Release 7.5.0, 7.4.3, 7.3.2, 6.0.13

599dd41f · Simon Stridsberg · 6b76e098 · 599dd41f · 599dd41f · 599dd41f
Commit 599dd41f authored Mar 18, 2024 by Simon Stridsberg
13 changed files
--- a/R1/source/_templates/navigation.html
+++ b/R1/source/_templates/navigation.html
@@ -18,8 +18,8 @@
    <li class="toctree-l1"><a href="{{ pathto("docs/index") }}">Documentation</a></li>
    <li class="toctree-l2">
 	<a href="{{ pathto("docs/trunk/index") }}">trunk</a>
-        | <a href="{{ pathto("docs/7.4/index") }}">7.4 (current)</a>
-        | <a href="{{ pathto("docs/7.3/index") }}">7.3 (previous)</a>
+        | <a href="{{ pathto("docs/7.5/index") }}">7.5 (current)</a>
+        | <a href="{{ pathto("docs/7.4/index") }}">7.4 (previous)</a>
        | <a href="{{ pathto("docs/6.0/index") }}">6.0 (supported)</a>
        | <a href="{{ pathto("docs/index") }}">other versions</a>
    </li>

--- a/R1/source/docs/index.rst
+++ b/R1/source/docs/index.rst
@@ -8,18 +8,18 @@ Varnish Documentation
 .. list-table:: Documentation Links
    :widths: auto

+    * - `7.5 </docs/7.5/>`__
+      - `Installation </docs/7.5/installation/>`__
+      - `Tutorial </docs/7.5/tutorial/>`__
+      - `User-Guide </docs/7.5/users-guide/>`__
+      - `Reference </docs/7.5/reference/>`__
+      - Latest
+
    * - `7.4 </docs/7.4/>`__
      - `Installation </docs/7.4/installation/>`__
      - `Tutorial </docs/7.4/tutorial/>`__
      - `User-Guide </docs/7.4/users-guide/>`__
      - `Reference </docs/7.4/reference/>`__
-      - Latest
-
-    * - `7.3 </docs/7.3/>`__
-      - `Installation </docs/7.3/installation/>`__
-      - `Tutorial </docs/7.3/tutorial/>`__
-      - `User-Guide </docs/7.3/users-guide/>`__
-      - `Reference </docs/7.3/reference/>`__
      - Previous

    * - `6.0 </docs/6.0/>`__
@@ -36,6 +36,13 @@ Varnish Documentation
      - `Reference </docs/trunk/reference/>`__
      - Next

+    * - `7.3 </docs/7.3/>`__
+      - `Installation </docs/7.3/installation/>`__
+      - `Tutorial </docs/7.3/tutorial/>`__
+      - `User-Guide </docs/7.3/users-guide/>`__
+      - `Reference </docs/7.3/reference/>`__
+      - Deprecated
+
    * - `7.2 </docs/7.2/>`__
      - `Installation </docs/7.2/installation/>`__
      - `Tutorial </docs/7.2/tutorial/>`__

--- a/R1/source/index.rst
+++ b/R1/source/index.rst
@@ -6,6 +6,26 @@ Varnish HTTP Cache
 What is happening
 -----------------

+2024-03-18 - Varnish 7.5.0 is released
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Our bi-annual "fresh" release is here:  :ref:`rel7.5.0`
+
+The 7.3 series is no longer supported in any capacity.
+
+2024-03-18 - Varnish HTTP/2 Broke Window Attack
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+All Varnish Cache releases with HTTP/2 support suffer a vulnerability in
+the HTTP/2 protocol. Please see :ref:`VSV00014` for more information.
+
+2024-03-18 - Security releases: 6.0.13, 7.3.2 and 7.4.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Varnish versions :ref:`6.0.13 <rel6.0.13>`, :ref:`7.3.2 <rel7.3.2>` and
+:ref:`7.4.3 <rel7.4.3>` are now available. These releases are published to
+address the vulnerability described in :ref:`VSV00014 <VSV00014>`.
+
 2024-02-06 - `SLASH/`_ 1.0.0-rc1
 --------------------------------


--- a/R1/source/releases/index.rst
+++ b/R1/source/releases/index.rst
@@ -12,18 +12,18 @@ Varnish Cache is released every 6 months.
    - Date
    - EOL Date
    - Download
-  * - :ref:`7.4.2 <rel7.4.2>`
-    - 2023-11-13
+  * - :ref:`7.5.0 <rel7.5.0>`
+    - 2024-03-18
+    - 2025-03-15
+    - `varnish-7.5.0.tgz </downloads/varnish-7.5.0.tgz>`_
+  * - :ref:`7.4.3 <rel7.4.3>`
+    - 2024-03-18
    - 2024-09-15
-    - `varnish-7.4.2.tgz </downloads/varnish-7.4.2.tgz>`_
-  * - :ref:`7.3.1 <rel7.3.1>`
-    - 2023-11-13
-    - 2024-03-15
-    - `varnish-7.3.1.tgz </downloads/varnish-7.3.1.tgz>`_
-  * - :ref:`6.0.12 <rel6.0.12>`
+    - `varnish-7.4.3.tgz </downloads/varnish-7.4.3.tgz>`_
+  * - :ref:`6.0.13 <rel6.0.13>`
    - 2023-11-13
    - Supported
-    - `varnish-6.0.12.tgz </downloads/varnish-6.0.12.tgz>`_
+    - `varnish-6.0.13.tgz </downloads/varnish-6.0.13.tgz>`_

 All releases not mentioned above are End-Of-Life and unsupported.

@@ -48,9 +48,12 @@ All the releases
 .. toctree::
 	:maxdepth: 1

+	rel7.5.0
+	rel7.4.3
 	rel7.4.2
 	rel7.4.1
 	rel7.4.0
+	rel7.3.2
 	rel7.3.1
 	rel7.3.0
 	rel7.2.1
@@ -78,6 +81,7 @@ All the releases
 	rel6.2.0
 	rel6.1.1
 	rel6.1.0
+	rel6.0.13
 	rel6.0.12
 	rel6.0.11
 	rel6.0.10

--- a/R1/source/releases/rel6.0.13.rst
+++ b/R1/source/releases/rel6.0.13.rst
+.. _rel6.0.13:
+
+Varnish Cache 6.0.13
+====================
+
+* Source download `varnish-6.0.13.tgz </downloads/varnish-6.0.13.tgz>`_
+
+* SHA256=0dca6295f9c69d47a7208598c415385c590c66863ebd42bfeb08a367b788a9ba
+
+Varnish Cache 6.0.13 is a security fix of the Varnish Cache related
+to :ref:`VSV00013`. All users should, as soon as possible, upgrade to a secure
+version, either 7.5.0, 6.0.13, 7.4.3 or 7.3.2.
+
+More information:
+
+* List of most important `Changes in 6.0 <https://varnish-cache.org/docs/6.0/whats-new/changes-6.0.html>`_
+* Help on `Upgrading to Varnish 6.0 <https://varnish-cache.org/docs/6.0/whats-new/upgrading-6.0.html>`_
+* `Full changes.rst entry for 6.0.13 <https://github.com/varnishcache/varnish-cache/blob/6.0/doc/changes.rst#varnish-cache-6013-2024-03-18>`_
+
+For installation instructions including information about cloud images see
+`the Varnish Installation Manual </docs/trunk/installation/index.html>`_
--- a/R1/source/releases/rel7.3.2.rst
+++ b/R1/source/releases/rel7.3.2.rst
+.. _rel7.3.2:
+
+Varnish Cache 7.3.2
+===================
+
+* Source download `varnish-7.3.2.tgz </downloads/varnish-7.3.2.tgz>`_
+
+* SHA256=94b28d75c9178c07b5772cde3a16cab75cff5b7e5b62aefda2f03f3322e6ec23
+
+Varnish Cache 7.3.2 is a security fix of the Varnish Cache related
+to :ref:`VSV00013`. All users should, as soon as possible, upgrade to a secure
+version, either 7.5.0, 6.0.13, 7.4.3 or 7.3.2.
+
+More information:
+
+* List of most important `Changes in 7.3 <https://varnish-cache.org/docs/7.3/whats-new/changes-7.3.html>`_
+* Help on `Upgrading to Varnish 7.3 <https://varnish-cache.org/docs/7.3/whats-new/upgrading-7.3.html>`_
+* `Full changes.rst entry for 7.3.2 <https://github.com/varnishcache/varnish-cache/blob/7.3/doc/changes.rst#varnish-cache-732-2024-03-18>`_
+
+For installation instructions including information about cloud images see
+`the Varnish Installation Manual </docs/trunk/installation/index.html>`_
--- a/R1/source/releases/rel7.4.3.rst
+++ b/R1/source/releases/rel7.4.3.rst
+.. _rel7.4.3:
+
+Varnish Cache 7.4.3
+===================
+
+* Source download `varnish-7.4.3.tgz </downloads/varnish-7.4.3.tgz>`_
+
+* SHA256=eb9e43507f836eef2e32802d46dd3cf92eca3d547ba4b640fda59b407cdb1b88
+
+Varnish Cache 7.4.3 is a security fix of the Varnish Cache related
+to :ref:`VSV00013`. All users should, as soon as possible, upgrade to a secure
+version, either 7.5.0, 6.0.13, 7.4.3 or 7.3.2.
+
+More information:
+
+* List of most important `Changes in 7.4 <https://varnish-cache.org/docs/7.4/whats-new/changes-7.4.html>`_
+* Help on `Upgrading to Varnish 7.4 <https://varnish-cache.org/docs/7.4/whats-new/upgrading-7.4.html>`_
+* `Full changes.rst entry for 7.4.3 <https://github.com/varnishcache/varnish-cache/blob/7.4/doc/changes.rst#varnish-cache-743-2024-03-18>`_
+
+For installation instructions including information about cloud images see
+`the Varnish Installation Manual </docs/trunk/installation/index.html>`_
--- a/R1/source/releases/rel7.5.0.rst
+++ b/R1/source/releases/rel7.5.0.rst
+.. _rel7.5.0:
+
+Varnish Cache 7.5.0
+===================
+
+* Source download `varnish-7.5.0.tgz </downloads/varnish-7.5.0.tgz>`_
+
+* SHA256=fca61b983139e1aac61c4546d12a1a3ab9807dbb1d8314571e3148c93ff72b5d
+
+Varnish Cache 7.5.0 is a regular bi-annual "fresh" release. It supersedes
+the :ref:`rel7.4.0` release.
+
+More information:
+
+* List of most important `Changes in 7.5 <https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html>`_
+* Help on `Upgrading to Varnish 7.5 <https://varnish-cache.org/docs/7.5/whats-new/upgrading-7.5.html>`_
+* `Full changes.rst entry for 7.5.0 <https://github.com/varnishcache/varnish-cache/blob/7.5/doc/changes.rst#varnish-cache-750-2024-03-18>`_
+
+For installation instructions including information about cloud images see
+`the Varnish Installation Manual </docs/trunk/installation/index.html>`_
--- a/R1/source/releases/varnish-6.0.13.tgz
+++ b/R1/source/releases/varnish-6.0.13.tgz
--- a/R1/source/releases/varnish-7.3.2.tgz
+++ b/R1/source/releases/varnish-7.3.2.tgz
--- a/R1/source/releases/varnish-7.4.3.tgz
+++ b/R1/source/releases/varnish-7.4.3.tgz
--- a/R1/source/releases/varnish-7.5.0.tgz
+++ b/R1/source/releases/varnish-7.5.0.tgz
--- a/R1/source/security/VSV00014.rst
+++ b/R1/source/security/VSV00014.rst
+.. _VSV00014:
+
+VSV00014 Varnish HTTP/2 Broke Window Attack
+===========================================
+
+`CVE-2023-43622 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43622>`_
+
+Date: 2024-03-18
+
+A denial of service attack can be performed on Varnish Cacher servers that
+have the HTTP/2 protocol turned on. An attacker can let the server's HTTP/2
+connection control flow window run out of credits indefinitely and prevent
+progress in the processing of streams, retaining the associated resources.
+
+Versions affected
+-----------------
+
+* All Varnish Cache releases with HTTP/2 support except:
+
+  * 7.5.x releases
+
+  * 7.4.x releases after 7.4.2.
+
+  * 7.3.x releases after 7.3.1.
+
+  * 6.0.x LTS releases after 6.0.12
+
+* Varnish Enterprise by Varnish Software 6.0.x up to and including 6.0.12r5.
+
+Versions not affected
+---------------------
+
+* Varnish Cache 7.3.2 (released 2024-03-18)
+
+* Varnish Cache 7.4.3 (released 2024-03-18)
+
+* Varnish Cache 6.0 LTS version 6.0.13 (released 2024-03-18)
+
+* Varnish Enterprise by Varnish Software version 6.0.12r6.
+
+Timeline
+--------
+
+* **2019-04-19** the vulnerability is theorized (see commit message of e1a1fdc7_)
+* **2023-08-24** the vulnerability is confirmed
+  * it happened while working on bringing back the parameters ``timeout_req``
+  and ``timeout_reqbody`` to Varnish Enterprise 6.0
+* **2023-09-20** the vulnerability is studied
+  * once the timeouts are reintroduced in Varnish Enterprise, work started to
+  find an appropriate mitigation
+* **2023-10-10** the HTTP/2 Rapid Reset Attack is disclosed
+  * work on the Rapid Reset Attack starts, see :ref:`VSV00013_`
+  * work on the Broke Window Attack mitigation is postponed
+* **2023-10-23** CVE-2023-43622 is published
+  * it describes a subset of the vulnerability for the Apache HTTP Server
+  * work on the Broke Window Attack mitigation resumes
+  * a first iteration is ready and submitted for a review
+  * the Varnish Cache maintainers are informed
+* **2023-11-16** a second iteration is submitted for review
+* **2023-11-29** the second iteration is approved
+  * Varnish Enterprise ships the mitigation in the 6.0.12r4 release
+* **2023-12-05** the mitigation is ported to Varnish Cache
+  * the master branch is targeted
+  * the mitigation is not ready to publish
+* **2024-01-15** the port to Varnish Cache resumes
+  * ported to supported branches 7.4, 7.4 and 6.0 LTS
+* **2024-01-17** a regression is discovered
+  * the second iteration of the mitigation is racy
+  * when a race occurs, it is partially effective
+  * offending HTTP/2 streams are reset, but the connection is not closed
+* **2024-01-23** the regression is fixed
+  * the ports to Varnish Cache are updated
+  * a bug fix is submitted to Varnish Enterprise
+* **2024-03-05** the port to Varnish Cache master branch is updated
+* **2024-03-18** public advisory and releases
+
+.. _e1a1fdc7: https://github.com/varnishcache/varnish-cache/commit/e1a1fdc7688de5f37e35fc528639019d5bd3efbf
+
+Mitigation
+----------
+
+If upgrading Varnish is not possible, it is possible to mitigate the problem
+by simply disabling HTTP/2 support::
+
+    varnishadm param.set feature -http2
+
+You must also remove ``h2`` from the list of protocols if your TLS terminator
+is advertising it with ALPN.
+
+After upgrading, two mitigations are enabled by default.
+
+A new ``h2_window_timeout`` triggers a reset of "broke" HTTP/2 streams that
+were waiting for control flow window credits from the client. If all streams
+are broke when the timeout triggers, the connection is considered bankrupt
+and closed immediately.
+
+The default value of 5 seconds for ``h2_window_timeout`` is very conservative
+because web browsers may use the control flow window to pause the delivery of
+certain resources past a certain point to prioritize others. For example the
+metadata of images may be fetched for layout purposes, while the rest of the
+images payload could be postponed until all latency-sensitive resources are
+ready.
+
+Monitoring the mitigations
+--------------------------
+
+In the event of a connection bankruptcy, the ``MAIN.sc_bankrupt`` counter is
+incremented and can be used to raise an alarm.
+
+With Varnish Enterprise, it would have been possible to infer an attack before
+it was patched with the ``varnishscoreboard`` utility. The accumulation of
+HTTP/2 streams stuck in the transmit step would be visible. However, this
+attack vector has to the best of our knowledge not been exploited.