jemalloc" != xno; then +- AC_CHECK_LIB([jemalloc], [malloc_conf], ++ AC_CHECK_LIB([rh-varnish6jemalloc], [malloc_conf], + [JEMALLOC_LDADD="-ljemalloc"], + [AC_MSG_WARN([No system jemalloc found, using system malloc])]) + fi diff --git a/SPECS/varnish.spec b/SPECS/varnish.spec index 4ed0c70..83a4081 100644 --- a/SPECS/varnish.spec +++ b/SPECS/varnish.spec @@ -21,7 +21,7 @@ Summary: High-performance HTTP accelerator Name: %{?scl:%scl_prefix}varnish Version: 6.0.8 -Release: 2%{?dist} +Release: 2%{?dist}.1 License: BSD Group: System Environment/Daemons URL: http://www.varnish-cache.org/ @@ -32,6 +32,7 @@ Patch0: varnish.scl.patch Patch1: varnish-4.1.0.fix_find-provides.patch Patch2: varnish-6.0.2.fix_ld_library_path_in_doc_build.patch Patch3: varnish-6.0.8-use-python2.patch +Patch4: varnish-6.0.8.CVE-2022-23959.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -147,6 +148,8 @@ ln -s pkg-varnish-cache-%{commit1}/debian debian %patch1 -p0 %patch2 -p1 %patch3 -p1 +%patch4 -p1 + sed -i 's/varnishabi-/%{name}-varnishabi-/g' redhat/find-provides @@ -170,13 +173,12 @@ export RST2MAN=/bin/true export AM_LT_LDFLAGS="-release %{scl}" -autoreconf -i - for f in configure configure.ac; do sed -i 's|ljemalloc|l%{scl}jemalloc|g' $f sed -i '/^VARNISH_STATE_DIR=/s,varnish,%{name},' $f done +autoreconf -i %configure --disable-static \ %ifarch aarch64 --with-jemalloc=no \ @@ -492,10 +494,14 @@ fi %endif %changelog +* Mon May 16 2022 Luboš Uhliarik - 6.0.8-2.1 +- Resolves: #2081576 - CVE-2022-23959 rh-varnish6-varnish: varnish: HTTP/1 + request smuggling vulnerability + * Thu Jul 22 2021 Luboš Uhliarik - 6.0.8-2 - new version 6.0.8 -- Resolves: #1982865 - CVE-2021-36740 rh-varnish6: varnish: HTTP/2 request - smuggling attack via a large Content-Length header for a POST request +- Resolves: #1982864 - CVE-2021-36740 rh-varnish6-varnish: varnish: HTTP/2 + request smuggling attack via a large Content-Length header for a POST request * Thu Apr 02 2020 Lubos Uhliarik - 6.0.6-1 - update to Varnish 6.0.6