Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], Varnish Package Maintainers <[email protected]>

  * CVE-2025-30346: HTTP/1 client-side desync vulnerability

Tagged moreinfo, as a question to the security team whether they want
this in pu or as a DSA.

diffstat for varnish-7.1.1 varnish-7.1.1

 changelog                                                              |    7 +
 patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch |   53 ++++++++++
 patches/series                                                         |    1 
 3 files changed, 61 insertions(+)

diff -Nru varnish-7.1.1/debian/changelog varnish-7.1.1/debian/changelog
--- varnish-7.1.1/debian/changelog      2023-01-09 23:09:31.000000000 +0200
+++ varnish-7.1.1/debian/changelog      2025-03-31 16:06:56.000000000 +0300
@@ -1,3 +1,10 @@
+varnish (7.1.1-1.1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-30346: HTTP/1 client-side desync vulnerability
+
+ -- Adrian Bunk <[email protected]>  Mon, 31 Mar 2025 16:06:56 +0300
+
 varnish (7.1.1-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
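Review bot: the changelog entry records only the CVE identifier; for a stable update it should also say what the fix does and where it comes from, e.g. "Close the client connection after answering 400 to a request with multiple Host: or Content-Length: headers (upstream commit 07c5b24e265b)", so that whoever reviews the pu/DSA can map the entry to the cherry-picked patch without opening it.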
diff -Nru varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch
--- varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch	1970-01-01 02:00:00.000000000 +0200
+++ varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch	2025-03-31 16:06:35.000000000 +0300
@@ -0,0 +1,53 @@
+From 07c5b24e265b2b852c23ec492fe425b575fd43cb Mon Sep 17 00:00:00 2001
+From: Dag Haavi Finstad <[email protected]>
+Date: Fri, 10 Jan 2025 13:07:54 +0100
+Subject: req_fsm: Close the connection on a malformed request
+
+---
+ bin/varnishd/cache/cache_req_fsm.c | 2 ++
+ bin/varnishtest/tests/b00037.vtc   | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/bin/varnishd/cache/cache_req_fsm.c 
b/bin/varnishd/cache/cache_req_fsm.c
+index 81217159f..a0b344960 100644
+--- a/bin/varnishd/cache/cache_req_fsm.c
++++ b/bin/varnishd/cache/cache_req_fsm.c
+@@ -940,6 +940,7 @@ cnt_recv(struct worker *wrk, struct req *req)
+       if (http_CountHdr(req->http0, H_Host) > 1) {
+               VSLb(req->vsl, SLT_BogoHeader, "Multiple Host: headers");
+               wrk->stats->client_req_400++;
++              req->doclose = SC_RX_BAD;
+               (void)req->transport->minimal_response(req, 400);
+               return (REQ_FSM_DONE);
+       }
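Review bot: setting req->doclose = SC_RX_BAD before the minimal_response(req, 400) call is the right order, but the hunk only shows the assignment; confirm that the HTTP/1 transport path that runs after REQ_FSM_DONE actually honours req->doclose for a 400 generated here. If the connection were kept open, any unread bytes of the rejected request (a body announced by one of the duplicate headers, for instance) would be parsed as the start of the next request on the same connection, which is exactly the request/response boundary confusion CVE-2025-30346 is about. A quick manual check is to send the malformed request followed by a second pipelined request on one connection and verify the second one is never answered.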
+@@ -947,6 +948,7 @@ cnt_recv(struct worker *wrk, struct req *req)
+       if (http_CountHdr(req->http0, H_Content_Length) > 1) {
+               VSLb(req->vsl, SLT_BogoHeader, "Multiple Content-Length: 
headers");
+               wrk->stats->client_req_400++;
++              req->doclose = SC_RX_BAD;
+               (void)req->transport->minimal_response(req, 400);
+               return (REQ_FSM_DONE);
+       }
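Review bot: only the two duplicate-header checks (Host and Content-Length) get the close; any other site in cnt_recv or the HTTP/1 request parser that answers 400 through minimal_response() without setting req->doclose leaves the same boundary ambiguity. Suggest grepping for minimal_response(req, 400) and either applying the same treatment or stating in the patch header why these two are the only cases. Related: the patch body between the Subject and the "---" line is empty, so the cherry-pick carries no rationale and no CVE reference; adding a short description plus DEP-3 style Origin:/Bug: lines pointing at upstream commit 07c5b24e265b and CVE-2025-30346 would make the stable update self-documenting.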
+diff --git a/bin/varnishtest/tests/b00037.vtc 
b/bin/varnishtest/tests/b00037.vtc
+index 63d8014dc..cb758cdbd 100644
+--- a/bin/varnishtest/tests/b00037.vtc
++++ b/bin/varnishtest/tests/b00037.vtc
+@@ -11,6 +11,7 @@ client c1 {
+ 
+ varnish v1 -vsl_catchup
+ varnish v1 -expect client_req_400 == 1
++varnish v1 -expect sc_rx_bad == 1
+ 
+ client c1 {
+       txreq -method POST -hdr "Content-Length: 12" -bodylen 12
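Review bot: the new expectation checks that the sc_rx_bad counter went up, which proves the doclose flag was set, not that the client-visible socket was closed after the 400. Since the point of the fix is connection-level, the client block that precedes this hunk should also `expect_close` after its `rxresp` (or send a second pipelined request and assert it gets no response); otherwise a regression where the counter is bumped but the connection is reused would still pass.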
+@@ -20,6 +21,7 @@ client c1 {
+ 
+ varnish v1 -vsl_catchup
+ varnish v1 -expect client_req_400 == 2
++varnish v1 -expect sc_rx_bad == 2
+ 
+ varnish v1 -cliok "param.set feature +http2"
+ 
+-- 
+2.30.2
+
diff -Nru varnish-7.1.1/debian/patches/series varnish-7.1.1/debian/patches/series
--- varnish-7.1.1/debian/patches/series 2023-01-09 23:06:58.000000000 +0200
+++ varnish-7.1.1/debian/patches/series 2025-03-31 16:06:56.000000000 +0300
@@ -1,2 +1,3 @@
 Add-all-well-known-headers-to-the-perfect-hash-looku.patch
 hpack-fix-pseudo-headers-handling.patch
+0001-req_fsm-Close-the-connection-on-a-malformed-request.patch
