Commit 599dd41f authored Mar 18, 2024 by Simon Stridsberg
Release 7.5.0, 7.4.3, 7.3.2, 6.0.13
parent 6b76e098
Showing 13 changed files with 245 additions and 18 deletions
R1/source/_templates/navigation.html (+2 -2)
R1/source/docs/index.rst (+14 -7)
R1/source/index.rst (+20 -0)
R1/source/releases/index.rst (+13 -9)
R1/source/releases/rel6.0.13.rst (+21 -0)
R1/source/releases/rel7.3.2.rst (+21 -0)
R1/source/releases/rel7.4.3.rst (+21 -0)
R1/source/releases/rel7.5.0.rst (+20 -0)
R1/source/releases/varnish-6.0.13.tgz (+0 -0)
R1/source/releases/varnish-7.3.2.tgz (+0 -0)
R1/source/releases/varnish-7.4.3.tgz (+0 -0)
R1/source/releases/varnish-7.5.0.tgz (+0 -0)
R1/source/security/VSV00014.rst (+113 -0)
R1/source/_templates/navigation.html
@@ -18,8 +18,8 @@
<li
class=
"toctree-l1"
><a
href=
"{{ pathto("
docs
/
index
")
}}"
>
Documentation
</a></li>
<li
class=
"toctree-l2"
>
<a
href=
"{{ pathto("
docs
/
trunk
/
index
")
}}"
>
trunk
</a>
|
<a
href=
"{{ pathto("
docs
/
7
.
4
/
index
")
}}"
>
7.4
(current)
</a>
|
<a
href=
"{{ pathto("
docs
/
7
.
3
/
index
")
}}"
>
7.3
(previous)
</a>
|
<a
href=
"{{ pathto("
docs
/
7
.
5
/
index
")
}}"
>
7.5
(current)
</a>
|
<a
href=
"{{ pathto("
docs
/
7
.
4
/
index
")
}}"
>
7.4
(previous)
</a>
|
<a
href=
"{{ pathto("
docs
/
6
.
0
/
index
")
}}"
>
6.0 (supported)
</a>
|
<a
href=
"{{ pathto("
docs
/
index
")
}}"
>
other versions
</a>
</li>
R1/source/docs/index.rst
@@ -8,18 +8,18 @@ Varnish Documentation
.. list-table:: Documentation Links
:widths: auto
* - `7.5 </docs/7.5/>`__
- `Installation </docs/7.5/installation/>`__
- `Tutorial </docs/7.5/tutorial/>`__
- `User-Guide </docs/7.5/users-guide/>`__
- `Reference </docs/7.5/reference/>`__
- Latest
* - `7.4 </docs/7.4/>`__
- `Installation </docs/7.4/installation/>`__
- `Tutorial </docs/7.4/tutorial/>`__
- `User-Guide </docs/7.4/users-guide/>`__
- `Reference </docs/7.4/reference/>`__
- Latest
* - `7.3 </docs/7.3/>`__
- `Installation </docs/7.3/installation/>`__
- `Tutorial </docs/7.3/tutorial/>`__
- `User-Guide </docs/7.3/users-guide/>`__
- `Reference </docs/7.3/reference/>`__
- Previous
* - `6.0 </docs/6.0/>`__
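Review bot: the 7.3 row labelled "Previous" (`* - `7.3 </docs/7.3/>`__` ... `- Previous`) still appears in this hunk of the supported-versions table, while the second hunk of the same file lists 7.3 as "Deprecated" and the news entry in R1/source/index.rst in this commit says the 7.3 series is no longer supported in any capacity. The rendered diff has lost its +/- markers, so confirm that the 7.3 "Previous" row is among the removed lines and that the 7.4 row is relabelled from "Latest" to "Previous"; otherwise 7.3 ends up listed twice with contradictory status and two rows both claim "Latest".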
@@ -36,6 +36,13 @@ Varnish Documentation
- `Reference </docs/trunk/reference/>`__
- Next
* - `7.3 </docs/7.3/>`__
- `Installation </docs/7.3/installation/>`__
- `Tutorial </docs/7.3/tutorial/>`__
- `User-Guide </docs/7.3/users-guide/>`__
- `Reference </docs/7.3/reference/>`__
- Deprecated
* - `7.2 </docs/7.2/>`__
- `Installation </docs/7.2/installation/>`__
- `Tutorial </docs/7.2/tutorial/>`__
R1/source/index.rst
@@ -6,6 +6,26 @@ Varnish HTTP Cache
What is happening
-----------------
2024-03-18 - Varnish 7.5.0 is released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Our bi-annual "fresh" release is here: :ref:`rel7.5.0`
The 7.3 series is no longer supported in any capacity.
2024-03-18 - Varnish HTTP/2 Broke Window Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
All Varnish Cache releases with HTTP/2 support suffer a vulnerability in
the HTTP/2 protocol. Please see :ref:`VSV00014` for more information.
2024-03-18 - Security releases: 6.0.13, 7.3.2 and 7.4.3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Varnish versions :ref:`6.0.13 <rel6.0.13>`, :ref:`7.3.2 <rel7.3.2>` and
:ref:`7.4.3 <rel7.4.3>` are now available. These releases are published to
address the vulnerability described in :ref:`VSV00014 <VSV00014>`.
2024-02-06 - `SLASH/`_ 1.0.0-rc1
--------------------------------
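Review bot: "The 7.3 series is no longer supported in any capacity" sits directly above an announcement of a 7.3.2 security release for that same series, which readers will find contradictory. Suggest "7.3.2 is the final release of the 7.3 series; 7.3 receives no further updates" and placing it under the security-releases entry. Also, "bi-annual" is ambiguous (twice a year or every two years); the releases page states Varnish is released every 6 months, so "six-monthly" or "semi-annual" is clearer. Finally, the Broke Window entry only points at the advisory; since it is the news item operators will read first, consider stating the two actions it implies: upgrade to one of the listed releases, or disable HTTP/2 as VSV00014 describes.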
R1/source/releases/index.rst
@@ -12,18 +12,18 @@ Varnish Cache is released every 6 months.
- Date
- EOL Date
- Download
* - :ref:`7.4.2 <rel7.4.2>`
- 2023-11-13
* - :ref:`7.5.0 <rel7.5.0>`
- 2024-03-18
- 2025-03-15
- `varnish-7.5.0.tgz </downloads/varnish-7.5.0.tgz>`_
* - :ref:`7.4.3 <rel7.4.3>`
- 2024-03-18
- 2024-09-15
- `varnish-7.4.2.tgz </downloads/varnish-7.4.2.tgz>`_
* - :ref:`7.3.1 <rel7.3.1>`
- 2023-11-13
- 2024-03-15
- `varnish-7.3.1.tgz </downloads/varnish-7.3.1.tgz>`_
* - :ref:`6.0.12 <rel6.0.12>`
- `varnish-7.4.3.tgz </downloads/varnish-7.4.3.tgz>`_
* - :ref:`6.0.13 <rel6.0.13>`
- 2023-11-13
- Supported
- `varnish-6.0.1
2.tgz </downloads/varnish-6.0.12
.tgz>`_
- `varnish-6.0.1
3.tgz </downloads/varnish-6.0.13
.tgz>`_
All releases not mentioned above are End-Of-Life and unsupported.
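Review bot: the resulting table needs to be checked in the source, because the rendered hunk interleaves removed and added rows without markers and the result reads wrong: the 7.4.3 row (`* - :ref:`7.4.3 <rel7.4.3>`` / `- 2024-03-18` / `- 2024-09-15`) is followed by the `varnish-7.4.2.tgz` link, the `varnish-7.4.3.tgz` link appears under the 6.0.12 row, and the 6.0.13 download literal is broken across three lines (`varnish-6.0.1` / `3.tgz`), which RST will not render as a link. Each release row must pair with its own tarball and the link literal must stay on one line. Separately, 7.3.2 does not appear in this table even though rel7.3.2.rst recommends it as a secure version; that is consistent with the 7.3 EOL note in index.rst, but the "Supported" column should then make clear that 7.3.2 is a final, unsupported release.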
@@ -48,9 +48,12 @@ All the releases
.. toctree::
:maxdepth: 1
rel7.5.0
rel7.4.3
rel7.4.2
rel7.4.1
rel7.4.0
rel7.3.2
rel7.3.1
rel7.3.0
rel7.2.1
@@ -78,6 +81,7 @@ All the releases
rel6.2.0
rel6.1.1
rel6.1.0
rel6.0.13
rel6.0.12
rel6.0.11
rel6.0.10
R1/source/releases/rel6.0.13.rst
0 → 100644
.. _rel6.0.13:
Varnish Cache 6.0.13
====================
* Source download `varnish-6.0.13.tgz </downloads/varnish-6.0.13.tgz>`_
* SHA256=0dca6295f9c69d47a7208598c415385c590c66863ebd42bfeb08a367b788a9ba
Varnish Cache 6.0.13 is a security fix of the Varnish Cache related
to :ref:`VSV00013`. All users should, as soon as possible, upgrade to a secure
version, either 7.5.0, 6.0.13, 7.4.3 or 7.3.2.
More information:
* List of most important `Changes in 6.0 <https://varnish-cache.org/docs/6.0/whats-new/changes-6.0.html>`_
* Help on `Upgrading to Varnish 6.0 <https://varnish-cache.org/docs/6.0/whats-new/upgrading-6.0.html>`_
* `Full changes.rst entry for 6.0.13 <https://github.com/varnishcache/varnish-cache/blob/6.0/doc/changes.rst#varnish-cache-6013-2024-03-18>`_
For installation instructions including information about cloud images see
`the Varnish Installation Manual </docs/trunk/installation/index.html>`_
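Review bot: the advisory reference is wrong: "related to :ref:`VSV00013`" points at the Rapid Reset advisory, but this release is published for the Broke Window Attack, VSV00014 (R1/source/index.rst in this same commit says "These releases are published to address the vulnerability described in VSV00014"). Change it to :ref:`VSV00014`. Minor: "is a security fix of the Varnish Cache related to" reads awkwardly; "is a security release of Varnish Cache addressing :ref:`VSV00014`" is cleaner. The same paragraph is copied into rel7.3.2.rst and rel7.4.3.rst and needs the same correction there.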
R1/source/releases/rel7.3.2.rst
0 → 100644
.. _rel7.3.2:
Varnish Cache 7.3.2
===================
* Source download `varnish-7.3.2.tgz </downloads/varnish-7.3.2.tgz>`_
* SHA256=94b28d75c9178c07b5772cde3a16cab75cff5b7e5b62aefda2f03f3322e6ec23
Varnish Cache 7.3.2 is a security fix of the Varnish Cache related
to :ref:`VSV00013`. All users should, as soon as possible, upgrade to a secure
version, either 7.5.0, 6.0.13, 7.4.3 or 7.3.2.
More information:
* List of most important `Changes in 7.3 <https://varnish-cache.org/docs/7.3/whats-new/changes-7.3.html>`_
* Help on `Upgrading to Varnish 7.3 <https://varnish-cache.org/docs/7.3/whats-new/upgrading-7.3.html>`_
* `Full changes.rst entry for 7.3.2 <https://github.com/varnishcache/varnish-cache/blob/7.3/doc/changes.rst#varnish-cache-732-2024-03-18>`_
For installation instructions including information about cloud images see
`the Varnish Installation Manual </docs/trunk/installation/index.html>`_
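Review bot: same wrong reference as in rel6.0.13.rst: :ref:`VSV00013` should be :ref:`VSV00014`, the advisory this release addresses according to R1/source/index.rst. Since index.rst also declares the 7.3 series unsupported, this page should say that 7.3.2 is the final 7.3 release and that users should plan a move to 7.4.3 or 7.5.0 rather than listing 7.3.2 as an equal long-term option.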
R1/source/releases/rel7.4.3.rst
0 → 100644
.. _rel7.4.3:
Varnish Cache 7.4.3
===================
* Source download `varnish-7.4.3.tgz </downloads/varnish-7.4.3.tgz>`_
* SHA256=eb9e43507f836eef2e32802d46dd3cf92eca3d547ba4b640fda59b407cdb1b88
Varnish Cache 7.4.3 is a security fix of the Varnish Cache related
to :ref:`VSV00013`. All users should, as soon as possible, upgrade to a secure
version, either 7.5.0, 6.0.13, 7.4.3 or 7.3.2.
More information:
* List of most important `Changes in 7.4 <https://varnish-cache.org/docs/7.4/whats-new/changes-7.4.html>`_
* Help on `Upgrading to Varnish 7.4 <https://varnish-cache.org/docs/7.4/whats-new/upgrading-7.4.html>`_
* `Full changes.rst entry for 7.4.3 <https://github.com/varnishcache/varnish-cache/blob/7.4/doc/changes.rst#varnish-cache-743-2024-03-18>`_
For installation instructions including information about cloud images see
`the Varnish Installation Manual </docs/trunk/installation/index.html>`_
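Review bot: same wrong reference as in rel6.0.13.rst and rel7.3.2.rst: :ref:`VSV00013` should be :ref:`VSV00014`, the advisory this release addresses according to R1/source/index.rst.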
R1/source/releases/rel7.5.0.rst
0 → 100644
.. _rel7.5.0:
Varnish Cache 7.5.0
===================
* Source download `varnish-7.5.0.tgz </downloads/varnish-7.5.0.tgz>`_
* SHA256=fca61b983139e1aac61c4546d12a1a3ab9807dbb1d8314571e3148c93ff72b5d
Varnish Cache 7.5.0 is a regular bi-annual "fresh" release. It supersedes
the :ref:`rel7.4.0` release.
More information:
* List of most important `Changes in 7.5 <https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html>`_
* Help on `Upgrading to Varnish 7.5 <https://varnish-cache.org/docs/7.5/whats-new/upgrading-7.5.html>`_
* `Full changes.rst entry for 7.5.0 <https://github.com/varnishcache/varnish-cache/blob/7.5/doc/changes.rst#varnish-cache-750-2024-03-18>`_
For installation instructions including information about cloud images see
`the Varnish Installation Manual </docs/trunk/installation/index.html>`_
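Review bot: this page never mentions VSV00014, although VSV00014.rst lists 7.5.x as unaffected and the three security release pages name 7.5.0 as one of the secure versions to upgrade to. Add a sentence stating that 7.5.0 ships the HTTP/2 flow-control mitigation described in :ref:`VSV00014` (the ``h2_window_timeout`` parameter and the ``MAIN.sc_bankrupt`` counter), so users landing on the release page learn why upgrading is urgent.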
R1/source/releases/varnish-6.0.13.tgz
0 → 100644
File added
R1/source/releases/varnish-7.3.2.tgz
0 → 100644
File added
R1/source/releases/varnish-7.4.3.tgz
0 → 100644
File added
R1/source/releases/varnish-7.5.0.tgz
0 → 100644
File added
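Review bot: this applies to all four tarball hunks (varnish-6.0.13.tgz, varnish-7.3.2.tgz, varnish-7.4.3.tgz, varnish-7.5.0.tgz): the archives are committed as opaque binaries and the only integrity reference users get is the SHA256 line on each rel*.rst page. Before merging, confirm that each published SHA256 was computed from exactly the committed file (for example `sha256sum R1/source/releases/varnish-7.5.0.tgz`) and matches the upstream release, since a mismatch between the page and the served download would be indistinguishable from tampering to a user verifying the checksum.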
R1/source/security/VSV00014.rst
0 → 100644
.. _VSV00014:
VSV00014 Varnish HTTP/2 Broke Window Attack
===========================================
`CVE-2023-43622 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43622>`_
Date: 2024-03-18
A denial of service attack can be performed on Varnish Cacher servers that
have the HTTP/2 protocol turned on. An attacker can let the server's HTTP/2
connection control flow window run out of credits indefinitely and prevent
progress in the processing of streams, retaining the associated resources.
Versions affected
-----------------
* All Varnish Cache releases with HTTP/2 support except:
* 7.5.x releases
* 7.4.x releases after 7.4.2.
* 7.3.x releases after 7.3.1.
* 6.0.x LTS releases after 6.0.12
* Varnish Enterprise by Varnish Software 6.0.x up to and including 6.0.12r5.
Versions not affected
---------------------
* Varnish Cache 7.3.2 (released 2024-03-18)
* Varnish Cache 7.4.3 (released 2024-03-18)
* Varnish Cache 6.0 LTS version 6.0.13 (released 2024-03-18)
* Varnish Enterprise by Varnish Software version 6.0.12r6.
Timeline
--------
* **2019-04-19** the vulnerability is theorized (see commit message of e1a1fdc7_)
* **2023-08-24** the vulnerability is confirmed
* it happened while working on bringing back the parameters ``timeout_req``
and ``timeout_reqbody`` to Varnish Enterprise 6.0
* **2023-09-20** the vulnerability is studied
* once the timeouts are reintroduced in Varnish Enterprise, work started to
find an appropriate mitigation
* **2023-10-10** the HTTP/2 Rapid Reset Attack is disclosed
* work on the Rapid Reset Attack starts, see :ref:`VSV00013_`
* work on the Broke Window Attack mitigation is postponed
* **2023-10-23** CVE-2023-43622 is published
* it describes a subset of the vulnerability for the Apache HTTP Server
* work on the Broke Window Attack mitigation resumes
* a first iteration is ready and submitted for a review
* the Varnish Cache maintainers are informed
* **2023-11-16** a second iteration is submitted for review
* **2023-11-29** the second iteration is approved
* Varnish Enterprise ships the mitigation in the 6.0.12r4 release
* **2023-12-05** the mitigation is ported to Varnish Cache
* the master branch is targeted
* the mitigation is not ready to publish
* **2024-01-15** the port to Varnish Cache resumes
* ported to supported branches 7.4, 7.4 and 6.0 LTS
* **2024-01-17** a regression is discovered
* the second iteration of the mitigation is racy
* when a race occurs, it is partially effective
* offending HTTP/2 streams are reset, but the connection is not closed
* **2024-01-23** the regression is fixed
* the ports to Varnish Cache are updated
* a bug fix is submitted to Varnish Enterprise
* **2024-03-05** the port to Varnish Cache master branch is updated
* **2024-03-18** public advisory and releases
.. _e1a1fdc7: https://github.com/varnishcache/varnish-cache/commit/e1a1fdc7688de5f37e35fc528639019d5bd3efbf
Mitigation
----------
If upgrading Varnish is not possible, it is possible to mitigate the problem
by simply disabling HTTP/2 support::
varnishadm param.set feature -http2
You must also remove ``h2`` from the list of protocols if your TLS terminator
is advertising it with ALPN.
After upgrading, two mitigations are enabled by default.
A new ``h2_window_timeout`` triggers a reset of "broke" HTTP/2 streams that
were waiting for control flow window credits from the client. If all streams
are broke when the timeout triggers, the connection is considered bankrupt
and closed immediately.
The default value of 5 seconds for ``h2_window_timeout`` is very conservative
because web browsers may use the control flow window to pause the delivery of
certain resources past a certain point to prioritize others. For example the
metadata of images may be fetched for layout purposes, while the rest of the
images payload could be postponed until all latency-sensitive resources are
ready.
Monitoring the mitigations
--------------------------
In the event of a connection bankruptcy, the ``MAIN.sc_bankrupt`` counter is
incremented and can be used to raise an alarm.
With Varnish Enterprise, it would have been possible to infer an attack before
it was patched with the ``varnishscoreboard`` utility. The accumulation of
HTTP/2 streams stuck in the transmit step would be visible. However, this
attack vector has to the best of our knowledge not been exploited.
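Review bot: several correctness issues in the advisory text need fixing before publication. (1) `:ref:`VSV00013_`` in the Timeline is malformed: the trailing underscore belongs to hyperlink references, not :ref: roles, and will not resolve; write :ref:`VSV00013`. (2) "ported to supported branches 7.4, 7.4 and 6.0 LTS" should read "7.4, 7.3 and 6.0 LTS", since 7.3.2 is among the fixed versions. (3) "Varnish Cacher servers" is a typo for "Varnish Cache servers". (4) "control flow window" should be "flow control window" in the summary and throughout the Mitigation section; flow control is the HTTP/2 term and "control flow" means something else. (5) Under "Versions affected", the "Varnish Enterprise by Varnish Software 6.0.x up to and including 6.0.12r5" bullet must be a sibling of the "All Varnish Cache releases with HTTP/2 support except:" bullet, not nested under its "except" list, or it reads as not affected; the rendering has lost indentation, so check the source. (6) "Versions not affected" omits 7.5.0, which "Versions affected" excludes and index.rst announces the same day; add "Varnish Cache 7.5.0 (released 2024-03-18)". (7) In Mitigation, say what ``h2_window_timeout`` is ("A new ``h2_window_timeout`` parameter") and state whether the `varnishadm param.set feature -http2` change survives a varnishd restart and, if not, how to make it persistent in the startup parameters. (8) In Monitoring, mention that ``MAIN.sc_bankrupt`` is read with varnishstat so operators know where to hook the alarm.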