Version in base suite: 6.5.1-1
Base version: varnish_6.5.1-1
Target version: varnish_6.5.1-1+deb11u2
Base file: /srv/ftp-master.debian.org/ftp/pool/main/v/varnish/varnish_6.5.1-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/v/varnish/varnish_6.5.1-1+deb11u2.dsc
changelog | 14 ++++
patches/debian-changes | 151 +++++++++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 166 insertions(+)
diff -Nru varnish-6.5.1/debian/changelog varnish-6.5.1/debian/changelog
--- varnish-6.5.1/debian/changelog 2020-09-29 21:21:31.000000000 +0000
+++ varnish-6.5.1/debian/changelog 2022-02-13 13:45:59.000000000 +0000
@@ -1,3 +1,17 @@
+varnish (6.5.1-1+deb11u2) bullseye-security; urgency=medium
+
+ * Apply upstream patch to fix: VSV00008 Varnish HTTP/1 Request Smuggling
+ Vulnerability (CVE-2022-23959). (Closes: #1004433)
+
+ -- Florian Weimer Sun, 13 Feb 2022 14:45:59 +0100
+
+varnish (6.5.1-1+deb11u1) bullseye-security; urgency=medium
+
+ * Apply upstream patches to fix VSV00007: Varnish HTTP/2 Request
+ Smuggling Attack (CVE-2021-36740). (Closes: #991040)
+
+ -- Florian Weimer Sun, 26 Dec 2021 18:49:24 +0100
+ + varnish (6.5.1-1) unstable; urgency=medium * New upstream release.
diff -Nru varnish-6.5.1/debian/patches/debian-changes varnish-6.5.1/debian/patches/debian-changes
--- varnish-6.5.1/debian/patches/debian-changes 1970-01-01 00:00:00.000000000 +0000
+++ varnish-6.5.1/debian/patches/debian-changes 2022-02-13 13:45:59.000000000 +0000
@@ -0,0 +1,151 @@
+The Debian packaging of varnish is maintained in git, using the merging
+workflow described in dgit-maint-merge(7). There isn't a patch queue
+that can be represented as a quilt series.
+
+A detailed breakdown of the changes is available from their canonical
+representation - git commits in the packaging repository. For example,
+to see the changes made by the Debian maintainer in the first upload
+of upstream version 1.2.3, you could use:
+
+ % git clone https://git.dgit.debian.org/varnish
+ % cd varnish
+ % git log --oneline 1.2.3..debian/1.2.3-1 -- . ':!debian'
+
+(If you have dgit, use `dgit clone varnish`, rather than plain `git
+clone`.)
+
+A single combined diff, containing all the changes, follows.
+--- varnish-6.5.1.orig/bin/varnishd/cache/cache_req_body.c
++++ varnish-6.5.1/bin/varnishd/cache/cache_req_body.c
+@@ -252,6 +252,8 @@ VRB_Ignore(struct req *req)
+ if (req->req_body_status->avail > 0)
+ (void)VRB_Iterate(req->wrk, req->vsl, req,
+ httpq_req_body_discard, NULL);
++ if (req->req_body_status == BS_ERROR)
++ req->doclose = SC_RX_BODY;
+ return (0);
+ }
+
+--- varnish-6.5.1.orig/bin/varnishd/http2/cache_http2.h
++++ varnish-6.5.1/bin/varnishd/http2/cache_http2.h
+@@ -134,6 +134,8 @@ struct h2_req {
+ /* Where to wake this stream up */
+ struct worker *wrk;
+
++ ssize_t reqbody_bytes;
++
+ VTAILQ_ENTRY(h2_req) tx_list;
+ h2_error error;
+ };
+--- varnish-6.5.1.orig/bin/varnishd/http2/cache_http2_proto.c
++++ varnish-6.5.1/bin/varnishd/http2/cache_http2_proto.c
+@@ -554,6 +554,7 @@ h2_end_headers(struct worker *wrk, struc
+ struct req *req, struct h2_req *r2)
+ {
+ h2_error h2e;
++ ssize_t cl;
+
+ ASSERT_RXTHR(h2);
+ assert(r2->state == H2_S_OPEN);
+@@ -574,16 +575,24 @@ h2_end_headers(struct worker *wrk, struc
+ // XXX: Have I mentioned H/2 Is hodge-podge ?
+ http_CollectHdrSep(req->http, H_Cookie, "; "); // rfc7540,l,3114,3120
+
++ cl = http_GetContentLength(req->http);
++ assert(cl >= -2);
++ if (cl == -2) {
++ VSLb(h2->vsl, SLT_Debug, "Non-parseable Content-Length");
++ return (H2SE_PROTOCOL_ERROR);
++ }
++
+ if (req->req_body_status == NULL) {
+- if (!http_GetHdr(req->http, H_Content_Length, NULL))
++ if (cl == -1)
+ req->req_body_status = BS_EOF;
+ else
+ req->req_body_status = BS_LENGTH;
++ req->htc->content_length = cl;
+ } else {
+ /* A HEADER frame contained END_STREAM */
+ assert (req->req_body_status == BS_NONE);
+ r2->state = H2_S_CLOS_REM;
+- if (http_GetContentLength(req->http) > 0)
++ if (cl > 0)
+ return (H2CE_PROTOCOL_ERROR); //rfc7540,l,1838,1840
+ }
+
+@@ -737,6 +746,7 @@ h2_rx_data(struct worker *wrk, struct h2
+ int w1 = 0, w2 = 0;
+ char buf[4];
+ unsigned wi;
++ ssize_t cl;
+
+ CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
+ ASSERT_RXTHR(h2);
+@@ -755,6 +765,23 @@ h2_rx_data(struct worker *wrk, struct h2
+ Lck_Unlock(&h2->sess->mtx);
+ return (h2->error ? h2->error : r2->error);
+ }
++
++ r2->reqbody_bytes += h2->rxf_len;
++ if (h2->rxf_flags & H2FF_DATA_END_STREAM)
++ r2->state = H2_S_CLOS_REM;
++ cl = r2->req->htc->content_length;
++ if (cl >= 0 && (r2->reqbody_bytes > cl ||
++ (r2->state >= H2_S_CLOS_REM && r2->reqbody_bytes != cl))) {
++ VSLb(h2->vsl, SLT_Debug,
++ "H2: stream %u: Received data and Content-Length"
++ " mismatch", h2->rxf_stream);
++ r2->error = H2SE_PROTOCOL_ERROR; // rfc7540,l,3150,3163
++ if (r2->cond)
++ AZ(pthread_cond_signal(r2->cond));
++ Lck_Unlock(&h2->sess->mtx);
++ return (H2SE_PROTOCOL_ERROR);
++ }
++
+ AZ(h2->mailcall);
+ h2->mailcall = r2;
+ h2->req0->r_window -= h2->rxf_len;
+@@ -773,6 +800,8 @@ h2_rx_data(struct worker *wrk, struct h2
+ r2->r_window += wi;
+ w2 = 1;
+ }
++
++
+ Lck_Unlock(&h2->sess->mtx);
+
+ if (w1 || w2) {
+@@ -795,7 +824,7 @@ h2_vfp_body(struct vfp_ctx *vc, struct v
+ struct h2_req *r2;
+ struct h2_sess *h2;
+ unsigned l;
+- enum vfp_status retval = VFP_OK;
++ enum vfp_status retval;
+
+ CHECK_OBJ_NOTNULL(vc, VFP_CTX_MAGIC);
+ CHECK_OBJ_NOTNULL(vfe, VFP_ENTRY_MAGIC);
+@@ -808,7 +837,6 @@ h2_vfp_body(struct vfp_ctx *vc, struct v
+ *lp = 0;
+
+ Lck_Lock(&h2->sess->mtx);
+- assert (r2->state == H2_S_OPEN);
+ r2->cond = &vc->wrk->cond;
+ while (h2->mailcall != r2 && h2->error == 0 && r2->error == 0)
+ AZ(Lck_CondWait(r2->cond, &h2->sess->mtx, 0));
+@@ -831,12 +859,10 @@ h2_vfp_body(struct vfp_ctx *vc, struct v
+ Lck_Unlock(&h2->sess->mtx);
+ return (VFP_OK);
+ }
+- if (h2->rxf_len == 0) {
+- if (h2->rxf_flags & H2FF_DATA_END_STREAM) {
+- retval = VFP_END;
+- r2->state = H2_S_CLOS_REM;
+- }
+- }
++ if (h2->rxf_len == 0 && r2->state >= H2_S_CLOS_REM)
++ retval = VFP_END;
++ else
++ retval = VFP_OK;
+ h2->mailcall = NULL;
+ AZ(pthread_cond_signal(h2->cond));
+ }
diff -Nru varnish-6.5.1/debian/patches/series varnish-6.5.1/debian/patches/series
--- varnish-6.5.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ varnish-6.5.1/debian/patches/series 2021-12-26
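Review bot: `r2->reqbody_bytes += h2->rxf_len;` in the `@@ -755,6 +765,23 @@` hunk of cache_http2_proto.c runs on every DATA frame but the total is only compared when `cl >= 0`, so for a request with no Content-Length (the `cl == -1` / `BS_EOF` case set up in `h2_end_headers`) the `ssize_t` counter grows without bound and, on a target where `ssize_t` is 32 bits, a body larger than 2 GiB overflows signed arithmetic instead of failing cleanly; reading `cl` first and guarding the update with `if (cl >= 0) r2->reqbody_bytes += h2->rxf_len;` would keep the counter well-defined. The new `reqbody_bytes` member added to cache_http2.h is not initialised anywhere in this patch, which is correct only if `struct h2_req` is allocated zero-filled — that allocation is outside the hunk, so it should be confirmed. The `@@ -773,6 +800,8 @@` hunk adds nothing but two blank lines before `Lck_Unlock`, which looks like stray whitespace carried over from upstream. The prose header of debian-changes also never names the advisories or bugs the combined diff carries; a DEP-3 block such as `Origin: upstream`, `Bug-Debian: https://bugs.debian.org/991040` and `Bug-Debian: https://bugs.debian.org/1004433` above the first `---` line would tie the patch to VSV00007/CVE-2021-36740 and VSV00008/CVE-2022-23959 the way the changelog entries do.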
18:14:42.000000000 +0000
@@ -0,0 +1 @@
+debian-changes