openSUSE Security Update: Security update for caddy ______________________________________________________________________________ Announcement ID: openSUSE-SU-2024:0220-1 Rating: moderate References: #1222468 Cross-References: CVE-2023-45142 CVE-2024-22189 CVSS scores: CVE-2023-45142 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-45142 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-22189 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Backports SLE-15-SP6 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for caddy fixes the following issues: - Update to version 2.8.4: * cmd: fix regression in auto-detect of Caddyfile (#6362) * Tag v2.8.3 was mistakenly made on the v2.8.2 commit and is skipped - Update to version 2.8.2: * cmd: fix auto-detetction of .caddyfile extension (#6356) * caddyhttp: properly sanitize requests for root path (#6360) * caddytls: Implement certmagic.RenewalInfoGetter * build(deps): bump golangci/golangci-lint-action from 5 to 6 (#6361) - Update to version 2.8.1: * caddyhttp: Fix merging consecutive `client_ip` or `remote_ip` matchers (#6350) * core: MkdirAll appDataDir in InstanceID with 0o700 (#6340) - Update to version 2.8.0: * acmeserver: Add `sign_with_root` for Caddyfile (#6345) * caddyfile: Reject global request matchers earlier (#6339) * core: Fix bug in AppIfConfigured (fix #6336) * fix a typo (#6333) * autohttps: Move log WARN to INFO, reduce confusion (#6185) * reverseproxy: Support HTTP/3 transport to backend (#6312) * context: AppIfConfigured returns error; consider not-yet-provisioned modules (#6292) * Fix lint error about deprecated method in smallstep/certificates/authority * go.mod: Upgrade dependencies * caddytls: fix permission requirement with AutomationPolicy (#6328) * caddytls: remove ClientHelloSNICtxKey (#6326) * caddyhttp: Trace individual middleware handlers (#6313) * templates: Add `pathEscape` template function and use it in file browser (#6278) * caddytls: set server name in context (#6324) * chore: downgrade minimum Go version in go.mod (#6318) * caddytest: normalize the JSON config (#6316) * caddyhttp: New experimental handler for intercepting responses (#6232) * httpcaddyfile: Set challenge ports when http_port or https_port are used * logging: Add support for additional logger filters other than hostname (#6082) * caddyhttp: Log 4xx as INFO; 5xx as ERROR (close #6106) * Second half of 6dce493 * caddyhttp: Alter log message when request is unhandled (close #5182) * chore: Bump Go version in CI (#6310) * go.mod: go 1.22.3 * Fix typos (#6311) * reverseproxy: Pointer to struct when loading modules; remove LazyCertPool (#6307) * tracing: add trace_id var (`http.vars.trace_id` placeholder) (#6308) * go.mod: CertMagic v0.21.0 * reverseproxy: Implement health_follow_redirects (#6302) * caddypki: Allow use of root CA without a key. Fixes #6290 (#6298) * go.mod: Upgrade to quic-go v0.43.1 * reverseproxy: HTTP transport: fix PROXY protocol initialization (#6301) * caddytls: Ability to drop connections (close #6294) * build(deps): bump golangci/golangci-lint-action from 4 to 5 (#6289) * httpcaddyfile: Fix expression matcher shortcut in snippets (#6288) * caddytls: Evict internal certs from cache based on issuer (#6266) * chore: add warn logs when using deprecated fields (#6276) * caddyhttp: Fix linter warning about deprecation * go.mod: Upgrade to quic-go v0.43.0 * fileserver: Set "Vary: Accept-Encoding" header (see #5849) * events: Add debug log * reverseproxy: handle buffered data during hijack (#6274) * ci: remove `android` and `plan9` from cross-build workflow (#6268) * run `golangci-lint run --fix --fast` (#6270) * caddytls: Option to configure certificate lifetime (#6253) * replacer: Implement `file.*` global replacements (#5463) * caddyhttp: Address some Go 1.20 features (#6252) * Quell linter (false positive) * reverse_proxy: Add grace_period for SRV upstreams to Caddyfile (#6264) * doc: add `verifier` in `ClientAuthentication` caddyfile marshaler doc (#6263) * caddytls: Add Caddyfile support for on-demand permission module (close #6260) * reverseproxy: Remove long-deprecated buffering properties * reverseproxy: Reuse buffered request body even if partially drained * reverseproxy: Accept EOF when buffering * logging: Fix default access logger (#6251) * fileserver: Improve Vary handling (#5849) * cmd: Only validate config is proper JSON if config slice has data (#6250) * staticresp: Use the evaluated response body for sniffing JSON content-type (#6249) * encode: Slight fix for the previous commit * encode: Improve Etag handling (fix #5849) * httpcaddyfile: Skip automate loader if disable_certs is specified (fix #6148) * caddyfile: Populate regexp matcher names by default (#6145) * caddyhttp: record num. bytes read when response writer is hijacked (#6173) * caddyhttp: Support multiple logger names per host (#6088) * chore: fix some typos in comments (#6243) * encode: Configurable compression level for zstd (#6140) * caddytls: Remove shim code supporting deprecated lego-dns (#6231) * connection policy: add `local_ip` matcher (#6074) * reverseproxy: Wait for both ends of websocket to close (#6175) * caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229) * caddytls: Still provision permission module if ask is specified * fileserver: read etags from precomputed files (#6222) * fileserver: Escape # and ? in img src (fix #6237) * reverseproxy: Implement modular CA provider for TLS transport (#6065) * caddyhttp: Apply auto HTTPS redir to all interfaces (fix #6226) * cmd: Fix panic related to config filename (fix #5919) * cmd: Assume Caddyfile based on filename prefix and suffix (#5919) * admin: Make `Etag` a header, not a trailer (#6208) * caddyhttp: remove duplicate strings.Count in path matcher (fixes #6233) (#6234) * caddyconfig: Use empty struct instead of bool in map (close #6224) (#6227) * gitignore: Add rule for caddyfile.go (#6225) * chore: Fix broken links in README.md (#6223) * chore: Upgrade some dependencies (#6221) * caddyhttp: Add plaintext response to `file_server browse` (#6093) * admin: Use xxhash for etag (#6207) * modules: fix some typo in conments (#6206) * caddyhttp: Replace sensitive headers with REDACTED (close #5669) * caddyhttp: close quic connections when server closes (#6202) * reverseproxy: Use xxhash instead of fnv32 for LB (#6203) * caddyhttp: add http.request.local{,.host,.port} placeholder (#6182) * chore: upgrade deps (#6198) * chore: remove repetitive word (#6193) * Added a null check to avoid segfault on rewrite query ops (#6191) * rewrite: `uri query` replace operation (#6165) * logging: support `ms` duration format and add docs (#6187) * replacer: use RWMutex to protect static provider (#6184) * caddyhttp: Allow `header` replacement with empty string (#6163) * vars: Make nil values act as empty string instead of `"<nil>"` (#6174) * chore: Update quic-go to v0.42.0 (#6176) * caddyhttp: Accept XFF header values with ports, when parsing client IP (#6183) * reverseproxy: configurable active health_passes and health_fails (#6154) * reverseproxy: Configurable forward proxy URL (#6114) * caddyhttp: upgrade to cel v0.20.0 (#6161) * chore: Bump Chroma to v2.13.0, includes new Caddyfile lexer (#6169) * caddyhttp: suppress flushing if the response is being buffered (#6150) * chore: encode: use FlushError instead of Flush (#6168) * encode: write status immediately when status code is informational (#6164) * httpcaddyfile: Keep deprecated `skip_log` in directive order (#6153) * httpcaddyfile: Add `RegisterDirectiveOrder` function for plugin authors (#5865) * rewrite: Implement `uri query` operations (#6120) * fix struct names (#6151) * fileserver: Preserve query during canonicalization redirect (#6109) * logging: Implement `log_append` handler (#6066) * httpcaddyfile: Allow nameless regexp placeholder shorthand (#6113) * logging: Implement `append` encoder, allow flatter filters config (#6069) * ci: fix the integration test `TestLeafCertLoaders` (#6149) * vars: Allow overriding `http.auth.user.id` in replacer as a special case (#6108) * caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050) * cmd: Adjust config load logs/errors (#6032) * reverseproxy: SRV dynamic upstream failover (#5832) * ci: bump golangci/golangci-lint-action from 3 to 4 (#6141) * core: OnExit hooks (#6128) * cmd: fix the output of the `Usage` section (#6138) * caddytls: verifier: caddyfile: re-add Caddyfile support (#6127) * acmeserver: add policy field to define allow/deny rules (#5796) * reverseproxy: cookie should be Secure and SameSite=None when TLS (#6115) * caddytest: Rename adapt tests to `*.caddyfiletest` extension (#6119) * tests: uses testing.TB interface for helper to be able to use test server in benchmarks. (#6103) * caddyfile: Assert having a space after heredoc marker to simply check (#6117) * chore: Update Chroma to get the new Caddyfile lexer (#6118) * reverseproxy: use context.WithoutCancel (#6116) * caddyfile: Reject directives in the place of site addresses (#6104) * caddyhttp: Register post-shutdown callbacks (#5948) * caddyhttp: Only attempt to enable full duplex for HTTP/1.x (#6102) * caddyauth: Drop support for `scrypt` (#6091) * Revert "caddyfile: Reject long heredoc markers (#6098)" (#6100) * caddyauth: Rename `basicauth` to `basic_auth` (#6092) * logging: Inline Caddyfile syntax for `ip_mask` filter (#6094) * caddyfile: Reject long heredoc markers (#6098) * chore: Rename CI jobs, run on M1 mac (#6089) * update comment * improved list * fix: add back text/* * fix: add more media types to the compressed by default list * acmeserver: support specifying the allowed challenge types (#5794) * matchers: Drop `forwarded` option from `remote_ip` matcher (#6085) * caddyhttp: Test cases for `%2F` and `%252F` (#6084) * bump to golang 1.22 (#6083) * fileserver: Browse can show symlink target if enabled (#5973) * core: Support NO_COLOR env var to disable log coloring (#6078) * build(deps): bump peter-evans/repository-dispatch from 2 to 3 (#6080) * Update comment in setcap helper script * caddytls: Make on-demand 'ask' permission modular (#6055) * core: Add `ctx.Slogger()` which returns an `slog` logger (#5945) * chore: Update quic-go to v0.41.0, bump Go minimum to 1.21 (#6043) * chore: enabling a few more linters (#5961) * caddyfile: Correctly close the heredoc when the closing marker appears immediately (#6062) * caddyfile: Switch to slices.Equal for better performance (#6061) * tls: modularize trusted CA providers (#5784) * logging: Automatic `wrap` default for `filter` encoder (#5980) * caddyhttp: Fix panic when request missing ClientIPVarKey (#6040) * caddyfile: Normalize & flatten all unmarshalers (#6037) * cmd: reverseproxy: log: use caddy logger (#6042) * matchers: `query` now ANDs multiple keys (#6054) * caddyfile: Add heredoc support to `fmt` command (#6056) * refactor: move automaxprocs init in caddycmd.Main() * caddyfile: Allow heredoc blank lines (#6051) * httpcaddyfile: Add optional status code argument to `handle_errors` directive (#5965) * httpcaddyfile: Rewrite `root` and `rewrite` parsing to allow omitting matcher (#5844) * fileserver: Implement caddyfile.Unmarshaler interface (#5850) * reverseproxy: Add `tls_curves` option to HTTP transport (#5851) * caddyhttp: Security enhancements for client IP parsing (#5805) * replacer: Fix escaped closing braces (#5995) * filesystem: Globally declared filesystems, `fs` directive (#5833) * ci/cd: use the build tag `nobadger` to exclude badgerdb (#6031) * httpcaddyfile: Fix redir <to> html (#6001) * httpcaddyfile: Support client auth verifiers (#6022) * tls: add reuse_private_keys (#6025) * reverseproxy: Only change Content-Length when full request is buffered (#5830) * Switch Solaris-derivatives away from listen_unix (#6021) * build(deps): bump actions/upload-artifact from 3 to 4 (#6013) * build(deps): bump actions/setup-go from 4 to 5 (#6012) * chore: check against errors of `io/fs` instead of `os` (#6011) * caddyhttp: support unix sockets in `caddy respond` command (#6010) * fileserver: Add total file size to directory listing (#6003) * httpcaddyfile: Fix cert file decoding to load multiple PEM in one file (#5997) * build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#5994) * cmd: use automaxprocs for better perf in containers (#5711) * logging: Add `zap.Option` support (#5944) * httpcaddyfile: Sort skip_hosts for deterministic JSON (#5990) * metrics: Record request metrics on HTTP errors (#5979) * go.mod: Updated quic-go to v0.40.1 (#5983) * fileserver: Enable compression for command by default (#5855) * fileserver: New --precompressed flag (#5880) * caddyhttp: Add `uuid` to access logs when used (#5859) * proxyprotocol: use github.com/pires/go-proxyproto (#5915) * cmd: Preserve LastModified date when exporting storage (#5968) * core: Always make AppDataDir for InstanceID (#5976) * chore: cross-build for AIX (#5971) * caddytls: Sync distributed storage cleaning (#5940) * caddytls: Context to DecisionFunc (#5923) * tls: accept placeholders in string values of certificate loaders (#5963) * templates: Offically make templates extensible (#5939) * http2 uses new round-robin scheduler (#5946) * panic when reading from backend failed to propagate stream error (#5952) * chore: Bump otel to v1.21.0. (#5949) * httpredirectlistener: Only set read limit for when request is HTTP (#5917) * fileserver: Add .m4v for browse template icon * Revert "caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)" (#5924) * go.mod: update quic-go version to v0.40.0 (#5922) * update quic-go to v0.39.3 (#5918) * chore: Fix usage pool comment (#5916) * test: acmeserver: add smoke test for the ACME server directory (#5914) * Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913) * caddyhttp: Adjust `scheme` placeholder docs (#5910) * go.mod: Upgrade quic-go to v0.39.1 * go.mod: CVE-2023-45142 Update opentelemetry (#5908) * templates: Delete headers on `httpError` to reset to clean slate (#5905) * httpcaddyfile: Remove port from logger names (#5881) * core: Apply SO_REUSEPORT to UDP sockets (#5725) * caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848) * cmd: Add newline character to version string in CLI output (#5895) * core: quic listener will manage the underlying socket by itself (#5749) * templates: Clarify `include` args docs, add `.ClientIP` (#5898) * httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896) * cmd: upgrade: resolve symlink of the executable (#5891) * caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883) - CVEs: * CVE-2024-22189 (boo#1222468) * CVE-2023-45142 - Update to version 2.7.6: * caddytls: Sync distributed storage cleaning (#5940) * caddytls: Context to DecisionFunc (#5923) * tls: accept placeholders in string values of certificate loaders (#5963) * templates: Offically make templates extensible (#5939) * http2 uses new round-robin scheduler (#5946) * panic when reading from backend failed to propagate stream error (#5952) * chore: Bump otel to v1.21.0. (#5949) * httpredirectlistener: Only set read limit for when request is HTTP (#5917) * fileserver: Add .m4v for browse template icon * Revert "caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)" (#5924) * go.mod: update quic-go version to v0.40.0 (#5922) * update quic-go to v0.39.3 (#5918) * chore: Fix usage pool comment (#5916) * test: acmeserver: add smoke test for the ACME server directory (#5914) * Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913) * caddyhttp: Adjust `scheme` placeholder docs (#5910) * go.mod: Upgrade quic-go to v0.39.1 * go.mod: CVE-2023-45142 Update opentelemetry (#5908) * templates: Delete headers on `httpError` to reset to clean slate (#5905) * httpcaddyfile: Remove port from logger names (#5881) * core: Apply SO_REUSEPORT to UDP sockets (#5725) * caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848) * cmd: Add newline character to version string in CLI output (#5895) * core: quic listener will manage the underlying socket by itself (#5749) * templates: Clarify `include` args docs, add `.ClientIP` (#5898) * httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896) * cmd: upgrade: resolve symlink of the executable (#5891) * caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883) - Update to version 2.7.5: * admin: Respond with 4xx on non-existing config path (#5870) * ci: Force the Go version for govulncheck (#5879) * fileserver: Set canonical URL on browse template (#5867) * tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (#5852) * reverseproxy: Add more debug logs (#5793) * reverseproxy: Fix `least_conn` policy regression (#5862) * reverseproxy: Add logging for dynamic A upstreams (#5857) * reverseproxy: Replace health header placeholders (#5861) * httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output (#5860) * cmd: Fix exiting with custom status code, add `caddy -v` (#5874) * reverseproxy: fix parsing Caddyfile fails for unlimited request/response buffers (#5828) * reverseproxy: Fix retries on "upstreams unavailable" error (#5841) * httpcaddyfile: Enable TLS for catch-all site if `tls` directive is specified (#5808) * encode: Add `application/wasm*` to the default content types (#5869) * fileserver: Add command shortcuts `-l` and `-a` (#5854) * go.mod: Upgrade dependencies incl. x/net/http * templates: Add dummy `RemoteAddr` to `httpInclude` request, proxy compatibility (#5845) * reverseproxy: Allow fallthrough for response handlers without routes (#5780) * fix: caddytest.AssertResponseCode error message (#5853) * build(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5847) * build(deps): bump actions/checkout from 3 to 4 (#5846) * caddyhttp: Use LimitedReader for HTTPRedirectListener * fileserver: browse template SVG icons and UI tweaks (#5812) * reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams (#5811) * httpcaddyfile: fix placeholder shorthands in named routes (#5791) * cmd: Prevent overwriting existing env vars with `--envfile` (#5803) * ci: Run govulncheck (#5790) * logging: query filter for array of strings (#5779) * logging: Clone array on log filters, prevent side-effects (#5786) * fileserver: Export BrowseTemplate * ci: ensure short-sha is exported correctly on all platforms (#5781) * caddyfile: Fix case where heredoc marker is empty after newline (#5769) * go.mod: Update quic-go to v0.38.0 (#5772) * chore: Appease gosec linter (#5777) * replacer: change timezone to UTC for "time.now.http" placeholders (#5774) * caddyfile: Adjust error formatting (#5765) * update quic-go to v0.37.6 (#5767) * httpcaddyfile: Stricter errors for site and upstream address schemes (#5757) * caddyfile: Loosen heredoc parsing (#5761) * fileserver: docs: clarify the ability to produce JSON array with `browse` (#5751) * fix package typo (#5764) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP6: zypper in -t patch openSUSE-2024-220=1 Package List: - openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64): caddy-2.8.4-bp156.3.3.1 - openSUSE Backports SLE-15-SP6 (noarch): caddy-bash-completion-2.8.4-bp156.3.3.1 caddy-fish-completion-2.8.4-bp156.3.3.1 caddy-zsh-completion-2.8.4-bp156.3.3.1 References: https://www.suse.com/security/cve/CVE-2023-45142.html https://www.suse.com/security/cve/CVE-2024-22189.html https://bugzilla.suse.com/1222468