varnish / varnish-modules

Collection of Varnish Cache modules (vmods) by Varnish Software

VMod releases for CVE-2023-44487 fix (7.3.1 / 7.4.2) #219

Closed theSCHAPPY closed 11 months ago

theSCHAPPY commented 11 months ago

Issue

The Varnish security releases of Nov. 2023 (7.3.1/7.4.2) addressing CVE-2023-44487 introduce a new version string, e.g. 7.3.1 or 7.4.2, which is considered incompatible by existing 7.3/7.4 vmods. After upgrading via debs from https://packagecloud.io/varnishcache/varnish73 or https://packagecloud.io/varnishcache/varnish74, the start of varnish fails due to missing vmods (if one of your local varnish rules makes use of any of these vmods).

Could you please release a vmod compatible with the aforementioned versions or reduce subversion string checking in varnish itself.

Error message

Error during startup of varnish server: ABI mismatch, expected <Varnish 7.3.1 f529d82f892cd4537b8272a18bac6c970be9deb6>, got <Varnish 7.3.0 84d79120b6d17b11819a663a93160743f293e63f>

Workaround

As a workaround for the time being, you might want to consider the following:

  1. download vmod source for your release tree
  2. install 7.3.1/7.4.2 varnish update, which fails during restart of the server
  3. recompile vmods and install from source
  4. start varnish server, everything should work

Many thanks in advance!

gquintard commented 11 months ago

Hi,

how did you install varnish-modules in this instance?

Kind regards,

theSCHAPPY commented 11 months ago

I have upgraded to Varnish 7.3 a while ago using the deb provided in the repository https://packagecloud.io/varnishcache/varnish73 for Debian 11 (bullseye). I had to build varnish-modules from the github source, because the repo does not contain it and the Debian maintainer's version is only compatible up to Varnish 7.1.1. The latest Varnish 7.3.1 was installed using aptitude dist-upgrade from the 7.3 repo.

I would have expected a pre-install check for compatible varnish-modules and not ending up in broken installation after the updated varnish server was unable to start due to missing compatible varnish-modules installed. Another great alternative would be to auto build corresponding varnish-modules deb and integrate them into the packagecloud repo.

Many thanks!

gquintard commented 11 months ago

yup, so, you need to recompile varnish-modules and that'll be it. As you've seen, there's an ABI check (using the git commit) that happens when the module is loaded, so you need to compile varnish-modules against the varnish version it will run with.

> I would have expected a pre-install check for compatible

as you compiled varnish-modules manually, there's no way for apt to know that they exist (not that you really had a choice). For example, if you look at the AUR repo, the varnish version is locked, preventing that kind of issue.

Anyway, recompiling will fix the issue, and you can use install-vmod to make things easier. Regarding packaging, that's being discussed, but no promises just yet.
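The pre-install check asked for above can be scripted locally, since the ABI string varnishd compares on load ("Varnish <version> <git commit>", as in the error message) is embedded in every compiled vmod. This is an added example, not code from the varnish-modules project; it assumes `varnishd -V` prints a first line of the form `varnishd (varnish-7.3.1 revision <commit>)`, that the vmods live in a directory such as /usr/lib/varnish/vmods, and it uses `tr` instead of `strings` so it does not depend on binutils. Run it before `apt dist-upgrade` (pointing it at the new varnishd) or right after, before restarting the service.

```shell
#!/bin/sh
# Pre-upgrade ABI check for locally built vmods (added example, not project code).

# Turn the first line of `varnishd -V` output into the "Varnish <ver> <commit>"
# form that varnishd prints in its "ABI mismatch" error.
varnishd_abi_from_version_output() {
    printf '%s\n' "$1" |
        sed -n '1s/^varnishd (varnish-\([^ ]*\) revision \([0-9a-f]*\)).*/Varnish \1 \2/p'
}

# Extract the ABI string a compiled vmod .so was built against. Non-printable
# bytes are turned into newlines so the embedded literal shows up as one line.
vmod_abi() {
    tr -c '[:print:]' '\n' < "$1" |
        grep '^Varnish [^ ][^ ]* [0-9a-f]\{7,40\}$' | head -n 1
}

# Exit status 0 when the two ABI strings are identical and non-empty.
abi_compatible() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Compare every libvmod_*.so in a directory against the installed varnishd.
# Usage: check_vmods /usr/lib/varnish/vmods   (path is an assumption)
check_vmods() {
    dir=$1
    daemon_abi=$(varnishd_abi_from_version_output "$(varnishd -V 2>&1)")
    rc=0
    for so in "$dir"/libvmod_*.so; do
        [ -e "$so" ] || continue
        mod_abi=$(vmod_abi "$so")
        if abi_compatible "$daemon_abi" "$mod_abi"; then
            echo "OK       $so"
        else
            echo "MISMATCH $so: expected <$daemon_abi>, got <$mod_abi>"
            rc=1
        fi
    done
    return $rc
}
```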

theSCHAPPY commented 11 months ago

Consider it done. Thanks for the fast help.