Missing bits surrounding VSV14

3dbc284a · Dridi Boukelmoune · 599dd41f · 3dbc284a · 3dbc284a · 3dbc284a
Commit 3dbc284a authored Mar 18, 2024 by Dridi Boukelmoune
Show whitespace changes
Inline Side-by-side

Showing with 25 additions and 4 deletions

index.rst R1/source/index.rst +1 -1

VSV00014.rst R1/source/security/VSV00014.rst +21 -3

index.rst R1/source/security/index.rst +3 -0

No files found.
--- a/R1/source/index.rst
+++ b/R1/source/index.rst
@@ -14,7 +14,7 @@ Our bi-annual "fresh" release is here:  :ref:`rel7.5.0`
 The 7.3 series is no longer supported in any capacity.
 2024-03-18 - Varnish HTTP/2 Broke Window Attack
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 All Varnish Cache releases with HTTP/2 support suffer a vulnerability in
 the HTTP/2 protocol. Please see :ref:`VSV00014` for more information.

--- a/R1/source/security/VSV00014.rst
+++ b/R1/source/security/VSV00014.rst
@@ -43,34 +43,52 @@ Timeline
 * **2019-04-19** the vulnerability is theorized (see commit message of e1a1fdc7_)
 * **2023-08-24** the vulnerability is confirmed
  * it happened while working on bringing back the parameters ``timeout_req``
    and ``timeout_reqbody`` to Varnish Enterprise 6.0
 * **2023-09-20** the vulnerability is studied
  * once the timeouts are reintroduced in Varnish Enterprise, work started to
    find an appropriate mitigation
 * **2023-10-10** the HTTP/2 Rapid Reset Attack is disclosed
-  * work on the Rapid Reset Attack starts, see :ref:`VSV00013_`
+  * work on the Rapid Reset Attack starts, see :ref:`VSV00013`
  * work on the Broke Window Attack mitigation is postponed
 * **2023-10-23** CVE-2023-43622 is published
  * it describes a subset of the vulnerability for the Apache HTTP Server
  * work on the Broke Window Attack mitigation resumes
  * a first iteration is ready and submitted for a review
  * the Varnish Cache maintainers are informed
 * **2023-11-16** a second iteration is submitted for review
 * **2023-11-29** the second iteration is approved
  * Varnish Enterprise ships the mitigation in the 6.0.12r4 release
 * **2023-12-05** the mitigation is ported to Varnish Cache
  * the master branch is targeted
  * the mitigation is not ready to publish
 * **2024-01-15** the port to Varnish Cache resumes
  * ported to supported branches 7.4, 7.4 and 6.0 LTS
 * **2024-01-17** a regression is discovered
  * the second iteration of the mitigation is racy
  * when a race occurs, it is partially effective
  * offending HTTP/2 streams are reset, but the connection is not closed
 * **2024-01-23** the regression is fixed
  * the ports to Varnish Cache are updated
  * a bug fix is submitted to Varnish Enterprise
 * **2024-03-05** the port to Varnish Cache master branch is updated
 * **2024-03-18** public advisory and releases

--- a/R1/source/security/index.rst
+++ b/R1/source/security/index.rst
@@ -11,6 +11,7 @@ List of all Varnish CVEs
 =============== =============== ====================================
 Versions        CVE             What
 =============== =============== ====================================
+5.x, 6.x, 7.x   CVE-2023-43622_ :ref:`vsv00014`
 5.x, 6.x, 7.x   CVE-2023-44487_ :ref:`vsv00013`
 vmod_digest     CVE-2023-41104_ :ref:`vsv00012`
 6.x, 7.x        CVE-2022-45060_ :ref:`vsv00011`
@@ -30,6 +31,7 @@ vmod_digest     CVE-2023-41104_ :ref:`vsv00012`
 < 2.1.0         CVE-2009-2936_  Trophy hunting
 =============== =============== ====================================
+.. _CVE-2023-43622:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43622
 .. _CVE-2023-44487:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487
 .. _CVE-2023-41104:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41104
 .. _CVE-2022-45060:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45060
@@ -52,6 +54,7 @@ vmod_digest     CVE-2023-41104_ :ref:`vsv00012`
 	:hidden:
 	:maxdepth: 1
+	VSV00014.rst
 	VSV00013.rst
 	VSV00012.rst
 	VSV00011.rst