Release 7.3.1

bin/varnishtest/vtc_varnish.c

@@ -417,7 +417,7 @@ varnish_launch(struct varnish *v)
 	VSB_cat(vsb, " -p syslog_cli_traffic=off");
 	VSB_cat(vsb, " -p thread_pool_min=10");
 	VSB_cat(vsb, " -p debug=+vtc_mode");
-	VSB_cat(vsb, " -p vsl_mask=+Debug");
+	VSB_cat(vsb, " -p vsl_mask=+Debug,+H2RxHdr,+H2RxBody");
 	VSB_cat(vsb, " -p h2_initial_window_size=1m");
 	VSB_cat(vsb, " -p h2_rx_window_low_water=64k");
 	if (!v->has_a_arg) {

configure.ac

@@ -2,7 +2,7 @@ AC_PREREQ(2.69)
 AC_COPYRIGHT([Copyright (c) 2006 Verdens Gang AS
 Copyright (c) 2006-2023 Varnish Software])
 AC_REVISION([$Id$])
-AC_INIT([Varnish], [7.3.0], [[email protected]])
+AC_INIT([Varnish], [7.3.1], [[email protected]])
 AC_CONFIG_SRCDIR(include/miniobj.h)
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])

doc/changes.rst

@@ -31,6 +31,101 @@ http://varnish-cache.org/docs/trunk/whats-new/index.html and via
 individual releases. These documents are updated as part of the
 release process.
 
+================================
+Varnish Cache 7.3.1 (2023-11-13)
+================================
+
+* Added mitigation options and visibility for HTTP/2 "rapid reset"
+  attacks (CVE-2023-44487_, 3996_, 3997_, 3998_, 3999_).
+
+  Global rate limit controls have been added as parameters, which can
+  be overridden per HTTP/2 session from VCL using the new vmod ``h2``:
+
+  * The ``h2_rapid_reset`` parameter and ``h2.rapid_reset()`` function
+    define a threshold duration for an ``RST_STREAM`` to be classified
+    as "rapid": If an ``RST_STREAM`` frame is parsed sooner than this
+    duration after a ``HEADERS`` frame, it is accounted against the
+    rate limit described below.
+
+    The default is one second.
+
+  * The ``h2_rapid_reset_limit`` parameter and
+    ``h2.rapid_reset_limit()`` function define how many "rapid" resets
+    may be received during the time span defined by the
+    ``h2_rapid_reset_period`` parameter / ``h2.rapid_reset_period()``
+    function before the HTTP/2 connection is forcibly closed with a
+    ``GOAWAY`` and all ongoing VCL client tasks of the connection are
+    aborted.
+
+    The defaults are 100 and 60 seconds, corresponding to an allowance
+    of 100 "rapid" resets per minute.
+
+  * The ``h2.rapid_reset_budget()`` function can be used to query the
+    number of currently allowed "rapid" resets.
+
+  * Sessions closed due to rapid reset rate limiting are reported as
+    ``SessClose RAPID_RESET`` in `vsl(7)` and accounted to
+    ``main.sc_rapid_reset`` in `vsc` as visible through
+    ``varnishstat(1)``.
+
+* A race condition has been fixed in the backend probe code which
+  could trigger a panic with dynamic backends (dyn100_).
+
+* A bug has been fixed in the ESI code which would prevent use of
+  internal status codes >1000 as their modulus 1000 value (3958_).
+
+* Fixed a performance issue in http/2 upload processing (3930_).
+
+* A regression introduced with Varnish Cache 7.3.0 was fixed: On
+  HTTP/2 connections, URLs starting with ``//`` no longer trigger a
+  protocol error (3911_).
+
+* A bug has been fixed where ``unset bereq.body`` had no effect when
+  used with a cached body (3914_).
+
+* Fixed a compatibility issue in the abstract socket support (3908_).
+
+* Improved HPACK header validation.
+
+* HTTP/2 header field validation is now more strict with respect to
+  allowed characters (3952_).
+
+* The ``vcl_req_reset`` feature (controllable through the ``feature``
+  parameter, see `varnishd(1)`) has been added and enabled by default
+  to terminate client side VCL processing early when the client is
+  gone.
+
+  *req_reset* events trigger a VCL failure and are reported to
+  `vsl(7)` as ``Timestamp: Reset`` and accounted to ``main.req_reset``
+  in `vsc` as visible through ``varnishstat(1)``.
+
+  In particular, this feature is used to reduce resource consumption
+  of HTTP/2 "rapid reset" attacks (see below).
+
+  Note that *req_reset* events may lead to client tasks for which no
+  VCL is called ever. Presumably, this is thus the first time that
+  valid `vcl(7)` client transactions may not contain any ``VCL_call``
+  records.
+
+* The ``cli_limit`` parameter default has been increased from 48KB to
+  64KB.
+
+
+.. _CVE-2023-44487: https://nvd.nist.gov/vuln/detail/CVE-2023-44487
+
+.. _3908: https://github.com/varnishcache/varnish-cache/issues/3908
+.. _3911: https://github.com/varnishcache/varnish-cache/issues/3911
+.. _3914: https://github.com/varnishcache/varnish-cache/issues/3914
+.. _3930: https://github.com/varnishcache/varnish-cache/issues/3930
+.. _3952: https://github.com/varnishcache/varnish-cache/issues/3952
+.. _3958: https://github.com/varnishcache/varnish-cache/issues/3958
+.. _3996: https://github.com/varnishcache/varnish-cache/pull/3996
+.. _3997: https://github.com/varnishcache/varnish-cache/pull/3997
+.. _3998: https://github.com/varnishcache/varnish-cache/pull/3998
+.. _3999: https://github.com/varnishcache/varnish-cache/pull/3999
+
+.. _dyn100: https://github.com/nigoroll/libvmod-dynamic/issues/100
+
 ================================
 Varnish Cache 7.3.0 (2023-03-15)
 ================================