Bug#991122: unblock: varnish/6.5.2-1
Hi,

On 05-08-2021 20:23, Salvatore Bonaccorso wrote:
> Hi Stig,
>
> On Thu, Jul 29, 2021 at 07:33:39PM +0200, Paul Gevers wrote:
>> Control: tags -1 moreinfo
>>
>> On 20-07-2021 21:46, Stig Sandbeck Mathisen wrote:
>>> On Mon, Jul 19, 2021 at 10:06:37PM +0200, Graham Inggs wrote:
>>>> On Mon, 19 Jul 2021 at 13:00, Stig Sandbeck Mathisen wrote:
>>>>> Attached is the diff. Changes are the upstream bugfix, as well as two
>>>>> commits in the packaging repository:
>>>>
>>>> Thanks. Please go ahead and upload to unstable, then remove the
>>>> moreinfo tag once it has built.
>>>
>>> Hello Graham,
>>>
>>> Thanks, will do.
>>
>> Bug #991348 has been raised due to this upload. What's the proposal out of
>> the current situation?
>
> Though probably too late now for this? (I assume we will face the same
> problem for varnish to be released either via bullseye-security or
> bullseye-pu?)

I think the question is, are the varnish-modules incompatible due to the
CVE fixes, or due to other changes included in the upload.

Paul
Bug#991122: unblock: varnish/6.5.2-1
Hi Stig,

On Thu, Jul 29, 2021 at 07:33:39PM +0200, Paul Gevers wrote:
> Control: tags -1 moreinfo
>
> On 20-07-2021 21:46, Stig Sandbeck Mathisen wrote:
> > On Mon, Jul 19, 2021 at 10:06:37PM +0200, Graham Inggs wrote:
> >> On Mon, 19 Jul 2021 at 13:00, Stig Sandbeck Mathisen wrote:
> >>> Attached is the diff. Changes are the upstream bugfix, as well as two
> >>> commits in the packaging repository:
> >>
> >> Thanks. Please go ahead and upload to unstable, then remove the moreinfo
> >> tag once it has built.
> >
> > Hello Graham,
> >
> > Thanks, will do.
>
> Bug #991348 has been raised due to this upload. What's the proposal out of
> the current situation?

Though probably too late now for this? (I assume we will face the same
problem for varnish to be released either via bullseye-security or
bullseye-pu?)

Regards,
Salvatore
Processed: Re: Bug#991122: unblock: varnish/6.5.2-1
Processing control commands:

> tags -1 moreinfo
Bug #991122 [release.debian.org] unblock: varnish/6.5.2-1
Added tag(s) moreinfo.

--
991122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991122
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#991122: unblock: varnish/6.5.2-1
Control: tags -1 moreinfo

On 20-07-2021 21:46, Stig Sandbeck Mathisen wrote:
> On Mon, Jul 19, 2021 at 10:06:37PM +0200, Graham Inggs wrote:
>> On Mon, 19 Jul 2021 at 13:00, Stig Sandbeck Mathisen wrote:
>>> Attached is the diff. Changes are the upstream bugfix, as well as two
>>> commits in the packaging repository:
>>
>> Thanks. Please go ahead and upload to unstable, then remove the moreinfo tag
>> once it has built.
>
> Hello Graham,
>
> Thanks, will do.

Bug #991348 has been raised due to this upload. What's the proposal out of
the current situation?

Paul
Bug#991122: unblock: varnish/6.5.2-1
On Mon, Jul 19, 2021 at 10:06:37PM +0200, Graham Inggs wrote:
> On Mon, 19 Jul 2021 at 13:00, Stig Sandbeck Mathisen wrote:
> > Attached is the diff. Changes are the upstream bugfix, as well as two
> > commits in the packaging repository:
>
> Thanks. Please go ahead and upload to unstable, then remove the moreinfo tag
> once it has built.

Hello Graham,

Thanks, will do.

--
Stig Sandbeck Mathisen
Bug#991122: unblock: varnish/6.5.2-1
Control: tags -1 + confirmed

Hi Stig

On Mon, 19 Jul 2021 at 13:00, Stig Sandbeck Mathisen wrote:
> Attached is the diff. Changes are the upstream bugfix, as well as two commits
> in the packaging repository:

Thanks. Please go ahead and upload to unstable, then remove the moreinfo tag
once it has built.

Regards
Graham
Bug#991122: unblock: varnish/6.5.2-1
On Sun, Jul 18, 2021 at 10:14:46AM +0200, Graham Inggs wrote:
> Control: tags -1 + moreinfo
>
> Hi Stig
>
> Please attach a filtered debdiff to this bug. Something like:
>
> filterdiff -x '*/build-aux/*' -x '*/doc/html/*'
> varnish-6.5.1-1--6.5.2-1.debdiff >filtered.debdiff
>
> Please also show the command that you end up using, so we can see
> which parts were excluded.

Hello,

I used the command

filterdiff -x '*/build-aux/*' -x '*/doc/html/*' varnish-6.5.1-1--6.5.2-1.debdiff > varnish-6.5.1-1--6.5.2-1.filtered.debdiff

Attached is the diff. Changes are the upstream bugfix, as well as two commits in the packaging repository:

https://salsa.debian.org/varnish-team/varnish/-/commit/b38fddf5fb3a7acf5c88d6a0f9906cb0967f16bb (lint: debian/*.install, paths should not begin with /)

https://salsa.debian.org/varnish-team/varnish/-/commit/46da54a751ae85afae8403fbf8ca360f322c349c (Declare compliance with Debian Policy 4.5.0)

diff -Nru varnish-6.5.1/Makefile.in varnish-6.5.2/Makefile.in --- varnish-6.5.1/Makefile.in 2020-09-25 11:44:45.0 +0200 +++ varnish-6.5.2/Makefile.in 2021-07-02 13:57:15.0 +0200 @@ -207,7 +207,8 @@ $(top_srcdir)/build-aux/ltmain.sh \ $(top_srcdir)/build-aux/missing ChangeLog INSTALL \ build-aux/compile build-aux/config.guess build-aux/config.sub \ - build-aux/install-sh build-aux/ltmain.sh build-aux/missing + build-aux/depcomp build-aux/install-sh build-aux/ltmain.sh \ + build-aux/missing build-aux/ylwrap DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) diff -Nru varnish-6.5.1/bin/varnishd/http2/cache_http2.h varnish-6.5.2/bin/varnishd/http2/cache_http2.h --- varnish-6.5.1/bin/varnishd/http2/cache_http2.h 2020-09-25 11:14:30.0 +0200 +++ varnish-6.5.2/bin/varnishd/http2/cache_http2.h 2021-07-02 13:57:09.0 +0200 
@@ -134,6 +134,8 @@ /* Where to wake this stream up */ struct worker *wrk; + ssize_t reqbody_bytes; + VTAILQ_ENTRY(h2_req)tx_list; h2_errorerror; }; diff -Nru varnish-6.5.1/bin/varnishd/http2/cache_http2_proto.c varnish-6.5.2/bin/varnishd/http2/cache_http2_proto.c --- varnish-6.5.1/bin/varnishd/http2/cache_http2_proto.c2020-09-25 11:14:30.0 +0200 +++ varnish-6.5.2/bin/varnishd/http2/cache_http2_proto.c2021-07-02 13:57:09.0 +0200 @@ -554,6 +554,7 @@ struct req *req, struct h2_req *r2) { h2_error h2e; + ssize_t cl; ASSERT_RXTHR(h2); assert(r2->state == H2_S_OPEN); @@ -574,16 +575,24 @@ // XXX: Have I mentioned H/2 Is hodge-podge ? http_CollectHdrSep(req->http, H_Cookie, "; "); // rfc7540,l,3114,3120 + cl = http_GetContentLength(req->http); + assert(cl >= -2); + if (cl == -2) { + VSLb(h2->vsl, SLT_Debug, "Non-parseable Content-Length"); + return (H2SE_PROTOCOL_ERROR); + } + if (req->req_body_status == NULL) { - if (!http_GetHdr(req->http, H_Content_Length, NULL)) + if (cl == -1) req->req_body_status = BS_EOF; else req->req_body_status = BS_LENGTH; + req->htc->content_length = cl; } else { /* A HEADER frame contained END_STREAM */ assert (req->req_body_status == BS_NONE); r2->state = H2_S_CLOS_REM; - if (http_GetContentLength(req->http) > 0) + if (cl > 0) return (H2CE_PROTOCOL_ERROR); //rfc7540,l,1838,1840 } @@ -737,6 +746,7 @@ int w1 = 0, w2 = 0; char buf[4]; unsigned wi; + ssize_t cl; CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC); ASSERT_RXTHR(h2); 
@@ -755,6 +765,23 @@ Lck_Unlock(>sess->mtx); return (h2->error ? h2->error : r2->error); } + + r2->reqbody_bytes += h2->rxf_len; + if (h2->rxf_flags & H2FF_DATA_END_STREAM) + r2->state = H2_S_CLOS_REM; + cl = r2->req->htc->content_length; + if (cl >= 0 && (r2->reqbody_bytes > cl || + (r2->state >= H2_S_CLOS_REM && r2->reqbody_bytes != cl))) { + VSLb(h2->vsl, SLT_Debug, + "H2: stream %u: Received data and Content-Length" + " mismatch", h2->rxf_stream); + r2->error = H2SE_PROTOCOL_ERROR; // rfc7540,l,3150,3163 + if (r2->cond) + AZ(pthread_cond_signal(r2->cond)); + Lck_Unlock(>sess->mtx); + return (H2SE_PROTOCOL_ERROR); + } + AZ(h2->mailcall); h2->mailcall = r2; h2->req0->r_window -= h2->rxf_len; @@ -773,6 +800,8 @@ r2->r_window += wi; w2 = 1; } + +
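Review bot: In the cache_http2.h hunk (@@ -134,6 +134,8 @@) the new `ssize_t reqbody_bytes;` member has no comment, and nothing visible in this diff initialises it, although the DATA path later does `r2->reqbody_bytes += h2->rxf_len`. Please confirm that struct h2_req is zeroed when the stream is created, or set the field explicitly there, and add a one-line comment saying it counts the request-body bytes received so far on the stream.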
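Review bot: In the cache_http2_proto.c hunk at @@ -574,16 +575,24 @@ the rejection of a non-parseable Content-Length is recorded only through `VSLb(h2->vsl, SLT_Debug, ...)`, and the mismatch message in the DATA hunk uses the same tag. These are the paths that reject malformed requests, so a tag that operators keep in their normal log view would make the rejections usable for detection. The new branch also returns H2SE_PROTOCOL_ERROR while the END_STREAM branch a few lines below returns H2CE_PROTOCOL_ERROR for `cl > 0`; a short comment on why the two cases use different error scopes would help the next reader.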
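Review bot: In the DATA hunk at @@ -755,6 +765,23 @@ the counter is advanced with `r2->reqbody_bytes += h2->rxf_len`, so it is worth confirming whether rxf_len can include the padding of a padded DATA frame; if it can, a valid padded request body would trip the `r2->reqbody_bytes > cl` check. The condition `r2->state >= H2_S_CLOS_REM` also depends on the ordering of the stream-state values; an explicit comparison, or a comment stating that assumption, would make the check more robust against later changes to that enum.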
Bug#991122: unblock: varnish/6.5.2-1
Control: tags -1 + moreinfo

Hi Stig

Please attach a filtered debdiff to this bug. Something like:

filterdiff -x '*/build-aux/*' -x '*/doc/html/*' varnish-6.5.1-1--6.5.2-1.debdiff >filtered.debdiff

Please also show the command that you end up using, so we can see
which parts were excluded.

Regards
Graham