Salvatore Bonaccorso <car...@debian.org> writes: > Thanks! Could you please upload them to security-master (needs to be > built with -sa as it's the first upload for varnish for both > squeeze-security and wheezy-security).
It will be done. > Btw, I would have prefered for review if the patch could be applied > separately via debian/patches/series (I think also Stable Release > Managers would prefer that way when it will hit pu-NEW ;-)). > > The debdiff for squeeze-security does not apply cleanly here on top of > 2.1.3-8, due to same changes removed as added; but the diff part for > #728989 for debian-changes-2.1.3-8+deb6u1 looks good. Handling upstream changes in git, either directly on the packaging branch or as a patch branch used by debian/source/git-changes, helps keep this package maintainer sane. However, I see that it makes the package much harder to review when looking at debdiffs to verify changes. Is there anything else I can do to help review changes, when uploading new changes to *-security? For example: * Adding links to the packaging repository: Packaging changes for the 2.1.3-8+deb6u1 release in the repository is: http://anonscm.debian.org/gitweb/?p=pkg-varnish/pkg-varnish.git;a=patch;h=c610c398ee802cf83a2bd7bcd91ac3614b3a08b3;hp=2660cfd2b8871766545e8dc6b5676e352dadf94b (or, with HTML markup) http://anonscm.debian.org/gitweb/?p=pkg-varnish/pkg-varnish.git;a=commitdiff;h=c610c398ee802cf83a2bd7bcd91ac3614b3a08b3;hp=2660cfd2b8871766545e8dc6b5676e352dadf94b * Attaching the output of tag differences from the packaging repository: "git log -p debian/2.1.3-8...debian/2.1.3-8+deb6u1" as a patch instead of, or in addition to, the .dsc debdiff (example patch attached)?
commit c610c398ee802cf83a2bd7bcd91ac3614b3a08b3
Author: Stig Sandbeck Mathisen <s...@debian.org>
Date: Mon Dec 9 01:11:13 2013 +0100
releasing package varnish version 2.1.3-8+deb6u1
diff --git a/debian/changelog b/debian/changelog
index 7f8e103..24348a6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+varnish (2.1.3-8+deb6u1) squeeze-security; urgency=high
+
+ [ Salvatore Bonaccorso ]
+ * Backport upstream security patch.
+ A malformed request could in some configurations lead to Varnish
+ crashing. CVE-2013-4484 (Closes: #728989)
+
+ -- Stig Sandbeck Mathisen <s...@debian.org> Mon, 09 Dec 2013 01:19:45 +0100
+
varnish (2.1.3-8) unstable; urgency=high
* Fix random secret creation on non-Linux kernels (Closes: #596373)
commit 5455860bcb2d945c44a43c98026ec2ec77e9b29e
Author: Salvatore Bonaccorso <car...@debian.org>
Date: Wed Oct 30 13:48:20 2013 +0100
Import upstream security patch
A malformed request could in some configurations lead to Varnish
crashing. CVE-2013-4484
Git-Dch: Full
Closes: #728989
diff --git a/bin/varnishd/cache_center.c b/bin/varnishd/cache_center.c
index 3100c42..4407a01 100644
--- a/bin/varnishd/cache_center.c
+++ b/bin/varnishd/cache_center.c
@@ -1096,9 +1096,11 @@ DOT start -> recv [style=bold,color=green,weight=4]
static int
cnt_start(struct sess *sp)
{
- int done;
+ uint16_t err_code;
char *p;
- const char *r = "HTTP/1.1 100 Continue\r\n\r\n";
+ const char *r_100 = "HTTP/1.1 100 Continue\r\n\r\n";
+ const char *r_400 = "HTTP/1.1 400 Bad Request\r\n\r\n";
+ const char *r_417 = "HTTP/1.1 417 Expectation Failed\r\n\r\n";
CHECK_OBJ_NOTNULL(sp, SESS_MAGIC);
AZ(sp->restarts);
@@ -1121,10 +1123,12 @@ cnt_start(struct sess *sp)
sp->wrk->vcl = NULL;
http_Setup(sp->http, sp->ws);
- done = http_DissectRequest(sp);
+ err_code = http_DissectRequest(sp);
/* If we could not even parse the request, just close */
- if (done < 0) {
+ if (err_code == 400)
+ (void)write(sp->fd, r_400, strlen(r_400));
+ if (err_code != 0) {
sp->step = STP_DONE;
vca_close_session(sp, "junk");
return (0);
@@ -1136,12 +1140,6 @@ cnt_start(struct sess *sp)
/* Catch original request, before modification */
HTTP_Copy(sp->http0, sp->http);
- if (done != 0) {
- sp->err_code = done;
- sp->step = STP_ERROR;
- return (0);
- }
-
sp->doclose = http_DoConnection(sp->http);
/* XXX: Handle TRACE & OPTIONS of Max-Forwards = 0 */
@@ -1151,13 +1149,14 @@ cnt_start(struct sess *sp)
*/
if (http_GetHdr(sp->http, H_Expect, &p)) {
if (strcasecmp(p, "100-continue")) {
- sp->err_code = 417;
- sp->step = STP_ERROR;
+ (void)write(sp->fd, r_417, strlen(r_417));
+ sp->step = STP_DONE;
+ vca_close_session(sp, "junk");
return (0);
}
/* XXX: Don't bother with write failures for now */
- (void)write(sp->fd, r, strlen(r));
+ (void)write(sp->fd, r_100, strlen(r_100));
/* XXX: When we do ESI includes, this is not removed
* XXX: because we use http0 as our basis. Believed
* XXX: safe, but potentially confusing.
diff --git a/bin/varnishtest/tests/r01367.vtc b/bin/varnishtest/tests/r01367.vtc
new file mode 100644
index 0000000..c576e0b
--- /dev/null
+++ b/bin/varnishtest/tests/r01367.vtc
@@ -0,0 +1,30 @@
+test "blank GET"
+
+server s1 {
+ rxreq
+ txresp
+} -start
+
+varnish v1 -vcl+backend {
+ sub vcl_error {
+ return (restart);
+ }
+} -start
+
+client c1 {
+ send "GET \nHost: example.com\n\n"
+ rxresp
+ expect resp.status == 400
+} -run
+
+client c1 {
+ txreq -hdr "Expect: Santa-Claus"
+ rxresp
+ expect resp.status == 417
+} -run
+
+client c1 {
+ txreq
+ rxresp
+ expect resp.status == 200
+} -run
-- Stig Sandbeck Mathisen
signature.asc
Description: PGP signature
