openSUSE-SU-2022:0148-1
Security update for varnish (important)
Published: May 27, 2022 (lists.opensuse.org)

CVSS3: 9.1 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: NONE

CVSS2: 6.4 Medium (AV:N/AC:L/Au:N/C:P/I:P/A:N)
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: NONE

An update that solves two vulnerabilities and has one
errata is now available.

Description:

This update for varnish fixes the following issues:

varnish was updated to release 7.1.0 [boo#1195188] [CVE-2022-23959]

  • VCL: It is now possible to assign a BLOB value to a BODY variable, in
    addition to STRING as before.
  • VMOD: New STRING strftime(TIME time, STRING format) function for UTC
    formatting.

Update to release 6.6.1

  • CVE-2021-36740: Fix an HTTP/2.0 request smuggling vulnerability.
    [boo#1188470]

Update to release 6.6.0:

  • The ban_cutoff parameter now refers to the overall length of the ban
    list, including completed bans, where before only non-completed
    (“active”) bans were counted towards ban_cutoff.
  • Body bytes accounting has been fixed to always represent the number of
    body bytes moved on the wire, exclusive of protocol-specific overhead
    like HTTP/1 chunked encoding or HTTP/2 framing.
  • The connection close reason has been fixed to properly report
    SC_RESP_CLOSE where previously only SC_REQ_CLOSE was reported.
  • Unless the new validate_headers feature is disabled, all newly set
    headers are now validated to contain only characters allowed by RFC7230.
  • The filter_re, keep_re and get_re functions from the bundled cookie vmod
    have been changed to take the VCL_REGEX type. This implies that their
    regular expression arguments now need to be literal, not e.g. string.
  • The interface for private pointers in VMODs has been changed, the VRT
    backend interface has been changed, many filter (VDP/VFP) related
    signatures have been changed, and the stevedore API has been changed.
    (Details thereto, see online changelog.)
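
The validate_headers feature in the list above rejects newly set headers whose name or value contains characters outside what RFC 7230 permits; the practical effect is that a value cannot carry CR, LF or NUL and so cannot terminate the header line or the message early. The following Python is an added illustration of that character-class check, not Varnish's own code; the function names and the sample headers are constructed for the example.

```python
import re

# RFC 7230 section 3.2.6: token = 1*tchar. A header field name must be a token.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def valid_field_name(name: bytes) -> bool:
    """True if `name` is an RFC 7230 token (fullmatch, so a trailing LF fails)."""
    return _TOKEN.fullmatch(name) is not None


def valid_field_value(value: bytes) -> bool:
    """True if every byte of `value` is allowed in an RFC 7230 field-value.

    Allowed: VCHAR (0x21-0x7E), obs-text (0x80-0xFF), and SP / HTAB as
    separators between visible characters. Everything else, in particular
    CR, LF and NUL, is rejected. Leading/trailing whitespace is OWS, which
    sits outside the field-value, so it is rejected here as well.
    """
    for b in value:
        if b in (0x20, 0x09) or 0x21 <= b <= 0x7E or b >= 0x80:
            continue
        return False
    return value == value.strip(b" \t")


def check_headers(headers):
    """Return a list of problems found in a list of (name, value) byte pairs."""
    problems = []
    for name, value in headers:
        if not valid_field_name(name):
            problems.append(f"bad field name: {name!r}")
        if not valid_field_value(value):
            problems.append(f"bad field value for {name!r}: {value!r}")
    return problems


# Constructed sample headers (not from the advisory): two clean ones, a value
# carrying CR LF, a name containing a space, and a value containing NUL.
SAMPLE_HEADERS = [
    (b"X-Request-Id", b"abc123"),
    (b"X-Forwarded-For", b"203.0.113.7, 198.51.100.2"),
    (b"X-Note", b"hello\r\nX-Injected: 1"),   # CR/LF inside a value
    (b"Bad Name", b"x"),                        # SP is not a tchar
    (b"X-Nul", b"a\x00b"),                      # NUL is a control byte
]

if __name__ == "__main__":
    for problem in check_headers(SAMPLE_HEADERS):
        print(problem)
```

The check works on bytes rather than str so that obs-text (0x80-0xFF) is handled the way the RFC defines it; a str-based version would have to decide on an encoding first.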

Update to release 6.5.1

  • Bump the VRT_MAJOR_VERSION number defined in the vrt.h

Update to release 6.5.0

  • PRIV_TOP is now thread-safe to support parallel ESI implementations.
  • varnishstat’s JSON output format (-j option) has been changed.
  • Behavior for 304-type responses was changed not to update the
    Content-Encoding response header of the stored object.
  • Update Git-Web repository link

Update to release 6.4.0

  • The MAIN.sess_drop counter is gone.
  • backend “none” was added for “no backend”.
  • The hash algorithm of the hash director was changed, so backend
    selection will change once only when upgrading.
  • It is now possible for VMOD authors to customize the connection pooling
    of a dynamic backend.
  • For more, see changes.rst.

Update to release 6.3.2

  • Fix a denial of service vulnerability when using the proxy protocol
    version 2.

Update to release 6.3.0

  • The Host: header is folded to lower-case in the builtin_vcl.
  • Improved performance of shared memory statistics counters.
  • Synthetic objects created from vcl_backend_error {} now replace existing
    stale objects as ordinary backend fetches would (for details see
    changes.rst)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Backports SLE-15-SP3:

    zypper in -t patch openSUSE-2022-148=1
