https://bugzilla.suse.com/show_bug.cgi?id=1234586 https://bugzilla.suse.com/show_bug.cgi?id=1234586#c2 --- Comment #2 from Alexandre Vicenzi <alexandre.vicenzi@suse.com> --- Caddy vendors golang.org/x/crypto/ssh but there are no calls to ServerConfig.PublicKeyCallback in Caddy or its vendored dependencies. Since they don't use the affected code, the following codestreams are not affected: openSUSE:Backports:SLE-15-SP5/caddy openSUSE:Backports:SLE-15-SP6/caddy openSUSE:Backports:SLE-15-SP6:Update/caddy openSUSE:Factory/caddy There's a PR [1] that bumps golang.org/x/net to v0.32.0, but there's no release yet. Once released Factory will get an update, but hardly the other codestreams since this CVE does not affect it. Andrea, can we close this? [1]: https://github.com/caddyserver/caddy/pull/6728 -- You are receiving this mail because: You are on the CC list for the bug.