openSUSE-SU-2024:0212-1: important: Security update for chromium
openSUSE Security Update: Security update for chromium
_______________________________
Announcement ID: openSUSE-SU-2024:0212-1
Rating: important
References: #1227979
Cross-References: CVE-2024-6772 CVE-2024-6773 CVE-2024-6774 CVE-2024-6775 CVE-2024-6776 CVE-2024-6777 CVE-2024-6778 CVE-2024-6779
Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________
An update that fixes 8 vulnerabilities is now available.
Description:
This update for chromium fixes the following issues:
Chromium 126.0.6478.182 (boo#1227979):
- CVE-2024-6772: Inappropriate implementation in V8
- CVE-2024-6773: Type Confusion in V8
- CVE-2024-6774: Use after free in Screen Capture
- CVE-2024-6775: Use after free in Media Stream
- CVE-2024-6776: Use after free in Audio
- CVE-2024-6777: Use after free in Navigation
- CVE-2024-6778: Race in DevTools
- CVE-2024-6779: Out of bounds memory access in V8
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP5:
zypper in -t patch openSUSE-2024-212=1
Package List:
- openSUSE Backports SLE-15-SP5 (aarch64 x86_64):
chromedriver-126.0.6478.182-bp155.2.99.1
chromium-126.0.6478.182-bp155.2.99.1
References:
https://www.suse.com/security/cve/CVE-2024-6772.html
https://www.suse.com/security/cve/CVE-2024-6773.html
https://www.suse.com/security/cve/CVE-2024-6774.html
https://www.suse.com/security/cve/CVE-2024-6775.html
https://www.suse.com/security/cve/CVE-2024-6776.html
https://www.suse.com/security/cve/CVE-2024-6777.html
https://www.suse.com/security/cve/CVE-2024-6778.html
https://www.suse.com/security/cve/CVE-2024-6779.html
https://bugzilla.suse.com/1227979
openSUSE-SU-2024:0211-1: moderate: Security update for caddy
openSUSE Security Update: Security update for caddy
_______________________________
Announcement ID: openSUSE-SU-2024:0211-1
Rating: moderate
References: #1222468
Cross-References: CVE-2023-45142 CVE-2024-22189
CVSS scores:
CVE-2023-45142 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2024-22189 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________
An update that fixes two vulnerabilities is now available.
Description:
This update for caddy fixes the following issues:
Update to version 2.8.4:
* cmd: fix regression in auto-detect of Caddyfile (#6362)
* Tag v2.8.3 was mistakenly made on the v2.8.2 commit and is skipped
Update to version 2.8.2:
* cmd: fix auto-detection of .caddyfile extension (#6356)
* caddyhttp: properly sanitize requests for root path (#6360)
* caddytls: Implement certmagic.RenewalInfoGetter
Update to version 2.8.1:
* caddyhttp: Fix merging consecutive `client_ip` or `remote_ip` matchers (#6350)
* core: MkdirAll appDataDir in InstanceID with 0o700 (#6340)
Update to version 2.8.0:
* acmeserver: Add `sign_with_root` for Caddyfile (#6345)
* caddyfile: Reject global request matchers earlier (#6339)
* core: Fix bug in AppIfConfigured (fix #6336)
* fix a typo (#6333)
* autohttps: Move log WARN to INFO, reduce confusion (#6185)
* reverseproxy: Support HTTP/3 transport to backend (#6312)
* context: AppIfConfigured returns error; consider not-yet-provisioned modules (#6292)
* Fix lint error about deprecated method in smallstep/certificates/authority
* go.mod: Upgrade dependencies
* caddytls: fix permission requirement with AutomationPolicy (#6328)
* caddytls: remove ClientHelloSNICtxKey (#6326)
* caddyhttp: Trace individual middleware handlers (#6313)
* templates: Add `pathEscape` template function and use it in file browser (#6278)
* caddytls: set server name in context (#6324)
* chore: downgrade minimum Go version in go.mod (#6318)
* caddytest: normalize the JSON config (#6316)
* caddyhttp: New experimental handler for intercepting responses (#6232)
* httpcaddyfile: Set challenge ports when http_port or https_port are used
* logging: Add support for additional logger filters other than hostname (#6082)
* caddyhttp: Log 4xx as INFO; 5xx as ERROR (close #6106)
* caddyhttp: Alter log message when request is unhandled (close #5182)
* reverseproxy: Pointer to struct when loading modules; remove LazyCertPool (#6307)
* tracing: add trace_id var (`http.vars.trace_id` placeholder) (#6308)
* go.mod: CertMagic v0.21.0
* reverseproxy: Implement health_follow_redirects (#6302)
* caddypki: Allow use of root CA without a key. Fixes #6290 (#6298)
* go.mod: Upgrade to quic-go v0.43.1
* reverseproxy: HTTP transport: fix PROXY protocol initialization (#6301)
* caddytls: Ability to drop connections (close #6294)
* httpcaddyfile: Fix expression matcher shortcut in snippets (#6288)
* caddytls: Evict internal certs from cache based on issuer (#6266)
* chore: add warn logs when using deprecated fields (#6276)
* caddyhttp: Fix linter warning about deprecation
* go.mod: Upgrade to quic-go v0.43.0
* fileserver: Set "Vary: Accept-Encoding" header (see #5849)
* events: Add debug log
* reverseproxy: handle buffered data during hijack (#6274)
* ci: remove `android` and `plan9` from cross-build workflow (#6268)
* run `golangci-lint run --fix --fast` (#6270)
* caddytls: Option to configure certificate lifetime (#6253)
* replacer: Implement `file.*` global replacements (#5463)
* caddyhttp: Address some Go 1.20 features (#6252)
* Quell linter (false positive)
* reverse_proxy: Add grace_period for SRV upstreams to Caddyfile (#6264)
* doc: add `verifier` in `ClientAuthentication` caddyfile marshaler doc (#6263)
* caddytls: Add Caddyfile support for on-demand permission module (close #6260)
* reverseproxy: Remove long-deprecated buffering properties
* reverseproxy: Reuse buffered request body even if partially drained
* reverseproxy: Accept EOF when buffering
* logging: Fix default access logger (#6251)
* fileserver: Improve Vary handling (#5849)
* cmd: Only validate config is proper JSON if config slice has data (#6250)
* staticresp: Use the evaluated response body for sniffing JSON content-type (#6249)
* encode: Slight fix for the previous commit
* encode: Improve Etag handling (fix #5849)
* httpcaddyfile: Skip automate loader if disable_certs is specified (fix #6148)
* caddyfile: Populate regexp matcher names by default (#6145)
* caddyhttp: record num. bytes read when response writer is hijacked (#6173)
* caddyhttp: Support multiple logger names per host (#6088)
* chore: fix some typos in comments (#6243)
* encode: Configurable compression level for zstd (#6140)
* caddytls: Remove shim code supporting deprecated lego-dns (#6231)
* connection policy: add `local_ip` matcher (#6074)
* reverseproxy: Wait for both ends of websocket to close (#6175)
* caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229)
* caddytls: Still provision permission module if ask is specified
* fileserver: read etags from precomputed files (#6222)
* fileserver: Escape # and ? in img src (fix #6237)
* reverseproxy: Implement modular CA provider for TLS transport (#6065)
* caddyhttp: Apply auto HTTPS redir to all interfaces (fix #6226)
* cmd: Fix panic related to config filename (fix #5919)
* cmd: Assume Caddyfile based on filename prefix and suffix (#5919)
* admin: Make `Etag` a header, not a trailer (#6208)
* caddyhttp: remove duplicate strings.Count in path matcher (fixes #6233) (#6234)
* caddyconfig: Use empty struct instead of bool in map (close #6224) (#6227)
* gitignore: Add rule for caddyfile.go (#6225)
* chore: Fix broken links in README.md (#6223)
* chore: Upgrade some dependencies (#6221)
* caddyhttp: Add plaintext response to `file_server browse` (#6093)
* admin: Use xxhash for etag (#6207)
* modules: fix some typos in comments (#6206)
* caddyhttp: Replace sensitive headers with REDACTED (close #5669)
* caddyhttp: close quic connections when server closes (#6202)
* reverseproxy: Use xxhash instead of fnv32 for LB (#6203)
* caddyhttp: add http.request.local{,.host,.port} placeholder (#6182)
* chore: remove repetitive word (#6193)
* Added a null check to avoid segfault on rewrite query ops (#6191)
* rewrite: `uri query` replace operation (#6165)
* logging: support `ms` duration format and add docs (#6187)
* replacer: use RWMutex to protect static provider (#6184)
* caddyhttp: Allow `header` replacement with empty string (#6163)
* vars: Make nil values act as empty string instead of `""` (#6174)
* chore: Update quic-go to v0.42.0 (#6176)
* caddyhttp: Accept XFF header values with ports, when parsing client IP (#6183)
* reverseproxy: configurable active health_passes and health_fails (#6154)
* reverseproxy: Configurable forward proxy URL (#6114)
* caddyhttp: upgrade to cel v0.20.0 (#6161)
* chore: Bump Chroma to v2.13.0, includes new Caddyfile lexer (#6169)
* caddyhttp: suppress flushing if the response is being buffered (#6150)
* chore: encode: use FlushError instead of Flush (#6168)
* encode: write status immediately when status code is informational (#6164)
* httpcaddyfile: Keep deprecated `skip_log` in directive order (#6153)
* httpcaddyfile: Add `RegisterDirectiveOrder` function for plugin authors (#5865)
* rewrite: Implement `uri query` operations (#6120)
* fix struct names (#6151)
* fileserver: Preserve query during canonicalization redirect (#6109)
* logging: Implement `log_append` handler (#6066)
* httpcaddyfile: Allow nameless regexp placeholder shorthand (#6113)
* logging: Implement `append` encoder, allow flatter filters config (#6069)
* ci: fix the integration test `TestLeafCertLoaders` (#6149)
* vars: Allow overriding `http.auth.user.id` in replacer as a special case (#6108)
* caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050)
* cmd: Adjust config load logs/errors (#6032)
* reverseproxy: SRV dynamic upstream failover (#5832)
* ci: bump golangci/golangci-lint-action from 3 to 4 (#6141)
* core: OnExit hooks (#6128)
* cmd: fix the output of the `Usage` section (#6138)
* caddytls: verifier: caddyfile: re-add Caddyfile support (#6127)
* acmeserver: add policy field to define allow/deny rules (#5796)
* reverseproxy: cookie should be Secure and SameSite=None when TLS (#6115)
* caddytest: Rename adapt tests to `*.caddyfiletest` extension (#6119)
* tests: uses testing.TB interface for helper to be able to use test server in benchmarks. (#6103)
* caddyfile: Assert having a space after heredoc marker to simply check (#6117)
* chore: Update Chroma to get the new Caddyfile lexer (#6118)
* reverseproxy: use context.WithoutCancel (#6116)
* caddyfile: Reject directives in the place of site addresses (#6104)
* caddyhttp: Register post-shutdown callbacks (#5948)
* caddyhttp: Only attempt to enable full duplex for HTTP/1.x (#6102)
* caddyauth: Drop support for `scrypt` (#6091)
* Revert "caddyfile: Reject long heredoc markers (#6098)" (#6100)
* caddyauth: Rename `basicauth` to `basic_auth` (#6092)
* logging: Inline Caddyfile syntax for `ip_mask` filter (#6094)
* caddyfile: Reject long heredoc markers (#6098)
* chore: Rename CI jobs, run on M1 mac (#6089)
* fix: add back text/*
* fix: add more media types to the compressed by default list
* acmeserver: support specifying the allowed challenge types (#5794)
* matchers: Drop `forwarded` option from `remote_ip` matcher (#6085)
* caddyhttp: Test cases for `%2F` and `%252F` (#6084)
* fileserver: Browse can show symlink target if enabled (#5973)
* core: Support NO_COLOR env var to disable log coloring (#6078)
* Update comment in setcap helper script
* caddytls: Make on-demand 'ask' permission modular (#6055)
* core: Add `ctx.Slogger()` which returns an `slog` logger (#5945)
* chore: Update quic-go to v0.41.0, bump Go minimum to 1.21 (#6043)
* chore: enabling a few more linters (#5961)
* caddyfile: Correctly close the heredoc when the closing marker appears immediately (#6062)
* caddyfile: Switch to slices.Equal for better performance (#6061)
* tls: modularize trusted CA providers (#5784)
* logging: Automatic `wrap` default for `filter` encoder (#5980)
* caddyhttp: Fix panic when request missing ClientIPVarKey (#6040)
* caddyfile: Normalize & flatten all unmarshalers (#6037)
* cmd: reverseproxy: log: use caddy logger (#6042)
* matchers: `query` now ANDs multiple keys (#6054)
* caddyfile: Add heredoc support to `fmt` command (#6056)
* refactor: move automaxprocs init in caddycmd.Main()
* caddyfile: Allow heredoc blank lines (#6051)
* httpcaddyfile: Add optional status code argument to `handle_errors` directive (#5965)
* httpcaddyfile: Rewrite `root` and `rewrite` parsing to allow omitting matcher (#5844)
* fileserver: Implement caddyfile.Unmarshaler interface (#5850)
* reverseproxy: Add `tls_curves` option to HTTP transport (#5851)
* caddyhttp: Security enhancements for client IP parsing (#5805)
* replacer: Fix escaped closing braces (#5995)
* filesystem: Globally declared filesystems, `fs` directive (#5833)
* ci/cd: use the build tag `nobadger` to exclude badgerdb (#6031)
* httpcaddyfile: Fix redir html (#6001)
* httpcaddyfile: Support client auth verifiers (#6022)
* tls: add reuse_private_keys (#6025)
* reverseproxy: Only change Content-Length when full request is buffered (#5830)
* Switch Solaris-derivatives away from listen_unix (#6021)
* chore: check against errors of `io/fs` instead of `os` (#6011)
* caddyhttp: support unix sockets in `caddy respond` command (#6010)
* fileserver: Add total file size to directory listing (#6003)
* httpcaddyfile: Fix cert file decoding to load multiple PEM in one file (#5997)
* cmd: use automaxprocs for better perf in containers (#5711)
* logging: Add `zap.Option` support (#5944)
* httpcaddyfile: Sort skip_hosts for deterministic JSON (#5990)
* metrics: Record request metrics on HTTP errors (#5979)
* go.mod: Updated quic-go to v0.40.1 (#5983)
* fileserver: Enable compression for command by default (#5855)
* fileserver: New --precompressed flag (#5880)
* caddyhttp: Add `uuid` to access logs when used (#5859)
* proxyprotocol: use github.com/pires/go-proxyproto (#5915)
* cmd: Preserve LastModified date when exporting storage (#5968)
* core: Always make AppDataDir for InstanceID (#5976)
* chore: cross-build for AIX (#5971)
* caddytls: Sync distributed storage cleaning (#5940)
* caddytls: Context to DecisionFunc (#5923)
* tls: accept placeholders in string values of certificate loaders (#5963)
* templates: Officially make templates extensible (#5939)
* http2 uses new round-robin scheduler (#5946)
* panic when reading from backend failed to propagate stream error (#5952)
* chore: Bump otel to v1.21.0. (#5949)
* httpredirectlistener: Only set read limit for when request is HTTP (#5917)
* fileserver: Add .m4v for browse template icon
* Revert "caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)" (#5924)
* go.mod: update quic-go version to v0.40.0 (#5922)
* update quic-go to v0.39.3 (#5918)
* chore: Fix usage pool comment (#5916)
* test: acmeserver: add smoke test for the ACME server directory (#5914)
* Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
* caddyhttp: Adjust `scheme` placeholder docs (#5910)
* go.mod: Upgrade quic-go to v0.39.1
* go.mod: CVE-2023-45142 Update opentelemetry (#5908)
* templates: Delete headers on `httpError` to reset to clean slate (#5905)
* httpcaddyfile: Remove port from logger names (#5881)
* core: Apply SO_REUSEPORT to UDP sockets (#5725)
* caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)
* cmd: Add newline character to version string in CLI output (#5895)
* core: quic listener will manage the underlying socket by itself (#5749)
* templates: Clarify `include` args docs, add `.ClientIP` (#5898)
* httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)
* cmd: upgrade: resolve symlink of the executable (#5891)
* caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883)
- CVEs:
* CVE-2024-22189 (boo#1222468)
* CVE-2023-45142
- Remove the manual user/group provides: the package uses sysusers.d; the auto-provides were not working due to the broken go_provides.
- Provide user and group (due to RPM 4.19)
- Update caddy.sysusers to also create a group
- Update to version 2.7.6:
* caddytls: Sync distributed storage cleaning (#5940)
* caddytls: Context to DecisionFunc (#5923)
* tls: accept placeholders in string values of certificate loaders (#5963)
* templates: Officially make templates extensible (#5939)
* http2 uses new round-robin scheduler (#5946)
* panic when reading from backend failed to propagate stream error (#5952)
* chore: Bump otel to v1.21.0. (#5949)
* httpredirectlistener: Only set read limit for when request is HTTP (#5917)
* fileserver: Add .m4v for browse template icon
* Revert "caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)" (#5924)
* go.mod: update quic-go version to v0.40.0 (#5922)
* update quic-go to v0.39.3 (#5918)
* chore: Fix usage pool comment (#5916)
* test: acmeserver: add smoke test for the ACME server directory (#5914)
* Upgrade acmeserver to github.com/go-chi/chi/v5 (#5913)
* caddyhttp: Adjust `scheme` placeholder docs (#5910)
* go.mod: Upgrade quic-go to v0.39.1
* go.mod: CVE-2023-45142 Update opentelemetry (#5908)
* templates: Delete headers on `httpError` to reset to clean slate (#5905)
* httpcaddyfile: Remove port from logger names (#5881)
* core: Apply SO_REUSEPORT to UDP sockets (#5725)
* caddyhttp: Use sync.Pool to reduce lengthReader allocations (#5848)
* cmd: Add newline character to version string in CLI output (#5895)
* core: quic listener will manage the underlying socket by itself (#5749)
* templates: Clarify `include` args docs, add `.ClientIP` (#5898)
* httpcaddyfile: Fix TLS automation policy merging with get_certificate (#5896)
* cmd: upgrade: resolve symlink of the executable (#5891)
* caddyfile: Fix variadic placeholder false positive when token contains `:` (#5883)
- Update to version 2.7.5:
* admin: Respond with 4xx on non-existing config path (#5870)
* ci: Force the Go version for govulncheck (#5879)
* fileserver: Set canonical URL on browse template (#5867)
* tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (#5852)
* reverseproxy: Add more debug logs (#5793)
* reverseproxy: Fix `least_conn` policy regression (#5862)
* reverseproxy: Add logging for dynamic A upstreams (#5857)
* reverseproxy: Replace health header placeholders (#5861)
* httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output (#5860)
* cmd: Fix exiting with custom status code, add `caddy -v` (#5874)
* reverseproxy: fix parsing Caddyfile fails for unlimited request/response buffers (#5828)
* reverseproxy: Fix retries on "upstreams unavailable" error (#5841)
* httpcaddyfile: Enable TLS for catch-all site if `tls` directive is specified (#5808)
* encode: Add `application/wasm*` to the default content types (#5869)
* fileserver: Add command shortcuts `-l` and `-a` (#5854)
* go.mod: Upgrade dependencies incl. x/net/http
* templates: Add dummy `RemoteAddr` to `httpInclude` request, proxy compatibility (#5845)
* reverseproxy: Allow fallthrough for response handlers without routes (#5780)
* fix: caddytest.AssertResponseCode error message (#5853)
* caddyhttp: Use LimitedReader for HTTPRedirectListener
* fileserver: browse template SVG icons and UI tweaks (#5812)
* reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams (#5811)
* httpcaddyfile: fix placeholder shorthands in named routes (#5791)
* cmd: Prevent overwriting existing env vars with `--envfile` (#5803)
* ci: Run govulncheck (#5790)
* logging: query filter for array of strings (#5779)
* logging: Clone array on log filters, prevent side-effects (#5786)
* fileserver: Export BrowseTemplate
* ci: ensure short-sha is exported correctly on all platforms (#5781)
* caddyfile: Fix case where heredoc marker is empty after newline (#5769)
* go.mod: Update quic-go to v0.38.0 (#5772)
* chore: Appease gosec linter (#5777)
* replacer: change timezone to UTC for "time.now.http" placeholders (#5774)
* caddyfile: Adjust error formatting (#5765)
* update quic-go to v0.37.6 (#5767)
* httpcaddyfile: Stricter errors for site and upstream address schemes (#5757)
* caddyfile: Loosen heredoc parsing (#5761)
* fileserver: docs: clarify the ability to produce JSON array with `browse` (#5751)
* fix package typo (#5764)
- Switch to sysuser for user setup
Update to version 2.7.4:
* go.mod: Upgrade CertMagic and quic-go
* reverseproxy: Always return new upstreams (fix #5736) (#5752)
* ci: use gci linter (#5708)
* fileserver: Slightly more fitting icons
* cmd: Require config for caddy validate (fix #5612) (#5614)
* caddytls: Update docs for on-demand config
* fileserver: Don't repeat error for invalid method inside error context (#5705)
* ci: Update to Go 1.21 (#5719)
* ci: Add riscv64 (64-bit RISC-V) to goreleaser (#5720)
* go.mod: Upgrade golang.org/x/net to 0.14.0 (#5718)
* ci: Use gofumpt to format code (#5707)
* templates: Fix httpInclude (fix #5698)
Update to version 2.7.3:
* go.mod: Upgrade to quic-go v0.37.3
* cmd: Split unix sockets for admin endpoint addresses (#5696)
* reverseproxy: do not parse upstream address too early if it contains replaceable parts (#5695)
* caddyfile: check that matched key is not a substring of the replacement key (#5685)
* chore: use `--clean` instead of `--rm-dist` for goreleaser (#5691)
* go.mod: Upgrade quic-go to v0.37.2 (fix #5680)
* fileserver: browse: Render SVG images in grid
- Update to version 2.7.2:
* reverseproxy: Fix hijack ordering which broke websockets (#5679)
* httpcaddyfile: Fix `string does not match ~[]E` error (#5675)
* encode: Fix infinite recursion (#5672)
* caddyhttp: Make use of `http.ResponseController` (#5654)
* go.mod: Upgrade dependencies esp. smallstep/certificates
* core: Allow loopback hosts for admin endpoint (fix #5650) (#5664)
* httpcaddyfile: Allow `hostnames` & logger name overrides for log directive (#5643)
* reverseproxy: Connection termination cleanup (#5663)
* go.mod: Use quic-go 0.37.1
* reverseproxy: Export ipVersions type (#5648)
* go.mod: Use latest CertMagic (v0.19.1)
* caddyhttp: Preserve original error (fix #5652)
* fileserver: add lazy image loading (#5646)
* go.mod: Update quic-go to v0.37.0, bump to Go 1.20 minimum (#5644)
* core: Refine mutex during reloads (fix #5628) (#5645)
* go.mod: update quic-go to v0.36.2 (#5636)
* fileserver: Tweak grid view of browse template
* fileserver: add `export-template` sub-command to `file-server` (#5630)
* caddyfile: Fix comparing if two tokens are on the same line (#5626)
* caddytls: Reuse certificate cache through reloads (#5623)
* Minor tweaks to security.md
* reverseproxy: Pointer receiver
* caddyhttp: Trim dot/space only on Windows (fix #5613)
* update quic-go to v0.36.1 (#5611)
* caddyconfig: Specify config adapter for HTTP loader (close #5607)
* core: Embed net.UDPConn to gain optimizations (#5606)
* chore: remove deprecated property `rlcp` in goreleaser config (#5608)
* core: Skip `chmod` for abstract unix sockets (#5596)
* core: Add optional unix socket file permissions (#4741)
* reverseproxy: Honor `tls_except_port` for active health checks (#5591)
* Appease linter
* Fix compile on Windows, hopefully
* core: Properly preserve unix sockets (fix #5568)
* go.mod: Upgrade CertMagic for hotfix
* go.mod: Upgrade some dependencies
* chore: upgrade otel (#5586)
* go.mod: Update quic-go to v0.36.0 (#5584)
* reverseproxy: weighted_round_robin load balancing policy (#5579)
* reverseproxy: Experimental streaming timeouts (#5567)
* chore: remove refs of deprecated io/ioutil (#5576)
* headers: Allow `>` to defer shortcut for replacements (#5574)
* caddyhttp: Support custom network for HTTP/3 (#5573)
* reverseproxy: Fix parsing of source IP in case it's an ipv6 address (#5569)
* fileserver: browse: Better grid layout (#5564)
* caddytls: Clarify some JSON config docs
* cmd: Implement storage import/export (#5532)
* go.mod: Upgrade quic-go to 0.35.1
* update quic-go to v0.35.0 (#5560)
* templates: Add `readFile` action that does not evaluate templates (#5553)
* caddyfile: Track import name instead of modifying filename (#5540)
* core: Use SO_REUSEPORT_LB on FreeBSD (#5554)
* caddyfile: Do not replace import tokens if they are part of a snippet (#5539)
* fileserver: Don't set Etag if mtime is 0 or 1 (close #5548) (#5550)
* fileserver: browse: minor tweaks for grid view, dark mode (#5545)
* fileserver: Only set Etag if not already set (fix #5546) (#5547)
* fileserver: Fix file browser breadcrumb font (#5543)
* caddyhttp: Fix h3 shutdown (#5541)
* fileserver: More filetypes for browse icons
* fileserver: Fix file browser footer in grid mode (#5536)
* cmd: Avoid spammy log messages (fix #5538)
* httpcaddyfile: Sort Caddyfile slice
* caddyhttp: Implement named routes, `invoke` directive (#5107)
* rewrite: use escaped path, fix #5278 (#5504)
* headers: Add > Caddyfile shortcut for enabling defer (#5535)
* go.mod: Upgrade several dependencies
* reverseproxy: Expand port ranges to multiple upstreams in CLI + Caddyfile (#5494)
* fileserver: Use EscapedPath for browse (#5534)
* caddyhttp: Refactor cert Managers (fix #5415) (#5533)
* Slightly more helpful error message
* caddytls: Check for nil ALPN; close #5470 (#5473)
* cmd: Reduce spammy logs from --watch
* caddyhttp: Add a getter for Server.name (#5531)
* caddytls: Configurable fallback SNI (#5527)
* caddyhttp: Update quic's TLS configs after reload (#5517) (fix #4849)
* Add doc comment about changing admin endpoint
* feature: watch include directory (#5521)
* chore: remove deprecated linters (#5525)
* go.mod: Upgrade CertMagic again
* go.mod: Upgrade CertMagic
* reverseproxy: Optimize base case for least_conn and random_choose policies (#5487)
* reverseproxy: Fix active health check header canonicalization, refactor (#5446)
* reverseproxy: Add `fallback` for some policies, instead of always random (#5488)
* logging: Actually honor the SoftStart parameter
* logging: Soft start for net writer (close #5520)
* fastcgi: Fix `capture_stderr` (#5515)
* acmeserver: Configurable `resolvers`, fix smallstep deprecations (#5500)
* go.mod: Update some dependencies
* logging: Add traceID field to access logs when tracing is active (#5507)
* caddyhttp: Impl `ResponseWriter.Unwrap()`, prep for Go 1.20's `ResponseController` (#5509)
* reverseproxy: Fix reinitialize upstream healthy metrics (#5498)
* fix some comments (#5508)
* templates: Add `fileStat` function (#5497)
* caddyfile: Stricter parsing, error for brace on new line (#5505)
* core: Return default logger if no modules loaded
* celmatcher: Implement `pkix.Name` conversion to string (#5492)
* chore: Adjustments to CI caching (#5495)
* reverseproxy: Remove deprecated `lookup_srv` (#5396)
* cmd: Support `'` quotes in envfile parsing (#5437)
* Update contributing guidelines (#5466)
* caddyhttp: Serve http2 when listener wrapper doesn't return *tls.Conn (#4929)
* reverseproxy: Add `query` and `client_ip_hash` lb policies (#5468)
* cmd: Create pidfile before config load (close #5477)
* fileserver: Add color-scheme meta tag (#5475)
* proxyprotocol: Add PROXY protocol support to `reverse_proxy`, add HTTP listener wrapper (#5424)
* reverseproxy: Add mention of which half a copyBuffer err comes from (#5472)
* caddyhttp: Log request body bytes read (#5461)
* log: Make sink logs encodable (#5441)
* caddytls: Eval replacer on automation policy subjects (#5459)
* headers: Support deleting all headers as first op (#5464)
* replacer: Add HTTP time format (#5458)
* reverseproxy: Header up/down support for CLI command (#5460)
* caddyhttp: Determine real client IP if trusted proxies configured (#5104)
* httpcaddyfile: Adjust path matcher sorting to solve for specificity (#5462)
* caddytls: Zero out throttle window first (#5443)
* ci: add `--yes` to cosign arguments (#5440)
* reverseproxy: Reset Content-Length to prevent FastCGI from hanging (#5435)
* caddytls: Allow on-demand w/o ask for internal-only
* caddytls: Require 'ask' endpoint for on-demand TLS
* fileserver: New file browse template (#5427)
* go.mod: Upgrade dependencies
* tracing: Support autoprop from OTEL_PROPAGATORS (#5147)
* caddyhttp: Enable 0-RTT QUIC (#5425)
* encode: flush status code when hijacked. (#5419)
* fileserver: Remove trailing slash on fs filenames (#5417)
* core: Eliminate unnecessary shutdown delay on Unix (#5413)
* caddyhttp: Fix `vars_regexp` matcher with placeholders (#5408)
* context: Rename func to `AppIfConfigured` (#5397)
* reverseproxy: allow specifying ip version for dynamic `a` upstream (#5401)
* caddyfile: Fix heredoc fuzz crasher, drop trailing newline (#5404)
* caddyfile: Implement heredoc support (#5385)
* cmd: Expand cobra support, add short flags (#5379)
* ci: Update minimum Go version to 1.19
* go.mod: Upgrade quic-go to v0.33.0 (Go 1.19 min)
* reverseproxy: refactor HTTP transport layer (#5369)
* caddytls: Relax the warning for on-demand (#5384)
* cmd: Strict unmarshal for validate (#5383)
* caddyfile: Implement variadics for import args placeholders (#5249)
* cmd: make `caddy fmt` hints more clear (#5378)
* cmd: Adjust documentation for commands (#5377)
- Update to version 2.6.4:
* reverseproxy: Don't buffer chunked requests (fix #5366) (#5367)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP5:
zypper in -t patch openSUSE-2024-211=1
Package List:
- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):
caddy-2.8.4-bp155.2.3.1
- openSUSE Backports SLE-15-SP5 (noarch):
caddy-bash-completion-2.8.4-bp155.2.3.1
caddy-fish-completion-2.8.4-bp155.2.3.1
caddy-zsh-completion-2.8.4-bp155.2.3.1
References:
https://www.suse.com/security/cve/CVE-2023-45142.html
https://www.suse.com/security/cve/CVE-2024-22189.html
https://bugzilla.suse.com/1222468
openSUSE-SU-2024:0210-1: important: Security update for global
openSUSE Security Update: Security update for global
_______________________________
Announcement ID: openSUSE-SU-2024:0210-1
Rating: important
References: #1226420
Cross-References: CVE-2024-38448
Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________
An update that fixes one vulnerability is now available.
Description:
This update for global fixes the following issues:
- CVE-2024-38448: htags may allow code execution via untrusted dbpath (boo#1226420)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP5:
zypper in -t patch openSUSE-2024-210=1
Package List:
- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):
global-6.6.9-bp155.2.3.1
References:
https://www.suse.com/security/cve/CVE-2024-38448.html
https://bugzilla.suse.com/1226420
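The three advisories above only give the zypper command to apply each patch; the script below is an added example (not part of the announcements) that checks a host's installed packages against the fixed versions from the Package Lists, ordering versions the way librpm's rpmvercmp does so that "126.0.6478.182" is correctly seen as newer than "126.0.6478.99". It assumes the inventory was produced with `rpm -qa --qf '%{NAME} %{EVR}\n'`; the sample inventory embedded in it, including its older version strings, is constructed.

```python
"""Check installed package versions against the fixed versions in these advisories."""
import re

# Fixed versions taken from the Package Lists of the three advisories.
# Key: rpm package name; value: version-release string (no epoch on these packages).
FIXED_VERSIONS = {
    "chromium": "126.0.6478.182-bp155.2.99.1",      # openSUSE-SU-2024:0212-1
    "chromedriver": "126.0.6478.182-bp155.2.99.1",  # openSUSE-SU-2024:0212-1
    "caddy": "2.8.4-bp155.2.3.1",                   # openSUSE-SU-2024:0211-1
    "global": "6.6.9-bp155.2.3.1",                  # openSUSE-SU-2024:0210-1
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{EVR}\n'` output from a host
# that has applied only some of the patches (the older versions are made up).
SAMPLE_RPM_QA = """\
chromium 126.0.6478.126-bp155.2.96.1
chromedriver 126.0.6478.182-bp155.2.99.1
caddy 2.7.6-bp155.2.1.1
global 6.6.9-bp155.2.3.1
vim 9.1.0330-150500.3.1
"""

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way librpm does.

    Returns 1 if a is newer, -1 if b is newer, 0 if equal.  Strings are split
    into numeric and alphabetic segments; separators such as '.' are ignored,
    numeric segments compare as integers and beat alphabetic ones, and a
    tilde sorts before anything else (so 1.0~rc1 < 1.0).
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return 1 if y == "~" else -1
        elif x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments are equal: a remaining tilde loses, anything else wins.
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    if len(sb) > len(sa):
        return 1 if sb[len(sa)] == "~" else -1
    return 0


def split_evr(evr: str) -> tuple:
    """Split 'epoch:version-release' into its parts; epoch defaults to '0'."""
    epoch, rest = ("0", evr) if ":" not in evr else evr.split(":", 1)
    version, release = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare full epoch:version-release strings; epoch decides before version."""
    for x, y in zip(split_evr(a), split_evr(b)):
        result = rpmvercmp(x, y)
        if result:
            return result
    return 0


def audit(rpm_qa_lines):
    """Map each advisory package in the inventory to (installed, fixed, patched)."""
    findings = {}
    for line in rpm_qa_lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        name, installed = parts
        fixed = FIXED_VERSIONS.get(name)
        if fixed is not None:
            findings[name] = (installed, fixed, evrcmp(installed, fixed) >= 0)
    return findings


if __name__ == "__main__":
    for name, (installed, fixed, patched) in sorted(audit(SAMPLE_RPM_QA.splitlines()).items()):
        status = "ok" if patched else "NEEDS PATCH"
        print(f"{name:<13}{installed:<32}fixed in {fixed:<28}{status}")
```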