* [rpms/varnish] f43: Update to latest 7.7.x release available, a security release
@ 2026-06-17  7:14 Ingvar Hagelund
From: Ingvar Hagelund @ 2026-06-17  7:14 UTC (permalink / raw)
  To: git-commits

            A new commit has been pushed.

            Repo   : rpms/varnish
            Branch : f43
            Commit : 41cd9135027790378fdb48037b0e01a145370619
            Author : Ingvar Hagelund <ingvar@redpill-linpro.com>
            Date   : 2026-06-17T09:14:20+02:00
            Stats  : +840/-5 in 9 file(s)
            URL    : https://src.fedoraproject.org/rpms/varnish/c/41cd9135027790378fdb48037b0e01a145370619?branch=f43

            Log:
            Update to latest 7.7.x release available, a security release

Includes fixes for VSV00017 aka CVE-2025-8671
Added patches for VSV00018 aka CVE-2026-34475
Added patches for VSV00019

---
diff --git a/.gitignore b/.gitignore
index ad5bd3c..c67564c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -69,3 +69,4 @@ varnish-2.1.3.tar.gz
 /varnish-7.7.0.tgz
 /varnish-7.7.1.tgz
 /jemalloc-5.3.0.tar.bz2
+/varnish-7.7.3.tgz

diff --git a/sources b/sources
index 82113a1..2aa998b 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (varnish-7.7.1.tgz) = 4a15ff23dc07cb19959031be5070e7da46a2be2d1a1d2e3950966ca593849d3f8be4f41bd35dae75876bbc121bf268345b47aa35764645362aa42b822b634ad9
+SHA512 (varnish-7.7.3.tgz) = 2de3f19d24e42ec092076226b629dc36d4d3c9961454502e7f9a8ff1d440cf54104198e2b5302361f093fa221f04f836bb8dda441921d1721b1d05c90c0f1661
 SHA512 (pkg-varnish-cache-7d90347.tar.gz) = c5bf026bb50b416001d0e22e56c2774c143dab1f4658f03f1a4e6578369b71cfda5854b7d6b580c43c2ab8e68bfb9033b56734adfd29ac0fddc61fd6b1b4b0c0
 SHA512 (jemalloc-5.3.0.tar.bz2) = 22907bb052096e2caffb6e4e23548aecc5cc9283dce476896a2b1127eee64170e3562fa2e7db9571298814a7a2c7df6e8d1fbe152bd3f3b0c1abec22a2de34b1

diff --git a/varnish-8.0_vsv18_1a907310.patch b/varnish-8.0_vsv18_1a907310.patch
new file mode 100644
index 0000000..569183c
--- /dev/null
+++ b/varnish-8.0_vsv18_1a907310.patch
@@ -0,0 +1,60 @@
+Based on upstream commit 1a9073102fb737a44a9cd46588f3c0e23590f8eb
+
+
+commit 1a9073102fb737a44a9cd46588f3c0e23590f8eb
+Author: Nils Goroll <nils.goroll@uplex.de>
+Date:   Thu Mar 5 14:28:02 2026 +0100
+
+    Handle absolute form with empty path
+    
+    This patch now adds dissection of
+    
+            http://example.com?/foo
+    
+    into Host: example.com, url: /?/foo
+    
+    Conflicts
+            both modified:   bin/varnishd/http1/cache_http1_proto.c
+            both modified:   bin/varnishtest/tests/r01255.vtc
+
+diff -u a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c
+--- a/bin/varnishd/http1/cache_http1_proto.c	2026-06-16 22:03:12.617853250 +0200
++++ b/bin/varnishd/http1/cache_http1_proto.c	2026-06-16 22:05:04.321967181 +0200
+@@ -355,6 +355,7 @@
+ 	uint16_t retval;
+ 	const char *p;
+ 	const char *b = NULL, *e;
++	char c = '\0';
+ 
+ 	CHECK_OBJ_NOTNULL(htc, HTTP_CONN_MAGIC);
+ 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
+@@ -374,9 +375,11 @@
+ 	    http_scheme_at(hp->hd[HTTP_HDR_URL].b, https))
+ 		b = hp->hd[HTTP_HDR_URL].b + 8;
+ 	if (b) {
+-		e = strchr(b, '/');
++		e = strpbrk(b, "/?");
+ 		if (e == NULL)
+ 			e = hp->hd[HTTP_HDR_URL].e;
++		else
++			c = *e;
+ 		if (e == b) {
+ 			// rfc9110 4.2.1 4.2.2 reject empty host
+ 			return (400);
+@@ -385,10 +388,15 @@
+ 		http_PrintfHeader(hp, "Host: %.*s", (int)(e - b), b);
+ 		hp->hd[HTTP_HDR_URL].b = e;
+ 		if (Tlen(hp->hd[HTTP_HDR_URL]) == 0) {
++			// empty path
+ 			if (http_method_eq(http_GetMethod(hp), OPTIONS))
+ 				hp->hd[HTTP_HDR_URL] = Tstr("*");
+ 			else
+ 				hp->hd[HTTP_HDR_URL] = Tstr("/");
++		} else if (c == '?') {
++			hp->hd[HTTP_HDR_URL].b--;
++			char *t = TRUST_ME(hp->hd[HTTP_HDR_URL].b);
++			*t = '/';
+ 		}
+ 	}
+ 
+
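Review bot: The in-place write `*t = '/';` overwrites the last byte of the host inside the receive buffer with no comment saying why that is safe; a reader must work out that `http_PrintfHeader` has already copied the host out and that the `e == b` check above guarantees `e - 1` still lies inside the host span. Suggest adding above `hp->hd[HTTP_HDR_URL].b--;` the line `// host already copied into Host:, so its last byte can become the '/' of "/?query"`. The header lists r01255.vtc as a conflict, yet this file carries only the C hunk; the matching `/?/foo` expectations live in varnish-8.0_vsv18_73dcb85e.patch, which is worth stating in the header so the two files are read together. HTTP1_DissectRequest begins and ends outside the hunk.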

diff --git a/varnish-8.0_vsv18_5c016b07.patch b/varnish-8.0_vsv18_5c016b07.patch
new file mode 100644
index 0000000..c89b30d
--- /dev/null
+++ b/varnish-8.0_vsv18_5c016b07.patch
@@ -0,0 +1,42 @@
+Based on upstream commit 5c016b070e1994fd8a430b45dac7dc3ee63f04d7
+
+commit 5c016b070e1994fd8a430b45dac7dc3ee63f04d7
+Author: Nils Goroll <nils.goroll@uplex.de>
+Date:   Wed Mar 4 09:46:28 2026 +0100
+
+    Fix http/1.1 "absolute form" empty host handling
+    
+    RFC9110 4.2.1:
+    
+            A sender MUST NOT generate an "http" URI with an empty host identifier.
+            A recipient that processes such a URI reference MUST reject it as
+            invalid.
+    
+    4.2.2:
+    
+            A sender MUST NOT generate an "https" URI with an empty host identifier.
+            A recipient that processes such a URI reference MUST reject it as
+            invalid.
+    
+    Pointed out by Walid
+    
+    Related to VSV18
+    
+    Conflicts:
+            both modified:   doc/changes.rst
+
+diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c
+index c710c6da5..35ad9260c 100644
+--- a/bin/varnishd/http1/cache_http1_proto.c
++++ b/bin/varnishd/http1/cache_http1_proto.c
+@@ -377,6 +377,10 @@ HTTP1_DissectRequest(struct http_conn *htc, struct http *hp)
+ 		e = strchr(b, '/');
+ 		if (e == NULL)
+ 			e = hp->hd[HTTP_HDR_URL].e;
++		if (e == b) {
++			// rfc9110 4.2.1 4.2.2 reject empty host
++			return (400);
++		}
+ 		http_Unset(hp, H_Host);
+ 		http_PrintfHeader(hp, "Host: %.*s", (int)(e - b), b);
+ 		hp->hd[HTTP_HDR_URL].b = e;

diff --git a/varnish-8.0_vsv18_73dcb85e.patch b/varnish-8.0_vsv18_73dcb85e.patch
new file mode 100644
index 0000000..dc9ebcd
--- /dev/null
+++ b/varnish-8.0_vsv18_73dcb85e.patch
@@ -0,0 +1,258 @@
+Based on upstream commit 73dcb85eb8ad9fa9b462c5477d8c4b5061f615de 
+
+commit 73dcb85eb8ad9fa9b462c5477d8c4b5061f615de
+Author: Nils Goroll <nils.goroll@uplex.de>
+Date:   Tue Feb 3 09:15:02 2026 +0100
+
+    Fix http/1.1 "absolute form" dissection edge case
+    
+    RFC9110 4.2.3:
+    
+            When not being used as the target of an OPTIONS request, an empty path
+            component is equivalent to an absolute path of "/", so the normal form
+            is to provide a path of "/" instead.
+    
+    7.7:
+    
+            For example, a proxy forwarding a request to an origin server via
+            HTTP/1.1 will replace an empty path with "/" (Section 3.2.1 of
+            [HTTP/1.1]) or "*" (Section 3.2.4 of [HTTP/1.1]), depending on the
+            request method.
+    
+            (Pointed out by Dridi)
+    
+    Fixes VSV18
+    
+    Conflicts:
+            both modified: doc/changes.rst
+    
+    Edits:
+            cache_http1_proto.c: WKM does not exist yet in 8.0
+
+
+commit 5c016b070e1994fd8a430b45dac7dc3ee63f04d7
+Author: Nils Goroll <nils.goroll@uplex.de>
+Date:   Wed Mar 4 09:46:28 2026 +0100
+
+    Fix http/1.1 "absolute form" empty host handling
+    
+    RFC9110 4.2.1:
+    
+            A sender MUST NOT generate an "http" URI with an empty host identifier.
+            A recipient that processes such a URI reference MUST reject it as
+            invalid.
+    
+    4.2.2:
+    
+            A sender MUST NOT generate an "https" URI with an empty host identifier.
+            A recipient that processes such a URI reference MUST reject it as
+            invalid.
+    
+    Pointed out by Walid
+    
+    Related to VSV18
+    
+    Conflicts:
+            both modified:   doc/changes.rst
+
+
+diff --git a/bin/varnishd/http1/cache_http1_proto.c b/bin/varnishd/http1/cache_http1_proto.c
+index 1441b1d91..c710c6da5 100644
+--- a/bin/varnishd/http1/cache_http1_proto.c
++++ b/bin/varnishd/http1/cache_http1_proto.c
+@@ -375,10 +375,16 @@ HTTP1_DissectRequest(struct http_conn *htc, struct http *hp)
+ 		b = hp->hd[HTTP_HDR_URL].b + 8;
+ 	if (b) {
+ 		e = strchr(b, '/');
+-		if (e) {
+-			http_Unset(hp, H_Host);
+-			http_PrintfHeader(hp, "Host: %.*s", (int)(e - b), b);
+-			hp->hd[HTTP_HDR_URL].b = e;
++		if (e == NULL)
++			e = hp->hd[HTTP_HDR_URL].e;
++		http_Unset(hp, H_Host);
++		http_PrintfHeader(hp, "Host: %.*s", (int)(e - b), b);
++		hp->hd[HTTP_HDR_URL].b = e;
++		if (Tlen(hp->hd[HTTP_HDR_URL]) == 0) {
++			if (http_method_eq(http_GetMethod(hp), OPTIONS))
++				hp->hd[HTTP_HDR_URL] = Tstr("*");
++			else
++				hp->hd[HTTP_HDR_URL] = Tstr("/");
+ 		}
+ 	}
+ 
+diff -u a/bin/varnishtest/tests/r01255.vtc b/bin/varnishtest/tests/r01255.vtc
+--- a/bin/varnishtest/tests/r01255.vtc	2025-07-28 13:50:43.000000000 +0200
++++ b/bin/varnishtest/tests/r01255.vtc	2026-06-16 11:00:29.689109716 +0200
+@@ -1,19 +1,167 @@
+-varnishtest "Test RFC2616 5.2 compliance"
++varnishtest "Test RFC9112 3.2 compliance"
+ 
+-server s1 {
++server s1 -repeat 8 {
+ 	rxreq
+ 	txresp -hdr "Foo: 1"
+ } -start
+ 
+-varnish v1 -vcl+backend {
++varnish v1 -arg "-p vsl_mask=+ReqTarget" -vcl+backend {
++	sub vcl_req_method {
++		if (req.method == "CONNECT") {
++			return (pass);
++		}
++	}
+ 
+ 	sub vcl_deliver {
+ 		set resp.http.rxhost = req.http.host;
++		set resp.http.url = req.url;
+ 	}
+ } -start
+ 
++logexpect l1001 -v v1 -g vxid -q "vxid == 1001" {
++	fail add *	ReqURL
++	fail add *	End
++	expect 3 *	ReqTarget {^\Qhttp://www.example.com/bar\E$}
++	expect 0 =	ReqUnset  {^\Qhost: another\E$}
++	expect 0 =	ReqHeader {^\QHost: www.example.com\E$}
++        fail clear
++} -start
++
++logexpect l1003 -v v1 -g vxid -q "vxid == 1003" {
++	fail add *	ReqURL
++	fail add *	End
++	expect 3 *	ReqTarget {^\Qhttp://www.example.com/\E$}
++	expect 0 =	ReqUnset  {^\Qhost: another\E$}
++	expect 0 =	ReqHeader {^\QHost: www.example.com\E$}
++        fail clear
++} -start
++
++logexpect l1005 -v v1 -g vxid -q "vxid == 1005" {
++	fail add *	ReqURL
++	fail add *	End
++	expect 3 *	ReqTarget {^\Qhttp://www.example.com\E$}
++	expect 0 =	ReqUnset  {^\Qhost: another\E$}
++	expect 0 =	ReqHeader {^\QHost: www.example.com\E$}
++        fail clear
++} -start
++
++logexpect l1006 -v v1 -g vxid -q "vxid == 1006" {
++	fail add *	ReqURL
++	fail add *	End
++	expect 3 *	ReqTarget {^\Qhttp://www.example.com\E$}
++	expect 0 =	ReqUnset  {^\Qhost: another\E$}
++	expect 0 =	ReqHeader {^\QHost: www.example.com\E$}
++        fail clear
++	fail add *	End
++	expect 3 =	ReqMethod {^OPTIONS$}
++	expect 0 =	ReqURL {^\Q*\E$}
++        fail clear
++} -start
++
++logexpect l1008 -v v1 -g vxid -q "vxid == 1008" {
++	fail add *	End
++	expect 3 *	ReqTarget {^\Qexample.com:80\E$}
++	expect 2 =	ReqMethod {^CONNECT$}
++	expect 0 =	ReqURL {^\Qexample.com:80\E$}
++        fail clear
++} -start
++
++logexpect l1010 -v v1 -g vxid -q "vxid == 1010" {
++	fail add *	End
++	expect 3 *	ReqTarget {^\Q*\E$}
++	expect 2 =	ReqMethod {^OPTIONS$}
++	expect 0 =	ReqURL {^\Q*\E$}
++        fail clear
++} -start
++
+ client c1 {
+-	txreq -url http://www.example.com/bar
++	# 1001
++	txreq -url http://www.example.com/bar -hdr "host: another"
++	rxresp
++	expect resp.status == 200
++	expect resp.http.Foo == 1
++	expect resp.http.rxhost == www.example.com
++	expect resp.http.url == /bar
++
++	# 1003
++	txreq -url http://www.example.com/ -hdr "host: another"
++	rxresp
++	expect resp.status == 200
++	expect resp.http.Foo == 1
++	expect resp.http.rxhost == www.example.com
++	expect resp.http.url == /
++
++	# 1005
++	txreq -url http://www.example.com -hdr "host: another"
++	rxresp
++	expect resp.status == 200
++	expect resp.http.Foo == 1
++	expect resp.http.rxhost == www.example.com
++	expect resp.http.url == /
++
++	# 1006
++	txreq -method OPTIONS -url http://www.example.com -hdr "host: another"
++	rxresp
++	expect resp.status == 200
++	expect resp.http.Foo == 1
++	expect resp.http.rxhost == www.example.com
++	expect resp.http.url == *
++
++	# 1008
++	# we do not actually handle CONNECT here
++	txreq -req CONNECT -url example.com:80 -hdr "host: another"
++	rxresp
++	expect resp.status == 200
++	expect resp.http.Foo == 1
++	expect resp.http.rxhost == "another"
++	expect resp.http.url == "example.com:80"
++
++	# 1010
++	txreq -req OPTIONS -url "*" -hdr "host: another"
++	rxresp
++	expect resp.status == 200
++	expect resp.http.Foo == 1
++	expect resp.http.rxhost == "another"
++	expect resp.http.url == "*"
++
++	# https, otherwise like 1005
++	txreq -url https://www.example.com -hdr "host: another"
++	rxresp
++	expect resp.status == 200
++	expect resp.http.Foo == 1
++	expect resp.http.rxhost == www.example.com
++	expect resp.http.url == /
++
++	#
++	txreq -url https://www.example.com?/foo -hdr "host: another"
+ 	rxresp
++	expect resp.status == 200
++	expect resp.http.Foo == 1
+ 	expect resp.http.rxhost == www.example.com
++	expect resp.http.url == /?/foo
++
++	txreq -url http:///bar -hdr "host: another"
++	rxresp
++	expect resp.status == 400
++} -run
++
++client c2 {
++	txreq -url http:// -hdr "host: another"
++	rxresp
++	expect resp.status == 400
+ } -run
++
++client c3 {
++	txreq -method OPTIONS -url http:// -hdr "host: another"
++	rxresp
++	expect resp.status == 400
++} -run
++
++varnish v1 -expect MAIN.http1_absolute_form == 9
++
++logexpect l1001 -wait
++logexpect l1003 -wait
++logexpect l1005 -wait
++logexpect l1006 -wait
++logexpect l1008 -wait
++logexpect l1010 -wait
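Review bot: The r01255.vtc hunk is the end state of the whole VSV18 series rather than the 73dcb85e version: it asserts 400 for `http://` and `http:///bar` (added by 5c016b07) and `/?/foo` (added by 1a907310), so this patch is not self-contained and applied alone would ship a failing test. The header compounds this by embedding the full commit message of 5c016b07 even though that commit is shipped as its own patch file. Suggest stating in the header `r01255.vtc: final upstream version after 5c016b07 and 1a907310`, or moving the vtc into the last patch of the series. The test also relies on `-p vsl_mask=+ReqTarget` and `MAIN.http1_absolute_form`, which presumably do not exist in 7.7 and look like the reason the spec removes the file; saying so here would save the next packager the investigation.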

diff --git a/varnish-8.0_vsv18_e8eccd46.patch b/varnish-8.0_vsv18_e8eccd46.patch
new file mode 100644
index 0000000..0491edc
--- /dev/null
+++ b/varnish-8.0_vsv18_e8eccd46.patch
@@ -0,0 +1,55 @@
+Based on upsteam commit e8eccd46514e4b4f7ee5d970ee08a4e5a59586b8
+
+commit e8eccd46514e4b4f7ee5d970ee08a4e5a59586b8
+Author: Nils Goroll <nils.goroll@uplex.de>
+Date:   Wed Mar 4 10:48:27 2026 +0100
+
+    Enable https_scheme feature by default
+    
+    RFC9110 explicitly names https as "HTTP-related" and RFC9112 states that we MUST
+    convert the host, so not parsing https:// is considered a violation of the
+    standard, which, in turn, should be a deliberate decision.
+    
+    Related to VSV18
+    
+    Conflicts:
+            both modified:   doc/changes.rst
+
+diff --git a/include/tbl/params.h b/include/tbl/params.h
+index c94f771d5..bdb34e085 100644
+--- a/include/tbl/params.h
++++ b/include/tbl/params.h
+@@ -1987,6 +1987,7 @@ PARAM_BITS(
+ 	/* fld */	feature_bits,
+ 	/* def */
+ 	"none,"
++	"+https_scheme,"
+ 	"+validate_headers,"
+ 	"+vcl_req_reset",
+ 	/* descr */
+--- a/bin/varnishtest/tests/r01847.vtc	2026-06-16 17:15:34.491797476 +0200
++++ b/bin/varnishtest/tests/r01847.vtc	2026-06-16 17:20:29.853055662 +0200
+@@ -23,14 +23,9 @@
+ 	rxresp
+ 	expect resp.http.rxhost == www.example.com
+ 	expect resp.http.rxurl == /bar
+-
+-	txreq -url https://www.example.com/bar
+-	rxresp
+-	expect resp.http.rxhost == "${localhost}"
+-	expect resp.http.rxurl == https://www.example.com/bar
+ } -run
+ 
+-varnish v1 -cliok "param.set feature +https_scheme"
++varnish v1 -cliok "param.set feature -https_scheme"
+ 
+ client c1 {
+ 	txreq -url http://www.example.com/bar
+@@ -40,6 +35,5 @@
+ 
+ 	txreq -url https://www.example.com/bar
+ 	rxresp
+-	expect resp.http.rxhost == www.example.com
+-	expect resp.http.rxurl == /bar
++	expect resp.status == 400	
+ } -run
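Review bot: Flipping the default to `"+https_scheme,"` is a user-visible behaviour change on a stable branch — an `https://host/path` request target now has its Host rewritten and the scheme and host stripped from req.url instead of being passed through untouched — and neither the commit log nor the spec changelog mentions it. Suggest a changelog line such as `- https_scheme feature is now enabled by default (upstream VSV00018 hardening)`. The `/* descr */` text that follows the hunk may still describe https_scheme as off by default; that is outside the visible lines and should be confirmed. Minor: the new `expect resp.status == 400` line in r01847.vtc carries a trailing tab.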

diff --git a/varnish-8.0_vsv18_f89df57a.patch b/varnish-8.0_vsv18_f89df57a.patch
new file mode 100644
index 0000000..2d5bee4
--- /dev/null
+++ b/varnish-8.0_vsv18_f89df57a.patch
@@ -0,0 +1,274 @@
+Based on commit f89df57ab8e30ca5c8d04ba27870d473f17bedd4
+
+commit f89df57ab8e30ca5c8d04ba27870d473f17bedd4
+Author: Nils Goroll <nils.goroll@uplex.de>
+Date:   Tue Feb 3 10:33:14 2026 +0100
+
+    Add more defensive req.url checks to builtin.vcl
+    
+    As a defensive measure, we add vcl_req_url, which requires req.url to start with
+    "/" except for
+    
+            * the CONNECT method, where req.url contains hostname:port (for
+              http/1.1) and
+    
+            * the OPTIONS method, where req.url can be "*"
+    
+    Note that, by default, we do not accept CONNECT requests.
+    
+    As with all built-in "hooks", vcl_req_url can be overridden selectively from the
+    custom vcl.
+    
+    As a particular case, this, by default, prevents processing of https:// request
+    targets, unless the https_scheme feature flag is set.
+    
+    Conflict:
+            both modified:   doc/changes.rst
+
+diff -u a/bin/varnishd/builtin.vcl b/bin/varnishd/builtin.vcl
+--- a/bin/varnishd/builtin.vcl	2026-06-16 23:27:52.311584972 +0200
++++ b/bin/varnishd/builtin.vcl	2026-06-16 23:27:56.544046238 +0200
+@@ -41,6 +41,7 @@
+ }
+ 
+ sub vcl_builtin_recv {
++	call vcl_req_url;
+ 	call vcl_req_host;
+ 	call vcl_req_method;
+ 	call vcl_req_authorization;
+@@ -58,6 +59,16 @@
+ 		return (synth(400));
+ 	}
+ }
++
++sub vcl_req_url {
++	if (req.url == "*" && req.method == "OPTIONS") {
++		return;
++	}
++	# NB: we do not allow connect by default (see vcl_req_method)
++	if (req.url !~ "^/" && req.method != "CONNECT") {
++		return (synth(400));
++	}
++}
+ 
+ sub vcl_req_method {
+ 	if (req.method == "PRI") {
+diff --git a/bin/varnishtest/tests/b00026.vtc b/bin/varnishtest/tests/b00026.vtc
+index e12676985..1b0df4c04 100644
+--- a/bin/varnishtest/tests/b00026.vtc
++++ b/bin/varnishtest/tests/b00026.vtc
+@@ -2,13 +2,13 @@ varnishtest "Check the precedence for timeouts"
+ 
+ server s1 {
+ 	rxreq
+-	expect req.url == "from_backend"
++	expect req.url == "/from_backend"
+ 	delay 1
+ 	txresp
+ } -start
+ server s2 {
+ 	rxreq
+-	expect req.url == "from_vcl"
++	expect req.url == "/from_vcl"
+ 	delay 1.5
+ 	txresp
+ } -start
+@@ -26,13 +26,13 @@ varnish v1 -vcl {
+ 	}
+ 
+ 	sub vcl_recv {
+-		if (req.url  == "from_backend") {
++		if (req.url  == "/from_backend") {
+ 			return(pass);
+ 		}
+ 	}
+ 	sub vcl_backend_fetch {
+ 		set bereq.first_byte_timeout = 2s;
+-		if (bereq.url  == "from_backend") {
++		if (bereq.url  == "/from_backend") {
+ 			set bereq.backend = b1;
+ 		} else {
+ 			set bereq.backend = b2;
+@@ -42,10 +42,10 @@ varnish v1 -vcl {
+ varnish v1 -cliok "param.set first_byte_timeout 0.5"
+ 
+ client c1 {
+-	txreq -url "from_backend"
++	txreq -url "/from_backend"
+ 	rxresp
+ 	expect resp.status == 200
+-	txreq -url "from_vcl"
++	txreq -url "/from_vcl"
+ 	rxresp
+ 	expect resp.status == 200
+ } -run
+diff --git a/bin/varnishtest/tests/c00005.vtc b/bin/varnishtest/tests/c00005.vtc
+index 0a6e90517..74f6ed585 100644
+--- a/bin/varnishtest/tests/c00005.vtc
++++ b/bin/varnishtest/tests/c00005.vtc
+@@ -5,7 +5,7 @@ server s1 {
+ 	expect req.url == "/"
+ 	txresp -body "1111\n"
+ 	rxreq
+-	expect req.url == "foo"
++	expect req.url == "/foo"
+ 	txresp -body "2222\n"
+ } -start
+ 
+@@ -40,7 +40,7 @@ varnish v1 -vcl+backend {
+ } -start
+ 
+ client c1 {
+-	txreq -url "foo"
++	txreq -url "/foo"
+ 	rxresp
+ 	expect resp.status == 200
+ 	expect resp.http.acl == acl1
+diff --git a/bin/varnishtest/tests/e00009.vtc b/bin/varnishtest/tests/e00009.vtc
+index e15e56ae7..b40e89c9d 100644
+--- a/bin/varnishtest/tests/e00009.vtc
++++ b/bin/varnishtest/tests/e00009.vtc
+@@ -40,7 +40,7 @@ varnish v1 -expect MAIN.s_resp_bodybytes == 57
+ varnish v1  -cli "param.set feature +esi_disable_xml_check"
+ 
+ client c1 {
+-	txreq -url bar
++	txreq -url /bar
+ 	rxresp
+ 	expect resp.status == 200
+ 	expect resp.bodylen == 22
+diff --git a/bin/varnishtest/tests/e00019.vtc b/bin/varnishtest/tests/e00019.vtc
+index 1fb159ec0..e73286aa1 100644
+--- a/bin/varnishtest/tests/e00019.vtc
++++ b/bin/varnishtest/tests/e00019.vtc
+@@ -34,19 +34,19 @@ server s1 {
+ # Varnish 4
+ server s2 {
+ 	rxreq
+-	expect req.url == "bar/foo"
++	expect req.url == "/foo"
+ 	txresp -body {<INCL>}
+ } -start
+ 
+ varnish v1 -vcl+backend {
+ 	sub vcl_backend_fetch {
+-		if (bereq.url != "bar") {
++		if (bereq.url != "/bar") {
+ 			set bereq.backend = s2;
+ 		}
+ 	}
+ 
+ 	sub vcl_backend_response {
+-		if (bereq.url == "bar") {
++		if (bereq.url == "/bar") {
+ 			set beresp.do_esi = true;
+ 		}
+ 	}
+@@ -67,7 +67,7 @@ logexpect l1 -v v1 -g vxid -q "vxid == 1002" {
+ } -start
+ 
+ client c1 {
+-	txreq  -url bar
++	txreq  -url /bar
+ 	rxresp
+ 	expect resp.status == 200
+ 	expect resp.bodylen == 65856
+diff --git a/bin/varnishtest/tests/r02339.vtc b/bin/varnishtest/tests/r02339.vtc
+index 9ff18632d..e934bf45b 100644
+--- a/bin/varnishtest/tests/r02339.vtc
++++ b/bin/varnishtest/tests/r02339.vtc
+@@ -11,10 +11,10 @@ varnish v1 -vcl+backend {
+ 	import purge;
+ 
+ 	sub vcl_miss {
+-		if (req.url == "miss") { purge.hard(); }
++		if (req.url == "/miss") { purge.hard(); }
+ 	}
+ 	sub vcl_hit {
+-		if (req.url == "hit") { purge.hard(); }
++		if (req.url == "/hit") { purge.hard(); }
+ 	}
+ } -start
+ 
+@@ -39,15 +39,15 @@ logexpect l1 -v v1 {
+ } -start
+ 
+ client c1 {
+-	txreq -url hit
++	txreq -url /hit
+ 	rxresp
+ 	expect resp.status == 200
+ 
+-	txreq -url hit
++	txreq -url /hit
+ 	rxresp
+ 	expect resp.status == 200
+ 
+-	txreq -url miss
++	txreq -url /miss
+ 	rxresp
+ 	expect resp.status == 200
+ } -run
+@@ -59,7 +59,7 @@ varnish v1 -errvcl "Not available in subroutine 'vcl_purge'" {
+ 	import purge;
+ 
+ 	sub vcl_purge {
+-		if (req.url == "purge") { purge.hard(); }
++		if (req.url == "/purge") { purge.hard(); }
+ 	}
+ }
+ 
+@@ -67,7 +67,7 @@ varnish v1 -errvcl "Not available in subroutine 'vcl_pass'" {
+ 	import purge;
+ 
+ 	sub vcl_pass {
+-		if (req.url == "pass") { purge.hard(); }
++		if (req.url == "/pass") { purge.hard(); }
+ 	}
+ }
+ 
+@@ -75,7 +75,7 @@ varnish v1 -errvcl "Not available in subroutine 'vcl_deliver'" {
+ 	import purge;
+ 
+ 	sub vcl_deliver {
+-		if (req.url == "deliver") { purge.hard(); }
++		if (req.url == "/deliver") { purge.hard(); }
+ 	}
+ }
+ 
+@@ -83,7 +83,7 @@ varnish v1 -errvcl "Not available in subroutine 'vcl_synth'" {
+ 	import purge;
+ 
+ 	sub vcl_synth {
+-		if (req.url == "synth") { purge.hard(); }
++		if (req.url == "/synth") { purge.hard(); }
+ 	}
+ }
+ 
+@@ -91,7 +91,7 @@ varnish v1 -errvcl "Not available in subroutine 'vcl_backend_fetch'" {
+ 	import purge;
+ 
+ 	sub vcl_backend_fetch {
+-		if (bereq.url == "fetch") { purge.hard(); }
++		if (bereq.url == "/fetch") { purge.hard(); }
+ 	}
+ }
+ 
+@@ -99,7 +99,7 @@ varnish v1 -errvcl "Not available in subroutine 'vcl_backend_error'" {
+ 	import purge;
+ 
+ 	sub vcl_backend_error {
+-		if (bereq.url == "error") { purge.hard(); }
++		if (bereq.url == "/error") { purge.hard(); }
+ 	}
+ }
+ 
+@@ -107,6 +107,6 @@ varnish v1 -errvcl "Not available in subroutine 'vcl_backend_response'" {
+ 	import purge;
+ 
+ 	sub vcl_backend_response {
+-		if (bereq.url == "response") { purge.hard(); }
++		if (bereq.url == "/response") { purge.hard(); }
+ 	}
+ }
+
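Review bot: The new `vcl_req_url` turns every request target that does not start with `/` (other than `OPTIONS *` and CONNECT) into a synthetic 400, which is a behaviour change for existing deployments that tolerated relaxed targets — the six vtc files in this very patch had to be rewritten for it — yet the spec changelog does not mention it or the override hook. Suggest adding `- builtin.vcl now rejects request targets not starting with "/"; override sub vcl_req_url to relax` to the changelog. The upstream doc/changes.rst part was dropped as a conflict, so the spec is the only place a Fedora user will learn about the new sub.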

diff --git a/varnish-8.0_vsv19_db19a0c6-9985187a.patch b/varnish-8.0_vsv19_db19a0c6-9985187a.patch
new file mode 100644
index 0000000..c4dab84
--- /dev/null
+++ b/varnish-8.0_vsv19_db19a0c6-9985187a.patch
@@ -0,0 +1,120 @@
+Based on upstream patches
+  db19a0c6c6260f18efe441698a55156b41a6dc7f
+  8acf0968c5e19b580b27bdec3367067250ba0c16
+  9985187ac2c21f9a0675a3d23dcc8ddf4c2bf36a
+
+commit db19a0c6c6260f18efe441698a55156b41a6dc7f
+Author: Dridi Boukelmoune <dridi.boukelmoune@gmail.com>
+Date:   Thu Sep 18 17:25:02 2025 +0200
+
+    vdef: Retire Tstrcmp() macro
+
+commit 8acf0968c5e19b580b27bdec3367067250ba0c16
+Author: Dridi Boukelmoune <dridi.boukelmoune@gmail.com>
+Date:   Thu Sep 18 17:23:17 2025 +0200
+
+    http2_hpack: Check pseudo-header names with Tstreq()
+
+commit 9985187ac2c21f9a0675a3d23dcc8ddf4c2bf36a
+Author: Dridi Boukelmoune <dridi.boukelmoune@gmail.com>
+Date:   Wed Jan 22 15:05:08 2025 +0100
+
+    vdef: Test equality between txt and string
+
+diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
+index a90e6fde2..cb40b738f 100644
+--- a/bin/varnishd/http2/cache_http2_hpack.c
++++ b/bin/varnishd/http2/cache_http2_hpack.c
+@@ -171,7 +171,7 @@ h2h_addhdr(struct http *hp, struct h2h_decode *d)
+ 
+ 	/* Match H/2 pseudo headers */
+ 	/* XXX: Should probably have some include tbl for pseudo-headers */
+-	if (!Tstrcmp(nm, ":method")) {
++	if (Tstreq(nm, ":method")) {
+ 		hdr.b = val.b;
+ 		n = HTTP_HDR_METHOD;
+ 		disallow_empty = 1;
+@@ -181,13 +181,13 @@ h2h_addhdr(struct http *hp, struct h2h_decode *d)
+ 			if (!vct_istchar(*p))
+ 				return (H2SE_PROTOCOL_ERROR);
+ 		}
+-	} else if (!Tstrcmp(nm, ":path")) {
++	} else if (Tstreq(nm, ":path")) {
+ 		hdr.b = val.b;
+ 		n = HTTP_HDR_URL;
+ 		disallow_empty = 1;
+ 
+ 		// rfc9113,l,2693,2705
+-		if (Tlen(val) > 0 && val.b[0] != '/' && Tstrcmp(val, "*")) {
++		if (Tlen(val) > 0 && val.b[0] != '/' && !Tstreq(val, "*")) {
+ 			VSLb(hp->vsl, SLT_BogoHeader,
+ 			    "Illegal :path pseudo-header %.*s",
+ 			    (int)Tlen(val), val.b);
+@@ -199,7 +199,7 @@ h2h_addhdr(struct http *hp, struct h2h_decode *d)
+ 			if (vct_islws(*p) || vct_isctl(*p))
+ 				return (H2SE_PROTOCOL_ERROR);
+ 		}
+-	} else if (!Tstrcmp(nm, ":scheme")) {
++	} else if (Tstreq(nm, ":scheme")) {
+ 		/* XXX: What to do about this one? (typically
+ 		   "http" or "https"). For now set it as a normal
+ 		   header, stripping the first ':'. */
+@@ -213,7 +213,7 @@ h2h_addhdr(struct http *hp, struct h2h_decode *d)
+ 			if (!vct_istchar(*p))
+ 				return (H2SE_PROTOCOL_ERROR);
+ 		}
+-	} else if (!Tstrcmp(nm, ":authority")) {
++	} else if (Tstreq(nm, ":authority")) {
+ 		/* NB: we inject "host" in place of "rity" for
+ 		 * the ":authority" pseudo-header.
+ 		 */
+diff --git a/bin/varnishtest/tests/f00019.vtc b/bin/varnishtest/tests/f00019.vtc
+new file mode 100644
+index 000000000..e85fb449c
+--- /dev/null
++++ b/bin/varnishtest/tests/f00019.vtc
+@@ -0,0 +1,31 @@
++vtest "Verify pseudo-header parsing"
++
++varnish v1 -cliok "param.set feature +http2"
++varnish v1 -vcl {
++	backend default none;
++	sub vcl_recv {
++		return (synth(200));
++	}
++} -start
++
++client c1 {
++	stream 1 {
++		txreq -noadd \
++			-hdr ":authority" "foo.com" \
++			-hdr ":path" "/foobar" \
++			-hdr ":scheme" "http" \
++			-hdr ":method" "GET"
++		rxresp
++		expect resp.status == 200
++	} -run
++
++	stream 3 {
++		txreq -noadd \
++			-hdr ":a" "foo.com" \
++			-hdr ":p" "/foobar" \
++			-hdr ":s" "http" \
++			-hdr ":m" "GET"
++		rxrst
++		expect rst.err == PROTOCOL_ERROR
++	} -run
++} -run
+diff -u a/include/vdef.h b/include/vdef.h
+--- a/include/vdef.h	2026-06-16 21:12:28.080660988 +0200
++++ b/include/vdef.h	2026-06-16 21:13:10.391582611 +0200
+@@ -276,7 +276,7 @@
+ #define Tcheck(t)	do { (void)pdiff((t).b, (t).e); } while (0)
+ #define Tlen(t)		(pdiff((t).b, (t).e))
+ #define Tstr(s)		(/*lint -e(446)*/ (txt){(s), (s) + strlen(s)})
+-#define Tstrcmp(t, s)	(strncmp((t).b, (s), Tlen(t)))
++#define Tstreq(t, s)   (Tlen(t) == strlen(s) && !strncmp((t).b, (s), Tlen(t)))
+ #define Tforeach(c, t)	for ((c) = (t).b; (c) < (t).e; (c)++)
+ 
+ /* #3020 dummy definitions until PR is merged*/
+
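Review bot: `Tstreq(t, s)` evaluates `t` three times (twice via `Tlen(t)`) and `s` twice, so an argument with side effects is silently miscomputed; a short note above it, `/* NB: t and s are evaluated more than once */`, or a `static inline` function would make the contract explicit. Style: the new define is padded with spaces (`#define Tstreq(t, s)   (`) where the rest of the table aligns with tabs. The patch retires `Tstrcmp` outright but only converts cache_http2_hpack.c; if any other 7.7 source file still uses `Tstrcmp` the build fails, which is worth confirming with a grep when rebasing.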

diff --git a/varnish.spec b/varnish.spec
index 3634d57..0bfe4e3 100644
--- a/varnish.spec
+++ b/varnish.spec
@@ -31,8 +31,8 @@
 
 Summary: High-performance HTTP accelerator
 Name: varnish
-Version: 7.7.1
-Release: 4%{?dist}
+Version: 7.7.3
+Release: 1%{?dist}
 License: BSD-2-Clause AND (BSD-2-Clause-FreeBSD AND BSD-3-Clause AND LicenseRef-Fedora-Public-Domain AND Zlib)
 URL: https://www.varnish-cache.org/
 Source0: http://varnish-cache.org/_downloads/%{name}-%{version}.tgz
@@ -44,6 +44,15 @@ Source3: https://github.com/jemalloc/jemalloc/releases/download/%{jemalloc_versi
 # https://github.com/varnishcache/varnish-cache/issues/4298
 Patch0:   varnish-7.7.0_fix_4298.patch
 
+# Upstream patches for VSV00018
+Patch1:   varnish-8.0_vsv18_f89df57a.patch
+Patch2:   varnish-8.0_vsv18_73dcb85e.patch
+Patch3:   varnish-8.0_vsv18_5c016b07.patch
+Patch4:   varnish-8.0_vsv18_e8eccd46.patch
+Patch5:   varnish-8.0_vsv18_1a907310.patch
+# Upstream patches for VSV00019
+Patch6:   varnish-8.0_vsv19_db19a0c6-9985187a.patch
+
 %if %{with bundled_jemalloc}
 # bundled jemalloc patch
 Patch100: jemalloc-5.3.0_fno-builtin.patch
@@ -153,12 +162,22 @@ Documentation files for %name
 %prep
 %setup -q
 %patch 0 -p1
+%patch 1 -p1
+%patch 2 -p1
+%patch 3 -p1
+%patch 4 -p1
+%patch 5 -p1
+%patch 6 -p1
+
 tar xzf %SOURCE1
 ln -s pkg-varnish-cache-%{commit1}/redhat redhat
 ln -s pkg-varnish-cache-%{commit1}/debian debian
 cp redhat/find-provides .
 sed -i 's,rst2man-3.6,rst2man-3.4,g; s,rst2html-3.6,rst2html-3.4,g; s,phinx-build-3.6,phinx-build-3.4,g' configure
 
+# Not yet implemented
+rm bin/varnishtest/tests/r01255.vtc
+
 # jemalloc
 %if %{with bundled_jemalloc}
 tar xjf %SOURCE3
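Review bot: `rm bin/varnishtest/tests/r01255.vtc` deletes the one test that exercises the VSV00018 fixes from the build-time test run, and the comment `# Not yet implemented` does not say what is missing. The test, as shipped in Patch2, uses `-p vsl_mask=+ReqTarget` and `MAIN.http1_absolute_form`, which presumably do not exist in 7.7; make the comment say so, e.g. `# r01255.vtc (updated by the VSV18 patches) needs the 8.0-only ReqTarget VSL tag / MAIN.http1_absolute_form counter; drop until backported`. A trimmed copy of the test without those two dependencies would keep the absolute-form handling under test on this branch.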
@@ -223,7 +242,7 @@ export CFLAGS="$CFLAGS -ffloat-store -fexcess-precision=standard"
 %endif
 
 %if 0%{?fedora} > 41 || 0%{?rhel} > 10
-export CFLAGS="$CFLAGS -std=gnu17"
+export CFLAGS="$CFLAGS -std=gnu17 -Wno-error=discarded-qualifiers"
 %endif
 
 %ifarch s390x
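Review bot: `-Wno-error=discarded-qualifiers` downgrades a const-correctness diagnostic for the whole build, not just for whichever backported line triggers it, so a later const violation anywhere in varnishd would compile without notice. If the warning comes from one of the new patches, as seems likely given it arrives in the same commit, the better fix is the cast or declaration in that patch; failing that, a comment naming the source, `# <PATCH-FILE> drops a const qualifier under gnu17; do not widen this exclusion`, keeps the exception traceable.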
@@ -407,7 +426,13 @@ test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc
 
 
 %changelog
-* Fri Jun 31 2025 Luboš Uhliarik <luhliari@redhat.com> - 7.7.1-4
+* Mon Jun 15 2026 Ingvar Hagelund <ingvar@redpill-linpro.com> - 7.7.3-1
+- Update to latest 7.7.x release available, a security release
+- Includes fixes for VSV00017 aka CVE-2025-8671
+- Added patches for for VSV00018 aka CVE-2026-34475
+- Added patches for for VSV00019
+
+* Fri Jul 25 2025 Luboš Uhliarik <luhliari@redhat.com> - 7.7.1-4
 - bundle jemalloc in RHEL
 
 * Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 7.7.1-3
