
Bug#1101775: marked as done (bookworm-pu: package varnish/7.1.1-1.1+deb12u1)



Your message dated Sat, 17 May 2025 09:37:58 +0000
with message-id <E1uGDzS-005KK7-V4@coccia.debian.org>
and subject line Close 1101775
has caused the Debian Bug report #1101775,
regarding bookworm-pu: package varnish/7.1.1-1.1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1101775: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101775
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm moreinfo
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: security@debian.org, Varnish Package Maintainers <team+varnish-team@tracker.debian.org>

  * CVE-2025-30346: HTTP/1 client-side desync vulnerability

Tagged moreinfo, as a question to the security team whether they want
this in pu or as a DSA.
diffstat for varnish-7.1.1 varnish-7.1.1

 changelog                                                              |    7 +
 patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch |   53 ++++++++++
 patches/series                                                         |    1 
 3 files changed, 61 insertions(+)

diff -Nru varnish-7.1.1/debian/changelog varnish-7.1.1/debian/changelog
--- varnish-7.1.1/debian/changelog	2023-01-09 23:09:31.000000000 +0200
+++ varnish-7.1.1/debian/changelog	2025-03-31 16:06:56.000000000 +0300
@@ -1,3 +1,10 @@
+varnish (7.1.1-1.1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2025-30346: HTTP/1 client-side desync vulnerability
+
+ -- Adrian Bunk <bunk@debian.org>  Mon, 31 Mar 2025 16:06:56 +0300
+
 varnish (7.1.1-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
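Review bot: the changelog entry names CVE-2025-30346 but not the upstream commit it backports (07c5b24e265b2b852c23ec492fe425b575fd43cb, per the From line of the added patch), so the provenance of the fix is only recoverable by opening the patch file; consider extending the entry, e.g. `* CVE-2025-30346: HTTP/1 client-side desync vulnerability (upstream commit 07c5b24e)`.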
diff -Nru varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch
--- varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch	1970-01-01 02:00:00.000000000 +0200
+++ varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch	2025-03-31 16:06:35.000000000 +0300
@@ -0,0 +1,53 @@
+From 07c5b24e265b2b852c23ec492fe425b575fd43cb Mon Sep 17 00:00:00 2001
+From: Dag Haavi Finstad <daghf@varnish-software.com>
+Date: Fri, 10 Jan 2025 13:07:54 +0100
+Subject: req_fsm: Close the connection on a malformed request
+
+---
+ bin/varnishd/cache/cache_req_fsm.c | 2 ++
+ bin/varnishtest/tests/b00037.vtc   | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/bin/varnishd/cache/cache_req_fsm.c b/bin/varnishd/cache/cache_req_fsm.c
+index 81217159f..a0b344960 100644
+--- a/bin/varnishd/cache/cache_req_fsm.c
++++ b/bin/varnishd/cache/cache_req_fsm.c
+@@ -940,6 +940,7 @@ cnt_recv(struct worker *wrk, struct req *req)
+ 	if (http_CountHdr(req->http0, H_Host) > 1) {
+ 		VSLb(req->vsl, SLT_BogoHeader, "Multiple Host: headers");
+ 		wrk->stats->client_req_400++;
++		req->doclose = SC_RX_BAD;
+ 		(void)req->transport->minimal_response(req, 400);
+ 		return (REQ_FSM_DONE);
+ 	}
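Review bot: the commit message is a bare Subject line with an empty body, so nothing in the patch itself says why `req->doclose = SC_RX_BAD` is now set before the 400 is written, nor that answering 400 while keeping the connection open lets the bytes following the rejected header block be parsed as the next request. A one-line body stating that, with the CVE reference, would make the security intent of the backport clear to anyone reading it in debian/patches.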
+@@ -947,6 +948,7 @@ cnt_recv(struct worker *wrk, struct req *req)
+ 	if (http_CountHdr(req->http0, H_Content_Length) > 1) {
+ 		VSLb(req->vsl, SLT_BogoHeader, "Multiple Content-Length: headers");
+ 		wrk->stats->client_req_400++;
++		req->doclose = SC_RX_BAD;
+ 		(void)req->transport->minimal_response(req, 400);
+ 		return (REQ_FSM_DONE);
+ 	}
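Review bot: this is the second copy of the same four-line rejection sequence (`VSLb(... SLT_BogoHeader ...)`, `client_req_400++`, `req->doclose = SC_RX_BAD`, `minimal_response(req, 400)`); a further 400 path added to cnt_recv later could easily omit the doclose line again, which is exactly the omission being fixed here. A small static helper taking the log message would keep the counter and the close reason together.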
+diff --git a/bin/varnishtest/tests/b00037.vtc b/bin/varnishtest/tests/b00037.vtc
+index 63d8014dc..cb758cdbd 100644
+--- a/bin/varnishtest/tests/b00037.vtc
++++ b/bin/varnishtest/tests/b00037.vtc
+@@ -11,6 +11,7 @@ client c1 {
+ 
+ varnish v1 -vsl_catchup
+ varnish v1 -expect client_req_400 == 1
++varnish v1 -expect sc_rx_bad == 1
+ 
+ client c1 {
+ 	txreq -method POST -hdr "Content-Length: 12" -bodylen 12
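Review bot: the added expectation checks only the `sc_rx_bad` counter; nothing verifies that the client actually observes the connection being closed after the 400, which is the behaviour that matters for the desync. An `expect_close` in the client block after the response is received would test the connection state directly rather than the statistic.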
+@@ -20,6 +21,7 @@ client c1 {
+ 
+ varnish v1 -vsl_catchup
+ varnish v1 -expect client_req_400 == 2
++varnish v1 -expect sc_rx_bad == 2
+ 
+ varnish v1 -cliok "param.set feature +http2"
+ 
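Review bot: the counter expectations stop at the point where the test switches on HTTP/2 (`param.set feature +http2`), so the h2 half of the same test gets no `sc_rx_bad` assertion. Since the doclose assignment lives in cnt_recv, which runs for both transports, either add the corresponding expectation for the h2 client or record in the test why the close reason is not expected to be counted there.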
+-- 
+2.30.2
+
diff -Nru varnish-7.1.1/debian/patches/series varnish-7.1.1/debian/patches/series
--- varnish-7.1.1/debian/patches/series	2023-01-09 23:06:58.000000000 +0200
+++ varnish-7.1.1/debian/patches/series	2025-03-31 16:06:56.000000000 +0300
@@ -1,2 +1,3 @@
 Add-all-well-known-headers-to-the-perfect-hash-looku.patch
 hpack-fix-pseudo-headers-handling.patch
+0001-req_fsm-Close-the-connection-on-a-malformed-request.patch
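Review bot: the new entry keeps the git-format-patch `0001-` prefix while the two existing entries in series are named without a number; for consistency with the existing files, drop the prefix when adding the patch.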

--- End Message ---
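The patch above only sets a close reason, so the desync it prevents is easy to miss. Below is an added toy model (not Varnish code, not part of the Debian package or this bug report) of what the change does to one keep-alive connection: a server loop that rejects a request with two Content-Length or two Host headers with a 400 and either keeps the connection open, as before the patch, or closes it, which is what `req->doclose = SC_RX_BAD` achieves in the real code. All function names, the byte stream and the `cache.example` host are constructed for the illustration.

```python
"""Toy model of the HTTP/1 client-side desync closed by the patch above.

Added illustration, not Varnish or Debian package code.  A keep-alive
server parses requests off one connection and answers a request carrying
two Content-Length (or two Host) headers with a 400.  With
close_on_400=False (pre-patch behaviour) the bytes after the rejected
header block stay in the receive buffer and are parsed as the next
request; with close_on_400=True (the effect of req->doclose = SC_RX_BAD)
they are discarded together with the connection.
"""


def parse_request(buf):
    """Return (method, target, headers, header_block_len) for the first
    request in buf, or None if no complete header block is present."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = buf[:end].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, _version = parts
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers, end + 4


def count_header(headers, name):
    return sum(1 for n, _ in headers if n == name)


def body_length(headers):
    """Declared body length, or None when it is ambiguous (duplicate CL)."""
    values = [v for n, v in headers if n == "content-length"]
    if len(values) > 1:
        return None
    return int(values[0]) if values else 0


def serve_connection(stream, close_on_400):
    """Walk one connection's bytes as a keep-alive HTTP/1 server would and
    return the (status, target) pairs written back, in order."""
    responses = []
    pos = 0
    while True:
        parsed = parse_request(stream[pos:])
        if parsed is None:
            break
        _method, target, headers, hdr_len = parsed
        length = body_length(headers)
        if count_header(headers, "host") > 1 or length is None:
            responses.append((400, target))
            if close_on_400:
                break          # SC_RX_BAD: leftover bytes die with the connection
            pos += hdr_len     # body length unknown: only the header block is consumed
            continue
        responses.append((200, target))
        pos += hdr_len + length
    return responses


# Constructed sample connection (hypothetical host): a request with a
# duplicate Content-Length whose body is itself a complete request,
# followed by a legitimate request from the same client.
SMUGGLED = b"GET /victim HTTP/1.1\r\nHost: cache.example\r\n\r\n"
MALFORMED = (b"POST /upload HTTP/1.1\r\n"
             b"Host: cache.example\r\n"
             b"Content-Length: %d\r\n"
             b"Content-Length: %d\r\n"
             b"\r\n" % (len(SMUGGLED), len(SMUGGLED))) + SMUGGLED
NEXT = b"GET /index.html HTTP/1.1\r\nHost: cache.example\r\n\r\n"
STREAM = MALFORMED + NEXT
CLIENT_SENT = ["/upload", "/index.html"]   # what the client believes it requested


def unexpected_targets(stream, close_on_400):
    """Targets the server acted on that the client never sent as a request
    of its own; any hit means the connection's responses are desynced."""
    return [t for _, t in serve_connection(stream, close_on_400)
            if t not in CLIENT_SENT]


if __name__ == "__main__":
    for mode in (False, True):
        print("close_on_400=%s -> %s" % (mode, serve_connection(STREAM, mode)))
```

In the pre-patch mode the connection carries three responses for two client requests, and the response the client matches to /index.html is really the one for /victim; with the close, the 400 is the last thing on the connection and the remaining bytes are never interpreted.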
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
