11 changed files with 371 additions and 2083 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/pkg-varnish-cache-ec7ad9e.tar.gz
+SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
-SOURCES/varnish-6.6.2.tgz
+SOURCES/varnish-6.0.13.tgz
--- a/.varnish.metadata
+++ b/.varnish.metadata
@ -1,2 +1,2 @@
-d15a2afe52d546c45b46875b656ec3542c69e2f2 SOURCES/pkg-varnish-cache-ec7ad9e.tar.gz
+db2cd6c296e7f19d65c09e642b7011338d9d0e04 SOURCES/pkg-varnish-cache-0ad2f22.tar.gz
-d2423c88186f5d409c72870199c8b46d489fdb48 SOURCES/varnish-6.6.2.tgz
+614d305e69b01255347f33000f76ed6a4fa3c3f7 SOURCES/varnish-6.0.13.tgz
--- a/SOURCES/varnish-4.0.3_fix_varnish4_selinux.el6.patch
+++ b/SOURCES/varnish-4.0.3_fix_varnish4_selinux.el6.patch
@ -0,0 +1,17 @@
 diff -Nur ../varnish-4.0.3_pre_selinux/selinux/varnish4.te ./selinux/varnish4.te
 --- ../varnish-4.0.3_pre_selinux/selinux/varnish4.te	1970-01-01 01:00:00.000000000 +0100
 +++ ./selinux/varnish4.te	2015-03-06 10:00:00.015151633 +0100
@@ -0,0 +1,13 @@
 +
 +module varnish4 1.0;
 +
 +require {
 +	type varnishd_t;
 +	class capability { fowner chown fsetid };
 +}
 +
 +#============= varnishd_t ==============
 +allow varnishd_t self:capability fowner;
 +allow varnishd_t self:capability chown;
 +allow varnishd_t self:capability fsetid;
 +
--- a/SOURCES/varnish-5.1.1.fix_ld_library_path_in_doc_build.patch
+++ b/SOURCES/varnish-5.1.1.fix_ld_library_path_in_doc_build.patch
@ -0,0 +1,52 @@
 diff --git a/doc/sphinx/Makefile.in b/doc/sphinx/Makefile.in
 index 0819064..11e4ba2 100644
 --- a/doc/sphinx/Makefile.in
 +++ b/doc/sphinx/Makefile.in
@@ -659,37 +659,47 @@ include/counters.rst: $(top_srcdir)/lib/libvcc/vsctool.py $(COUNTERS)
 # XXX add varnishstat here when it's been _opt2rst'ed
 include/varnishncsa_options.rst: $(top_builddir)/bin/varnishncsa/varnishncsa
 +	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
 	$(top_builddir)/bin/varnishncsa/varnishncsa --options > ${@}_
 	mv ${@}_ ${@}
 include/varnishncsa_synopsis.rst: $(top_builddir)/bin/varnishncsa/varnishncsa
 +	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
 	$(top_builddir)/bin/varnishncsa/varnishncsa --synopsis > ${@}_
 	mv ${@}_ ${@}
 include/varnishlog_options.rst: $(top_builddir)/bin/varnishlog/varnishlog
 +	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
 	$(top_builddir)/bin/varnishlog/varnishlog --options > ${@}_
 	mv ${@}_ ${@}
 include/varnishlog_synopsis.rst: $(top_builddir)/bin/varnishlog/varnishlog
 +	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
 	$(top_builddir)/bin/varnishlog/varnishlog --synopsis > ${@}_
 	mv ${@}_ ${@}
 include/varnishtop_options.rst: $(top_builddir)/bin/varnishtop/varnishtop
 +	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
 	$(top_builddir)/bin/varnishtop/varnishtop --options > ${@}_
 	mv ${@}_ ${@}
 include/varnishtop_synopsis.rst: $(top_builddir)/bin/varnishtop/varnishtop
 +	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
 	$(top_builddir)/bin/varnishtop/varnishtop --synopsis > ${@}_
 	mv ${@}_ ${@}
 include/varnishhist_options.rst: $(top_builddir)/bin/varnishhist/varnishhist
 +	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
 	$(top_builddir)/bin/varnishhist/varnishhist --options > ${@}_
 	mv ${@}_ ${@}
 include/varnishhist_synopsis.rst: $(top_builddir)/bin/varnishhist/varnishhist
 +	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
 	$(top_builddir)/bin/varnishhist/varnishhist --synopsis > ${@}_
 	mv ${@}_ ${@}
 include/varnishstat_options.rst: $(top_builddir)/bin/varnishstat/varnishstat
 +	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
 	$(top_builddir)/bin/varnishstat/varnishstat --options > ${@}_
 	mv ${@}_ ${@}
 include/varnishstat_synopsis.rst: $(top_builddir)/bin/varnishstat/varnishstat
 +	LD_LIBRARY_PATH=$(top_builddir)/lib/libvarnishapi/.libs \
 	$(top_builddir)/bin/varnishstat/varnishstat --synopsis > ${@}_
 	mv ${@}_ ${@}
--- a/SOURCES/varnish-5.1.1.fix_python_version.patch
+++ b/SOURCES/varnish-5.1.1.fix_python_version.patch
@ -0,0 +1,62 @@
 --- configure.orig	2017-03-18 02:53:31.235204299 +0100
 +++ configure	2017-03-18 02:54:54.229053852 +0100
@@ -13545,13 +13545,13 @@
         if test -n "$PYTHON"; then
       # If the user set $PYTHON, use it and don't search something else.
 -      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 2.7" >&5
 -$as_echo_n "checking whether $PYTHON version is >= 2.7... " >&6; }
 +      { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 2.4" >&5
 +$as_echo_n "checking whether $PYTHON version is >= 2.4... " >&6; }
       prog="import sys
 # split strings by '.' and convert to numeric.  Append some zeros
 # because we need at least 4 digits for the hex conversion.
 # map returns an iterator in Python 3.0 and a list in 2.x
 -minver = list(map(int, '2.7'.split('.'))) + [0, 0, 0]
 +minver = list(map(int, '2.4'.split('.'))) + [0, 0, 0]
 minverhex = 0
 # xrange is not present in Python 3.0 and range returns an iterator
 for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
@@ -13572,8 +13572,8 @@
     else
       # Otherwise, try each interpreter until we find one that satisfies
       # VERSION.
 -      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 2.7" >&5
 -$as_echo_n "checking for a Python interpreter with version >= 2.7... " >&6; }
 +      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 2.4" >&5
 +$as_echo_n "checking for a Python interpreter with version >= 2.4... " >&6; }
 if ${am_cv_pathless_PYTHON+:} false; then :
   $as_echo_n "(cached) " >&6
 else
@@ -13584,7 +13584,7 @@
 # split strings by '.' and convert to numeric.  Append some zeros
 # because we need at least 4 digits for the hex conversion.
 # map returns an iterator in Python 3.0 and a list in 2.x
 -minver = list(map(int, '2.7'.split('.'))) + [0, 0, 0]
 +minver = list(map(int, '2.4'.split('.'))) + [0, 0, 0]
 minverhex = 0
 # xrange is not present in Python 3.0 and range returns an iterator
 for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
@@ -13651,7 +13651,7 @@
   if test "$PYTHON" = :; then
 -		as_fn_error $? "Python >= 2.7 is required." "$LINENO" 5
 +		as_fn_error $? "Python >= 2.4 is required." "$LINENO" 5
   else
@@ -13698,11 +13698,11 @@
     can_use_sysconfig = 0
 else:
     can_use_sysconfig = 1
 -# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs:
 +# Can't use sysconfig in CPython 2.4, since it's broken in virtualenvs:
 # <https://github.com/pypa/virtualenv/issues/118>
 try:
     from platform import python_implementation
 -    if python_implementation() == 'CPython' and sys.version[:3] == '2.7':
 +    if python_implementation() == 'CPython' and sys.version[:3] == '2.4':
         can_use_sysconfig = 0
 except ImportError:
     pass"
--- a/SOURCES/varnish-6.0.0.fix_el6_fortify_source.patch
+++ b/SOURCES/varnish-6.0.0.fix_el6_fortify_source.patch
@ -0,0 +1,20 @@
 --- bin/varnishtest/vtc_process.c.orig	2018-04-26 14:12:29.539178105 +0100
 +++ bin/varnishtest/vtc_process.c	2018-04-26 15:27:49.851948252 +0100
@@ -216,7 +216,7 @@
 		vtc_dump(p->vl, 4, "stdout", buf, i);
 	else if (p->log == 3)
 		vtc_hexdump(p->vl, 4, "stdout", buf, i);
 -	(void)write(p->f_stdout, buf, i);
 +	assert(write(p->f_stdout, buf, i) == i);
 	Term_Feed(p->term, buf, buf + i);
 	return (0);
 }
@@ -239,7 +239,7 @@
 	p->stderr_bytes += i;
 	AZ(pthread_mutex_unlock(&p->mtx));
 	vtc_dump(p->vl, 4, "stderr", buf, i);
 -	(void)write(p->f_stderr, buf, i);
 +	assert(write(p->f_stdout, buf, i) == i);
 	return (0);
 }
--- a/SOURCES/varnish-6.6.2-CVE-2022-45060.patch
+++ b/SOURCES/varnish-6.6.2-CVE-2022-45060.patch
@ -1,76 +0,0 @@
 diff --git a/bin/varnishd/http2/cache_http2_hpack.c b/bin/varnishd/http2/cache_http2_hpack.c
 index 6bc062e..570b871 100644
 --- a/bin/varnishd/http2/cache_http2_hpack.c
 +++ b/bin/varnishd/http2/cache_http2_hpack.c
@@ -97,11 +97,16 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
 	/* XXX: This might belong in cache/cache_http.c */
 	const char *b0;
 	unsigned n;
 +	int disallow_empty;
 +	char *p;
 +	int i;
 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
 	AN(b);
 	assert(namelen >= 2);	/* 2 chars from the ': ' that we added */
 	assert(namelen <= len);
 +	
 +	disallow_empty = 0;
 	if (len > UINT_MAX) {	/* XXX: cache_param max header size */
 		VSLb(hp->vsl, SLT_BogoHeader, "Header too large: %.20s", b);
@@ -117,10 +122,24 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
 			b += namelen;
 			len -= namelen;
 			n = HTTP_HDR_METHOD;
 +			disallow_empty = 1;
 +
 +			/* First field cannot contain SP or CTL */
 +			for (p = b, i = 0; i < len; p++, i++) {
 +				if (vct_issp(*p) || vct_isctl(*p))
 +					return (H2SE_PROTOCOL_ERROR);
 +			}
 		} else if (!strncmp(b, ":path: ", namelen)) {
 			b += namelen;
 			len -= namelen;
 			n = HTTP_HDR_URL;
 +			disallow_empty = 1;
 +
 +			/* Second field cannot contain LWS or CTL */
 +			for (p = b, i = 0; i < len; p++, i++) {
 +				if (vct_islws(*p) || vct_isctl(*p))
 +					return (H2SE_PROTOCOL_ERROR);
 +			}
 		} else if (!strncmp(b, ":scheme: ", namelen)) {
 			/* XXX: What to do about this one? (typically
 			   "http" or "https"). For now set it as a normal
@@ -128,6 +147,15 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
 			b++;
 			len-=1;
 			n = hp->nhd;
 +
 +			for (p = b + namelen, i = 0; i < len-namelen;
 +			    p++, i++) {
 +				if (vct_issp(*p) || vct_isctl(*p))
 +					return (H2SE_PROTOCOL_ERROR);
 +			}
 +
 +			if (!i)
 +				return (H2SE_PROTOCOL_ERROR);
 		} else if (!strncmp(b, ":authority: ", namelen)) {
 			b+=6;
 			len-=6;
@@ -164,6 +192,13 @@ h2h_addhdr(struct http *hp, char *b, size_t namelen, size_t len)
 	hp->hd[n].b = b;
 	hp->hd[n].e = b + len;
 +	if (disallow_empty && !Tlen(hp->hd[n])) {
 +		VSLb(hp->vsl, SLT_BogoHeader,
 +		    "Empty pseudo-header %.*s",
 +		    (int)namelen, b0);
 +		return (H2SE_PROTOCOL_ERROR);
 +	}
 +
 	return (0);
 }
--- a/SOURCES/varnish-6.6.2-CVE-2023-44487-rate_limit.patch
+++ b/SOURCES/varnish-6.6.2-CVE-2023-44487-rate_limit.patch
@ -1,319 +0,0 @@
 commit bb3f607590a102321a15a8a17474d87da8bec32c
 Author: Tomas Korbar <tkorbar@redhat.com>
 Date:   Tue Oct 17 16:52:32 2023 +0200
    Upstream #3997 PR
    Fix CVE-2023-44487
 diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc
 index 7b32584..d55b9df 100644
 --- a/bin/varnishd/VSC_main.vsc
 +++ b/bin/varnishd/VSC_main.vsc
@@ -631,6 +631,14 @@
 	Number of session closes with Error VCL_FAILURE (VCL failure)
 +.. varnish_vsc:: sc_rapid_reset
 +       :level: diag
 +       :oneliner:      Session Err RAPID_RESET
 +
 +       Number of times we failed an http/2 session because it hit its
 +       configured limits for the number of permitted rapid stream
 +       resets.
 +
 .. varnish_vsc:: client_resp_500
 	:level: diag
 	:group: wrk
 diff --git a/bin/varnishd/http2/cache_http2.h b/bin/varnishd/http2/cache_http2.h
 index ea5eb52..9088e21 100644
 --- a/bin/varnishd/http2/cache_http2.h
 +++ b/bin/varnishd/http2/cache_http2.h
@@ -184,6 +184,8 @@ struct h2_sess {
 	VTAILQ_HEAD(,h2_req)		txqueue;
 	h2_error			error;
 +	double				rst_budget;
 +	vtim_real			last_rst;
 };
 #define ASSERT_RXTHR(h2) do {assert(h2->rxthr == pthread_self());} while(0)
 diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
 index 3597ec1..408acad 100644
 --- a/bin/varnishd/http2/cache_http2_proto.c
 +++ b/bin/varnishd/http2/cache_http2_proto.c
@@ -45,6 +45,7 @@
 #include "vtcp.h"
 #include "vtim.h"
 +#define H2_CUSTOM_ERRORS
 #define H2EC1(U,v,r,d) const struct h2_error_s H2CE_##U[1] = {{#U,d,v,0,1,r}};
 #define H2EC2(U,v,r,d) const struct h2_error_s H2SE_##U[1] = {{#U,d,v,1,0,r}};
 #define H2EC3(U,v,r,d) H2EC1(U,v,r,d) H2EC2(U,v,r,d)
@@ -304,9 +305,46 @@ h2_rx_push_promise(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
 /**********************************************************************
  */
 +static h2_error
 +h2_rapid_reset(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
 +{
 +	vtim_real now;
 +	vtim_dur d;
 +
 +	CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
 +	ASSERT_RXTHR(h2);
 +	CHECK_OBJ_NOTNULL(r2, H2_REQ_MAGIC);
 +
 +	if (cache_param->h2_rapid_reset_limit == 0)
 +		return (0);
 +
 +	now = VTIM_real();
 +	CHECK_OBJ_NOTNULL(r2->req, REQ_MAGIC);
 +	AN(r2->req->t_first);
 +	if (now - r2->req->t_first > cache_param->h2_rapid_reset)
 +		return (0);
 +
 +	d = now - h2->last_rst;
 +	h2->rst_budget += cache_param->h2_rapid_reset_limit * d /
 +	    cache_param->h2_rapid_reset_period;
 +	h2->rst_budget = vmin_t(double, h2->rst_budget,
 +	    cache_param->h2_rapid_reset_limit);
 +	h2->last_rst = now;
 +
 +	if (h2->rst_budget < 1.0) {
 +		Lck_Lock(&h2->sess->mtx);
 +		VSLb(h2->vsl, SLT_Error, "H2: Hit RST limit. Closing session.");
 +		Lck_Unlock(&h2->sess->mtx);
 +		return (H2CE_RAPID_RESET);
 +	}
 +	h2->rst_budget -= 1.0;
 +	return (0);
 +}
 +
 static h2_error v_matchproto_(h2_rxframe_f)
 h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
 {
 +	h2_error h2e;
 	CHECK_OBJ_NOTNULL(wrk, WORKER_MAGIC);
 	ASSERT_RXTHR(h2);
@@ -316,8 +354,9 @@ h2_rx_rst_stream(struct worker *wrk, struct h2_sess *h2, struct h2_req *r2)
 		return (H2CE_FRAME_SIZE_ERROR);
 	if (r2 == NULL)
 		return (0);
 +	h2e = h2_rapid_reset(wrk, h2, r2);
 	h2_kill_req(wrk, h2, r2, h2_streamerror(vbe32dec(h2->rxf_data)));
 -	return (0);
 +	return (h2e);
 }
 /**********************************************************************
 diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c
 index 36d4a1c..f81c94a 100644
 --- a/bin/varnishd/http2/cache_http2_session.c
 +++ b/bin/varnishd/http2/cache_http2_session.c
@@ -128,6 +128,9 @@ h2_init_sess(const struct worker *wrk, struct sess *sp,
 	h2_local_settings(&h2->local_settings);
 	h2->remote_settings = H2_proto_settings;
 	h2->decode = decode;
 +	h2->rst_budget = cache_param->h2_rapid_reset_limit;
 +	h2->last_rst = sp->t_open;
 +	AZ(isnan(h2->last_rst));
 	AZ(VHT_Init(h2->dectbl, h2->local_settings.header_table_size));
 diff --git a/bin/varnishtest/tests/r03996.vtc b/bin/varnishtest/tests/r03996.vtc
 new file mode 100644
 index 0000000..3fee370
 --- /dev/null
 +++ b/bin/varnishtest/tests/r03996.vtc
@@ -0,0 +1,51 @@
 +varnishtest "h2 rapid reset"
 +
 +barrier b1 sock 5
 +
 +server s1 {
 +	rxreq
 +	txresp
 +} -start
 +
 +varnish v1 -cliok "param.set feature +http2"
 +varnish v1 -cliok "param.set debug +syncvsl"
 +varnish v1 -cliok "param.set h2_rapid_reset_limit 3"
 +varnish v1 -cliok "param.set h2_rapid_reset 5"
 +
 +varnish v1 -vcl+backend {
 +	import vtc;
 +
 +	sub vcl_recv {
 +		vtc.barrier_sync("${b1_sock}");
 +	}
 +
 +} -start
 +
 +client c1 {
 +	stream 0 {
 +		rxgoaway
 +		expect goaway.err == ENHANCE_YOUR_CALM
 +	} -start
 +
 +	stream 1 {
 +		txreq
 +		txrst
 +	} -run
 +	stream 3 {
 +		txreq
 +		txrst
 +	} -run
 +	stream 5 {
 +		txreq
 +		txrst
 +	} -run
 +	stream 7 {
 +		txreq
 +		txrst
 +	} -run
 +
 +	barrier b1 sync
 +	stream 0 -wait
 +} -run
 +
 +varnish v1 -expect sc_rapid_reset == 1
 diff --git a/include/tbl/h2_error.h b/include/tbl/h2_error.h
 index e8104f8..11051de 100644
 --- a/include/tbl/h2_error.h
 +++ b/include/tbl/h2_error.h
@@ -147,5 +147,17 @@ H2_ERROR(
 	/* descr */	"Use HTTP/1.1 for the request"
 )
 +#ifdef H2_CUSTOM_ERRORS
 +H2_ERROR(
 +       /* name */      RAPID_RESET,
 +       /* val */       11, /* ENHANCE_YOUR_CALM */
 +       /* types */     1,
 +       /* reason */    SC_RAPID_RESET,
 +       /* descr */     "http/2 rapid reset detected"
 +)
 +
 +#  undef H2_CUSTOM_ERRORS
 +#endif
 +
 #undef H2_ERROR
 /*lint -restore */
 diff --git a/include/tbl/params.h b/include/tbl/params.h
 index cca420c..4014dd6 100644
 --- a/include/tbl/params.h
 +++ b/include/tbl/params.h
@@ -1217,6 +1217,47 @@ PARAM_SIMPLE(
 	"HTTP2 maximum size of an uncompressed header list."
 )
 +PARAM_SIMPLE(
 +	/* name */	h2_rapid_reset,
 +	/* typ */	timeout,
 +	/* min */	"0.000",
 +	/* max */	NULL,
 +	/* def */	"1.000",
 +	/* units */	"seconds",
 +	/* descr */
 +       "The upper threshold for how rapid an http/2 RST has to come for "
 +       "it to be treated as suspect and subjected to the rate limits "
 +       "specified by h2_rapid_reset_limit and h2_rapid_reset_period.",
 +	/* flags */	EXPERIMENTAL,
 +)
 +
 +PARAM_SIMPLE(
 +	/* name */	h2_rapid_reset_limit,
 +	/* typ */	uint,
 +	/* min */	"0",
 +	/* max */	NULL,
 +	/* def */	"3600",
 +	/* units */	NULL,
 +	/* descr */
 +	"HTTP2 RST Allowance.\n"
 +	"Specifies the maximum number of allowed stream resets issued by\n"
 +	"a client over a time period before the connection is closed.\n"
 +	"Setting this parameter to 0 disables the limit.",
 +	/* flags */	EXPERIMENTAL,
 +)
 +
 +PARAM_SIMPLE(
 +	/* name */	h2_rapid_reset_period,
 +	/* typ */	timeout,
 +	/* min */	"1.000",
 +	/* max */	NULL,
 +	/* def */	"60.000",
 +	/* units */	"seconds",
 +	/* descr */
 +	"HTTP2 sliding window duration for h2_rapid_reset_limit.",
 +	/* flags */	EXPERIMENTAL|WIZARD,
 +)
 +
 /*--------------------------------------------------------------------
  * Memory pool parameters
  */
 diff --git a/include/tbl/sess_close.h b/include/tbl/sess_close.h
 index 9748314..6d2f635 100644
 --- a/include/tbl/sess_close.h
 +++ b/include/tbl/sess_close.h
@@ -50,6 +50,7 @@ SESS_CLOSE(PIPE_OVERFLOW, pipe_overflow,1,	"Session pipe overflow")
 SESS_CLOSE(RANGE_SHORT,   range_short,	1,	"Insufficient data for range")
 SESS_CLOSE(REQ_HTTP20,	  req_http20,	1,	"HTTP2 not accepted")
 SESS_CLOSE(VCL_FAILURE,	  vcl_failure,	1,	"VCL failure")
 +SESS_CLOSE(RAPID_RESET,	  rapid_reset,  1,      "HTTP2 rapid reset")
 #undef SESS_CLOSE
 /*lint -restore */
 diff --git a/include/vdef.h b/include/vdef.h
 index a9111fe..c85bea8 100644
 --- a/include/vdef.h
 +++ b/include/vdef.h
@@ -106,6 +106,47 @@
 #  define v_dont_optimize
 #endif
 +/**********************************************************************
 + * Find the minimum or maximum values.
 + * Only evaluate the expression once and perform type checking.
 + */
 +
 +/* ref: https://stackoverflow.com/a/17624752 */
 +
 +#define VINDIRECT(a, b, c)	a ## b ## c
 +#define VCOMBINE(a, b, c)	VINDIRECT(a, b, c)
 +
 +#if defined(__COUNTER__)
 +#	define VUNIQ_NAME(base)	VCOMBINE(base, __LINE__, __COUNTER__)
 +#else
 +#	define VUNIQ_NAME(base)	VCOMBINE(base, __LINE__, 0)
 +#endif
 +
 +#ifdef _lint
 +#define typeof(x) __typeof__(x)
 +#endif
 +
 +/* ref: https://gcc.gnu.org/onlinedocs/gcc/Typeof.html */
 +
 +#define _vtake(op, ta, tb, a, b, _va, _vb)				\
 +	({								\
 +	ta _va = (a);							\
 +	tb _vb = (b);							\
 +	(void)(&_va == &_vb);						\
 +	_va op _vb ? _va : _vb;						\
 +})
 +
 +#define opmin <
 +#define opmax >
 +#define vtake(n, ta, tb, a, b)	_vtake(op ## n, ta, tb, a, b,		\
 +    VUNIQ_NAME(_v ## n ## A), VUNIQ_NAME(_v ## n ## B))
 +
 +#define vmin(a, b)		vtake(min, typeof(a), typeof(b), a, b)
 +#define vmax(a, b)		vtake(max, typeof(a), typeof(b), a, b)
 +
 +#define vmin_t(type, a, b)	vtake(min, type, type, a, b)
 +#define vmax_t(type, a, b)	vtake(max, type, type, a, b)
 +
 /*********************************************************************
  * Pointer alignment magic
  */
--- a/SOURCES/varnish-6.6.2-CVE-2023-44487-vcl_vrt.patch
+++ b/SOURCES/varnish-6.6.2-CVE-2023-44487-vcl_vrt.patch
@ -1,328 +0,0 @@
 commit bb44b34d5e9078ede3769ef519badb65d340351a
 Author: Tomas Korbar <tkorbar@redhat.com>
 Date:   Wed Oct 18 12:32:24 2023 +0200
    vcl_vrt: Skip VCL execution if the client is gone
    Upstream PR #3998
    and 4991d9f6e40f381d058a83fc21ceed90e34a822e for r03996.vtc
 diff --git a/bin/varnishd/VSC_main.vsc b/bin/varnishd/VSC_main.vsc
 index d55b9df..0978c2f 100644
 --- a/bin/varnishd/VSC_main.vsc
 +++ b/bin/varnishd/VSC_main.vsc
@@ -342,6 +342,15 @@
 	Number of times an HTTP/2 stream was refused because the queue was
 	too long already. See also parameter thread_queue_limit.
 +.. varnish_vsc:: req_reset
 +	:group: wrk
 +	:oneliner:	Requests reset
 +
 +	Number of times a client left before the VCL processing of its
 +	requests completed. For HTTP/2 sessions, either the stream was
 +	reset by an RST_STREAM frame from the client, or a stream or
 +	connection error occurred.
 +
 .. varnish_vsc:: n_object
 	:type:	gauge
 	:group: wrk
 diff --git a/bin/varnishd/cache/cache_transport.h b/bin/varnishd/cache/cache_transport.h
 index 3650291..be396b9 100644
 --- a/bin/varnishd/cache/cache_transport.h
 +++ b/bin/varnishd/cache/cache_transport.h
@@ -44,6 +44,7 @@ typedef void vtr_sess_panic_f (struct vsb *, const struct sess *);
 typedef void vtr_req_panic_f (struct vsb *, const struct req *);
 typedef void vtr_req_fail_f (struct req *, enum sess_close);
 typedef void vtr_reembark_f (struct worker *, struct req *);
 +typedef int vtr_poll_f (struct req *);
 typedef int vtr_minimal_response_f (struct req *, uint16_t status);
 struct transport {
@@ -64,6 +65,7 @@ struct transport {
 	vtr_sess_panic_f		*sess_panic;
 	vtr_req_panic_f			*req_panic;
 	vtr_reembark_f			*reembark;
 +	vtr_poll_f			*poll;
 	vtr_minimal_response_f		*minimal_response;
 	VTAILQ_ENTRY(transport)		list;
 diff --git a/bin/varnishd/cache/cache_vrt_vcl.c b/bin/varnishd/cache/cache_vrt_vcl.c
 index 023ba00..2fbaff6 100644
 --- a/bin/varnishd/cache/cache_vrt_vcl.c
 +++ b/bin/varnishd/cache/cache_vrt_vcl.c
@@ -42,6 +42,7 @@
 #include "vbm.h"
 #include "cache_director.h"
 +#include "cache_transport.h"
 #include "cache_vcl.h"
 #include "vcc_interface.h"
@@ -437,6 +438,40 @@ VRT_VCL_Allow_Discard(struct vclref **refp)
 	FREE_OBJ(ref);
 }
 +/*--------------------------------------------------------------------
 + */
 +
 +static int
 +req_poll(struct worker *wrk, struct req *req)
 +{
 +	struct req *top;
 +
 +	/* NB: Since a fail transition leads to vcl_synth, the request may be
 +	 * short-circuited twice.
 +	 */
 +	if (req->req_reset) {
 +		wrk->handling = VCL_RET_FAIL;
 +		return (-1);
 +	}
 +
 +	top = req->top->topreq;
 +	CHECK_OBJ_NOTNULL(top, REQ_MAGIC);
 +	CHECK_OBJ_NOTNULL(top->transport, TRANSPORT_MAGIC);
 +
 +	if (!FEATURE(FEATURE_VCL_REQ_RESET))
 +		return (0);
 +	if (top->transport->poll == NULL)
 +		return (0);
 +	if (top->transport->poll(top) >= 0)
 +		return (0);
 +
 +	VSLb_ts_req(req, "Reset", W_TIM_real(wrk));
 +	wrk->stats->req_reset++;
 +	wrk->handling = VCL_RET_FAIL;
 +	req->req_reset = 1;
 +	return (-1);
 +}
 +
 /*--------------------------------------------------------------------
  * Method functions to call into VCL programs.
  *
@@ -468,6 +503,8 @@ vcl_call_method(struct worker *wrk, struct req *req, struct busyobj *bo,
 		CHECK_OBJ_NOTNULL(req->sp, SESS_MAGIC);
 		CHECK_OBJ_NOTNULL(req->vcl, VCL_MAGIC);
 		CHECK_OBJ_NOTNULL(req->top, REQTOP_MAGIC);
 +		if (req_poll(wrk, req))
 +			return;
 		VCL_Req2Ctx(&ctx, req);
 	}
 	assert(ctx.now != 0);
 diff --git a/bin/varnishd/http2/cache_http2_session.c b/bin/varnishd/http2/cache_http2_session.c
 index f81c94a..f978763 100644
 --- a/bin/varnishd/http2/cache_http2_session.c
 +++ b/bin/varnishd/http2/cache_http2_session.c
@@ -439,6 +439,16 @@ h2_new_session(struct worker *wrk, void *arg)
 	h2_del_sess(wrk, h2, h2->error->reason);
 }
 +static int v_matchproto_(vtr_poll_f)
 +h2_poll(struct req *req)
 +{
 +	struct h2_req *r2;
 +
 +	CHECK_OBJ_NOTNULL(req, REQ_MAGIC);
 +	CAST_OBJ_NOTNULL(r2, req->transport_priv, H2_REQ_MAGIC);
 +	return (r2->error ? -1 : 1);
 +}
 +
 struct transport H2_transport = {
 	.name =			"H2",
 	.magic =		TRANSPORT_MAGIC,
@@ -448,4 +458,5 @@ struct transport H2_transport = {
 	.req_body =		h2_req_body,
 	.req_fail =		h2_req_fail,
 	.sess_panic =		h2_sess_panic,
 +	.poll =			h2_poll,
 };
 diff --git a/bin/varnishd/mgt/mgt_param_bits.c b/bin/varnishd/mgt/mgt_param_bits.c
 index d6a9c3f..6d9b32a 100644
 --- a/bin/varnishd/mgt/mgt_param_bits.c
 +++ b/bin/varnishd/mgt/mgt_param_bits.c
@@ -276,7 +276,7 @@ struct parspec VSL_parspec[] = {
 #undef DEBUG_BIT
 		},
 	{ "feature", tweak_feature, NULL,
 -		NULL, NULL, "default",
 +		NULL, NULL, "+validate_headers +vcl_req_reset",
 		NULL,
 		"Enable/Disable various minor features.\n"
 		"\tdefault\tSet default value\n"
 diff --git a/bin/varnishtest/tests/r03996.vtc b/bin/varnishtest/tests/r03996.vtc
 index 3fee370..7faf783 100644
 --- a/bin/varnishtest/tests/r03996.vtc
 +++ b/bin/varnishtest/tests/r03996.vtc
@@ -1,6 +1,7 @@
 varnishtest "h2 rapid reset"
 -barrier b1 sock 5
 +barrier b1 sock 2 -cyclic
 +barrier b2 sock 5 -cyclic
 server s1 {
 	rxreq
@@ -16,7 +17,10 @@ varnish v1 -vcl+backend {
 	import vtc;
 	sub vcl_recv {
 -		vtc.barrier_sync("${b1_sock}");
 +		if (req.http.barrier) {
 +			vtc.barrier_sync(req.http.barrier);
 +		}
 +		vtc.barrier_sync("${b2_sock}");
 	}
 } -start
@@ -27,6 +31,41 @@ client c1 {
 		expect goaway.err == ENHANCE_YOUR_CALM
 	} -start
 +	stream 1 {
 +		txreq -hdr barrier ${b1_sock}
 +		barrier b1 sync
 +		txrst
 +	} -run
 +	stream 3 {
 +		txreq -hdr barrier ${b1_sock}
 +		barrier b1 sync
 +		txrst
 +	} -run
 +	stream 5 {
 +		txreq -hdr barrier ${b1_sock}
 +		barrier b1 sync
 +		txrst
 +	} -run
 +	stream 7 {
 +		txreq -hdr barrier ${b1_sock}
 +		barrier b1 sync
 +		txrst
 +	} -run
 +
 +	barrier b2 sync
 +	stream 0 -wait
 +} -run
 +
 +varnish v1 -expect sc_rapid_reset == 1
 +
 +varnish v1 -cliok "param.set feature -vcl_req_reset"
 +
 +client c2 {
 +	stream 0 {
 +		rxgoaway
 +		expect goaway.err == ENHANCE_YOUR_CALM
 +	} -start
 +
 	stream 1 {
 		txreq
 		txrst
@@ -44,8 +83,8 @@ client c1 {
 		txrst
 	} -run
 -	barrier b1 sync
 +	barrier b2 sync
 	stream 0 -wait
 } -run
 -varnish v1 -expect sc_rapid_reset == 1
 +varnish v1 -expect sc_rapid_reset == 2
 diff --git a/bin/varnishtest/tests/t02025.vtc b/bin/varnishtest/tests/t02025.vtc
 new file mode 100644
 index 0000000..3b7e90e
 --- /dev/null
 +++ b/bin/varnishtest/tests/t02025.vtc
@@ -0,0 +1,49 @@
 +varnishtest "h2 reset interrupt"
 +
 +barrier b1 sock 2
 +barrier b2 sock 2
 +
 +varnish v1 -cliok "param.set feature +http2"
 +varnish v1 -cliok "param.set debug +syncvsl"
 +varnish v1 -vcl {
 +	import vtc;
 +
 +	backend be none;
 +
 +	sub vcl_recv {
 +		vtc.barrier_sync("${b1_sock}");
 +		vtc.barrier_sync("${b2_sock}");
 +	}
 +
 +	sub vcl_miss {
 +		vtc.panic("unreachable");
 +	}
 +} -start
 +
 +logexpect l1 -v v1 -g raw -i Debug {
 +	expect * * Debug "^H2RXF RST_STREAM"
 +} -start
 +
 +client c1 {
 +	stream 1 {
 +		txreq
 +		barrier b1 sync
 +		txrst
 +	} -run
 +} -start
 +
 +logexpect l1 -wait
 +barrier b2 sync
 +
 +varnish v1 -vsl_catchup
 +varnish v1 -expect req_reset == 1
 +
 +# NB: The varnishncsa command below shows a minimal pattern to collect
 +# "rapid reset" suspects per session, with the IP address. Here rapid
 +# is interpreted as before a second elapsed. Session VXIDs showing up
 +# numerous times become increasingly more suspicious. The format can of
 +# course be extended to add anything else useful for data mining.
 +shell -expect "1000 ${localhost}" {
 +	varnishncsa -n ${v1_name} -d \
 +		-q 'Timestamp:Reset[2] < 1.0' -F '%{VSL:Begin[2]}x %h'
 +}
 diff --git a/doc/sphinx/reference/vsl.rst b/doc/sphinx/reference/vsl.rst
 index cf63089..f1ed987 100644
 --- a/doc/sphinx/reference/vsl.rst
 +++ b/doc/sphinx/reference/vsl.rst
@@ -76,6 +76,11 @@ Resp
 Restart
 	Client request is being restarted.
 +Reset
 +        The client closed its connection, reset its stream or caused
 +        a stream error that forced Varnish to reset the stream. Request
 +        processing is interrupted and considered failed.
 +
 Pipe handling timestamps
 ~~~~~~~~~~~~~~~~~~~~~~~~
 diff --git a/include/tbl/feature_bits.h b/include/tbl/feature_bits.h
 index d51b22c..3d6ac35 100644
 --- a/include/tbl/feature_bits.h
 +++ b/include/tbl/feature_bits.h
@@ -82,6 +82,11 @@ FEATURE_BIT(BUSY_STATS_RATE,	busy_stats_rate,
     "Make busy workers comply with thread_stats_rate."
 )
 +FEATURE_BIT(VCL_REQ_RESET,			vcl_req_reset,
 +    "Stop processing client VCL once the client is gone. "
 +    "When this happens MAIN.req_reset is incremented."
 +)
 +
 #undef FEATURE_BIT
 /*lint -restore */
 diff --git a/include/tbl/req_flags.h b/include/tbl/req_flags.h
 index 2e82660..9e72312 100644
 --- a/include/tbl/req_flags.h
 +++ b/include/tbl/req_flags.h
@@ -41,6 +41,7 @@ REQ_FLAG(is_hitpass,		1, 0, "")
 REQ_FLAG(waitinglist,		0, 0, "")
 REQ_FLAG(want100cont,		0, 0, "")
 REQ_FLAG(late100cont,		0, 0, "")
 +REQ_FLAG(req_reset,		0, 0, "")
 #undef REQ_FLAG
 /*lint -restore */
--- a/SOURCES/varnish-6.6.2-CVE-2024-30156.patch
+++ b/SOURCES/varnish-6.6.2-CVE-2024-30156.patch
--- a/SPECS/varnish.spec
+++ b/SPECS/varnish.spec
@ -1,135 +1,87 @@
-%global _hardened_build 0
+%global _hardened_build 1
 # https://github.com/varnishcache/varnish-cache/issues/2269
 %global debug_package %{nil}
-
+# https://github.com/varnishcache/varnish-cache/issues/2269
 %if 0%{?rhel} == 7
 %global _use_internal_dependency_generator 0
 %global __find_provides %{_builddir}/%{name}-%{version}/find-provides %__find_provides
 %global __python /usr/bin/python3.4
 %else
 %global __python %{__python3}
 %endif
 %global __provides_exclude_from ^%{_libdir}/varnish/vmods
 %global abi 17c51b08e037fc8533fb3687a042a867235fc72f
 %global vrt 13.0
 # Package scripts are now external
 # https://github.com/varnishcache/pkg-varnish-cache
-%global commit1 ec7ad9e6c6dd7c9b4f4ba60c5b223376908c3ca6
+%global commit1 0ad2f22629c4a368959c423a19e352c9c6c79682
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 %bcond_without python2
 %bcond_with python3
 %if %{with python2} == %{with python3}
 %error Pick exactly one Python version
 %endif
 Summary: High-performance HTTP accelerator
 Name: varnish
-Version: 6.6.2
+Version: 6.0.13
-Release: 4%{?dist}.1
+Release: 1%{?dist}
 License: BSD
 Group: System Environment/Daemons
 URL: https://www.varnish-cache.org/
-Source0: http://varnish-cache.org/_downloads/%{name}-%{version}.tgz
+Source0: http://varnish-cache.org/_downloads/%{name}-%{version}%{?vd_rc}.tgz
 Source1: https://github.com/varnishcache/pkg-varnish-cache/archive/%{commit1}.tar.gz#/pkg-varnish-cache-%{shortcommit1}.tar.gz
 Patch1:  varnish-5.1.1.fix_ld_library_path_in_doc_build.patch
 Patch4:  varnish-4.0.3_fix_varnish4_selinux.el6.patch
 Patch9:  varnish-5.1.1.fix_python_version.patch
-# Patches:
+# https://github.com/varnishcache/varnish-cache/commit/5220c394232c25bb7a807a35e7394059ecefa821#diff-2279587378a4426edde05f42e1acca5e
-# Patch  001: Because of Fedora's libtool no-rpath requirement, it is still
+Patch11: varnish-6.0.0.fix_el6_fortify_source.patch
 #             necessary to add LD_LIBRARY_PATH when building the documentation
 #             (Fixed by using LT_SYS_LIBRARY_PATH)
 #Patch1:  varnish-6.1.1_fix_ld_library_path_in_doc_build.patch
 # Patch  004: varnish selinux support for el6
 #Patch4:  varnish-4.0.3_fix_varnish4_selinux.el6.patch
 # Patch  009: Hard code older python support in configure for older el releases
 #Patch9:  varnish-5.1.1.fix_python_version.patch
 # Patch  012: Fix test for variants of ncurses, based on upstream commit 9bdc5f75, upstream issue #2668
 #Patch12: varnish-6.0.1_fix_bug2668.patch
 # Patch  013: Just a simple format error
 #Patch13: varnish-6.1.0_fix_testu00008.patch
 # Patch  014: Another formatting error fixed upstream, issue 2879
 #Patch14: varnish-6.1.1_fix_upstrbug_2879.patch
 # Patch  015: pcre-jit fixed upstream, issue #2912
 #Patch15: varnish-6.1.1_fix_issue_2912.patch
-# Patch  016: Fix some warnings that prohibited clean -Werror compilation
+# Security patches ...
-#             on el6. Will not be fixed upstream. Patch grows more stupid
+# Patch100: varnish-6.0.13.CVE-.....patch
 #             for each iteration :-(
 #Patch16: varnish-6.5.0_el6_fix_warning_from_old_gcc.patch
-# Patch  017: Fix stack size on ppc64 in test c_00057, upstream commit 88948d9
+Obsoletes: varnish-libs
 #Patch17: varnish-6.2.0_fix_ppc64_for_test_c00057.patch
-# Patch 018: gcc-10.0.1/s390x compilation fix, upstream commit b0af060
+%if %{with python3}
 #Patch18: varnish-6.3.2_fix_s390x.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2141844
 Patch100: varnish-6.6.2-CVE-2022-45060.patch
 # https://issues.redhat.com/browse/RHEL-12817
 Patch101: varnish-6.6.2-CVE-2023-44487-rate_limit.patch
 # https://issues.redhat.com/browse/RHEL-12817
 Patch102: varnish-6.6.2-CVE-2023-44487-vcl_vrt.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2271486
 Patch103: varnish-6.6.2-CVE-2024-30156.patch
 %if 0%{?fedora} > 29
 Provides: varnish%{_isa} = %{version}-%{release}
 Provides: varnishd(abi)%{_isa} = %{abi}
 Provides: varnishd(vrt)%{_isa} = %{vrt}
 Provides: vmod(blob)%{_isa} = %{version}-%{release}
 Provides: vmod(directors)%{_isa} = %{version}-%{release}
 Provides: vmod(proxy)%{_isa} = %{version}-%{release}
 Provides: vmod(purge)%{_isa} = %{version}-%{release}
 Provides: vmod(std)%{_isa} = %{version}-%{release}
 Provides: vmod(unix)%{_isa} = %{version}-%{release}
 Provides: vmod(vtc)%{_isa} = %{version}-%{release}
 %endif
 Obsoletes: varnish-libs < %{version}-%{release}
 %if 0%{?rhel} == 7
 BuildRequires: python34 python34-sphinx python34-docutils
 %else
 BuildRequires: python3, python3-sphinx, python3-docutils
 %else
 %if 0%{?rhel} >= 6
 BuildRequires: python-sphinx
 %endif
 BuildRequires: python-docutils
 %endif
 # Drop jemalloc dependency in RHEL-9
 # BuildRequires: jemalloc-devel
 BuildRequires: libedit-devel
 BuildRequires: ncurses-devel
 BuildRequires: pcre-devel
 BuildRequires: pkgconfig
 BuildRequires: gcc
 BuildRequires: make
-
+BuildRequires: graphviz
 # Extra requirements for the build suite
 BuildRequires: nghttp2
-# haproxy is broken in rawhide now
+%if 0%{?rhel} == 6
-#if 0#{?fedora} || 0#{?rhel} >= 8
+BuildRequires: selinux-policy
-#BuildRequires: haproxy
+%endif
 #endif
 Requires: logrotate
 Requires: ncurses
 Requires: pcre
 # Drop jemalloc dependency in RHEL-9
 # Requires: jemalloc
 Requires: redhat-rpm-config
 Requires(pre): shadow-utils
 Requires(post): /usr/bin/uuidgen
 # Varnish actually needs gcc installed to work. It uses the C compiler 
 # at runtime to compile the VCL configuration files. This is by design.
 Requires: gcc
 %if 0%{?fedora} >= 17 || 0%{?rhel} >= 7
 Requires(post): systemd-units
 Requires(post): systemd-sysv
 Requires(preun): systemd-units
 Requires(postun): systemd-units
 BuildRequires: systemd-units
 %endif
 %if 0%{?rhel} == 6
 Requires: %{name}-selinux
 Requires(post): policycoreutils, 
 Requires(preun): policycoreutils
 Requires(postun): policycoreutils
 Requires(post): /sbin/chkconfig
 Requires(preun): /sbin/chkconfig
 Requires(preun): /sbin/service
 %endif
 %description
 This is Varnish Cache, a high-performance HTTP accelerator.
@ -144,95 +96,121 @@ available on: https://www.varnish-cache.org/
 %package devel
 Summary: Development files for %{name}
-#BuildRequires: ncurses-devel
+Group: Development/Libraries
-Provides: varnish-libs-devel%{?isa} = %{version}-%{release}
+BuildRequires: ncurses-devel
 Provides: varnish-libs-devel = %{version}-%{release}
-Obsoletes: varnish-libs-devel < %{version}-%{release}
+Obsoletes: varnish-libs-devel
 %if %{with python2}
 Requires: python
 %endif
 Requires: %{name} = %{version}-%{release}
 Requires: python3
 %description devel
 Development files for %{name}
 Varnish Cache is a high-performance HTTP accelerator
 %package docs
 Summary: Documentation files for %name
 Group: Documentation
 %description docs
 Documentation files for %name
 %if 0%{?rhel} == 6
 %package selinux
 Summary: Minimal selinux policy for running varnish
 Group:   System Environment/Daemons
 %description selinux
 Minimal selinux policy for running varnish4
 %endif
 %prep
-%setup -q
+%setup -q -n varnish-%{version}%{?vd_rc}
 tar xzf %SOURCE1
 ln -s pkg-varnish-cache-%{commit1}/redhat redhat
 ln -s pkg-varnish-cache-%{commit1}/debian debian
 cp redhat/find-provides .
-sed -i 's,rst2man-3.6,rst2man-3.4,g; s,rst2html-3.6,rst2html-3.4,g; s,phinx-build-3.6,phinx-build-3.4,g' configure
+%if 0%{?rhel} == 6
 cp pkg-varnish-cache-%{commit1}/sysv/redhat/* redhat/
 sed -i '8 i\RPM_BUILD_ROOT=%{buildroot}' find-provides
 %endif
-%patch100 -p1 -b .CVE-2022-45060
+%patch1 -p1
-%patch101 -p1 -b .CVE-2023-44487
+%if 0%{?rhel} == 6
-%patch102 -p1 -b .CVE-2023-44487-vcl
+%patch4 -p0
-%patch103 -p1 -b .CVE-2024-30156
+%patch9 -p0
 %patch11 -p0
 %endif
 %build
 %if 0%{?rhel} == 6
 export CFLAGS="%{optflags} -fPIC"
 export LDFLAGS=" -pie"
 %endif
 # https://gcc.gnu.org/wiki/FAQ#PR323
 %ifarch %ix86
 %if 0%{?fedora} > 21
 export CFLAGS="%{optflags} -ffloat-store -fexcess-precision=standard"
 %endif
 %if 0%{?rhel} >= 6
 export CFLAGS="%{optflags} -fPIC -ffloat-store"
 %endif
 %ifarch s390x
 export CFLAGS="%{optflags} -Wno-error=free-nonheap-object"
 %endif
 # What gcc version is this?
 gcc --version
 # What is the page size
 getconf PAGESIZE
 # Man pages are prebuilt. No need to regenerate them.
 export RST2MAN=/bin/true
 # Explicit python, please
 export PYTHON=%{__python}
-%configure LT_SYS_LIBRARY_PATH=%_libdir \
+%configure --disable-static \
- --disable-static \
+  --with-jemalloc=no \
  --localstatedir=/var/lib  \
-  --docdir=%{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} \
+  --docdir=%{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
-  --without-jemalloc \
+#ifarch x86_64 #arm
 #  --disable-pcre-jit \
 #endif
 # We have to remove rpath - not allowed in Fedora
 # (This problem only visible on 64 bit arches)
 sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g;
        s|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 # I'll never understand libtool
 mkdir lib/libvarnishapi/.libs
 pushd lib/libvarnishapi/.libs
 ln -s libvarnishapi.so libvarnishapi.so.1
 popd
 # Upstream github issue #2265
 %if 0%{?rhel} == 6 
 sed -i 's/-Werror$//g;' bin/varnishd/Makefile
 sed -i 's/-Werror$//g;' lib/libvarnishapi/Makefile
 %endif
 make %{?_smp_mflags} V=1 
 # One varnish user is enough
 sed -i 's,User=varnishlog,User=varnish,g;' redhat/varnishncsa.service
 # Explicit python, please
 %if %{with python2}
 sed -i 's/env python3/python2/g;' lib/libvcc/vmodtool.py lib/libvcc/vsctool.py
 %else
 sed -i 's/env python3/python3/g;' lib/libvcc/vmodtool.py lib/libvcc/vsctool.py
 %endif
 # Clean up the html documentation
 rm -rf doc/html/_sources
 %check
-
+%ifarch ppc64 ppc64le aarch64
-# Remove this for now. Hard to get the size and timing right
+sed -i 's/48/128/g;' bin/varnishtest/tests/c00057.vtc
 %ifarch s390 s390x aarch64
 rm bin/varnishtest/tests/o00005.vtc
 %endif
-# disable test because of CVE-2023-44487 fix
+#make %{?_smp_mflags} check LD_LIBRARY_PATH="%{buildroot}%{_libdir}:%{buildroot}%{_libdir}/%{name}" VERBOSE=1
 # https://github.com/varnishcache/varnish-cache/pull/3998#issuecomment-1764649216
 rm bin/varnishtest/tests/t02014.vtc
 make %{?_smp_mflags} check VERBOSE=1
 %install
 rm -rf %{buildroot}
-
+make install DESTDIR=%{buildroot} INSTALL="install -p"
 # mock el7 defaults to LANG=C, which makes python3 fail when parsing utf8 text
 %if 0%{?rhel} == 7
 export LANG=en_US.UTF-8
 %endif
 %{make_install}
 # None of these for fedora
 find %{buildroot}/%{_libdir}/ -name '*.la' -exec rm -f {} ';'
@ -246,19 +224,32 @@ install -D -m 0644 redhat/varnish.logrotate %{buildroot}%{_sysconfdir}/logrotate
 install -D -m 0644 include/vcs_version.h %{buildroot}%{_includedir}/varnish
 install -D -m 0644 include/vrt.h %{buildroot}%{_includedir}/varnish
 # systemd support
 %if 0%{?fedora} >= 17 || 0%{?rhel} >= 7
 mkdir -p %{buildroot}%{_unitdir}
 install -D -m 0644 redhat/varnish.service %{buildroot}%{_unitdir}/varnish.service
 install -D -m 0644 redhat/varnishncsa.service %{buildroot}%{_unitdir}/varnishncsa.service
 # default is standard sysvinit
 %else
 install -D -m 0644 redhat/varnish.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/varnish
 install -D -m 0755 redhat/varnish.initrc %{buildroot}%{_initrddir}/varnish
 install -D -m 0755 redhat/varnishncsa.initrc %{buildroot}%{_initrddir}/varnishncsa
 %endif
 install -D -m 0755 redhat/varnishreload %{buildroot}%{_sbindir}/varnishreload
 echo %{_libdir}/varnish > %{buildroot}%{_sysconfdir}/ld.so.conf.d/varnish-%{_arch}.conf
 # No idea why these ends up with mode 600 in the debug package
 %if 0%{debug_package}
 chmod 644 lib/libvmod_*/*.c
 chmod 644 lib/libvmod_*/*.h
 %endif
 # selinux module for el6
 %if 0%{?rhel} == 6
 cd selinux
 make -f %{_datadir}/selinux/devel/Makefile
 install -p -m 644 -D varnish4.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/varnish4.pp
 %endif
 %files
 %{_sbindir}/*
@ -279,9 +270,18 @@ chmod 644 lib/libvmod_*/*.h
 %config %{_sysconfdir}/ld.so.conf.d/varnish-%{_arch}.conf
 # systemd from fedora 17 and rhel 7
 %if 0%{?fedora} >= 17 || 0%{?rhel} >= 7
 %{_unitdir}/varnish.service
 %{_unitdir}/varnishncsa.service
 # default is standard sysvinit
 %else
 %config(noreplace) %{_sysconfdir}/sysconfig/varnish
 %{_initrddir}/varnish
 %{_initrddir}/varnishncsa
 %endif
 %files devel
 %license LICENSE
 %doc README.rst
@ -296,6 +296,10 @@ chmod 644 lib/libvmod_*/*.h
 %doc doc/html
 %doc doc/changes*.html
 %if 0%{?rhel} == 6
 %files selinux
 %{_datadir}/selinux/packages/%{name}/varnish4.pp
 %endif
 %pre
 getent group varnish >/dev/null || groupadd -r varnish
@ -304,180 +308,99 @@ getent passwd varnish >/dev/null || \
               -c "Varnish Cache" varnish
 exit 0
 %post
-%systemd_post varnish varnishncsa
+%if 0%{?fedora} >= 17 || 0%{?rhel} >= 7
-/sbin/ldconfig
+%systemd_post varnish.service
 test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc/varnish/secret)
 %postun
 %systemd_postun_with_restart varnish varnishncsa
 /sbin/ldconfig
 %preun
 %systemd_preun varnish varnishncsa
 %changelog
 * Sat Mar 30 2024 Luboš Uhliarik <luhliari@redhat.com> - 6.6.2-4.1
 - Resolves: RHEL-30387 - varnish: HTTP/2 Broken Window Attack may result
  in denial of service (CVE-2024-30156)
 * Thu Oct 19 2023 Tomas Korbar <tkorbar@redhat.com> - 6.6.2-4
 - Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487
 - Resolves: RHEL-12817
 * Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.6.2-3
 - Resolves: #2142096 - CVE-2022-45060 varnish: Request Forgery Vulnerability
 * Thu Feb 17 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.6.2-2
 - new version 6.6.2
 - Resolves: #2007641 - rebase Varnish to 6.6.2
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 6.5.2-2
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
 * Wed Jul 21 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.5.2-1
 - new version 6.5.2
 - Resolves: #1984185 - Rebase varnish to 6.5.2
 - Resolves: #1982858 - CVE-2021-36740 varnish: HTTP/2 request smuggling attack
  via a large Content-Length header for a POST request 
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 6.5.1-5
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Wed Feb 24 2021 Lubos Uhliarik <luhliari@redhat.com> - 6.5.1-4
 - Resolves: #1918406 - Drop jemalloc dependency in RHEL 9
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 6.5.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Thu Jan 21 2021 Ingvar Hagelund <ingvar@redpill-linpro.com> 6.5.1-2
 - Pulled support for el6
 - Pulled support for sysvinit
 - aarch64 builds now with jemalloc again on el7
 * Fri Sep 25 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> 6.5.1-1
 - New upstream release varnish-6.5.1
 * Wed Sep 16 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> 6.5.0-1
 - New upstream release varnish-6.5.0
 - Respun silly patch to get rid of compiler warnings on el6
 * Tue Aug 04 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> 6.4.0-4
 - Added -Wno-error=free-nonheap-object to CFLAGS to build on s390x
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.4.0-3
+# Other distros: Use chkconfig
- Second attempt - Rebuilt for
+%else
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+/sbin/chkconfig --add varnish
-
+/sbin/chkconfig --add varnishncsa 
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.4.0-2
+%endif
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Mon Mar 16 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.4.0-1
 - New upstream release
 - Respin patches for 6.4.0
 - Removed patches merged upstream
 - Deactivated a test on s390*. Too hard to get size and timing right
 * Wed Feb 12 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.3.2-3
 - Got corrected compilation fix patch from upstream
 * Tue Feb 11 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.3.2-2
 - Added simple compilation fix for gcc-10.0.1/s390x
 * Tue Feb 11 2020 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.3.2-1
 - New upstream release, a security release. Includes fix for VSV00005
 - Added new checkout of pkg-varnish
 - Temporarily disable haproxy unit tests, as haproxy seems broken in rawhide
 * Mon Feb 10 2020 Joe Orton <jorton@redhat.com> - 6.3.1-3
 - drop buildreq on (retired) vttest (#1800232)
 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.3.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Tue Oct 22 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.3.1-1
 - New upstream release. A security release. Includes fix for VSV00004
 * Fri Sep 20 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.3.0-2
 - Respin patch for el6
 * Mon Sep 16 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.3.0-1
 - New upstream release
 * Wed Sep 04 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.2.1-4
 - New upstream release. A security release. Includes fix for CVE-2019-15892
 * Thu Aug 08 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.2.0-4
 - Pull in extra requirements to the build requirements to run more
  tests (on fedora: haproxy, vttest)
-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 6.2.0-3
+/sbin/ldconfig
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-* Thu Apr 04 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.2.0-2
+# Previous versions had varnishlog and varnishncsa running as root
- Run configure with LT_SYS_LIBRARY_PATH, removing the need for
+chown varnish:varnish /var/log/varnish/varnishncsa.log 2>/dev/null || true
  killing RPATH in libtool with sed and scattering LD_LIBRARY_PATH around
  with patches
 - Some explicit python version fixes needed for el7 python34 vs python36
 - aarch64 now builds with jemalloc again on fedora
-* Fri Mar 15 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.2.0-1
+test -f /etc/varnish/secret || (uuidgen > /etc/varnish/secret && chmod 0600 /etc/varnish/secret)
 - New upstream release varnish-6.2
 - Removed patches merged upstream
 - Remove misc sed hacks for bugs that are fixed upstream
 - Added a patch for gcc-4.4 -Werror support on el6
 - Added a patch from upstream to fix too small thread pool stack in a test
 - Override macro __python to make brp-python-bytecompile choose python3
 - Explicitly use python-3.4
 - Switch to make_install macro
 - Better documentation of patches
 - Updated checkout of pkg-varnish-cache
-* Thu Mar 07 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.1-5
+# selinux module for el6
- Adding a patch based on upstream commits, fixing pcre-jit, see 
+%if 0%{?rhel} == 6
-  upstream bug 2912
+%post selinux
 if [ "$1" -le "1" ] ; then # First install
 semodule -i %{_datadir}/selinux/packages/%{name}/varnish4.pp 2>/dev/null || :
 fi
-* Thu Feb 14 2019 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.1-4
+%preun selinux
- Adding a patch from upstream fixing a simple formatting bug on gcc-9
+if [ "$1" -lt "1" ] ; then # Final removal
 semodule -r varnish4 2>/dev/null || :
 fi
-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 6.1.1-3
+%postun
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
 %systemd_postun_with_restart varnish.service
 %endif
 /sbin/ldconfig
 * Wed Nov 07 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.1-2
 - Respun ld_library_path patch for varnish-6.1.1
-* Wed Nov 07 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.1-1
+%postun selinux
- New upstream release
+if [ "$1" -ge "1" ] ; then # Upgrade
 semodule -i %{_datadir}/selinux/packages/%{name}/varnish4.pp 2>/dev/null || :
 fi
-* Tue Nov 06 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.0-3
+%endif
 - Dropped the depricated external dependency generator in Fedora
 - Hard coded vmod, abi and vrt provides
-* Fri Nov 02 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.0-2
+%preun
 - Added a patch to fix a failing test in the testsuite
-* Fri Nov 02 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.1.0-1
+%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
- New upstream release
+%systemd_preun varnish.service
- Respin patches for 6.1.0
+%else
 - Disable pcre-jit for now, ref upstream bug #2817
-* Tue Oct 09 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.0.1-3
+if [ $1 -lt 1 ]; then
- Explicitly using utf8 under install on el6 and el7 for python quirks
+  # Package removal, not upgrade
  %if 0%{?fedora} >= 17 || 0%{?rhel} >= 7
  /bin/systemctl --no-reload disable varnish.service > /dev/null 2>&1 || :
  /bin/systemctl stop varnish.service > /dev/null 2>&1 || :
  /bin/systemctl stop varnishncsa.service > /dev/null 2>&1 || :
  %else
  /sbin/service varnish stop > /dev/null 2>&1
  /sbin/service varnishncsa stop > /dev/null 2>%1
  /sbin/chkconfig --del varnish
  /sbin/chkconfig --del varnishncsa 
  %endif
 fi
 %endif
 * Tue Oct 09 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.0.1-2
 - Explicitly using python3 on all targets
-* Thu Sep 27 2018 Ingvar Hagelund <ingvar@redpill-linpro.com> - 6.0.1-1
+%changelog
- New upstream release
+* Thu Mar 28 2024 Luboš Uhliarik <luhliari@redhat.com> - 6.0.13-1
- Removed graphciz from BuildRequires. It is not used
+- new version 6.0.13
- Removed patch for fortify_source on el6. It is merged upstream
+- Resolves: RHEL-30378 - varnish:6/varnish: HTTP/2 Broken Window Attack may
- Small workaround for test suite problem with old readline/curses on el6
+  result in denial of service (CVE-2024-30156)
- Supports bcond_with python3, for simpler future deprication of python2
+
- Added -fno-exceptions to CFLAGS on el6, see upstream issue #2793
+* Tue Feb 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1.1
 - Resolves: #2047648 - CVE-2022-23959 varnish:6/varnish: Varnish HTTP/1 Request
  Smuggling Vulnerability
 * Thu Jul 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 6.0.8-1
 - new version 6.0.8
 - Resolves: #1982862 - CVE-2021-36740 varnish:6/varnish: HTTP/2 request
  smuggling attack via a large Content-Length header for a POST request
 * Tue Apr 14 2020 Lubos Uhliarik <luhliari@redhat.com> - 6.0.6-2
 - new version 6.0.6
 - Resolves: #1795673 - RFE: rebase varnish:6 to latest 6.0.x LTS
 - Resolves: #1790907 - CVE-2019-20637 varnish: not clearing pointer between two
  client requests leads to information disclosure
 - Resolves: #1763958 - CVE-2019-15892 varnish:6/varnish: denial of service 
  handling certain crafted HTTP/1 requests 
 * Mon Oct 08 2018 Lubos Uhliarik <luhliari@redhat.com> - 6.0.2-1
 - new version 6.0.2 (#1633338)
 * Wed Aug 01 2018 Luboš Uhliarik <luhliari@redhat.com> - 6.0.0-3
 - Resolves: #1591765 - varnish: Remove dependency on jemalloc
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6.0.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
`@ -1,2 +1,2 @@`
	`SOURCES/pkg-varnish-cache-ec7ad9e.tar.gz`	`SOURCES/pkg-varnish-cache-0ad2f22.tar.gz`
	`SOURCES/varnish-6.6.2.tgz`	`SOURCES/varnish-6.0.13.tgz`
`@ -1,2 +1,2 @@`
	`d15a2afe52d546c45b46875b656ec3542c69e2f2 SOURCES/pkg-varnish-cache-ec7ad9e.tar.gz`	`db2cd6c296e7f19d65c09e642b7011338d9d0e04 SOURCES/pkg-varnish-cache-0ad2f22.tar.gz`
	`d2423c88186f5d409c72870199c8b46d489fdb48 SOURCES/varnish-6.6.2.tgz`	`614d305e69b01255347f33000f76ed6a4fa3c3f7 SOURCES/varnish-6.0.13.tgz`