Version in base suite: 7.1.1-1.1 Base version: varnish_7.1.1-1.1 Target version: varnish_7.1.1-1.1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/v/varnish/varnish_7.1.1-1.1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/v/varnish/varnish_7.1.1-1.1+deb12u1.dsc changelog | 7 + patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch | 53 ++++++++++ patches/series | 1 3 files changed, 61 insertions(+)
diff -Nru varnish-7.1.1/debian/changelog varnish-7.1.1/debian/changelog
--- varnish-7.1.1/debian/changelog 2023-01-09 21:09:31.000000000 +0000
+++ varnish-7.1.1/debian/changelog 2025-03-31 13:06:56.000000000 +0000
@@ -1,3 +1,10 @@
+varnish (7.1.1-1.1+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2025-30346: HTTP/1 client-side desync vulnerability
+
+ -- Adrian Bunk Mon, 31 Mar 2025 16:06:56 +0300
+
 varnish (7.1.1-1.1) unstable; urgency=medium
 * Non-maintainer upload.
diff -Nru varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch
--- varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch 1970-01-01 00:00:00.000000000 +0000
+++ varnish-7.1.1/debian/patches/0001-req_fsm-Close-the-connection-on-a-malformed-request.patch 2025-03-31 13:06:35.000000000 +0000
@@ -0,0 +1,53 @@
+From 07c5b24e265b2b852c23ec492fe425b575fd43cb Mon Sep 17 00:00:00 2001
+From: Dag Haavi Finstad
+Date: Fri, 10 Jan 2025 13:07:54 +0100
+Subject: req_fsm: Close the connection on a malformed request
+
+---
+ bin/varnishd/cache/cache_req_fsm.c | 2 ++
+ bin/varnishtest/tests/b00037.vtc | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/bin/varnishd/cache/cache_req_fsm.c b/bin/varnishd/cache/cache_req_fsm.c
+index 81217159f..a0b344960 100644
+--- a/bin/varnishd/cache/cache_req_fsm.c
++++ b/bin/varnishd/cache/cache_req_fsm.c
+@@ -940,6 +940,7 @@ cnt_recv(struct worker *wrk, struct req *req)
+ if (http_CountHdr(req->http0, H_Host) > 1) {
+ VSLb(req->vsl, SLT_BogoHeader, "Multiple Host: headers");
+ wrk->stats->client_req_400++;
++ req->doclose = SC_RX_BAD;
+ (void)req->transport->minimal_response(req, 400);
+ return (REQ_FSM_DONE);
+ }
+@@ -947,6 +948,7 @@ cnt_recv(struct worker *wrk, struct req *req)
+ if (http_CountHdr(req->http0, H_Content_Length) > 1) {
+ VSLb(req->vsl, SLT_BogoHeader, "Multiple Content-Length: headers");
+ wrk->stats->client_req_400++;
++ req->doclose = SC_RX_BAD;
+ (void)req->transport->minimal_response(req, 400);
+ return (REQ_FSM_DONE);
+ }
+diff --git a/bin/varnishtest/tests/b00037.vtc b/bin/varnishtest/tests/b00037.vtc
+index 63d8014dc..cb758cdbd 100644
+--- a/bin/varnishtest/tests/b00037.vtc
++++ b/bin/varnishtest/tests/b00037.vtc
+@@ -11,6 +11,7 @@ client c1 {
+
+ varnish v1 -vsl_catchup
+ varnish v1 -expect client_req_400 == 1
++varnish v1 -expect sc_rx_bad == 1
+
+ client c1 {
+ txreq -method POST -hdr "Content-Length: 12" -bodylen 12
+@@ -20,6 +21,7 @@ client c1 {
+
+ varnish v1 -vsl_catchup
+ varnish v1 -expect client_req_400 == 2
++varnish v1 -expect sc_rx_bad == 2
+
+ varnish v1 -cliok "param.set feature +http2"
+
+--
+2.30.2
+
diff -Nru varnish-7.1.1/debian/patches/series varnish-7.1.1/debian/patches/series
--- varnish-7.1.1/debian/patches/series 2023-01-09 21:06:58.000000000 +0000
+++ 
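Review bot: The two added `req->doclose = SC_RX_BAD;` lines make the session close after the 400, but the accompanying b00037.vtc change only asserts the `sc_rx_bad` counter and never verifies from the client side that the connection is actually torn down, which is the property the desync fix rests on; adding `expect_close` to each `client c1` block after the response to the malformed request is received (that line is outside the hunk) would pin it. Only the "Multiple Host" and "Multiple Content-Length" paths are touched; any other early-400 return in cnt_recv or the HTTP/1 request parser that calls `minimal_response` without setting `doclose` would presumably leave the same exposure, where the unread request body is parsed as the start of the next request, and is worth an audit that this hunk alone cannot settle. A why-comment above each assignment, `/* Do not keep the connection alive: the unread body would otherwise be parsed as the next request (CVE-2025-30346) */`, would keep the close from being removed later as an apparent redundancy next to the 400. cnt_recv's body starts and ends outside the hunk.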
varnish-7.1.1/debian/patches/series 2025-03-31 13:06:56.000000000 +0000
@@ -1,2 +1,3 @@
 Add-all-well-known-headers-to-the-perfect-hash-looku.patch
 hpack-fix-pseudo-headers-handling.patch
+0001-req_fsm-Close-the-connection-on-a-malformed-request.patch