openSUSE-SU-2024:0220-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2024:0220-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2024:0220-1
Related
Published
2024-07-26T10:03:44Z
Modified
2024-07-26T10:03:44Z
Summary
Security update for caddy
Details

This update for caddy fixes the following issues:

  • Update to version 2.8.4:

    • cmd: fix regression in auto-detect of Caddyfile (#6362)
    • Tag v2.8.3 was mistakenly made on the v2.8.2 commit and is skipped

  • Update to version 2.8.2:

    • cmd: fix auto-detetction of .caddyfile extension (#6356)
    • caddyhttp: properly sanitize requests for root path (#6360)
    • caddytls: Implement certmagic.RenewalInfoGetter
    • build(deps): bump golangci/golangci-lint-action from 5 to 6 (#6361)

  • Update to version 2.8.1:

    • caddyhttp: Fix merging consecutive client_ip or remote_ip matchers (#6350)
    • core: MkdirAll appDataDir in InstanceID with 0o700 (#6340)

  • Update to version 2.8.0:

    • acmeserver: Add sign_with_root for Caddyfile (#6345)
    • caddyfile: Reject global request matchers earlier (#6339)
    • core: Fix bug in AppIfConfigured (fix #6336)
    • fix a typo (#6333)
    • autohttps: Move log WARN to INFO, reduce confusion (#6185)
    • reverseproxy: Support HTTP/3 transport to backend (#6312)
    • context: AppIfConfigured returns error; consider not-yet-provisioned modules (#6292)
    • Fix lint error about deprecated method in smallstep/certificates/authority
    • go.mod: Upgrade dependencies
    • caddytls: fix permission requirement with AutomationPolicy (#6328)
    • caddytls: remove ClientHelloSNICtxKey (#6326)
    • caddyhttp: Trace individual middleware handlers (#6313)
    • templates: Add pathEscape template function and use it in file browser (#6278)
    • caddytls: set server name in context (#6324)
    • chore: downgrade minimum Go version in go.mod (#6318)
    • caddytest: normalize the JSON config (#6316)
    • caddyhttp: New experimental handler for intercepting responses (#6232)
    • httpcaddyfile: Set challenge ports when httpport or httpsport are used
    • logging: Add support for additional logger filters other than hostname (#6082)
    • caddyhttp: Log 4xx as INFO; 5xx as ERROR (close #6106)
    • Second half of 6dce493
    • caddyhttp: Alter log message when request is unhandled (close #5182)
    • chore: Bump Go version in CI (#6310)
    • go.mod: go 1.22.3
    • Fix typos (#6311)
    • reverseproxy: Pointer to struct when loading modules; remove LazyCertPool (#6307)
    • tracing: add trace_id var (http.vars.trace_id placeholder) (#6308)
    • go.mod: CertMagic v0.21.0
    • reverseproxy: Implement healthfollowredirects (#6302)
    • caddypki: Allow use of root CA without a key. Fixes #6290 (#6298)
    • go.mod: Upgrade to quic-go v0.43.1
    • reverseproxy: HTTP transport: fix PROXY protocol initialization (#6301)
    • caddytls: Ability to drop connections (close #6294)
    • build(deps): bump golangci/golangci-lint-action from 4 to 5 (#6289)
    • httpcaddyfile: Fix expression matcher shortcut in snippets (#6288)
    • caddytls: Evict internal certs from cache based on issuer (#6266)
    • chore: add warn logs when using deprecated fields (#6276)
    • caddyhttp: Fix linter warning about deprecation
    • go.mod: Upgrade to quic-go v0.43.0
    • fileserver: Set 'Vary: Accept-Encoding' header (see #5849)
    • events: Add debug log
    • reverseproxy: handle buffered data during hijack (#6274)
    • ci: remove android and plan9 from cross-build workflow (#6268)
    • run golangci-lint run --fix --fast (#6270)
    • caddytls: Option to configure certificate lifetime (#6253)
    • replacer: Implement file.* global replacements (#5463)
    • caddyhttp: Address some Go 1.20 features (#6252)
    • Quell linter (false positive)
    • reverseproxy: Add graceperiod for SRV upstreams to Caddyfile (#6264)
    • doc: add verifier in ClientAuthentication caddyfile marshaler doc (#6263)
    • caddytls: Add Caddyfile support for on-demand permission module (close #6260)
    • reverseproxy: Remove long-deprecated buffering properties
    • reverseproxy: Reuse buffered request body even if partially drained
    • reverseproxy: Accept EOF when buffering
    • logging: Fix default access logger (#6251)
    • fileserver: Improve Vary handling (#5849)
    • cmd: Only validate config is proper JSON if config slice has data (#6250)
    • staticresp: Use the evaluated response body for sniffing JSON content-type (#6249)
    • encode: Slight fix for the previous commit
    • encode: Improve Etag handling (fix #5849)
    • httpcaddyfile: Skip automate loader if disable_certs is specified (fix #6148)
    • caddyfile: Populate regexp matcher names by default (#6145)
    • caddyhttp: record num. bytes read when response writer is hijacked (#6173)
    • caddyhttp: Support multiple logger names per host (#6088)
    • chore: fix some typos in comments (#6243)
    • encode: Configurable compression level for zstd (#6140)
    • caddytls: Remove shim code supporting deprecated lego-dns (#6231)
    • connection policy: add local_ip matcher (#6074)
    • reverseproxy: Wait for both ends of websocket to close (#6175)
    • caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229)
    • caddytls: Still provision permission module if ask is specified
    • fileserver: read etags from precomputed files (#6222)
    • fileserver: Escape # and ? in img src (fix #6237)
    • reverseproxy: Implement modular CA provider for TLS transport (#6065)
    • caddyhttp: Apply auto HTTPS redir to all interfaces (fix #6226)
    • cmd: Fix panic related to config filename (fix #5919)
    • cmd: Assume Caddyfile based on filename prefix and suffix (#5919)
    • admin: Make Etag a header, not a trailer (#6208)
    • caddyhttp: remove duplicate strings.Count in path matcher (fixes #6233) (#6234)
    • caddyconfig: Use empty struct instead of bool in map (close #6224) (#6227)
    • gitignore: Add rule for caddyfile.go (#6225)
    • chore: Fix broken links in README.md (#6223)
    • chore: Upgrade some dependencies (#6221)
    • caddyhttp: Add plaintext response to file_server browse (#6093)
    • admin: Use xxhash for etag (#6207)
    • modules: fix some typo in conments (#6206)
    • caddyhttp: Replace sensitive headers with REDACTED (close #5669)
    • caddyhttp: close quic connections when server closes (#6202)
    • reverseproxy: Use xxhash instead of fnv32 for LB (#6203)
    • caddyhttp: add http.request.local{,.host,.port} placeholder (#6182)
    • chore: upgrade deps (#6198)
    • chore: remove repetitive word (#6193)
    • Added a null check to avoid segfault on rewrite query ops (#6191)
    • rewrite: uri query replace operation (#6165)
    • logging: support ms duration format and add docs (#6187)
    • replacer: use RWMutex to protect static provider (#6184)
    • caddyhttp: Allow header replacement with empty string (#6163)
    • vars: Make nil values act as empty string instead of '<nil>' (#6174)
    • chore: Update quic-go to v0.42.0 (#6176)
    • caddyhttp: Accept XFF header values with ports, when parsing client IP (#6183)
    • reverseproxy: configurable active healthpasses and healthfails (#6154)
    • reverseproxy: Configurable forward proxy URL (#6114)
    • caddyhttp: upgrade to cel v0.20.0 (#6161)
    • chore: Bump Chroma to v2.13.0, includes new Caddyfile lexer (#6169)
    • caddyhttp: suppress flushing if the response is being buffered (#6150)
    • chore: encode: use FlushError instead of Flush (#6168)
    • encode: write status immediately when status code is informational (#6164)
    • httpcaddyfile: Keep deprecated skip_log in directive order (#6153)
    • httpcaddyfile: Add RegisterDirectiveOrder function for plugin authors (#5865)
    • rewrite: Implement uri query operations (#6120)
    • fix struct names (#6151)
    • fileserver: Preserve query during canonicalization redirect (#6109)
    • logging: Implement log_append handler (#6066)
    • httpcaddyfile: Allow nameless regexp placeholder shorthand (#6113)
    • logging: Implement append encoder, allow flatter filters config (#6069)
    • ci: fix the integration test TestLeafCertLoaders (#6149)
    • vars: Allow overriding http.auth.user.id in replacer as a special case (#6108)
    • caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050)
    • cmd: Adjust config load logs/errors (#6032)
    • reverseproxy: SRV dynamic upstream failover (#5832)
    • ci: bump golangci/golangci-lint-action from 3 to 4 (#6141)
    • core: OnExit hooks (#6128)
    • cmd: fix the output of the Usage section (#6138)
    • caddytls: verifier: caddyfile: re-add Caddyfile support (#6127)
    • acmeserver: add policy field to define allow/deny rules (#5796)
    • reverseproxy: cookie should be Secure and SameSite=None when TLS (#6115)
    • caddytest: Rename adapt tests to *.caddyfiletest extension (#6119)
    • tests: uses testing.TB interface for helper to be able to use test server in benchmarks. (#6103)
    • caddyfile: Assert having a space after heredoc marker to simply check (#6117)
    • chore: Update Chroma to get the new Caddyfile lexer (#6118)
    • reverseproxy: use context.WithoutCancel (#6116)
    • caddyfile: Reject directives in the place of site addresses (#6104)
    • caddyhttp: Register post-shutdown callbacks (#5948)
    • caddyhttp: Only attempt to enable full duplex for HTTP/1.x (#6102)
    • caddyauth: Drop support for scrypt (#6091)
    • Revert 'caddyfile: Reject long heredoc markers (#6098)' (#6100)
    • caddyauth: Rename basicauth to basic_auth (#6092)
    • logging: Inline Caddyfile syntax for ip_mask filter (#6094)
    • caddyfile: Reject long heredoc markers (#6098)
    • chore: Rename CI jobs, run on M1 mac (#6089)
    • update comment
    • improved list
    • fix: add back text/*
    • fix: add more media types to the compressed by default list
    • acmeserver: support specifying the allowed challenge types (#5794)
    • matchers: Drop forwarded option from remote_ip matcher (#6085)
    • caddyhttp: Test cases for %2F and %252F (#6084)
    • bump to golang 1.22 (#6083)
    • fileserver: Browse can show symlink target if enabled (#5973)
    • core: Support NO_COLOR env var to disable log coloring (#6078)
    • build(deps): bump peter-evans/repository-dispatch from 2 to 3 (#6080)
    • Update comment in setcap helper script
    • caddytls: Make on-demand 'ask' permission modular (#6055)
    • core: Add ctx.Slogger() which returns an slog logger (#5945)
    • chore: Update quic-go to v0.41.0, bump Go minimum to 1.21 (#6043)
    • chore: enabling a few more linters (#5961)
    • caddyfile: Correctly close the heredoc when the closing marker appears immediately (#6062)
    • caddyfile: Switch to slices.Equal for better performance (#6061)
    • tls: modularize trusted CA providers (#5784)
    • logging: Automatic wrap default for filter encoder (#5980)
    • caddyhttp: Fix panic when request missing ClientIPVarKey (#6040)
    • caddyfile: Normalize & flatten all unmarshalers (#6037)
    • cmd: reverseproxy: log: use caddy logger (#6042)
    • matchers: query now ANDs multiple keys (#6054)
    • caddyfile: Add heredoc support to fmt command (#6056)
    • refactor: move automaxprocs init in caddycmd.Main()
    • caddyfile: Allow heredoc blank lines (#6051)
    • httpcaddyfile: Add optional status code argument to handle_errors directive (#5965)
    • httpcaddyfile: Rewrite root and rewrite parsing to allow omitting matcher (#5844)
    • fileserver: Implement caddyfile.Unmarshaler interface (#5850)
    • reverseproxy: Add tls_curves option to HTTP transport (#5851)
    • caddyhttp: Security enhancements for client IP parsing (#5805)
    • replacer: Fix escaped closing braces (#5995)
    • filesystem: Globally declared filesystems, fs directive (#5833)
    • ci/cd: use the build tag nobadger to exclude badgerdb (#6031)
    • httpcaddyfile: Fix redir <to> html (#6001)
    • httpcaddyfile: Support client auth verifiers (#6022)
    • tls: add reuseprivatekeys (#6025)
    • reverseproxy: Only change Content-Length when full request is buffered (#5830)
    • Switch Solaris-derivatives away from listen_unix (#6021)
    • build(deps): bump actions/upload-artifact from 3 to 4 (#6013)
    • build(deps): bump actions/setup-go from 4 to 5 (#6012)
    • chore: check against errors of io/fs instead of os (#6011)
    • caddyhttp: support unix sockets in caddy respond command (#6010)
    • fileserver: Add total file size to directory listing (#6003)
    • httpcaddyfile: Fix cert file decoding to load multiple PEM in one file (#5997)
    • build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#5994)
    • cmd: use automaxprocs for better perf in containers (#5711)
    • logging: Add zap.Option support (#5944)
    • httpcaddyfile: Sort skip_hosts for deterministic JSON (#5990)
    • metrics: Record request metrics on HTTP errors (#5979)
    • go.mod: Updated quic-go to v0.40.1 (#5983)
    • fileserver: Enable compression for command by default (#5855)
    • fileserver: New --precompressed flag (#5880)
    • caddyhttp: Add uuid to access logs when used (#5859)
    • proxyprotocol: use github.com/pires/go-proxyproto (#5915)
    • cmd: Preserve LastModified date when exporting storage (#5968)
    • core: Always make AppDataDir for InstanceID (#5976)
    • chore: cross-build for AIX (#5971)
    • caddytls: Sync distributed storage cleaning (#5940)
    • caddytls: Context to DecisionFunc (#5923)
    • tls: accept placeholders in string values of certificate loaders (#5963)
    • templates: Offically make templates extensible (#5939)
    • http2 uses new round-robin scheduler (#5946)
    • panic when reading from backend failed to propagate stream error (#5952)
    • chore: Bump otel to v1.21.0. (#5949)
    • httpredirectlistener: Only set read limit for when request is HTTP (#5917)
    • fileserver: Add .m4v for browse template icon
    • Revert 'caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)' (#5924)
    • go.mod: update quic-go version to v0.40.0 (#5922)
    • update quic-go to v0.39.3 (#5918)
    • chore: Fix usage pool comment (#5916)
    • test: acmeserver: add smoke test for the ACME server directory (#5914)
    • Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
    • caddyhttp: Adjust scheme placeholder docs (#5910)
    • go.mod: Upgrade quic-go to v0.39.1
    • go.mod: CVE-2023-45142 Update opentelemetry (#5908)
    • templates: Delete headers on httpError to reset to clean slate (#5905)
    • httpcaddyfile: Remove port from logger names (#5881)
    • core: Apply SO_REUSEPORT to UDP sockets (#5725)
    • caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)
    • cmd: Add newline character to version string in CLI output (#5895)
    • core: quic listener will manage the underlying socket by itself (#5749)
    • templates: Clarify include args docs, add .ClientIP (#5898)
    • httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)
    • cmd: upgrade: resolve symlink of the executable (#5891)
    • caddyfile: Fix variadic placeholder false positive when token contains : (#5883)

  • CVEs:

    • CVE-2024-22189 (boo#1222468)
    • CVE-2023-45142

  • Update to version 2.7.6:

    • caddytls: Sync distributed storage cleaning (#5940)
    • caddytls: Context to DecisionFunc (#5923)
    • tls: accept placeholders in string values of certificate loaders (#5963)
    • templates: Offically make templates extensible (#5939)
    • http2 uses new round-robin scheduler (#5946)
    • panic when reading from backend failed to propagate stream error (#5952)
    • chore: Bump otel to v1.21.0. (#5949)
    • httpredirectlistener: Only set read limit for when request is HTTP (#5917)
    • fileserver: Add .m4v for browse template icon
    • Revert 'caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)' (#5924)
    • go.mod: update quic-go version to v0.40.0 (#5922)
    • update quic-go to v0.39.3 (#5918)
    • chore: Fix usage pool comment (#5916)
    • test: acmeserver: add smoke test for the ACME server directory (#5914)
    • Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
    • caddyhttp: Adjust scheme placeholder docs (#5910)
    • go.mod: Upgrade quic-go to v0.39.1
    • go.mod: CVE-2023-45142 Update opentelemetry (#5908)
    • templates: Delete headers on httpError to reset to clean slate (#5905)
    • httpcaddyfile: Remove port from logger names (#5881)
    • core: Apply SO_REUSEPORT to UDP sockets (#5725)
    • caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)
    • cmd: Add newline character to version string in CLI output (#5895)
    • core: quic listener will manage the underlying socket by itself (#5749)
    • templates: Clarify include args docs, add .ClientIP (#5898)
    • httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)
    • cmd: upgrade: resolve symlink of the executable (#5891)
    • caddyfile: Fix variadic placeholder false positive when token contains : (#5883)

  • Update to version 2.7.5:

    • admin: Respond with 4xx on non-existing config path (#5870)
    • ci: Force the Go version for govulncheck (#5879)
    • fileserver: Set canonical URL on browse template (#5867)
    • tls: Add X25519Kyber768Draft00 PQ 'curve' behind build tag (#5852)
    • reverseproxy: Add more debug logs (#5793)
    • reverseproxy: Fix least_conn policy regression (#5862)
    • reverseproxy: Add logging for dynamic A upstreams (#5857)
    • reverseproxy: Replace health header placeholders (#5861)
    • httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output (#5860)
    • cmd: Fix exiting with custom status code, add caddy -v (#5874)
    • reverseproxy: fix parsing Caddyfile fails for unlimited request/response buffers (#5828)
    • reverseproxy: Fix retries on 'upstreams unavailable' error (#5841)
    • httpcaddyfile: Enable TLS for catch-all site if tls directive is specified (#5808)
    • encode: Add application/wasm* to the default content types (#5869)
    • fileserver: Add command shortcuts -l and -a (#5854)
    • go.mod: Upgrade dependencies incl. x/net/http
    • templates: Add dummy RemoteAddr to httpInclude request, proxy compatibility (#5845)
    • reverseproxy: Allow fallthrough for response handlers without routes (#5780)
    • fix: caddytest.AssertResponseCode error message (#5853)
    • build(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5847)
    • build(deps): bump actions/checkout from 3 to 4 (#5846)
    • caddyhttp: Use LimitedReader for HTTPRedirectListener
    • fileserver: browse template SVG icons and UI tweaks (#5812)
    • reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams (#5811)
    • httpcaddyfile: fix placeholder shorthands in named routes (#5791)
    • cmd: Prevent overwriting existing env vars with --envfile (#5803)
    • ci: Run govulncheck (#5790)
    • logging: query filter for array of strings (#5779)
    • logging: Clone array on log filters, prevent side-effects (#5786)
    • fileserver: Export BrowseTemplate
    • ci: ensure short-sha is exported correctly on all platforms (#5781)
    • caddyfile: Fix case where heredoc marker is empty after newline (#5769)
    • go.mod: Update quic-go to v0.38.0 (#5772)
    • chore: Appease gosec linter (#5777)
    • replacer: change timezone to UTC for 'time.now.http' placeholders (#5774)
    • caddyfile: Adjust error formatting (#5765)
    • update quic-go to v0.37.6 (#5767)
    • httpcaddyfile: Stricter errors for site and upstream address schemes (#5757)
    • caddyfile: Loosen heredoc parsing (#5761)
    • fileserver: docs: clarify the ability to produce JSON array with browse (#5751)
    • fix package typo (#5764)
References

Affected packages

SUSE:Package Hub 15 SP6 / caddy

Package

Name
caddy
Purl
purl:rpm/suse/caddy&distro=SUSE%20Package%20Hub%2015%20SP6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.4-bp156.3.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "caddy": "2.8.4-bp156.3.3.1",
            "caddy-bash-completion": "2.8.4-bp156.3.3.1",
            "caddy-fish-completion": "2.8.4-bp156.3.3.1",
            "caddy-zsh-completion": "2.8.4-bp156.3.3.1"
        }
    ]
}

openSUSE:Leap 15.6 / caddy

Package

Name
caddy
Purl
purl:rpm/suse/caddy&distro=openSUSE%20Leap%2015.6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.4-bp156.3.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "caddy": "2.8.4-bp156.3.3.1",
            "caddy-bash-completion": "2.8.4-bp156.3.3.1",
            "caddy-fish-completion": "2.8.4-bp156.3.3.1",
            "caddy-zsh-completion": "2.8.4-bp156.3.3.1"
        }
    ]
}