opensuse-su-2024:0220-1
Vulnerability from csaf_opensuse
Published
2024-07-26 10:03
Modified
2024-07-26 10:03
Summary
Security update for caddy

Notes

Title of the patch
Security update for caddy
Description of the patch
This update for caddy fixes the following issues:

- Update to version 2.8.4:

  * cmd: fix regression in auto-detect of Caddyfile (#6362)
  * Tag v2.8.3 was mistakenly made on the v2.8.2 commit and is skipped

- Update to version 2.8.2:

  * cmd: fix auto-detection of .caddyfile extension (#6356)
  * caddyhttp: properly sanitize requests for root path (#6360)
  * caddytls: Implement certmagic.RenewalInfoGetter
  * build(deps): bump golangci/golangci-lint-action from 5 to 6 (#6361)

- Update to version 2.8.1:

  * caddyhttp: Fix merging consecutive `client_ip` or `remote_ip` matchers (#6350)
  * core: MkdirAll appDataDir in InstanceID with 0o700 (#6340)

- Update to version 2.8.0:

  * acmeserver: Add `sign_with_root` for Caddyfile (#6345)
  * caddyfile: Reject global request matchers earlier (#6339)
  * core: Fix bug in AppIfConfigured (fix #6336)
  * fix a typo (#6333)
  * autohttps: Move log WARN to INFO, reduce confusion (#6185)
  * reverseproxy: Support HTTP/3 transport to backend (#6312)
  * context: AppIfConfigured returns error; consider not-yet-provisioned modules (#6292)
  * Fix lint error about deprecated method in smallstep/certificates/authority
  * go.mod: Upgrade dependencies
  * caddytls: fix permission requirement with AutomationPolicy (#6328)
  * caddytls: remove ClientHelloSNICtxKey (#6326)
  * caddyhttp: Trace individual middleware handlers (#6313)
  * templates: Add `pathEscape` template function and use it in file browser (#6278)
  * caddytls: set server name in context (#6324)
  * chore: downgrade minimum Go version in go.mod (#6318)
  * caddytest: normalize the JSON config (#6316)
  * caddyhttp: New experimental handler for intercepting responses (#6232)
  * httpcaddyfile: Set challenge ports when http_port or https_port are used
  * logging: Add support for additional logger filters other than hostname (#6082)
  * caddyhttp: Log 4xx as INFO; 5xx as ERROR (close #6106)
  * Second half of 6dce493
  * caddyhttp: Alter log message when request is unhandled (close #5182)
  * chore: Bump Go version in CI (#6310)
  * go.mod: go 1.22.3
  * Fix typos (#6311)
  * reverseproxy: Pointer to struct when loading modules; remove LazyCertPool (#6307)
  * tracing: add trace_id var (`http.vars.trace_id` placeholder) (#6308)
  * go.mod: CertMagic v0.21.0
  * reverseproxy: Implement health_follow_redirects (#6302)
  * caddypki: Allow use of root CA without a key. Fixes #6290 (#6298)
  * go.mod: Upgrade to quic-go v0.43.1
  * reverseproxy: HTTP transport: fix PROXY protocol initialization (#6301)
  * caddytls: Ability to drop connections (close #6294)
  * build(deps): bump golangci/golangci-lint-action from 4 to 5 (#6289)
  * httpcaddyfile: Fix expression matcher shortcut in snippets (#6288)
  * caddytls: Evict internal certs from cache based on issuer (#6266)
  * chore: add warn logs when using deprecated fields (#6276)
  * caddyhttp: Fix linter warning about deprecation
  * go.mod: Upgrade to quic-go v0.43.0
  * fileserver: Set 'Vary: Accept-Encoding' header (see #5849)
  * events: Add debug log
  * reverseproxy: handle buffered data during hijack (#6274)
  * ci: remove `android` and `plan9` from cross-build workflow (#6268)
  * run `golangci-lint run --fix --fast` (#6270)
  * caddytls: Option to configure certificate lifetime (#6253)
  * replacer: Implement `file.*` global replacements (#5463)
  * caddyhttp: Address some Go 1.20 features (#6252)
  * Quell linter (false positive)
  * reverse_proxy: Add grace_period for SRV upstreams to Caddyfile (#6264)
  * doc: add `verifier` in `ClientAuthentication` caddyfile marshaler doc (#6263)
  * caddytls: Add Caddyfile support for on-demand permission module (close #6260)
  * reverseproxy: Remove long-deprecated buffering properties
  * reverseproxy: Reuse buffered request body even if partially drained
  * reverseproxy: Accept EOF when buffering
  * logging: Fix default access logger (#6251)
  * fileserver: Improve Vary handling (#5849)
  * cmd: Only validate config is proper JSON if config slice has data (#6250)
  * staticresp: Use the evaluated response body for sniffing JSON content-type (#6249)
  * encode: Slight fix for the previous commit
  * encode: Improve Etag handling (fix #5849)
  * httpcaddyfile: Skip automate loader if disable_certs is specified (fix #6148)
  * caddyfile: Populate regexp matcher names by default (#6145)
  * caddyhttp: record num. bytes read when response writer is hijacked (#6173)
  * caddyhttp: Support multiple logger names per host (#6088)
  * chore: fix some typos in comments (#6243)
  * encode: Configurable compression level for zstd (#6140)
  * caddytls: Remove shim code supporting deprecated lego-dns (#6231)
  * connection policy: add `local_ip` matcher (#6074)
  * reverseproxy: Wait for both ends of websocket to close (#6175)
  * caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229)
  * caddytls: Still provision permission module if ask is specified
  * fileserver: read etags from precomputed files (#6222)
  * fileserver: Escape # and ? in img src (fix #6237)
  * reverseproxy: Implement modular CA provider for TLS transport (#6065)
  * caddyhttp: Apply auto HTTPS redir to all interfaces (fix #6226)
  * cmd: Fix panic related to config filename (fix #5919)
  * cmd: Assume Caddyfile based on filename prefix and suffix (#5919)
  * admin: Make `Etag` a header, not a trailer (#6208)
  * caddyhttp: remove duplicate strings.Count in path matcher (fixes #6233) (#6234)
  * caddyconfig: Use empty struct instead of bool in map (close #6224) (#6227)
  * gitignore: Add rule for caddyfile.go (#6225)
  * chore: Fix broken links in README.md (#6223)
  * chore: Upgrade some dependencies (#6221)
  * caddyhttp: Add plaintext response to `file_server browse` (#6093)
  * admin: Use xxhash for etag (#6207)
  * modules: fix some typo in comments (#6206)
  * caddyhttp: Replace sensitive headers with REDACTED (close #5669)
  * caddyhttp: close quic connections when server closes (#6202)
  * reverseproxy: Use xxhash instead of fnv32 for LB (#6203)
  * caddyhttp: add http.request.local{,.host,.port} placeholder (#6182)
  * chore: upgrade deps (#6198)
  * chore: remove repetitive word (#6193)
  * Added a null check to avoid segfault on rewrite query ops (#6191)
  * rewrite: `uri query` replace operation (#6165)
  * logging: support `ms` duration format and add docs (#6187)
  * replacer: use RWMutex to protect static provider (#6184)
  * caddyhttp: Allow `header` replacement with empty string (#6163)
  * vars: Make nil values act as empty string instead of `'<nil>'` (#6174)
  * chore: Update quic-go to v0.42.0 (#6176)
  * caddyhttp: Accept XFF header values with ports, when parsing client IP (#6183)
  * reverseproxy: configurable active health_passes and health_fails (#6154)
  * reverseproxy: Configurable forward proxy URL (#6114)
  * caddyhttp: upgrade to cel v0.20.0 (#6161)
  * chore: Bump Chroma to v2.13.0, includes new Caddyfile lexer (#6169)
  * caddyhttp: suppress flushing if the response is being buffered (#6150)
  * chore: encode: use FlushError instead of Flush (#6168)
  * encode: write status immediately when status code is informational (#6164)
  * httpcaddyfile: Keep deprecated `skip_log` in directive order (#6153)
  * httpcaddyfile: Add `RegisterDirectiveOrder` function for plugin authors (#5865)
  * rewrite: Implement `uri query` operations (#6120)
  * fix struct names (#6151)
  * fileserver: Preserve query during canonicalization redirect (#6109)
  * logging: Implement `log_append` handler (#6066)
  * httpcaddyfile: Allow nameless regexp placeholder shorthand (#6113)
  * logging: Implement `append` encoder, allow flatter filters config (#6069)
  * ci: fix the integration test `TestLeafCertLoaders` (#6149)
  * vars: Allow overriding `http.auth.user.id` in replacer as a special case (#6108)
  * caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050)
  * cmd: Adjust config load logs/errors (#6032)
  * reverseproxy: SRV dynamic upstream failover (#5832)
  * ci: bump golangci/golangci-lint-action from 3 to 4 (#6141)
  * core: OnExit hooks (#6128)
  * cmd: fix the output of the `Usage` section (#6138)
  * caddytls: verifier: caddyfile: re-add Caddyfile support (#6127)
  * acmeserver: add policy field to define allow/deny rules (#5796)
  * reverseproxy: cookie should be Secure and SameSite=None when TLS (#6115)
  * caddytest: Rename adapt tests to `*.caddyfiletest` extension (#6119)
  * tests: uses testing.TB interface for helper to be able to use test server in benchmarks. (#6103)
  * caddyfile: Assert having a space after heredoc marker to simply check (#6117)
  * chore: Update Chroma to get the new Caddyfile lexer (#6118)
  * reverseproxy: use context.WithoutCancel (#6116)
  * caddyfile: Reject directives in the place of site addresses (#6104)
  * caddyhttp: Register post-shutdown callbacks (#5948)
  * caddyhttp: Only attempt to enable full duplex for HTTP/1.x (#6102)
  * caddyauth: Drop support for `scrypt` (#6091)
  * Revert 'caddyfile: Reject long heredoc markers (#6098)' (#6100)
  * caddyauth: Rename `basicauth` to `basic_auth` (#6092)
  * logging: Inline Caddyfile syntax for `ip_mask` filter (#6094)
  * caddyfile: Reject long heredoc markers (#6098)
  * chore: Rename CI jobs, run on M1 mac (#6089)
  * update comment
  * improved list
  * fix: add back text/*
  * fix: add more media types to the compressed by default list
  * acmeserver: support specifying the allowed challenge types (#5794)
  * matchers: Drop `forwarded` option from `remote_ip` matcher (#6085)
  * caddyhttp: Test cases for `%2F` and `%252F` (#6084)
  * bump to golang 1.22 (#6083)
  * fileserver: Browse can show symlink target if enabled (#5973)
  * core: Support NO_COLOR env var to disable log coloring (#6078)
  * build(deps): bump peter-evans/repository-dispatch from 2 to 3 (#6080)
  * Update comment in setcap helper script
  * caddytls: Make on-demand 'ask' permission modular (#6055)
  * core: Add `ctx.Slogger()` which returns an `slog` logger (#5945)
  * chore: Update quic-go to v0.41.0, bump Go minimum to 1.21 (#6043)
  * chore: enabling a few more linters (#5961)
  * caddyfile: Correctly close the heredoc when the closing marker appears immediately (#6062)
  * caddyfile: Switch to slices.Equal for better performance (#6061)
  * tls: modularize trusted CA providers (#5784)
  * logging: Automatic `wrap` default for `filter` encoder (#5980)
  * caddyhttp: Fix panic when request missing ClientIPVarKey (#6040)
  * caddyfile: Normalize & flatten all unmarshalers (#6037)
  * cmd: reverseproxy: log: use caddy logger (#6042)
  * matchers: `query` now ANDs multiple keys (#6054)
  * caddyfile: Add heredoc support to `fmt` command (#6056)
  * refactor: move automaxprocs init in caddycmd.Main()
  * caddyfile: Allow heredoc blank lines (#6051)
  * httpcaddyfile: Add optional status code argument to `handle_errors` directive (#5965)
  * httpcaddyfile: Rewrite `root` and `rewrite` parsing to allow omitting matcher (#5844)
  * fileserver: Implement caddyfile.Unmarshaler interface (#5850)
  * reverseproxy: Add `tls_curves` option to HTTP transport (#5851)
  * caddyhttp: Security enhancements for client IP parsing (#5805)
  * replacer: Fix escaped closing braces (#5995)
  * filesystem: Globally declared filesystems, `fs` directive (#5833)
  * ci/cd: use the build tag `nobadger` to exclude badgerdb (#6031)
  * httpcaddyfile: Fix redir <to> html (#6001)
  * httpcaddyfile: Support client auth verifiers (#6022)
  * tls: add reuse_private_keys (#6025)
  * reverseproxy: Only change Content-Length when full request is buffered (#5830)
  * Switch Solaris-derivatives away from listen_unix (#6021)
  * build(deps): bump actions/upload-artifact from 3 to 4 (#6013)
  * build(deps): bump actions/setup-go from 4 to 5 (#6012)
  * chore: check against errors of `io/fs` instead of `os` (#6011)
  * caddyhttp: support unix sockets in `caddy respond` command (#6010)
  * fileserver: Add total file size to directory listing (#6003)
  * httpcaddyfile: Fix cert file decoding to load multiple PEM in one file (#5997)
  * build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#5994)
  * cmd: use automaxprocs for better perf in containers (#5711)
  * logging: Add `zap.Option` support (#5944)
  * httpcaddyfile: Sort skip_hosts for deterministic JSON (#5990)
  * metrics: Record request metrics on HTTP errors (#5979)
  * go.mod: Updated quic-go to v0.40.1 (#5983)
  * fileserver: Enable compression for command by default (#5855)
  * fileserver: New --precompressed flag (#5880)
  * caddyhttp: Add `uuid` to access logs when used (#5859)
  * proxyprotocol: use github.com/pires/go-proxyproto (#5915)
  * cmd: Preserve LastModified date when exporting storage (#5968)
  * core: Always make AppDataDir for InstanceID (#5976)
  * chore: cross-build for AIX (#5971)
  * caddytls: Sync distributed storage cleaning (#5940)
  * caddytls: Context to DecisionFunc (#5923)
  * tls: accept placeholders in string values of certificate loaders (#5963)
  * templates: Officially make templates extensible (#5939)
  * http2 uses new round-robin scheduler (#5946)
  * panic when reading from backend failed to propagate stream error (#5952)
  * chore: Bump otel to v1.21.0. (#5949)
  * httpredirectlistener: Only set read limit for when request is HTTP (#5917)
  * fileserver: Add .m4v for browse template icon
  * Revert 'caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)' (#5924)
  * go.mod: update quic-go version to v0.40.0 (#5922)
  * update quic-go to v0.39.3 (#5918)
  * chore: Fix usage pool comment (#5916)
  * test: acmeserver: add smoke test for the ACME server directory (#5914)
  * Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
  * caddyhttp: Adjust `scheme` placeholder docs (#5910)
  * go.mod: Upgrade quic-go to v0.39.1
  * go.mod: CVE-2023-45142 Update opentelemetry (#5908)
  * templates: Delete headers on `httpError` to reset to clean slate (#5905)
  * httpcaddyfile: Remove port from logger names (#5881)
  * core: Apply SO_REUSEPORT to UDP sockets (#5725)
  * caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)
  * cmd: Add newline character to version string in CLI output (#5895)
  * core: quic listener will manage the underlying socket by itself (#5749)
  * templates: Clarify `include` args docs, add `.ClientIP` (#5898)
  * httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)
  * cmd: upgrade: resolve symlink of the executable (#5891)
  * caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883)

- CVEs:
  * CVE-2024-22189 (boo#1222468)
  * CVE-2023-45142

- Update to version 2.7.6:

  * caddytls: Sync distributed storage cleaning (#5940)
  * caddytls: Context to DecisionFunc (#5923)
  * tls: accept placeholders in string values of certificate loaders (#5963)
  * templates: Officially make templates extensible (#5939)
  * http2 uses new round-robin scheduler (#5946)
  * panic when reading from backend failed to propagate stream error (#5952)
  * chore: Bump otel to v1.21.0. (#5949)
  * httpredirectlistener: Only set read limit for when request is HTTP (#5917)
  * fileserver: Add .m4v for browse template icon
  * Revert 'caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)' (#5924)
  * go.mod: update quic-go version to v0.40.0 (#5922)
  * update quic-go to v0.39.3 (#5918)
  * chore: Fix usage pool comment (#5916)
  * test: acmeserver: add smoke test for the ACME server directory (#5914)
  * Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
  * caddyhttp: Adjust `scheme` placeholder docs (#5910)
  * go.mod: Upgrade quic-go to v0.39.1
  * go.mod: CVE-2023-45142 Update opentelemetry (#5908)
  * templates: Delete headers on `httpError` to reset to clean slate (#5905)
  * httpcaddyfile: Remove port from logger names (#5881)
  * core: Apply SO_REUSEPORT to UDP sockets (#5725)
  * caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)
  * cmd: Add newline character to version string in CLI output (#5895)
  * core: quic listener will manage the underlying socket by itself (#5749)
  * templates: Clarify `include` args docs, add `.ClientIP` (#5898)
  * httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)
  * cmd: upgrade: resolve symlink of the executable (#5891)
  * caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883)

- Update to version 2.7.5:

  * admin: Respond with 4xx on non-existing config path (#5870)
  * ci: Force the Go version for govulncheck (#5879)
  * fileserver: Set canonical URL on browse template (#5867)
  * tls: Add X25519Kyber768Draft00 PQ 'curve' behind build tag (#5852)
  * reverseproxy: Add more debug logs (#5793)
  * reverseproxy: Fix `least_conn` policy regression (#5862)
  * reverseproxy: Add logging for dynamic A upstreams (#5857)
  * reverseproxy: Replace health header placeholders (#5861)
  * httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output (#5860)
  * cmd: Fix exiting with custom status code, add `caddy -v` (#5874)
  * reverseproxy: fix parsing Caddyfile fails for unlimited request/response buffers (#5828)
  * reverseproxy: Fix retries on 'upstreams unavailable' error (#5841)
  * httpcaddyfile: Enable TLS for catch-all site if `tls` directive is specified (#5808)
  * encode: Add `application/wasm*` to the default content types (#5869)
  * fileserver: Add command shortcuts `-l` and `-a` (#5854)
  * go.mod: Upgrade dependencies incl. x/net/http
  * templates: Add dummy `RemoteAddr` to `httpInclude` request, proxy compatibility (#5845)
  * reverseproxy: Allow fallthrough for response handlers without routes (#5780)
  * fix: caddytest.AssertResponseCode error message (#5853)
  * build(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5847)
  * build(deps): bump actions/checkout from 3 to 4 (#5846)
  * caddyhttp: Use LimitedReader for HTTPRedirectListener
  * fileserver: browse template SVG icons and UI tweaks (#5812)
  * reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams (#5811)
  * httpcaddyfile: fix placeholder shorthands in named routes (#5791)
  * cmd: Prevent overwriting existing env vars with `--envfile` (#5803)
  * ci: Run govulncheck (#5790)
  * logging: query filter for array of strings (#5779)
  * logging: Clone array on log filters, prevent side-effects (#5786)
  * fileserver: Export BrowseTemplate
  * ci: ensure short-sha is exported correctly on all platforms (#5781)
  * caddyfile: Fix case where heredoc marker is empty after newline (#5769)
  * go.mod: Update quic-go to v0.38.0 (#5772)
  * chore: Appease gosec linter (#5777)
  * replacer: change timezone to UTC for 'time.now.http' placeholders (#5774)
  * caddyfile: Adjust error formatting (#5765)
  * update quic-go to v0.37.6 (#5767)
  * httpcaddyfile: Stricter errors for site and upstream address schemes (#5757)
  * caddyfile: Loosen heredoc parsing (#5761)
  * fileserver: docs: clarify the ability to produce JSON array with `browse` (#5751)
  * fix package typo (#5764)
Patchnames
openSUSE-2024-220
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for caddy",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for caddy fixes the following issues:\n\n- Update to version 2.8.4:\n\n  * cmd: fix regression in auto-detect of Caddyfile (#6362)\n  * Tag v2.8.3 was mistakenly made on the v2.8.2 commit and is skipped\n\n- Update to version 2.8.2:\n\n  * cmd: fix auto-detetction of .caddyfile extension (#6356)\n  * caddyhttp: properly sanitize requests for root path (#6360)\n  * caddytls: Implement certmagic.RenewalInfoGetter\n  * build(deps): bump golangci/golangci-lint-action from 5 to 6 (#6361)\n\n- Update to version 2.8.1:\n\n  * caddyhttp: Fix merging consecutive `client_ip` or `remote_ip` matchers (#6350)\n  * core: MkdirAll appDataDir in InstanceID with 0o700 (#6340)\n\n- Update to version 2.8.0:\n\n  * acmeserver: Add `sign_with_root` for Caddyfile (#6345)\n  * caddyfile: Reject global request matchers earlier (#6339)\n  * core: Fix bug in AppIfConfigured (fix #6336)\n  * fix a typo (#6333)\n  * autohttps: Move log WARN to INFO, reduce confusion (#6185)\n  * reverseproxy: Support HTTP/3 transport to backend (#6312)\n  * context: AppIfConfigured returns error; consider not-yet-provisioned modules (#6292)\n  * Fix lint error about deprecated method in smallstep/certificates/authority\n  * go.mod: Upgrade dependencies\n  * caddytls: fix permission requirement with AutomationPolicy (#6328)\n  * caddytls: remove ClientHelloSNICtxKey (#6326)\n  * caddyhttp: Trace individual middleware handlers (#6313)\n  * templates: Add `pathEscape` template function and use it in file browser (#6278)\n  * caddytls: set server name in context (#6324)\n  * chore: downgrade minimum Go version in go.mod (#6318)\n  * caddytest: normalize the JSON config (#6316)\n  * caddyhttp: New experimental handler for intercepting responses (#6232)\n  * httpcaddyfile: Set challenge ports when http_port or https_port are used\n  * logging: Add support for additional logger filters other than hostname (#6082)\n  * caddyhttp: Log 4xx as INFO; 5xx as ERROR (close #6106)\n  * Second 
half of 6dce493\n  * caddyhttp: Alter log message when request is unhandled (close #5182)\n  * chore: Bump Go version in CI (#6310)\n  * go.mod: go 1.22.3\n  * Fix typos (#6311)\n  * reverseproxy: Pointer to struct when loading modules; remove LazyCertPool (#6307)\n  * tracing: add trace_id var (`http.vars.trace_id` placeholder) (#6308)\n  * go.mod: CertMagic v0.21.0\n  * reverseproxy: Implement health_follow_redirects (#6302)\n  * caddypki: Allow use of root CA without a key. Fixes #6290 (#6298)\n  * go.mod: Upgrade to quic-go v0.43.1\n  * reverseproxy: HTTP transport: fix PROXY protocol initialization (#6301)\n  * caddytls: Ability to drop connections (close #6294)\n  * build(deps): bump golangci/golangci-lint-action from 4 to 5 (#6289)\n  * httpcaddyfile: Fix expression matcher shortcut in snippets (#6288)\n  * caddytls: Evict internal certs from cache based on issuer (#6266)\n  * chore: add warn logs when using deprecated fields (#6276)\n  * caddyhttp: Fix linter warning about deprecation\n  * go.mod: Upgrade to quic-go v0.43.0\n  * fileserver: Set \u0027Vary: Accept-Encoding\u0027 header (see #5849)\n  * events: Add debug log\n  * reverseproxy: handle buffered data during hijack (#6274)\n  * ci: remove `android` and `plan9` from cross-build workflow (#6268)\n  * run `golangci-lint run --fix --fast` (#6270)\n  * caddytls: Option to configure certificate lifetime (#6253)\n  * replacer: Implement `file.*` global replacements (#5463)\n  * caddyhttp: Address some Go 1.20 features (#6252)\n  * Quell linter (false positive)\n  * reverse_proxy: Add grace_period for SRV upstreams to Caddyfile (#6264)\n  * doc: add `verifier` in `ClientAuthentication` caddyfile marshaler doc (#6263)\n  * caddytls: Add Caddyfile support for on-demand permission module (close #6260)\n  * reverseproxy: Remove long-deprecated buffering properties\n  * reverseproxy: Reuse buffered request body even if partially drained\n  * reverseproxy: Accept EOF when buffering\n  * logging: Fix default 
access logger (#6251)\n  * fileserver: Improve Vary handling (#5849)\n  * cmd: Only validate config is proper JSON if config slice has data (#6250)\n  * staticresp: Use the evaluated response body for sniffing JSON content-type (#6249)\n  * encode: Slight fix for the previous commit\n  * encode: Improve Etag handling (fix #5849)\n  * httpcaddyfile: Skip automate loader if disable_certs is specified (fix #6148)\n  * caddyfile: Populate regexp matcher names by default (#6145)\n  * caddyhttp: record num. bytes read when response writer is hijacked (#6173)\n  * caddyhttp: Support multiple logger names per host (#6088)\n  * chore: fix some typos in comments (#6243)\n  * encode: Configurable compression level for zstd (#6140)\n  * caddytls: Remove shim code supporting deprecated lego-dns (#6231)\n  * connection policy: add `local_ip`  matcher (#6074)\n  * reverseproxy: Wait for both ends of websocket to close (#6175)\n  * caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229)\n  * caddytls: Still provision permission module if ask is specified\n  * fileserver: read etags from precomputed files (#6222)\n  * fileserver: Escape # and ? 
in img src (fix #6237)\n  * reverseproxy: Implement modular CA provider for TLS transport (#6065)\n  * caddyhttp: Apply auto HTTPS redir to all interfaces (fix #6226)\n  * cmd: Fix panic related to config filename (fix #5919)\n  * cmd: Assume Caddyfile based on filename prefix and suffix (#5919)\n  * admin: Make `Etag` a header, not a trailer (#6208)\n  * caddyhttp: remove duplicate strings.Count in path matcher (fixes #6233) (#6234)\n  * caddyconfig: Use empty struct instead of bool in map (close #6224) (#6227)\n  * gitignore: Add rule for caddyfile.go (#6225)\n  * chore: Fix broken links in README.md (#6223)\n  * chore: Upgrade some dependencies (#6221)\n  * caddyhttp: Add plaintext response to `file_server browse` (#6093)\n  * admin: Use xxhash for etag (#6207)\n  * modules: fix some typo in conments (#6206)\n  * caddyhttp: Replace sensitive headers with REDACTED (close #5669)\n  * caddyhttp: close quic connections when server closes (#6202)\n  * reverseproxy: Use xxhash instead of fnv32 for LB (#6203)\n  * caddyhttp: add http.request.local{,.host,.port} placeholder (#6182)\n  * chore: upgrade deps (#6198)\n  * chore: remove repetitive word (#6193)\n  * Added a null check to avoid segfault on rewrite query ops (#6191)\n  * rewrite: `uri query` replace operation (#6165)\n  * logging: support `ms` duration format and add docs (#6187)\n  * replacer: use RWMutex to protect static provider (#6184)\n  * caddyhttp: Allow `header` replacement with empty string (#6163)\n  * vars: Make nil values act as empty string instead of `\u0027\u003cnil\u003e\u0027` (#6174)\n  * chore: Update quic-go to v0.42.0 (#6176)\n  * caddyhttp: Accept XFF header values with ports, when parsing client IP (#6183)\n  * reverseproxy: configurable active health_passes and health_fails (#6154)\n  * reverseproxy: Configurable forward proxy URL (#6114)\n  * caddyhttp: upgrade to cel v0.20.0 (#6161)\n  * chore: Bump Chroma to v2.13.0, includes new Caddyfile lexer (#6169)\n  * caddyhttp: suppress 
flushing if the response is being buffered (#6150)\n  * chore: encode: use FlushError instead of Flush (#6168)\n  * encode: write status immediately when status code is informational (#6164)\n  * httpcaddyfile: Keep deprecated `skip_log` in directive order (#6153)\n  * httpcaddyfile: Add `RegisterDirectiveOrder` function for plugin authors (#5865)\n  * rewrite: Implement `uri query` operations (#6120)\n  * fix struct names (#6151)\n  * fileserver: Preserve query during canonicalization redirect (#6109)\n  * logging: Implement `log_append` handler (#6066)\n  * httpcaddyfile: Allow nameless regexp placeholder shorthand (#6113)\n  * logging: Implement `append` encoder, allow flatter filters config (#6069)\n  * ci: fix the integration test `TestLeafCertLoaders` (#6149)\n  * vars: Allow overriding `http.auth.user.id` in replacer as a special case (#6108)\n  * caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050)\n  * cmd: Adjust config load logs/errors (#6032)\n  * reverseproxy: SRV dynamic upstream failover (#5832)\n  * ci: bump golangci/golangci-lint-action from 3 to 4 (#6141)\n  * core: OnExit hooks (#6128)\n  * cmd: fix the output of the `Usage` section (#6138)\n  * caddytls: verifier: caddyfile: re-add Caddyfile support (#6127)\n  * acmeserver: add policy field to define allow/deny rules (#5796)\n  * reverseproxy: cookie should be Secure and SameSite=None when TLS (#6115)\n  * caddytest: Rename adapt tests to `*.caddyfiletest` extension (#6119)\n  * tests: uses testing.TB interface for helper to be able to use test server in benchmarks. 
(#6103)\n  * caddyfile: Assert having a space after heredoc marker to simply check (#6117)\n  * chore: Update Chroma to get the new Caddyfile lexer (#6118)\n  * reverseproxy: use context.WithoutCancel (#6116)\n  * caddyfile: Reject directives in the place of site addresses (#6104)\n  * caddyhttp: Register post-shutdown callbacks (#5948)\n  * caddyhttp: Only attempt to enable full duplex for HTTP/1.x (#6102)\n  * caddyauth: Drop support for `scrypt` (#6091)\n  * Revert \u0027caddyfile: Reject long heredoc markers (#6098)\u0027 (#6100)\n  * caddyauth: Rename `basicauth` to `basic_auth` (#6092)\n  * logging: Inline Caddyfile syntax for `ip_mask` filter (#6094)\n  * caddyfile: Reject long heredoc markers (#6098)\n  * chore: Rename CI jobs, run on M1 mac (#6089)\n  * update comment\n  * improved list\n  * fix: add back text/*\n  * fix: add more media types to the compressed by default list\n  * acmeserver: support specifying the allowed challenge types (#5794)\n  * matchers: Drop `forwarded` option from `remote_ip` matcher (#6085)\n  * caddyhttp: Test cases for `%2F` and `%252F` (#6084)\n  * bump to golang 1.22 (#6083)\n  * fileserver: Browse can show symlink target if enabled (#5973)\n  * core: Support NO_COLOR env var to disable log coloring (#6078)\n  * build(deps): bump peter-evans/repository-dispatch from 2 to 3 (#6080)\n  * Update comment in setcap helper script\n  * caddytls: Make on-demand \u0027ask\u0027 permission modular (#6055)\n  * core: Add `ctx.Slogger()` which returns an `slog` logger (#5945)\n  * chore: Update quic-go to v0.41.0, bump Go minimum to 1.21 (#6043)\n  * chore: enabling a few more linters (#5961)\n  * caddyfile: Correctly close the heredoc when the closing marker appears immediately (#6062)\n  * caddyfile: Switch to slices.Equal for better performance (#6061)\n  * tls: modularize trusted CA providers (#5784)\n  * logging: Automatic `wrap` default for `filter` encoder (#5980)\n  * caddyhttp: Fix panic when request missing ClientIPVarKey 
(#6040)\n  * caddyfile: Normalize \u0026 flatten all unmarshalers (#6037)\n  * cmd: reverseproxy: log: use caddy logger (#6042)\n  * matchers: `query` now ANDs multiple keys (#6054)\n  * caddyfile: Add heredoc support to `fmt` command (#6056)\n  * refactor: move automaxprocs init in caddycmd.Main()\n  * caddyfile: Allow heredoc blank lines (#6051)\n  * httpcaddyfile: Add optional status code argument to `handle_errors` directive (#5965)\n  * httpcaddyfile: Rewrite `root` and `rewrite` parsing to allow omitting matcher (#5844)\n  * fileserver: Implement caddyfile.Unmarshaler interface (#5850)\n  * reverseproxy: Add `tls_curves` option to HTTP transport (#5851)\n  * caddyhttp: Security enhancements for client IP parsing (#5805)\n  * replacer: Fix escaped closing braces (#5995)\n  * filesystem: Globally declared filesystems, `fs` directive (#5833)\n  * ci/cd: use the build tag `nobadger` to exclude badgerdb (#6031)\n  * httpcaddyfile: Fix redir \u003cto\u003e html (#6001)\n  * httpcaddyfile: Support client auth verifiers (#6022)\n  * tls: add reuse_private_keys (#6025)\n  * reverseproxy: Only change Content-Length when full request is buffered (#5830)\n  * Switch Solaris-derivatives away from listen_unix (#6021)\n  * build(deps): bump actions/upload-artifact from 3 to 4 (#6013)\n  * build(deps): bump actions/setup-go from 4 to 5 (#6012)\n  * chore: check against errors of `io/fs` instead of `os` (#6011)\n  * caddyhttp: support unix sockets in `caddy respond` command (#6010)\n  * fileserver: Add total file size to directory listing (#6003)\n  * httpcaddyfile: Fix cert file decoding to load multiple PEM in one file (#5997)\n  * build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#5994)\n  * cmd: use automaxprocs for better perf in containers (#5711)\n  * logging: Add `zap.Option` support (#5944)\n  * httpcaddyfile: Sort skip_hosts for deterministic JSON (#5990)\n  * metrics: Record request metrics on HTTP errors (#5979)\n  * go.mod: Updated quic-go to v0.40.1 
(#5983)\n  * fileserver: Enable compression for command by default (#5855)\n  * fileserver: New --precompressed flag (#5880)\n  * caddyhttp: Add `uuid` to access logs when used (#5859)\n  * proxyprotocol: use github.com/pires/go-proxyproto (#5915)\n  * cmd: Preserve LastModified date when exporting storage (#5968)\n  * core: Always make AppDataDir for InstanceID (#5976)\n  * chore: cross-build for AIX (#5971)\n  * caddytls: Sync distributed storage cleaning (#5940)\n  * caddytls: Context to DecisionFunc (#5923)\n  * tls: accept placeholders in string values of certificate loaders (#5963)\n  * templates: Offically make templates extensible (#5939)\n  * http2 uses new round-robin scheduler (#5946)\n  * panic when reading from backend failed to propagate stream error (#5952)\n  * chore: Bump otel to v1.21.0. (#5949)\n  * httpredirectlistener: Only set read limit for when request is HTTP (#5917)\n  * fileserver: Add .m4v for browse template icon\n  * Revert \u0027caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)\u0027 (#5924)\n  * go.mod: update quic-go version to v0.40.0 (#5922)\n  * update quic-go to v0.39.3 (#5918)\n  * chore: Fix usage pool comment (#5916)\n  * test: acmeserver: add smoke test for the ACME server directory (#5914)\n  *  Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)\n  * caddyhttp: Adjust `scheme` placeholder docs (#5910)\n  * go.mod: Upgrade quic-go to v0.39.1\n  * go.mod: CVE-2023-45142 Update opentelemetry (#5908)\n  * templates: Delete headers on `httpError` to reset to clean slate (#5905)\n  * httpcaddyfile: Remove port from logger names (#5881)\n  * core: Apply SO_REUSEPORT to UDP sockets (#5725)\n  * caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)\n  * cmd: Add newline character to version string in CLI output (#5895)\n  * core: quic listener will manage the underlying socket by itself (#5749)\n  * templates: Clarify `include` args docs, add `.ClientIP` (#5898)\n  * httpcaddyfile: Fix TLS 
automation policy merging with get_certificate (#5896)\n  * cmd: upgrade: resolve symlink of the executable (#5891)\n  * caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883)\n\n- CVEs:\n  * CVE-2024-22189 (boo#1222468)\n  * CVE-2023-45142\n\n- Update to version 2.7.6:\n\n  * caddytls: Sync distributed storage cleaning (#5940)\n  * caddytls: Context to DecisionFunc (#5923)\n  * tls: accept placeholders in string values of certificate loaders (#5963)\n  * templates: Offically make templates extensible (#5939)\n  * http2 uses new round-robin scheduler (#5946)\n  * panic when reading from backend failed to propagate stream error (#5952)\n  * chore: Bump otel to v1.21.0. (#5949)\n  * httpredirectlistener: Only set read limit for when request is HTTP (#5917)\n  * fileserver: Add .m4v for browse template icon\n  * Revert \u0027caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)\u0027 (#5924)\n  * go.mod: update quic-go version to v0.40.0 (#5922)\n  * update quic-go to v0.39.3 (#5918)\n  * chore: Fix usage pool comment (#5916)\n  * test: acmeserver: add smoke test for the ACME server directory (#5914)\n  * Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)\n  * caddyhttp: Adjust `scheme` placeholder docs (#5910)\n  * go.mod: Upgrade quic-go to v0.39.1\n  * go.mod: CVE-2023-45142 Update opentelemetry (#5908)\n  * templates: Delete headers on `httpError` to reset to clean slate (#5905)\n  * httpcaddyfile: Remove port from logger names (#5881)\n  * core: Apply SO_REUSEPORT to UDP sockets (#5725)\n  * caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)\n  * cmd: Add newline character to version string in CLI output (#5895)\n  * core: quic listener will manage the underlying socket by itself (#5749)\n  * templates: Clarify `include` args docs, add `.ClientIP` (#5898)\n  * httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)\n  * cmd: upgrade: resolve symlink of the executable (#5891)\n  * 
caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883)\n\n- Update to version 2.7.5:\n\n  * admin: Respond with 4xx on non-existing config path (#5870)\n  * ci: Force the Go version for govulncheck (#5879)\n  * fileserver: Set canonical URL on browse template (#5867)\n  * tls: Add X25519Kyber768Draft00 PQ \u0027curve\u0027 behind build tag (#5852)\n  * reverseproxy: Add more debug logs (#5793)\n  * reverseproxy: Fix `least_conn` policy regression (#5862)\n  * reverseproxy: Add logging for dynamic A upstreams (#5857)\n  * reverseproxy: Replace health header placeholders (#5861)\n  * httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output (#5860)\n  * cmd: Fix exiting with custom status code, add `caddy -v` (#5874)\n  * reverseproxy: fix parsing Caddyfile fails for unlimited request/response buffers (#5828)\n  * reverseproxy: Fix retries on \u0027upstreams unavailable\u0027 error (#5841)\n  * httpcaddyfile: Enable TLS for catch-all site if `tls` directive is specified (#5808)\n  * encode: Add `application/wasm*` to the default content types (#5869)\n  * fileserver: Add command shortcuts `-l` and `-a` (#5854)\n  * go.mod: Upgrade dependencies incl. 
x/net/http\n  * templates: Add dummy `RemoteAddr` to `httpInclude` request, proxy compatibility (#5845)\n  * reverseproxy: Allow fallthrough for response handlers without routes (#5780)\n  * fix: caddytest.AssertResponseCode error message (#5853)\n  * build(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5847)\n  * build(deps): bump actions/checkout from 3 to 4 (#5846)\n  * caddyhttp: Use LimitedReader for HTTPRedirectListener\n  * fileserver: browse template SVG icons and UI tweaks (#5812)\n  * reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams (#5811)\n  * httpcaddyfile: fix placeholder shorthands in named routes (#5791)\n  * cmd: Prevent overwriting existing env vars with `--envfile` (#5803)\n  * ci: Run govulncheck (#5790)\n  * logging: query filter for array of strings (#5779)\n  * logging: Clone array on log filters, prevent side-effects (#5786)\n  * fileserver: Export BrowseTemplate\n  * ci: ensure short-sha is exported correctly on all platforms (#5781)\n  * caddyfile: Fix case where heredoc marker is empty after newline (#5769)\n  * go.mod: Update quic-go to v0.38.0 (#5772)\n  * chore: Appease gosec linter (#5777)\n  * replacer: change timezone to UTC for \u0027time.now.http\u0027 placeholders (#5774)\n  * caddyfile: Adjust error formatting (#5765)\n  * update quic-go to v0.37.6 (#5767)\n  * httpcaddyfile: Stricter errors for site and upstream address schemes (#5757)\n  * caddyfile: Loosen heredoc parsing (#5761)\n  * fileserver: docs: clarify the ability to produce JSON array with `browse` (#5751)\n  * fix package typo (#5764)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2024-220",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_0220-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2024:0220-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QNDMJCVODSMOIFD655EHBVQRLNUDXLQK/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2024:0220-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QNDMJCVODSMOIFD655EHBVQRLNUDXLQK/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1222468",
        "url": "https://bugzilla.suse.com/1222468"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-45142 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-45142/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-22189 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-22189/"
      }
    ],
    "title": "Security update for caddy",
    "tracking": {
      "current_release_date": "2024-07-26T10:03:44Z",
      "generator": {
        "date": "2024-07-26T10:03:44Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:0220-1",
      "initial_release_date": "2024-07-26T10:03:44Z",
      "revision_history": [
        {
          "date": "2024-07-26T10:03:44Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "caddy-2.8.4-bp156.3.3.1.aarch64",
                "product": {
                  "name": "caddy-2.8.4-bp156.3.3.1.aarch64",
                  "product_id": "caddy-2.8.4-bp156.3.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "caddy-2.8.4-bp156.3.3.1.i586",
                "product": {
                  "name": "caddy-2.8.4-bp156.3.3.1.i586",
                  "product_id": "caddy-2.8.4-bp156.3.3.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
                "product": {
                  "name": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
                  "product_id": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
                "product": {
                  "name": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
                  "product_id": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
                "product": {
                  "name": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
                  "product_id": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "caddy-2.8.4-bp156.3.3.1.ppc64le",
                "product": {
                  "name": "caddy-2.8.4-bp156.3.3.1.ppc64le",
                  "product_id": "caddy-2.8.4-bp156.3.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "caddy-2.8.4-bp156.3.3.1.s390x",
                "product": {
                  "name": "caddy-2.8.4-bp156.3.3.1.s390x",
                  "product_id": "caddy-2.8.4-bp156.3.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "caddy-2.8.4-bp156.3.3.1.x86_64",
                "product": {
                  "name": "caddy-2.8.4-bp156.3.3.1.x86_64",
                  "product_id": "caddy-2.8.4-bp156.3.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP6",
                "product": {
                  "name": "SUSE Package Hub 15 SP6",
                  "product_id": "SUSE Package Hub 15 SP6"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.6",
                "product": {
                  "name": "openSUSE Leap 15.6",
                  "product_id": "openSUSE Leap 15.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-2.8.4-bp156.3.3.1.aarch64 as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64"
        },
        "product_reference": "caddy-2.8.4-bp156.3.3.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-2.8.4-bp156.3.3.1.i586 as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586"
        },
        "product_reference": "caddy-2.8.4-bp156.3.3.1.i586",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-2.8.4-bp156.3.3.1.ppc64le as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le"
        },
        "product_reference": "caddy-2.8.4-bp156.3.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-2.8.4-bp156.3.3.1.s390x as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x"
        },
        "product_reference": "caddy-2.8.4-bp156.3.3.1.s390x",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-2.8.4-bp156.3.3.1.x86_64 as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64"
        },
        "product_reference": "caddy-2.8.4-bp156.3.3.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch"
        },
        "product_reference": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch"
        },
        "product_reference": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch as component of SUSE Package Hub 15 SP6",
          "product_id": "SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
        },
        "product_reference": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-2.8.4-bp156.3.3.1.aarch64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64"
        },
        "product_reference": "caddy-2.8.4-bp156.3.3.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-2.8.4-bp156.3.3.1.i586 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586"
        },
        "product_reference": "caddy-2.8.4-bp156.3.3.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-2.8.4-bp156.3.3.1.ppc64le as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le"
        },
        "product_reference": "caddy-2.8.4-bp156.3.3.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-2.8.4-bp156.3.3.1.s390x as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x"
        },
        "product_reference": "caddy-2.8.4-bp156.3.3.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-2.8.4-bp156.3.3.1.x86_64 as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64"
        },
        "product_reference": "caddy-2.8.4-bp156.3.3.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch"
        },
        "product_reference": "caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch"
        },
        "product_reference": "caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch as component of openSUSE Leap 15.6",
          "product_id": "openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
        },
        "product_reference": "caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-45142",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-45142"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server\u0027s potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64",
          "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586",
          "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le",
          "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x",
          "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64",
          "SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
          "SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
          "SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
          "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64",
          "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586",
          "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le",
          "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x",
          "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64",
          "openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
          "openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
          "openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-45142",
          "url": "https://www.suse.com/security/cve/CVE-2023-45142"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1228553 for CVE-2023-45142",
          "url": "https://bugzilla.suse.com/1228553"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64",
            "SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
            "SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
            "SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64",
            "openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
            "openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
            "openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64",
            "SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
            "SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
            "SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64",
            "openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
            "openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
            "openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-26T10:03:44Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-45142"
    },
    {
      "cve": "CVE-2024-22189",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-22189"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker can prevent the receiver from sending out (the vast majority of) these `RETIRE_CONNECTION_ID` frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer\u0027s RTT estimate. Version 0.42.0 contains a patch for the issue. No known workarounds are available.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64",
          "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586",
          "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le",
          "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x",
          "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64",
          "SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
          "SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
          "SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
          "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64",
          "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586",
          "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le",
          "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x",
          "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64",
          "openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
          "openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
          "openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-22189",
          "url": "https://www.suse.com/security/cve/CVE-2024-22189"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1222461 for CVE-2024-22189",
          "url": "https://bugzilla.suse.com/1222461"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64",
            "SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
            "SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
            "SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64",
            "openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
            "openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
            "openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.aarch64",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.i586",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.ppc64le",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.s390x",
            "SUSE Package Hub 15 SP6:caddy-2.8.4-bp156.3.3.1.x86_64",
            "SUSE Package Hub 15 SP6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
            "SUSE Package Hub 15 SP6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
            "SUSE Package Hub 15 SP6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.aarch64",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.i586",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.ppc64le",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.s390x",
            "openSUSE Leap 15.6:caddy-2.8.4-bp156.3.3.1.x86_64",
            "openSUSE Leap 15.6:caddy-bash-completion-2.8.4-bp156.3.3.1.noarch",
            "openSUSE Leap 15.6:caddy-fish-completion-2.8.4-bp156.3.3.1.noarch",
            "openSUSE Leap 15.6:caddy-zsh-completion-2.8.4-bp156.3.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-07-26T10:03:44Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-22189"
    }
  ]
}
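The CVE-2023-45142 description above names the defect precisely: `otelhttp.NewHandler` turned the raw request method and User-Agent into metric label values, so every distinct attacker-chosen string became one more time series the process had to keep in memory. The Go program below is an added example written for this page; it is not code from Caddy, from the OpenTelemetry contrib repository, or from SUSE. It models the label storage with a plain map so it runs offline: `UnboundedKey` reproduces the pre-0.44.0 labelling, `BoundedKey` restricts the method to a closed set and drops the User-Agent entirely, and `OnlyKnownMethods` has the signature of an `otelhttp.Filter` (`func(*http.Request) bool`), which is the shape the `otelhttp.WithFilter()` workaround mentioned in the description takes. The `_OTHER` fallback follows the OpenTelemetry HTTP semantic conventions; the advisory text itself only says the set of values was restricted. The flood input is constructed here.

```go
package main

import (
	"fmt"
	"net/http"
)

// knownMethods is the closed set of method names allowed as a label value.
// The OpenTelemetry HTTP semantic conventions require an exact, case-sensitive
// match against well-known methods and map everything else to "_OTHER"; the
// set is spelled out here so the example runs without importing otelhttp.
var knownMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodPost: true,
	http.MethodPut: true, http.MethodPatch: true, http.MethodDelete: true,
	http.MethodConnect: true, http.MethodOptions: true, http.MethodTrace: true,
}

// NormalizeMethod bounds the method label to len(knownMethods)+1 values.
func NormalizeMethod(method string) string {
	if knownMethods[method] {
		return method
	}
	return "_OTHER"
}

// OnlyKnownMethods has the shape of an otelhttp.Filter: returning false keeps
// the request out of the instrumented path. This is the coarse workaround the
// advisory mentions; it drops telemetry for odd-method requests instead of
// normalising them, so such requests become invisible to the metrics.
func OnlyKnownMethods(r *http.Request) bool {
	return knownMethods[r.Method]
}

// LabelKey maps request attributes to the key under which a metrics backend
// stores a separate time series.
type LabelKey func(method, userAgent string) string

// UnboundedKey reproduces the pre-0.44.0 otelhttp behaviour: the raw method
// and the raw User-Agent both become label values.
func UnboundedKey(method, userAgent string) string {
	return "http.method=" + method + " http.user_agent=" + userAgent
}

// BoundedKey keeps only a normalised method and drops the User-Agent label.
func BoundedKey(method, _ string) string {
	return "http.request.method=" + NormalizeMethod(method)
}

// SeriesCounter stands in for the per-label-set storage of a counter instrument.
type SeriesCounter struct {
	key    LabelKey
	series map[string]int
}

func NewSeriesCounter(key LabelKey) *SeriesCounter {
	return &SeriesCounter{key: key, series: map[string]int{}}
}

func (c *SeriesCounter) Record(method, userAgent string) {
	c.series[c.key(method, userAgent)]++
}

// Series is the number of distinct label sets held in memory.
func (c *SeriesCounter) Series() int { return len(c.series) }

// SimulateFlood records one legitimate GET and then n attacker requests whose
// method and User-Agent are unique per request (constructed input; a real
// attacker would use random strings). It returns the resulting series count.
func SimulateFlood(n int, key LabelKey) int {
	c := NewSeriesCounter(key)
	c.Record(http.MethodGet, "curl/8.0")
	for i := 0; i < n; i++ {
		c.Record(fmt.Sprintf("M%d", i), fmt.Sprintf("evil-agent/%d", i))
	}
	return c.Series()
}

func main() {
	const n = 100000
	fmt.Printf("unbounded labels: %d series after %d requests\n", SimulateFlood(n, UnboundedKey), n+1)
	fmt.Printf("bounded labels:   %d series after %d requests\n", SimulateFlood(n, BoundedKey), n+1)
}
```

With unbounded labels the series count tracks the request count one for one; with bounded labels the flood collapses into the single `_OTHER` series next to the legitimate `GET`. Note that `NormalizeMethod("get")` is `_OTHER`, not `GET`: lower-case spellings are distinct method tokens on the wire, and folding them would reopen a small but real cardinality gap.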
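The CVE-2024-22189 description above is a protocol-level resource exhaustion: every NEW_CONNECTION_ID frame that retires earlier IDs obliges the receiver to answer with RETIRE_CONNECTION_ID frames, and a peer that also collapses the receiver's congestion window keeps those answers from ever leaving the queue. The Go program below is an added example for this page; it is not quic-go's code and does not claim to reproduce the 0.42.0 patch. It implements a small receiver-side connection ID manager along the lines of RFC 9000 section 19.15, replays the retirement storm against a manager with no cap (the backlog grows with every frame while the active-ID limit is never tripped, because the active set stays at one ID), and then against a manager that closes the connection once more than a fixed number of retirements are pending. The cap of 32, the initial connection ID bytes, and the zero-window modelling (`Flush` is simply never called during the storm) are this example's assumptions.

```go
package main

import (
	"errors"
)

// Conditions a receiver would close the connection with. The first two are
// RFC 9000 transport errors; the third is the added backlog cap.
var (
	ErrFrameEncoding     = errors.New("FRAME_ENCODING_ERROR: retire_prior_to exceeds sequence_number")
	ErrConnIDLimit       = errors.New("CONNECTION_ID_LIMIT_ERROR: active IDs exceed active_connection_id_limit")
	ErrRetirementBacklog = errors.New("too many unsent RETIRE_CONNECTION_ID frames queued")
)

// NewConnectionIDFrame carries the NEW_CONNECTION_ID fields used here.
type NewConnectionIDFrame struct {
	SequenceNumber uint64
	RetirePriorTo  uint64
	ConnectionID   []byte
}

// ConnIDManager is the receiver's bookkeeping for the peer's connection IDs.
type ConnIDManager struct {
	activeLimit   int
	maxQueued     int      // 0 = no cap, i.e. the behaviour the CVE describes
	active        map[uint64][]byte
	highestRetire uint64   // largest retire_prior_to seen so far
	queuedRetire  []uint64 // RETIRE_CONNECTION_ID frames we owe but have not sent
}

// NewConnIDManager starts with the handshake connection ID at sequence 0
// (the ID bytes are a placeholder; only the sequence number matters here).
func NewConnIDManager(activeLimit, maxQueued int) *ConnIDManager {
	return &ConnIDManager{activeLimit: activeLimit, maxQueued: maxQueued,
		active: map[uint64][]byte{0: []byte("initial-cid")}}
}

// HandleNewConnectionID applies one frame and queues every retirement that
// RFC 9000 obliges us to answer with a RETIRE_CONNECTION_ID frame.
func (m *ConnIDManager) HandleNewConnectionID(f NewConnectionIDFrame) error {
	if f.RetirePriorTo > f.SequenceNumber {
		return ErrFrameEncoding
	}
	if f.RetirePriorTo > m.highestRetire {
		for seq := range m.active {
			if seq < f.RetirePriorTo {
				delete(m.active, seq)
				m.queuedRetire = append(m.queuedRetire, seq)
			}
		}
		m.highestRetire = f.RetirePriorTo
	}
	if f.SequenceNumber < m.highestRetire {
		m.queuedRetire = append(m.queuedRetire, f.SequenceNumber) // arrived already retired
	} else if _, seen := m.active[f.SequenceNumber]; !seen {
		m.active[f.SequenceNumber] = f.ConnectionID
	}
	if len(m.active) > m.activeLimit {
		return ErrConnIDLimit
	}
	// The peer controls how fast we may send (congestion window, RTT estimate),
	// so an unbounded backlog is attacker-controlled memory. Cap it.
	if m.maxQueued > 0 && len(m.queuedRetire) > m.maxQueued {
		return ErrRetirementBacklog
	}
	return nil
}

// Flush models the send path: the congestion window admits `budget` frames.
func (m *ConnIDManager) Flush(budget int) []uint64 {
	if budget > len(m.queuedRetire) {
		budget = len(m.queuedRetire)
	}
	sent := append([]uint64(nil), m.queuedRetire[:budget]...)
	m.queuedRetire = m.queuedRetire[budget:]
	return sent
}

func (m *ConnIDManager) ActiveCount() int       { return len(m.active) }
func (m *ConnIDManager) QueuedRetirements() int { return len(m.queuedRetire) }

// RunRetireStorm replays the attack with the window held at zero (nothing is
// flushed): frame i announces sequence i and retires everything below it, so
// the active set stays at one ID while every frame adds a retirement we owe.
// It returns how many frames were accepted before the manager refused one.
func RunRetireStorm(m *ConnIDManager, frames int) (accepted int, err error) {
	for i := 1; i <= frames; i++ {
		f := NewConnectionIDFrame{SequenceNumber: uint64(i), RetirePriorTo: uint64(i), ConnectionID: []byte{byte(i)}}
		if err = m.HandleNewConnectionID(f); err != nil {
			return accepted, err
		}
		accepted++
	}
	return accepted, nil
}
```

Against `NewConnIDManager(4, 0)` the storm is accepted in full and `QueuedRetirements()` equals the number of frames while `ActiveCount()` stays at 1, which is exactly why the `active_connection_id_limit` check alone does not help. Against `NewConnIDManager(4, 32)` the 33rd frame returns `ErrRetirementBacklog`. A well-behaved peer is unaffected by the cap as long as `Flush` runs between frames, which it does whenever the congestion window is open.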

