Commit 88f7f790 authored by Dridi Boukelmoune, committed by Simon Stridsberg

whats-new: Mention CVE-2023-43622

parent 9f6a7e3f
...@@ -27,6 +27,16 @@ longer open (stream reset, client disconnected etc). ...@@ -27,6 +27,16 @@ longer open (stream reset, client disconnected etc).
.. _VSV 13: https://varnish-cache.org/security/VSV00013.html .. _VSV 13: https://varnish-cache.org/security/VSV00013.html
CVE-2023-43622
~~~~~~~~~~~~~~
Another denial of service attack vector received a CVE number in the aftermath
of the Rapid Reset debacle. `VSV 14`_ is called the HTTP/2 Broke Window attack
and can be summarized as the ability for clients to hold a server still by not
crediting the control flow window of HTTP/2 streams.
.. _VSV 14: https://varnish-cache.org/security/VSV00014.html
varnishd varnishd
======== ========
...@@ -66,6 +76,11 @@ The following parameters address the HTTP/2 Rapid Reset attach: ...@@ -66,6 +76,11 @@ The following parameters address the HTTP/2 Rapid Reset attach:
- ``h2_rapid_reset_limit`` (maximum number of rapid resets per period) - ``h2_rapid_reset_limit`` (maximum number of rapid resets per period)
- ``h2_rapid_reset_period`` (the sliding period to track rapid resets) - ``h2_rapid_reset_period`` (the sliding period to track rapid resets)
The new ``h2_window_timeout`` parameter defines how long an HTTP/2 stream can
stall its delivery waiting for a control flow window update. A stream without
any credits is considered broke, and if all streams are broke when the new
timeout triggers the entire connection is considered bankrupt.
A new bit flag ``vcl_req_reset`` for the ``feature`` parameter interrupts A new bit flag ``vcl_req_reset`` for the ``feature`` parameter interrupts
client request tasks during VCL transitions when an HTTP/2 stream is no longer client request tasks during VCL transitions when an HTTP/2 stream is no longer
open. The result is equivalent to a ``return (fail);`` statement and can save open. The result is equivalent to a ``return (fail);`` statement and can save
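Review bot: the new ``h2_window_timeout`` paragraph again says "control flow window update"; it should read "flow control window update". The consequence of a bankrupt connection is also left implicit here ("the entire connection is considered bankrupt") and only becomes clear from the counter description further down; state it directly, e.g. "...the entire connection is considered bankrupt and is closed." Stating the parameter's unit and default alongside the description would let operators judge whether to tune it from this page alone. While touching this region, the unchanged context line above it still reads "Rapid Reset attach"; "attack" is worth fixing in the same commit.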
...@@ -247,9 +262,12 @@ A new ``MAIN.sc_rapid_reset`` counter counts the number of HTTP/2 connections ...@@ -247,9 +262,12 @@ A new ``MAIN.sc_rapid_reset`` counter counts the number of HTTP/2 connections
closed because the number of rapid resets exceed the limit over the configured closed because the number of rapid resets exceed the limit over the configured
period. period.
Its ``MAIN.req_reset`` counterpart counts the number of time a client task was Likewise, ``MAIN.sc_bankrupt`` counts the number of HTTP/2 connections closed
prematurely failed because the HTTP/2 stream it was processing was no longer because all streams ran out of credits and ``h2_window_timeout`` triggered.
open and the feature flag ``vcl_req_reset`` was raised.
Their ``MAIN.req_reset`` counterpart counts the number of time a client task
was prematurely failed because the HTTP/2 stream it was processing was no
longer open and the feature flag ``vcl_req_reset`` was raised.
A new counter ``MAIN.n_superseded`` adds visibility on how many objects are A new counter ``MAIN.n_superseded`` adds visibility on how many objects are
inserted as the replacement of another object in the cache. This can give inserted as the replacement of another object in the cache. This can give
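Review bot: "counts the number of time a client task" in the rewritten ``MAIN.req_reset`` paragraph should be "counts the number of times a client task"; the wording is carried over from the removed version, so this rewrite is the natural place to fix it. In the new ``MAIN.sc_bankrupt`` sentence, "because all streams ran out of credits and ``h2_window_timeout`` triggered" would be clearer if it reused the vocabulary introduced with the parameter ("because all streams were broke when ``h2_window_timeout`` fired, leaving the connection bankrupt"), so the counter's name is explained where it is documented.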
......