diff --git a/bin/varnishtest/vtc_varnish.c b/bin/varnishtest/vtc_varnish.c
index f763fcce77b..ca596f19058 100644
--- a/bin/varnishtest/vtc_varnish.c
+++ b/bin/varnishtest/vtc_varnish.c
@@ -417,7 +417,7 @@ varnish_launch(struct varnish *v)
 	VSB_cat(vsb, " -p syslog_cli_traffic=off");
 	VSB_cat(vsb, " -p thread_pool_min=10");
 	VSB_cat(vsb, " -p debug=+vtc_mode");
-	VSB_cat(vsb, " -p vsl_mask=+Debug");
+	VSB_cat(vsb, " -p vsl_mask=+Debug,+H2RxHdr,+H2RxBody");
 	VSB_cat(vsb, " -p h2_initial_window_size=1m");
 	VSB_cat(vsb, " -p h2_rx_window_low_water=64k");
 	if (!v->has_a_arg) {
diff --git a/configure.ac b/configure.ac
index 1dc434839d2..d86cd46522b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,7 +2,7 @@ AC_PREREQ(2.69)
 AC_COPYRIGHT([Copyright (c) 2006 Verdens Gang AS
 Copyright (c) 2006-2023 Varnish Software])
 AC_REVISION([$Id$])
-AC_INIT([Varnish], [7.3.0], [varnish-dev@varnish-cache.org])
+AC_INIT([Varnish], [7.3.1], [varnish-dev@varnish-cache.org])
 AC_CONFIG_SRCDIR(include/miniobj.h)
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
diff --git a/doc/changes.rst b/doc/changes.rst
index 08e53512ea1..d33618592a3 100644
--- a/doc/changes.rst
+++ b/doc/changes.rst
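Review bot: The new `vsl_mask` value switches on two extra VSL tags for every varnishd the harness launches, but nothing in `varnish_launch` records why; a reader cannot tell whether test cases rely on `H2RxHdr`/`H2RxBody` records or whether they are only debugging noise that inflates the test logs. A one-line comment above the changed `VSB_cat` would settle that, e.g. `/* H2RxHdr/H2RxBody: keep received HTTP/2 frame records in VSL so h2 test cases can match on them */`. Presumably these tags are not part of the default mask outside the harness, so expectations written against them in .vtc files should not be assumed to hold for a production `vsl_mask`. varnish_launch begins before and continues past this hunk.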
@@ -31,6 +31,101 @@ http://varnish-cache.org/docs/trunk/whats-new/index.html
 and via individual releases.
 These documents are updated as part of the release process.
 
+================================
+Varnish Cache 7.3.1 (2023-11-13)
+================================
+
+* Added mitigation options and visibility for HTTP/2 "rapid reset"
+  attacks (CVE-2023-44487_, 3996_, 3997_, 3998_, 3999_).
+
+  Global rate limit controls have been added as parameters, which can
+  be overridden per HTTP/2 session from VCL using the new vmod ``h2``:
+
+  * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
+    define a threshold duration for an ``RST_STREAM`` to be classified
+    as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
+    duration after a ``HEADERS`` frame, it is accounted against the
+    rate limit described below.
+
+    The default is one second.
+
+  * The ``h2_rapid_reset_limit`` parameter and
+    ``h2.rapid_reset_limit()`` function define how many "rapid" resets
+    may be received during the time span defined by the
+    ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
+    function before the HTTP/2 connection is forcibly closed with a
+    ``GOAWAY`` and all ongoing VCL client tasks of the connection are
+    aborted.
+
+    The defaults are 100 and 60 seconds, corresponding to an allowance
+    of 100 "rapid" resets per minute.
+
+  * The ``h2.rapid_reset_budget()`` function can be used to query the
+    number of currently allowed "rapid" resets.
+
+  * Sessions closed due to rapid reset rate limiting are reported as
+    ``SessClose RAPID_RESET`` in `vsl(7)` and accounted to
+    ``main.sc_rapid_reset`` in `vsc` as visible through
+    ``varnishstat(1)``.
+
+* A race condition has been fixed in the backend probe code which
+  could trigger a panic with dynamic backends (dyn100_).
+
+* A bug has been fixed in the ESI code which would prevent use of
+  internal status codes >1000 as their modulus 1000 value (3958_).
+
+* Fixed a performance issue in http/2 upload processing (3930_).
+
+* A regression introduced with Varnish Cache 7.3.0 was fixed: On
+  HTTP/2 connections, URLs starting with ``//`` no longer trigger a
+  protocol error (3911_).
+
+* A bug has been fixed where ``unset bereq.body`` had no effect when
+  used with a cached body (3914_).
+
+* Fixed a compatibility issue in the abstract socket support (3908_).
+
+* Improved HPACK header validation.
+
+* HTTP/2 header field validation is now more strict with respect to
+  allowed characters (3952_).
+
+* The ``vcl_req_reset`` feature (controllable through the ``feature``
+  parameter, see `varnishd(1)`) has been added and enabled by default
+  to terminate client side VCL processing early when the client is
+  gone.
+
+  *req_reset* events trigger a VCL failure and are reported to
+  `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
+  in `vsc` as visible through ``varnishstat(1)``.
+
+  In particular, this feature is used to reduce resource consumption
+  of HTTP/2 "rapid reset" attacks (see below).
+
+  Note that *req_reset* events may lead to client tasks for which no
+  VCL is called ever. Presumably, this is thus the first time that
+  valid `vcl(7)` client transactions may not contain any ``VCL_call``
+  records.
+
+* The ``cli_limit`` parameter default has been increased from 48KB to
+  64KB.
+
+
+.. _CVE-2023-44487: https://nvd.nist.gov/vuln/detail/CVE-2023-44487
+
+.. _3908: https://github.com/varnishcache/varnish-cache/issues/3908
+.. _3911: https://github.com/varnishcache/varnish-cache/issues/3911
+.. _3914: https://github.com/varnishcache/varnish-cache/issues/3914
+.. _3930: https://github.com/varnishcache/varnish-cache/issues/3930
+.. _3952: https://github.com/varnishcache/varnish-cache/issues/3952
+.. _3958: https://github.com/varnishcache/varnish-cache/issues/3958
+.. _3996: https://github.com/varnishcache/varnish-cache/pull/3996
+.. _3997: https://github.com/varnishcache/varnish-cache/pull/3997
+.. _3998: https://github.com/varnishcache/varnish-cache/pull/3998
+.. _3999: https://github.com/varnishcache/varnish-cache/pull/3999
+
+.. _dyn100: https://github.com/nigoroll/libvmod-dynamic/issues/100
+
 ================================
 Varnish Cache 7.3.0 (2023-03-15)
 ================================