Commit 66562c8c authored by Nils Goroll, committed by Dridi Boukelmoune

Changelog TLC

Conflicts:
	doc/changes.rst
parent 0e75bd8e
......@@ -30,10 +30,101 @@ directory, also available in HTML format at
http://varnish-cache.org/docs/trunk/whats-new/index.html and via
individual releases. These documents are updated as part of the
release process.
================================
Varnish Cache 7.3.1 (2023-11-13)
================================
* Added mitigation options and visibility for HTTP/2 "rapid reset"
attacks (CVE-2023-44487_, 3996_, 3997_, 3998_, 3999_).
Global rate limit controls have been added as parameters, which can
be overridden per HTTP/2 session from VCL using the new vmod ``h2``:
* The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
define a threshold duration for an ``RST_STREAM`` to be classified
as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
duration after a ``HEADERS`` frame, it is accounted against the
rate limit described below.
The default is one second.
* The ``h2_rapid_reset_limit`` parameter and
``h2.rapid_reset_limit()`` function define how many "rapid" resets
may be received during the time span defined by the
``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
function before the HTTP/2 connection is forcibly closed with a
``GOAWAY`` and all ongoing VCL client tasks of the connection are
aborted.
The defaults are 100 and 60 seconds, corresponding to an allowance
of 100 "rapid" resets per minute.
* The ``h2.rapid_reset_budget()`` function can be used to query the
number of currently allowed "rapid" resets.
* Sessions closed due to rapid reset rate limiting are reported as
``SessClose RAPID_RESET`` in `vsl(7)` and accounted to
``main.sc_rapid_reset`` in `vsc` as visible through
``varnishstat(1)``.
* A race condition has been fixed in the backend probe code which
could trigger a panic with dynamic backends (dyn100_).
* A bug has been fixed in the ESI code which would prevent use of
internal status codes >1000 as their modulus 1000 value (3958_).
* Fixed a performance issue in http/2 upload processing (3930_).
* A regression introduced with Varnish Cache 7.3.0 was fixed: On
HTTP/2 connections, URLs starting with ``//`` no longer trigger a
protocol error (3911_).
* A bug has been fixed where ``unset bereq.body`` had no effect when
used with a cached body (3914_).
* Fixed a compatibility issue in the abstract socket support (3908_).
* Improved HPACK header validation.
* HTTP/2 header field validation is now more strict with respect to
allowed characters (3952_).
* The ``vcl_req_reset`` feature (controllable through the ``feature``
parameter, see `varnishd(1)`) has been added and enabled by default
to terminate client side VCL processing early when the client is
gone.
*req_reset* events trigger a VCL failure and are reported to
`vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
in `vsc` as visible through ``varnishstat(1)``.
In particular, this feature is used to reduce resource consumption
of HTTP/2 "rapid reset" attacks (see below).
Note, in particular, that *req_reset* events may lead to client
tasks for which no VCL is called ever. Presumably, this is thus the
first time that valid `vcl(7)` client transactions may not contain
any ``VCL_call`` records.
* The ``cli_limit`` parameter default has been increased from 48KB to
64KB.
.. _CVE-2023-44487: https://nvd.nist.gov/vuln/detail/CVE-2023-44487
.. _3908: https://github.com/varnishcache/varnish-cache/issues/3908
.. _3911: https://github.com/varnishcache/varnish-cache/issues/3911
.. _3914: https://github.com/varnishcache/varnish-cache/issues/3914
.. _3930: https://github.com/varnishcache/varnish-cache/issues/3930
.. _3952: https://github.com/varnishcache/varnish-cache/issues/3952
.. _3958: https://github.com/varnishcache/varnish-cache/issues/3958
.. _3996: https://github.com/varnishcache/varnish-cache/pull/3996
.. _3997: https://github.com/varnishcache/varnish-cache/pull/3997
.. _3998: https://github.com/varnishcache/varnish-cache/pull/3998
.. _3999: https://github.com/varnishcache/varnish-cache/pull/3999
.. _dyn100: https://github.com/nigoroll/libvmod-dynamic/issues/100
================================
Varnish Cache 7.3.0 (2023-03-15)
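Review bot: the cross-reference in the ``vcl_req_reset`` entry points the wrong way. It says the feature "is used to reduce resource consumption of HTTP/2 "rapid reset" attacks (see below)", but the rapid reset entry (``h2_rapid_reset``, ``h2_rapid_reset_limit``, ``h2_rapid_reset_period``) is the first item of this 7.3.1 section, above it, so this should read "(see above)" to save readers scanning the rest of the list for an entry that is not there. One style point in the same section: "Fixed a performance issue in http/2 upload processing (3930_)." writes the protocol as lowercase "http/2" while every other entry in the hunk uses "HTTP/2"; suggest "Fixed a performance issue in HTTP/2 upload processing (3930_)." for consistency.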