Comment # 2 on bug 1234586 from Alexandre Vicenzi 
Caddy vendors golang.org/x/crypto/ssh but there are no calls to
ServerConfig.PublicKeyCallback in Caddy or its vendored dependencies.

Since they don't use the affected code, the following codestreams are not
affected:

openSUSE:Backports:SLE-15-SP5/caddy
openSUSE:Backports:SLE-15-SP6/caddy
openSUSE:Backports:SLE-15-SP6:Update/caddy
openSUSE:Factory/caddy

There's a PR [1] that bumps golang.org/x/net to v0.32.0, but there's no release
yet. Once released Factory will get an update, but hardly the other codestreams
since this CVE does not affect it.

Andrea, can we close this?

[1]: https://github.com/caddyserver/caddy/pull/6728

You are receiving this mail because: