From d316d99df84fb5cb103f0bfaf726538c038e2e4b Mon Sep 17 00:00:00 2001 From: Dridi Boukelmoune Date: Thu, 15 Jun 2023 19:45:53 +0200 Subject: [PATCH 1/5] vtc_varnish: Log h2 frames --- bin/varnishtest/vtc_varnish.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/varnishtest/vtc_varnish.c b/bin/varnishtest/vtc_varnish.c index f763fcce77b..ca596f19058 100644 --- a/bin/varnishtest/vtc_varnish.c +++ b/bin/varnishtest/vtc_varnish.c @@ -417,7 +417,7 @@ varnish_launch(struct varnish *v) VSB_cat(vsb, " -p syslog_cli_traffic=off"); VSB_cat(vsb, " -p thread_pool_min=10"); VSB_cat(vsb, " -p debug=+vtc_mode"); - VSB_cat(vsb, " -p vsl_mask=+Debug"); + VSB_cat(vsb, " -p vsl_mask=+Debug,+H2RxHdr,+H2RxBody"); VSB_cat(vsb, " -p h2_initial_window_size=1m"); VSB_cat(vsb, " -p h2_rx_window_low_water=64k"); if (!v->has_a_arg) { From d510a79b3c7bacbc6e61b3ea279de2ad91dc2c86 Mon Sep 17 00:00:00 2001 From: Dag Haavi Finstad Date: Tue, 7 Nov 2023 10:39:19 +0100 Subject: [PATCH 2/5] changes.rst: Add new heading --- doc/changes.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/changes.rst b/doc/changes.rst index 08e53512ea1..3f6397a8dd7 100644 --- a/doc/changes.rst +++ b/doc/changes.rst @@ -30,6 +30,10 @@ directory, also available in HTML format at http://varnish-cache.org/docs/trunk/whats-new/index.html and via individual releases. These documents are updated as part of the release process. +================================ +Varnish Cache 7.3.1 (2023-11-13) +================================ + ================================ Varnish Cache 7.3.0 (2023-03-15) From 8549176f0ddf48904ae8c920eca52586f111485a Mon Sep 17 00:00:00 2001 From: Nils Goroll Date: Wed, 18 Oct 2023 14:24:56 +0200 Subject: [PATCH 3/5] Changelog TLC Conflicts: doc/changes.rst --- doc/changes.rst | 91 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/doc/changes.rst b/doc/changes.rst index 3f6397a8dd7..bcf680fd821 100644 --- a/doc/changes.rst 
+++ b/doc/changes.rst 
@@ -30,10 +30,101 @@ directory, also available in HTML format at http://varnish-cache.org/docs/trunk/whats-new/index.html and via individual releases. These documents are updated as part of the release process. + ================================ Varnish Cache 7.3.1 (2023-11-13) ================================ +* Added mitigation options and visibility for HTTP/2 "rapid reset" + attacks (CVE-2023-44487_, 3996_, 3997_, 3998_, 3999_). + + Global rate limit controls have been added as parameters, which can + be overridden per HTTP/2 session from VCL using the new vmod ``h2``: + + * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function + define a threshold duration for an ``RST_STREAM`` to be classified + as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this + duration after a ``HEADERS`` frame, it is accounted against the + rate limit described below. + + The default is one second. + + * The ``h2_rapid_reset_limit`` parameter and + ``h2.rapid_reset_limit()`` function define how many "rapid" resets + may be received during the time span defined by the + ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()`` + function before the HTTP/2 connection is forcibly closed with a + ``GOAWAY`` and all ongoing VCL client tasks of the connection are + aborted. + + The defaults are 100 and 60 seconds, corresponding to an allowance + of 100 "rapid" resets per minute. + + * The ``h2.rapid_reset_budget()`` function can be used to query the + number of currently allowed "rapid" resets. + + * Sessions closed due to rapid reset rate limiting are reported as + ``SessClose RAPID_RESET`` in `vsl(7)` and accounted to + ``main.sc_rapid_reset`` in `vsc` as visible through + ``varnishstat(1)``. + +* A race condition has been fixed in the backend probe code which + could trigger a panic with dynamic backends (dyn100_). + +* A bug has been fixed in the ESI code which would prevent use of + internal status codes >1000 as their modulus 1000 value (3958_). 
+ +* Fixed a performance issue in http/2 upload processing (3930_). + +* A regression introduced with Varnish Cache 7.3.0 was fixed: On + HTTP/2 connections, URLs starting with ``//`` no longer trigger a + protocol error (3911_). + +* A bug has been fixed where ``unset bereq.body`` had no effect when + used with a cached body (3914_). + +* Fixed a compatibility issue in the abstract socket support (3908_). + +* Improved HPACK header validation. + +* HTTP/2 header field validation is now more strict with respect to + allowed characters (3952_). + +* The ``vcl_req_reset`` feature (controllable through the ``feature`` + parameter, see `varnishd(1)`) has been added and enabled by default + to terminate client side VCL processing early when the client is + gone. + + *req_reset* events trigger a VCL failure and are reported to + `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset`` + in `vsc` as visible through ``varnishstat(1)``. + + In particular, this feature is used to reduce resource consumption + of HTTP/2 "rapid reset" attacks (see below). + + Note, in particular, that *req_reset* events may lead to client + tasks for which no VCL is called ever. Presumably, this is thus the + first time that valid `vcl(7)` client transactions may not contain + any ``VCL_call`` records. + +* The ``cli_limit`` parameter default has been increased from 48KB to + 64KB. + + +.. _CVE-2023-44487: https://nvd.nist.gov/vuln/detail/CVE-2023-44487 + +.. _3908: https://github.com/varnishcache/varnish-cache/issues/3908 +.. _3911: https://github.com/varnishcache/varnish-cache/issues/3911 +.. _3914: https://github.com/varnishcache/varnish-cache/issues/3914 +.. _3930: https://github.com/varnishcache/varnish-cache/issues/3930 +.. _3952: https://github.com/varnishcache/varnish-cache/issues/3952 +.. _3958: https://github.com/varnishcache/varnish-cache/issues/3958 +.. _3996: https://github.com/varnishcache/varnish-cache/pull/3996 +.. 
_3997: https://github.com/varnishcache/varnish-cache/pull/3997 +.. _3998: https://github.com/varnishcache/varnish-cache/pull/3998 +.. _3999: https://github.com/varnishcache/varnish-cache/pull/3999 + +.. _dyn100: https://github.com/nigoroll/libvmod-dynamic/issues/100 ================================ Varnish Cache 7.3.0 (2023-03-15) From cb3fb4a56b9da6994264b5c37f02a36ec3886c91 Mon Sep 17 00:00:00 2001 From: Dag Haavi Finstad Date: Mon, 6 Nov 2023 14:13:50 +0100 Subject: [PATCH 4/5] changes.rst: minor language tweak Conflicts: doc/changes.rst --- doc/changes.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/changes.rst b/doc/changes.rst index bcf680fd821..d33618592a3 100644 --- a/doc/changes.rst +++ b/doc/changes.rst @@ -102,10 +102,10 @@ Varnish Cache 7.3.1 (2023-11-13) In particular, this feature is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below). - Note, in particular, that *req_reset* events may lead to client - tasks for which no VCL is called ever. Presumably, this is thus the - first time that valid `vcl(7)` client transactions may not contain - any ``VCL_call`` records. + Note that *req_reset* events may lead to client tasks for which no + VCL is called ever. Presumably, this is thus the first time that + valid `vcl(7)` client transactions may not contain any ``VCL_call`` + records. * The ``cli_limit`` parameter default has been increased from 48KB to 64KB. From 9af99fa523d36f133b65c462ca12b454db3157b9 Mon Sep 17 00:00:00 2001 From: Dag Haavi Finstad Date: Tue, 7 Nov 2023 13:38:00 +0100 Subject: [PATCH 5/5] Prepare for 7.3.1 --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 1dc434839d2..d86cd46522b 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2,7 +2,7 @@ AC_PREREQ(2.69) AC_COPYRIGHT([Copyright (c) 2006 Verdens Gang AS Copyright (c) 2006-2023 Varnish Software]) AC_REVISION([$Id$]) -AC_INIT([Varnish], [7.3.0], [varnish-dev@varnish-cache.org]) +AC_INIT([Varnish], [7.3.1], [varnish-dev@varnish-cache.org]) AC_CONFIG_SRCDIR(include/miniobj.h) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4])
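Review bot: for the `vtc_varnish.c` hunk in patch 1, the commit message "Log h2 frames" does not say why every varnishd launched by varnishtest now carries `+H2RxHdr,+H2RxBody` in `vsl_mask`; since this series ships the HTTP/2 rapid reset mitigation, the message should state that the frame-level records are needed so test cases can assert on the `HEADERS`/`RST_STREAM` sequence and on the resulting `SessClose RAPID_RESET`. It is also worth a sentence on log volume: `+H2RxBody` records frame payloads for every HTTP/2 test, so say whether `+H2RxHdr` alone would do or why the larger vtc logs are acceptable.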
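Review bot: in the `doc/changes.rst` hunk of patch 3, the `vcl_req_reset` entry says the feature reduces resource consumption "of HTTP/2 "rapid reset" attacks (see below)", but the rapid reset entry is the first bullet of the 7.3.1 section, above it, so this should read "(see above)" or name the entry. Three smaller points in the same hunk: "Fixed a performance issue in http/2 upload processing" should spell `HTTP/2` like the neighbouring entries; "Improved HPACK header validation." is the only bullet without an issue or PR reference, which breaks the pattern that lets readers trace each fix, so add one if it exists; and the `h2_rapid_reset` description "sooner than this duration after a ``HEADERS`` frame" would be less ambiguous as "after the ``HEADERS`` frame that opened the stream", if that is the implemented semantics.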
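Review bot: the `doc/changes.rst` hunk in patch 4 only rewords a paragraph that patch 3 in this same series introduced, and both commits carry a "Conflicts: doc/changes.rst" cherry-pick note; squashing patch 4 (and the heading-only patch 2) into patch 3 would give one self-contained changelog commit and avoid two successive conflict resolutions on the same file. The sentence "Presumably, this is thus the first time that valid `vcl(7)` client transactions may not contain any ``VCL_call`` records" reads as speculation in a release note; either state it as fact or drop "Presumably".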