openSUSE Security Update: Security update for caddy
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2024:0220-1
Rating:             moderate
References:         #1222468 
Cross-References:   CVE-2023-45142 CVE-2024-22189
CVSS scores:
                    CVE-2023-45142 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2023-45142 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2024-22189 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for caddy fixes the following issues:

   - Update to version 2.8.4:

     * cmd: fix regression in auto-detect of Caddyfile (#6362)
     * Tag v2.8.3 was mistakenly made on the v2.8.2 commit and is skipped

   - Update to version 2.8.2:

     * cmd: fix auto-detection of .caddyfile extension (#6356)
     * caddyhttp: properly sanitize requests for root path (#6360)
     * caddytls: Implement certmagic.RenewalInfoGetter
     * build(deps): bump golangci/golangci-lint-action from 5 to 6 (#6361)

   - Update to version 2.8.1:

     * caddyhttp: Fix merging consecutive `client_ip` or `remote_ip` matchers
       (#6350)
     * core: MkdirAll appDataDir in InstanceID with 0o700 (#6340)

   - Update to version 2.8.0:

     * acmeserver: Add `sign_with_root` for Caddyfile (#6345)
     * caddyfile: Reject global request matchers earlier (#6339)
     * core: Fix bug in AppIfConfigured (fix #6336)
     * fix a typo (#6333)
     * autohttps: Move log WARN to INFO, reduce confusion (#6185)
     * reverseproxy: Support HTTP/3 transport to backend (#6312)
     * context: AppIfConfigured returns error; consider not-yet-provisioned
       modules (#6292)
     * Fix lint error about deprecated method in
       smallstep/certificates/authority
     * go.mod: Upgrade dependencies
     * caddytls: fix permission requirement with AutomationPolicy (#6328)
     * caddytls: remove ClientHelloSNICtxKey (#6326)
     * caddyhttp: Trace individual middleware handlers (#6313)
     * templates: Add `pathEscape` template function and use it in file
       browser (#6278)
     * caddytls: set server name in context (#6324)
     * chore: downgrade minimum Go version in go.mod (#6318)
     * caddytest: normalize the JSON config (#6316)
     * caddyhttp: New experimental handler for intercepting responses (#6232)
     * httpcaddyfile: Set challenge ports when http_port or https_port are
       used
     * logging: Add support for additional logger filters other than hostname
       (#6082)
     * caddyhttp: Log 4xx as INFO; 5xx as ERROR (close #6106)
     * Second half of 6dce493
     * caddyhttp: Alter log message when request is unhandled (close #5182)
     * chore: Bump Go version in CI (#6310)
     * go.mod: go 1.22.3
     * Fix typos (#6311)
     * reverseproxy: Pointer to struct when loading modules; remove
       LazyCertPool (#6307)
     * tracing: add trace_id var (`http.vars.trace_id` placeholder) (#6308)
     * go.mod: CertMagic v0.21.0
     * reverseproxy: Implement health_follow_redirects (#6302)
     * caddypki: Allow use of root CA without a key. Fixes #6290 (#6298)
     * go.mod: Upgrade to quic-go v0.43.1
     * reverseproxy: HTTP transport: fix PROXY protocol initialization (#6301)
     * caddytls: Ability to drop connections (close #6294)
     * build(deps): bump golangci/golangci-lint-action from 4 to 5 (#6289)
     * httpcaddyfile: Fix expression matcher shortcut in snippets (#6288)
     * caddytls: Evict internal certs from cache based on issuer (#6266)
     * chore: add warn logs when using deprecated fields (#6276)
     * caddyhttp: Fix linter warning about deprecation
     * go.mod: Upgrade to quic-go v0.43.0
     * fileserver: Set "Vary: Accept-Encoding" header (see #5849)
     * events: Add debug log
     * reverseproxy: handle buffered data during hijack (#6274)
     * ci: remove `android` and `plan9` from cross-build workflow (#6268)
     * run `golangci-lint run --fix --fast` (#6270)
     * caddytls: Option to configure certificate lifetime (#6253)
     * replacer: Implement `file.*` global replacements (#5463)
     * caddyhttp: Address some Go 1.20 features (#6252)
     * Quell linter (false positive)
     * reverse_proxy: Add grace_period for SRV upstreams to Caddyfile (#6264)
     * doc: add `verifier` in `ClientAuthentication` caddyfile marshaler doc
       (#6263)
     * caddytls: Add Caddyfile support for on-demand permission module (close
       #6260)
     * reverseproxy: Remove long-deprecated buffering properties
     * reverseproxy: Reuse buffered request body even if partially drained
     * reverseproxy: Accept EOF when buffering
     * logging: Fix default access logger (#6251)
     * fileserver: Improve Vary handling (#5849)
     * cmd: Only validate config is proper JSON if config slice has data
       (#6250)
     * staticresp: Use the evaluated response body for sniffing JSON
       content-type (#6249)
     * encode: Slight fix for the previous commit
     * encode: Improve Etag handling (fix #5849)
     * httpcaddyfile: Skip automate loader if disable_certs is specified (fix
       #6148)
     * caddyfile: Populate regexp matcher names by default (#6145)
     * caddyhttp: record num. bytes read when response writer is hijacked
       (#6173)
     * caddyhttp: Support multiple logger names per host (#6088)
     * chore: fix some typos in comments (#6243)
     * encode: Configurable compression level for zstd (#6140)
     * caddytls: Remove shim code supporting deprecated lego-dns (#6231)
     * connection policy: add `local_ip` matcher (#6074)
     * reverseproxy: Wait for both ends of websocket to close (#6175)
     * caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes
       (#6229)
     * caddytls: Still provision permission module if ask is specified
     * fileserver: read etags from precomputed files (#6222)
     * fileserver: Escape # and ? in img src (fix #6237)
     * reverseproxy: Implement modular CA provider for TLS transport (#6065)
     * caddyhttp: Apply auto HTTPS redir to all interfaces (fix #6226)
     * cmd: Fix panic related to config filename (fix #5919)
     * cmd: Assume Caddyfile based on filename prefix and suffix (#5919)
     * admin: Make `Etag` a header, not a trailer (#6208)
     * caddyhttp: remove duplicate strings.Count in path matcher (fixes
       #6233) (#6234)
     * caddyconfig: Use empty struct instead of bool in map (close #6224)
       (#6227)
     * gitignore: Add rule for caddyfile.go (#6225)
     * chore: Fix broken links in README.md (#6223)
     * chore: Upgrade some dependencies (#6221)
     * caddyhttp: Add plaintext response to `file_server browse` (#6093)
     * admin: Use xxhash for etag (#6207)
     * modules: fix some typos in comments (#6206)
     * caddyhttp: Replace sensitive headers with REDACTED (close #5669)
     * caddyhttp: close quic connections when server closes (#6202)
     * reverseproxy: Use xxhash instead of fnv32 for LB (#6203)
     * caddyhttp: add http.request.local{,.host,.port} placeholder (#6182)
     * chore: upgrade deps (#6198)
     * chore: remove repetitive word (#6193)
     * Added a null check to avoid segfault on rewrite query ops (#6191)
     * rewrite: `uri query` replace operation (#6165)
     * logging: support `ms` duration format and add docs (#6187)
     * replacer: use RWMutex to protect static provider (#6184)
     * caddyhttp: Allow `header` replacement with empty string (#6163)
     * vars: Make nil values act as empty string instead of `""` (#6174)
     * chore: Update quic-go to v0.42.0 (#6176)
     * caddyhttp: Accept XFF header values with ports, when parsing client IP
       (#6183)
     * reverseproxy: configurable active health_passes and health_fails
       (#6154)
     * reverseproxy: Configurable forward proxy URL (#6114)
     * caddyhttp: upgrade to cel v0.20.0 (#6161)
     * chore: Bump Chroma to v2.13.0, includes new Caddyfile lexer (#6169)
     * caddyhttp: suppress flushing if the response is being buffered (#6150)
     * chore: encode: use FlushError instead of Flush (#6168)
     * encode: write status immediately when status code is informational
       (#6164)
     * httpcaddyfile: Keep deprecated `skip_log` in directive order (#6153)
     * httpcaddyfile: Add `RegisterDirectiveOrder` function for plugin
       authors (#5865)
     * rewrite: Implement `uri query` operations (#6120)
     * fix struct names (#6151)
     * fileserver: Preserve query during canonicalization redirect (#6109)
     * logging: Implement `log_append` handler (#6066)
     * httpcaddyfile: Allow nameless regexp placeholder shorthand (#6113)
     * logging: Implement `append` encoder, allow flatter filters config
       (#6069)
     * ci: fix the integration test `TestLeafCertLoaders` (#6149)
     * vars: Allow overriding `http.auth.user.id` in replacer as a special
       case (#6108)
     * caddytls: clientauth: leaf verifier: make trusted leaf certs source
       pluggable (#6050)
     * cmd: Adjust config load logs/errors (#6032)
     * reverseproxy: SRV dynamic upstream failover (#5832)
     * ci: bump golangci/golangci-lint-action from 3 to 4 (#6141)
     * core: OnExit hooks (#6128)
     * cmd: fix the output of the `Usage` section (#6138)
     * caddytls: verifier: caddyfile: re-add Caddyfile support (#6127)
     * acmeserver: add policy field to define allow/deny rules (#5796)
     * reverseproxy: cookie should be Secure and SameSite=None when TLS
       (#6115)
     * caddytest: Rename adapt tests to `*.caddyfiletest` extension (#6119)
     * tests: uses testing.TB interface for helper to be able to use test
       server in benchmarks. (#6103)
     * caddyfile: Assert having a space after heredoc marker to simply check
       (#6117)
     * chore: Update Chroma to get the new Caddyfile lexer (#6118)
     * reverseproxy: use context.WithoutCancel (#6116)
     * caddyfile: Reject directives in the place of site addresses (#6104)
     * caddyhttp: Register post-shutdown callbacks (#5948)
     * caddyhttp: Only attempt to enable full duplex for HTTP/1.x (#6102)
     * caddyauth: Drop support for `scrypt` (#6091)
     * Revert "caddyfile: Reject long heredoc markers (#6098)" (#6100)
     * caddyauth: Rename `basicauth` to `basic_auth` (#6092)
     * logging: Inline Caddyfile syntax for `ip_mask` filter (#6094)
     * caddyfile: Reject long heredoc markers (#6098)
     * chore: Rename CI jobs, run on M1 mac (#6089)
     * update comment
     * improved list
     * fix: add back text/*
     * fix: add more media types to the compressed by default list
     * acmeserver: support specifying the allowed challenge types (#5794)
     * matchers: Drop `forwarded` option from `remote_ip` matcher (#6085)
     * caddyhttp: Test cases for `%2F` and `%252F` (#6084)
     * bump to golang 1.22 (#6083)
     * fileserver: Browse can show symlink target if enabled (#5973)
     * core: Support NO_COLOR env var to disable log coloring (#6078)
     * build(deps): bump peter-evans/repository-dispatch from 2 to 3 (#6080)
     * Update comment in setcap helper script
     * caddytls: Make on-demand 'ask' permission modular (#6055)
     * core: Add `ctx.Slogger()` which returns an `slog` logger (#5945)
     * chore: Update quic-go to v0.41.0, bump Go minimum to 1.21 (#6043)
     * chore: enabling a few more linters (#5961)
     * caddyfile: Correctly close the heredoc when the closing marker appears
       immediately (#6062)
     * caddyfile: Switch to slices.Equal for better performance (#6061)
     * tls: modularize trusted CA providers (#5784)
     * logging: Automatic `wrap` default for `filter` encoder (#5980)
     * caddyhttp: Fix panic when request missing ClientIPVarKey (#6040)
     * caddyfile: Normalize & flatten all unmarshalers (#6037)
     * cmd: reverseproxy: log: use caddy logger (#6042)
     * matchers: `query` now ANDs multiple keys (#6054)
     * caddyfile: Add heredoc support to `fmt` command (#6056)
     * refactor: move automaxprocs init in caddycmd.Main()
     * caddyfile: Allow heredoc blank lines (#6051)
     * httpcaddyfile: Add optional status code argument to `handle_errors`
       directive (#5965)
     * httpcaddyfile: Rewrite `root` and `rewrite` parsing to allow omitting
       matcher (#5844)
     * fileserver: Implement caddyfile.Unmarshaler interface (#5850)
     * reverseproxy: Add `tls_curves` option to HTTP transport (#5851)
     * caddyhttp: Security enhancements for client IP parsing (#5805)
     * replacer: Fix escaped closing braces (#5995)
     * filesystem: Globally declared filesystems, `fs` directive (#5833)
     * ci/cd: use the build tag `nobadger` to exclude badgerdb (#6031)
     * httpcaddyfile: Fix redir html (#6001)
     * httpcaddyfile: Support client auth verifiers (#6022)
     * tls: add reuse_private_keys (#6025)
     * reverseproxy: Only change Content-Length when full request is buffered
       (#5830)
     * Switch Solaris-derivatives away from listen_unix (#6021)
     * build(deps): bump actions/upload-artifact from 3 to 4 (#6013)
     * build(deps): bump actions/setup-go from 4 to 5 (#6012)
     * chore: check against errors of `io/fs` instead of `os` (#6011)
     * caddyhttp: support unix sockets in `caddy respond` command (#6010)
     * fileserver: Add total file size to directory listing (#6003)
     * httpcaddyfile: Fix cert file decoding to load multiple PEM in one file
       (#5997)
     * build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#5994)
     * cmd: use automaxprocs for better perf in containers (#5711)
     * logging: Add `zap.Option` support (#5944)
     * httpcaddyfile: Sort skip_hosts for deterministic JSON (#5990)
     * metrics: Record request metrics on HTTP errors (#5979)
     * go.mod: Updated quic-go to v0.40.1 (#5983)
     * fileserver: Enable compression for command by default (#5855)
     * fileserver: New --precompressed flag (#5880)
     * caddyhttp: Add `uuid` to access logs when used (#5859)
     * proxyprotocol: use github.com/pires/go-proxyproto (#5915)
     * cmd: Preserve LastModified date when exporting storage (#5968)
     * core: Always make AppDataDir for InstanceID (#5976)
     * chore: cross-build for AIX (#5971)
     * caddytls: Sync distributed storage cleaning (#5940)
     * caddytls: Context to DecisionFunc (#5923)
     * tls: accept placeholders in string values of certificate loaders
       (#5963)
     * templates: Officially make templates extensible (#5939)
     * http2 uses new round-robin scheduler (#5946)
     * panic when reading from backend failed to propagate stream error
       (#5952)
     * chore: Bump otel to v1.21.0. (#5949)
     * httpredirectlistener: Only set read limit for when request is HTTP
       (#5917)
     * fileserver: Add .m4v for browse template icon
     * Revert "caddyhttp: Use sync.Pool to reduce lengthReader allocations
       (#5848)" (#5924)
     * go.mod: update quic-go version to v0.40.0 (#5922)
     * update quic-go to v0.39.3 (#5918)
     * chore: Fix usage pool comment (#5916)
     * test: acmeserver: add smoke test for the ACME server directory (#5914)
     * Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
     * caddyhttp: Adjust `scheme` placeholder docs (#5910)
     * go.mod: Upgrade quic-go to v0.39.1
     * go.mod: CVE-2023-45142 Update opentelemetry (#5908)
     * templates: Delete headers on `httpError` to reset to clean slate
       (#5905)
     * httpcaddyfile: Remove port from logger names (#5881)
     * core: Apply SO_REUSEPORT to UDP sockets (#5725)
     * caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)
     * cmd: Add newline character to version string in CLI output (#5895)
     * core: quic listener will manage the underlying socket by itself (#5749)
     * templates: Clarify `include` args docs, add `.ClientIP` (#5898)
     * httpcaddyfile: Fix TLS automation policy merging with get_certificate
       (#5896)
     * cmd: upgrade: resolve symlink of the executable (#5891)
     * caddyfile: Fix variadic placeholder false positive when token contains
       `:` (#5883)

   - CVEs:
     * CVE-2024-22189 (boo#1222468)
     * CVE-2023-45142

   - Update to version 2.7.6:

     * caddytls: Sync distributed storage cleaning (#5940)
     * caddytls: Context to DecisionFunc (#5923)
     * tls: accept placeholders in string values of certificate loaders
       (#5963)
     * templates: Officially make templates extensible (#5939)
     * http2 uses new round-robin scheduler (#5946)
     * panic when reading from backend failed to propagate stream error
       (#5952)
     * chore: Bump otel to v1.21.0. (#5949)
     * httpredirectlistener: Only set read limit for when request is HTTP
       (#5917)
     * fileserver: Add .m4v for browse template icon
     * Revert "caddyhttp: Use sync.Pool to reduce lengthReader allocations
       (#5848)" (#5924)
     * go.mod: update quic-go version to v0.40.0 (#5922)
     * update quic-go to v0.39.3 (#5918)
     * chore: Fix usage pool comment (#5916)
     * test: acmeserver: add smoke test for the ACME server directory (#5914)
     * Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
     * caddyhttp: Adjust `scheme` placeholder docs (#5910)
     * go.mod: Upgrade quic-go to v0.39.1
     * go.mod: CVE-2023-45142 Update opentelemetry (#5908)
     * templates: Delete headers on `httpError` to reset to clean slate
       (#5905)
     * httpcaddyfile: Remove port from logger names (#5881)
     * core: Apply SO_REUSEPORT to UDP sockets (#5725)
     * caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)
     * cmd: Add newline character to version string in CLI output (#5895)
     * core: quic listener will manage the underlying socket by itself (#5749)
     * templates: Clarify `include` args docs, add `.ClientIP` (#5898)
     * httpcaddyfile: Fix TLS automation policy merging with get_certificate
       (#5896)
     * cmd: upgrade: resolve symlink of the executable (#5891)
     * caddyfile: Fix variadic placeholder false positive when token contains
       `:` (#5883)

   - Update to version 2.7.5:

     * admin: Respond with 4xx on non-existing config path (#5870)
     * ci: Force the Go version for govulncheck (#5879)
     * fileserver: Set canonical URL on browse template (#5867)
     * tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (#5852)
     * reverseproxy: Add more debug logs (#5793)
     * reverseproxy: Fix `least_conn` policy regression (#5862)
     * reverseproxy: Add logging for dynamic A upstreams (#5857)
     * reverseproxy: Replace health header placeholders (#5861)
     * httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output
       (#5860)
     * cmd: Fix exiting with custom status code, add `caddy -v` (#5874)
     * reverseproxy: fix parsing Caddyfile fails for unlimited
       request/response buffers (#5828)
     * reverseproxy: Fix retries on "upstreams unavailable" error (#5841)
     * httpcaddyfile: Enable TLS for catch-all site if `tls` directive is
       specified (#5808)
     * encode: Add `application/wasm*` to the default content types (#5869)
     * fileserver: Add command shortcuts `-l` and `-a` (#5854)
     * go.mod: Upgrade dependencies incl. x/net/http
     * templates: Add dummy `RemoteAddr` to `httpInclude` request, proxy
       compatibility (#5845)
     * reverseproxy: Allow fallthrough for response handlers without routes
       (#5780)
     * fix: caddytest.AssertResponseCode error message (#5853)
     * build(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5847)
     * build(deps): bump actions/checkout from 3 to 4 (#5846)
     * caddyhttp: Use LimitedReader for HTTPRedirectListener
     * fileserver: browse template SVG icons and UI tweaks (#5812)
     * reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams
       (#5811)
     * httpcaddyfile: fix placeholder shorthands in named routes (#5791)
     * cmd: Prevent overwriting existing env vars with `--envfile` (#5803)
     * ci: Run govulncheck (#5790)
     * logging: query filter for array of strings (#5779)
     * logging: Clone array on log filters, prevent side-effects (#5786)
     * fileserver: Export BrowseTemplate
     * ci: ensure short-sha is exported correctly on all platforms (#5781)
     * caddyfile: Fix case where heredoc marker is empty after newline (#5769)
     * go.mod: Update quic-go to v0.38.0 (#5772)
     * chore: Appease gosec linter (#5777)
     * replacer: change timezone to UTC for "time.now.http" placeholders
       (#5774)
     * caddyfile: Adjust error formatting (#5765)
     * update quic-go to v0.37.6 (#5767)
     * httpcaddyfile: Stricter errors for site and upstream address schemes
       (#5757)
     * caddyfile: Loosen heredoc parsing (#5761)
     * fileserver: docs: clarify the ability to produce JSON array with
       `browse` (#5751)
     * fix package typo (#5764)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2024-220=1



Package List:

   - openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

      caddy-2.8.4-bp156.3.3.1

   - openSUSE Backports SLE-15-SP6 (noarch):

      caddy-bash-completion-2.8.4-bp156.3.3.1
      caddy-fish-completion-2.8.4-bp156.3.3.1
      caddy-zsh-completion-2.8.4-bp156.3.3.1
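   As an added post-update check (not part of this advisory), the following POSIX shell script compares the installed caddy packages against the fixed version-release listed above. It assumes an RPM-based system with `rpm` on the path and GNU `sort -V`; the package names and the fixed version string are taken from the Package List.

```shell
#!/bin/sh
# Added example, not part of the openSUSE advisory: verify that the caddy
# packages installed on this host are at least the fixed build from the
# advisory's Package List. Assumes an RPM-based system (rpm available)
# and GNU coreutils (sort -V).

FIXED_VERSION="2.8.4-bp156.3.3.1"   # version-release from the Package List
PACKAGES="caddy caddy-bash-completion caddy-fish-completion caddy-zsh-completion"

# version_ge INSTALLED FIXED -> returns 0 if INSTALLED >= FIXED.
# sort -V is used as an approximation of rpm's rpmvercmp; for the
# version-release strings in this advisory both orderings agree.
version_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# installed_version PKG -> prints VERSION-RELEASE of the installed package;
# returns non-zero (and prints nothing) if it is not installed.
installed_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" 2>/dev/null
}

# check_package PKG -> prints one status line; returns 1 only when the
# package is installed and still older than FIXED_VERSION.
check_package() {
    pkg=$1
    inst=$(installed_version "$pkg") || { echo "$pkg: not installed"; return 0; }
    if version_ge "$inst" "$FIXED_VERSION"; then
        echo "$pkg: $inst (patched)"
        return 0
    fi
    echo "$pkg: $inst (NOT PATCHED, needs $FIXED_VERSION)"
    return 1
}

# main -> checks every package in PACKAGES; exit status 1 if any is outdated.
main() {
    rc=0
    for pkg in $PACKAGES; do
        check_package "$pkg" || rc=1
    done
    return $rc
}

# Run the check only when invoked as: sh caddy_check.sh check
case "${1:-}" in
    check) main ;;
esac
```

A non-zero exit status from `main` means at least one installed caddy package is still older than the fixed build and `zypper in -t patch openSUSE-2024-220=1` has not taken effect on that host.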


References:

   https://www.suse.com/security/cve/CVE-2023-45142.html
   https://www.suse.com/security/cve/CVE-2024-22189.html
   https://bugzilla.suse.com/1222468

openSUSE: 2024:0220-1 moderate: caddy Advisory Security Update

August 23, 2024
An update that fixes two vulnerabilities is now available
