Package: release.debian.org Severity: normal Tags: bookworm moreinfo User: [email protected] Usertags: pu X-Debbugs-Cc: [email protected], Varnish Package Maintainers <[email protected]>
* CVE-2025-30346: HTTP/1 client-side desync vulnerability Tagged moreinfo, as question to the security team whether they want this in pu or as DSA.
diffstat for varnish-7.1.1 varnish-7.1.1 changelog | 7 + patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch | 53 ++++++++++ patches/series | 1 3 files changed, 61 insertions(+) diff -Nru varnish-7.1.1/debian/changelog varnish-7.1.1/debian/changelog --- varnish-7.1.1/debian/changelog 2023-01-09 23:09:31.000000000 +0200 +++ varnish-7.1.1/debian/changelog 2025-03-31 16:06:56.000000000 +0300 @@ -1,3 +1,10 @@ +varnish (7.1.1-1.1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * CVE-2025-30346: HTTP/1 client-side desync vulnerability + + -- Adrian Bunk <[email protected]> Mon, 31 Mar 2025 16:06:56 +0300 + varnish (7.1.1-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch --- varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch 1970-01-01 02:00:00.000000000 +0200 +++ varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch 2025-03-31 16:06:35.000000000 +0300 @@ -0,0 +1,53 @@ +From 07c5b24e265b2b852c23ec492fe425b575fd43cb Mon Sep 17 00:00:00 2001 +From: Dag Haavi Finstad <[email protected]> +Date: Fri, 10 Jan 2025 13:07:54 +0100 +Subject: req_fsm: Close the connection on a malformed request + +--- + bin/varnishd/cache/cache_req_fsm.c | 2 ++ + bin/varnishtest/tests/b00037.vtc | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/bin/varnishd/cache/cache_req_fsm.c b/bin/varnishd/cache/cache_req_fsm.c +index 81217159f..a0b344960 100644 +--- a/bin/varnishd/cache/cache_req_fsm.c ++++ b/bin/varnishd/cache/cache_req_fsm.c +@@ -940,6 +940,7 @@ cnt_recv(struct worker *wrk, struct req *req) + if (http_CountHdr(req->http0, H_Host) > 1) { + VSLb(req->vsl, SLT_BogoHeader, "Multiple Host: headers"); + wrk->stats->client_req_400++; ++ req->doclose = SC_RX_BAD; + (void)req->transport->minimal_response(req, 400); + return (REQ_FSM_DONE); + } +@@ -947,6 +948,7 @@ cnt_recv(struct worker *wrk, struct req *req) + if (http_CountHdr(req->http0, H_Content_Length) > 1) { + VSLb(req->vsl, SLT_BogoHeader, "Multiple Content-Length: headers"); + wrk->stats->client_req_400++; ++ req->doclose = SC_RX_BAD; + (void)req->transport->minimal_response(req, 400); + return (REQ_FSM_DONE); + } +diff --git a/bin/varnishtest/tests/b00037.vtc b/bin/varnishtest/tests/b00037.vtc +index 63d8014dc..cb758cdbd 100644 +--- a/bin/varnishtest/tests/b00037.vtc ++++ b/bin/varnishtest/tests/b00037.vtc +@@ -11,6 +11,7 @@ client c1 { + + varnish v1 -vsl_catchup + varnish v1 -expect client_req_400 == 1 ++varnish v1 -expect sc_rx_bad == 1 + + client c1 { + txreq -method POST -hdr "Content-Length: 12" -bodylen 12 +@@ -20,6 +21,7 @@ client c1 { + + varnish v1 -vsl_catchup + varnish v1 -expect client_req_400 == 2 ++varnish v1 -expect sc_rx_bad == 2 + + varnish v1 -cliok "param.set feature +http2" + +-- +2.30.2 + diff -Nru varnish-7.1.1/debian/patches/series varnish-7.1.1/debian/patches/series --- varnish-7.1.1/debian/patches/series 2023-01-09 23:06:58.000000000 +0200 +++ varnish-7.1.1/debian/patches/series 2025-03-31 16:06:56.000000000 +0300 @@ -1,2 +1,3 @@ Add-all-well-known-headers-to-the-perfect-hash-looku.patch hpack-fix-pseudo-headers-handling.patch +0001-req_fsm-Close-the-connection-on-a-malformed-request.patch
