Commit 88f7f790
authored Mar 15, 2024 by Dridi Boukelmoune
Committed by Simon Stridsberg, Mar 18, 2024

whats-new: Mention CVE-2023-43622

parent 9f6a7e3f
Showing 1 changed file with 21 additions and 3 deletions
doc/sphinx/whats-new/changes-trunk.rst (+21 -3)
doc/sphinx/whats-new/changes-trunk.rst
...
@@ -27,6 +27,16 @@ longer open (stream reset, client disconnected etc).
...
@@ -27,6 +27,16 @@ longer open (stream reset, client disconnected etc).
.. _VSV 13: https://varnish-cache.org/security/VSV00013.html
.. _VSV 13: https://varnish-cache.org/security/VSV00013.html
CVE-2023-43622
~~~~~~~~~~~~~~
Another denial of service attack vector received a CVE number in the aftermath
of the Rapid Reset debacle. `VSV 14`_ is called the HTTP/2 Broke Window attack
and can be summarized as the ability for clients to hold a server still by not
crediting the control flow window of HTTP/2 streams.
.. _VSV 14: https://varnish-cache.org/security/VSV00014.html
varnishd
varnishd
========
========
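Review bot: "control flow window" in the added CVE-2023-43622 paragraph should read "flow control window"; HTTP/2 calls the mechanism flow control (the WINDOW_UPDATE credits), and "control flow" means something else to most readers. Suggest "by not crediting the flow control window of HTTP/2 streams." The `VSV 14`_ reference and its target line below are consistent with the `VSV 13`_ pair above it, so nothing else to change in this hunk.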
...
@@ -66,6 +76,11 @@ The following parameters address the HTTP/2 Rapid Reset attach:
...
@@ -66,6 +76,11 @@ The following parameters address the HTTP/2 Rapid Reset attach:
- ``h2_rapid_reset_limit`` (maximum number of rapid resets per period)
- ``h2_rapid_reset_limit`` (maximum number of rapid resets per period)
- ``h2_rapid_reset_period`` (the sliding period to track rapid resets)
- ``h2_rapid_reset_period`` (the sliding period to track rapid resets)
The new ``h2_window_timeout`` parameter defines how long an HTTP/2 stream can
stall its delivery waiting for a control flow window update. A stream without
any credits is considered broke, and if all streams are broke when the new
timeout triggers the entire connection is considered bankrupt.
A new bit flag ``vcl_req_reset`` for the ``feature`` parameter interrupts
A new bit flag ``vcl_req_reset`` for the ``feature`` parameter interrupts
client request tasks during VCL transitions when an HTTP/2 stream is no longer
client request tasks during VCL transitions when an HTTP/2 stream is no longer
open. The result is equivalent to a ``return (fail);`` statement and can save
open. The result is equivalent to a ``return (fail);`` statement and can save
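Review bot: the same terminology slip appears in the new ``h2_window_timeout`` paragraph: "waiting for a control flow window update" should be "waiting for a flow control window update". The second sentence also needs a comma after "triggers" to parse ("if all streams are broke when the new timeout triggers, the entire connection is considered bankrupt"), and the paragraph names no default or unit for the new parameter, which an operator comparing it to existing stream timeouts will want to see here. While editing this region, the pre-existing context line in the hunk header reads "Rapid Reset attach" for "attack".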
...
@@ -247,9 +262,12 @@ A new ``MAIN.sc_rapid_reset`` counter counts the number of HTTP/2 connections
...
@@ -247,9 +262,12 @@ A new ``MAIN.sc_rapid_reset`` counter counts the number of HTTP/2 connections
closed because the number of rapid resets exceed the limit over the configured
closed because the number of rapid resets exceed the limit over the configured
period.
period.
Its ``MAIN.req_reset`` counterpart counts the number of time a client task was
Likewise, ``MAIN.sc_bankrupt`` counts the number of HTTP/2 connections closed
prematurely failed because the HTTP/2 stream it was processing was no longer
because all streams ran out of credits and ``h2_window_timeout`` triggered.
open and the feature flag ``vcl_req_reset`` was raised.
Their ``MAIN.req_reset`` counterpart counts the number of time a client task
was prematurely failed because the HTTP/2 stream it was processing was no
longer open and the feature flag ``vcl_req_reset`` was raised.
A new counter ``MAIN.n_superseded`` adds visibility on how many objects are
A new counter ``MAIN.n_superseded`` adds visibility on how many objects are
inserted as the replacement of another object in the cache. This can give
inserted as the replacement of another object in the cache. This can give
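Review bot: the rewritten ``MAIN.req_reset`` sentence carries over the grammatical error from the old one: "counts the number of time a client task was prematurely failed" should be "counts the number of times a client task was prematurely failed". Now that the counter has two siblings, "Their ``MAIN.req_reset`` counterpart" reads awkwardly; consider "The related ``MAIN.req_reset`` counter counts ...". The added ``MAIN.sc_bankrupt`` sentence is clear and uses the same "bankrupt" wording as the ``h2_window_timeout`` description, which is good for grepping.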
...
...