import varnish-6.0.8-2.module+el8.7.0+17239+94d153bd.1

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
+SOURCES/varnish-6.0.8.tgz

.varnish.metadata

@@ -0,0 +1,2 @@
+db2cd6c296e7f19d65c09e642b7011338d9d0e04 SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
+7c5e50eabcd3c0ddb6c463ba4645678a2f71233a SOURCES/varnish-6.0.8.tgz

SOURCES/varnish-4.0.3_fix_varnish4_selinux.el6.patch

@@ -0,0 +1,17 @@
+diff -Nur ../varnish-4.0.3_pre_selinux/selinux/varnish4.te ./selinux/varnish4.te
+--- ../varnish-4.0.3_pre_selinux/selinux/varnish4.te	1970-01-01 01:00:00.000000000 +0100
++++ ./selinux/varnish4.te	2015-03-06 10:00:00.015151633 +0100
+@@ -0,0 +1,13 @@
++
++module varnish4 1.0;
++
++require {
++	type varnishd_t;
++	class capability { fowner chown fsetid };
++}
++
++#============= varnishd_t ==============
++allow varnishd_t self:capability fowner;
++allow varnishd_t self:capability chown;
++allow varnishd_t self:capability fsetid;
++

SOURCES/varnish-5.1.1.fix_ld_library_path_in_doc_build.patch

@@ -0,0 +1,52 @@
+diff --git a/doc/sphinx/Makefile.in b/doc/sphinx/Makefile.in
+index 0819064..11e4ba2 100644
+--- a/doc/sphinx/Makefile.in
++++ b/doc/sphinx/Makefile.in
+@@ -659,37 +659,47 @@ include/counters.rst: $(top_srcdir)/lib/libvcc/vsctool.py $(COUNTERS)
+ # XXX add varnishstat here when it's been _opt2rst'ed
+ 
+ include/varnishncsa_options.rst: $(top_builddir)/bin/varnishncsa/varnishncsa
++	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
+ 	$(top_builddir)/bin/varnishncsa/varnishncsa --options > ${@}_
+ 	mv ${@}_ ${@}
+ include/varnishncsa_synopsis.rst: $(top_builddir)/bin/varnishncsa/varnishncsa
++	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
+ 	$(top_builddir)/bin/varnishncsa/varnishncsa --synopsis > ${@}_
+ 	mv ${@}_ ${@}
+ 
+ include/varnishlog_options.rst: $(top_builddir)/bin/varnishlog/varnishlog
++	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
+ 	$(top_builddir)/bin/varnishlog/varnishlog --options > ${@}_
+ 	mv ${@}_ ${@}
+ include/varnishlog_synopsis.rst: $(top_builddir)/bin/varnishlog/varnishlog
++	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
+ 	$(top_builddir)/bin/varnishlog/varnishlog --synopsis > ${@}_
+ 	mv ${@}_ ${@}
+ 
+ include/varnishtop_options.rst: $(top_builddir)/bin/varnishtop/varnishtop
++	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
+ 	$(top_builddir)/bin/varnishtop/varnishtop --options > ${@}_
+ 	mv ${@}_ ${@}
+ include/varnishtop_synopsis.rst: $(top_builddir)/bin/varnishtop/varnishtop
++	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
+ 	$(top_builddir)/bin/varnishtop/varnishtop --synopsis > ${@}_
+ 	mv ${@}_ ${@}
+ 
+ include/varnishhist_options.rst: $(top_builddir)/bin/varnishhist/varnishhist
++	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
+ 	$(top_builddir)/bin/varnishhist/varnishhist --options > ${@}_
+ 	mv ${@}_ ${@}
+ include/varnishhist_synopsis.rst: $(top_builddir)/bin/varnishhist/varnishhist
++	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
+ 	$(top_builddir)/bin/varnishhist/varnishhist --synopsis > ${@}_
+ 	mv ${@}_ ${@}
+ 
+ include/varnishstat_options.rst: $(top_builddir)/bin/varnishstat/varnishstat
++	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
+ 	$(top_builddir)/bin/varnishstat/varnishstat --options > ${@}_
+ 	mv ${@}_ ${@}
+ include/varnishstat_synopsis.rst: $(top_builddir)/bin/varnishstat/varnishstat
++	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
+ 	$(top_builddir)/bin/varnishstat/varnishstat --synopsis > ${@}_
+ 	mv ${@}_ ${@}
+ 

SOURCES/varnish-5.1.1.fix_python_version.patch

@@ -0,0 +1,62 @@
+--- configure.orig	2017-03-18 02:53:31.235204299 +0100
++++ configure	2017-03-18 02:54:54.229053852 +0100
+@@ -13545,13 +13545,13 @@
+ 
+         if test -n "$PYTHON"; then
+       # If the user set $PYTHON, use it and don't search something else.
+-      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 2.7" >&5
+-$as_echo_n "checking whether $PYTHON version is >= 2.7... " >&6; }
++      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 2.4" >&5
++$as_echo_n "checking whether $PYTHON version is >= 2.4... " >&6; }
+       prog="import sys
+ # split strings by '.' and convert to numeric.  Append some zeros
+ # because we need at least 4 digits for the hex conversion.
+ # map returns an iterator in Python 3.0 and a list in 2.x
+-minver = list(map(int, '2.7'.split('.'))) + [0, 0, 0]
++minver = list(map(int, '2.4'.split('.'))) + [0, 0, 0]
+ minverhex = 0
+ # xrange is not present in Python 3.0 and range returns an iterator
+ for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
+@@ -13572,8 +13572,8 @@
+     else
+       # Otherwise, try each interpreter until we find one that satisfies
+       # VERSION.
+-      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 2.7" >&5
+-$as_echo_n "checking for a Python interpreter with version >= 2.7... " >&6; }
++      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 2.4" >&5
++$as_echo_n "checking for a Python interpreter with version >= 2.4... " >&6; }
+ if ${am_cv_pathless_PYTHON+:} false; then :
+   $as_echo_n "(cached) " >&6
+ else
+@@ -13584,7 +13584,7 @@
+ # split strings by '.' and convert to numeric.  Append some zeros
+ # because we need at least 4 digits for the hex conversion.
+ # map returns an iterator in Python 3.0 and a list in 2.x
+-minver = list(map(int, '2.7'.split('.'))) + [0, 0, 0]
++minver = list(map(int, '2.4'.split('.'))) + [0, 0, 0]
+ minverhex = 0
+ # xrange is not present in Python 3.0 and range returns an iterator
+ for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
+@@ -13651,7 +13651,7 @@
+ 
+   if test "$PYTHON" = :; then
+ 
+-		as_fn_error $? "Python >= 2.7 is required." "$LINENO" 5
++		as_fn_error $? "Python >= 2.4 is required." "$LINENO" 5
+ 
+   else
+ 
+@@ -13698,11 +13698,11 @@
+     can_use_sysconfig = 0
+ else:
+     can_use_sysconfig = 1
+-# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs:
++# Can't use sysconfig in CPython 2.4, since it's broken in virtualenvs:
+ # <https://github.com/pypa/virtualenv/issues/118>
+ try:
+     from platform import python_implementation
+-    if python_implementation() == 'CPython' and sys.version[:3] == '2.7':
++    if python_implementation() == 'CPython' and sys.version[:3] == '2.4':
+         can_use_sysconfig = 0
+ except ImportError:
+     pass"

SOURCES/varnish-6.0.0.fix_el6_fortify_source.patch

@@ -0,0 +1,20 @@
+--- bin/varnishtest/vtc_process.c.orig	2018-04-26 14:12:29.539178105 +0100
++++ bin/varnishtest/vtc_process.c	2018-04-26 15:27:49.851948252 +0100
+@@ -216,7 +216,7 @@
+ 		vtc_dump(p->vl, 4, "stdout", buf, i);
+ 	else if (p->log == 3)
+ 		vtc_hexdump(p->vl, 4, "stdout", buf, i);
+-	(void)write(p->f_stdout, buf, i);
++	assert(write(p->f_stdout, buf, i) == i);
+ 	Term_Feed(p->term, buf, buf + i);
+ 	return (0);
+ }
+@@ -239,7 +239,7 @@
+ 	p->stderr_bytes += i;
+ 	AZ(pthread_mutex_unlock(&p->mtx));
+ 	vtc_dump(p->vl, 4, "stderr", buf, i);
+-	(void)write(p->f_stderr, buf, i);
++	assert(write(p->f_stdout, buf, i) == i);
+ 	return (0);
+ }
+ 

SOURCES/varnish-6.0.8-CVE-2022-45060.patch

@@ -0,0 +1,85 @@
+diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
+index d432629..b0dacb9 100644
+--- a/bin/varnishd/http2/cache_http2_hpack.c
++++ b/bin/varnishd/http2/cache_http2_hpack.c
+@@ -93,18 +93,25 @@ static h2_error
+ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ {
+ 	/* XXX: This might belong in cache/cache_http.c */
++	const char *b0;
+ 	unsigned n;
++	int disallow_empty;
++	char *p;
++	int i;
+ 
+ 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
+ 	AN(b);
+ 	assert(namelen >= 2);	/* 2 chars from the ': ' that we added */
+ 	assert(namelen <= len);
++	
++	disallow_empty = 0;
+ 
+ 	if (len > UINT_MAX) {	/* XXX: cache_param max header size */
+ 		VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
+ 		return (H2SE_ENHANCE_YOUR_CALM);
+ 	}
+ 
++	b0 = b;
+ 	if (b[0] == ':') {
+ 		/* Match H/2 pseudo headers */
+ 		/* XXX: Should probably have some include tbl for
+@@ -113,10 +120,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 			b += namelen;
+ 			len -= namelen;
+ 			n = HTTP_HDR_METHOD;
++			disallow_empty = 1;
++
++			/* First field cannot contain SP or CTL */
++			for (p = b, i = 0; i < len; p++, i++) {
++				if (vct_issp(*p) || vct_isctl(*p))
++					return (H2SE_PROTOCOL_ERROR);
++			}
+ 		} else if (!strncmp(b, ":path: ", namelen)) {
+ 			b += namelen;
+ 			len -= namelen;
+ 			n = HTTP_HDR_URL;
++			disallow_empty = 1;
++
++			/* Second field cannot contain LWS or CTL */
++			for (p = b, i = 0; i < len; p++, i++) {
++				if (vct_islws(*p) || vct_isctl(*p))
++					return (H2SE_PROTOCOL_ERROR);
++			}
+ 		} else if (!strncmp(b, ":scheme: ", namelen)) {
+ 			/* XXX: What to do about this one? (typically
+ 			   "http" or "https"). For now set it as a normal
+@@ -124,6 +145,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 			b++;
+ 			len-=1;
+ 			n = hp->nhd;
++
++			for (p = b + namelen, i = 0; i < len-namelen;
++			    p++, i++) {
++				if (vct_issp(*p) || vct_isctl(*p))
++					return (H2SE_PROTOCOL_ERROR);
++			}
++
++			if (!i)
++				return (H2SE_PROTOCOL_ERROR);
+ 		} else if (!strncmp(b, ":authority: ", namelen)) {
+ 			b+=6;
+ 			len-=6;
+@@ -160,6 +190,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
+ 	hp->hd[n].b = b;
+ 	hp->hd[n].e = b + len;
+ 
++	if (disallow_empty && !Tlen(hp->hd[n])) {
++		VSLb(hp->vsl, SLT_BogoHeader,
++		    "Empty pseudo-header %.*s",
++		    (int)namelen, b0);
++		return (H2SE_PROTOCOL_ERROR);
++	}
++
+ 	return (0);
+ }
+ 

SOURCES/varnish-6.0.8.CVE-2022-23959.patch

@@ -0,0 +1,13 @@
+diff --git a/bin/varnishd/cache/cache_req_body.c b/bin/varnishd/cache/cache_req_body.c
+index 463b75b..982bd73 100644
+--- a/bin/varnishd/cache/cache_req_body.c
++++ b/bin/varnishd/cache/cache_req_body.c
+@@ -254,6 +254,8 @@ VRB_Ignore(struct req *req)
+ 	if (req->req_body_status == REQ_BODY_WITH_LEN ||
+ 	    req->req_body_status == REQ_BODY_WITHOUT_LEN)
+ 		(void)VRB_Iterate(req, httpq_req_body_discard, NULL);
++	if (req->req_body_status == REQ_BODY_FAIL)
++		req->doclose = SC_RX_BODY;
+ 	return(0);
+ }
+