Security update for caddy SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:10080-1 Final 1 1 2022-08-06T12:01:12Z current 2022-08-06T12:01:12Z 2022-08-06T12:01:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for caddy This update for caddy fixes the following issues: Update to version 2.5.2: * admin: expect quoted ETags (#4879) * headers: Only replace known placeholders (#4880) * reverseproxy: Err 503 if all upstreams unavailable * reverseproxy: Adjust new TLS Caddyfile directive names (#4872) * fileserver: Use safe redirects in file browser * admin: support ETag on config endpoints (#4579) * caddytls: Reuse issuer between PreCheck and Issue (#4866) * admin: Implement /adapt endpoint (close #4465) (#4846) * forwardauth: Fix case when `copy_headers` is omitted (#4856) * Expose several Caddy HTTP Matchers to the CEL Matcher (#4715) * reverseproxy: Fix double headers in response handlers (#4847) * reverseproxy: Fix panic when TLS is not configured (#4848) * reverseproxy: Skip TLS for certain configured ports (#4843) * forwardauth: Support renaming copied headers, block support (#4783) * Add comment about xcaddy to main * headers: Support wildcards for delete ops (close #4830) (#4831) * reverseproxy: Dynamic ServerName for TLS upstreams (#4836) * reverseproxy: Make TLS renegotiation optional * reverseproxy: Add renegotiation param in TLS client (#4784) * caddyhttp: Log error from CEL evaluation (fix #4832) * reverseproxy: Correct the `tls_server_name` docs (#4827) * reverseproxy: HTTP 504 for upstream timeouts (#4824) * caddytls: Make peer certificate verification pluggable (#4389) * reverseproxy: api: Remove misleading 'healthy' value * Fix #4822 and fix #4779 * reverseproxy: Add --internal-certs CLI flag #3589 (#4817) * ci: Fix build caching on Windows (#4811) * templates: Add `humanize` function (#4767) * core: Micro-optim in run() (#4810) * httpcaddyfile: Add `{err.*}` placeholder shortcut (#4798) * templates: Documentation consistency (#4796) * chore: Bump quic-go to v0.27.0 (#4782) * reverseproxy: Support http1.1>h2c (close #4777) (#4778) * rewrite: Handle fragment before query (fix #4775) [boo#1201822, CVE-2022-34037] * httpcaddyfile: Support multiple values for `default_bind` (#4774) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2022-10080 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GQURFVT45F4OXOLLGP52CDBSBPTC2M4G/ E-Mail link for openSUSE-SU-2022:10080-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1201822 SUSE Bug 1201822 https://www.suse.com/security/cve/CVE-2022-34037/ SUSE CVE CVE-2022-34037 page SUSE Package Hub 15 SP4 openSUSE Leap 15.4 caddy-2.5.2-bp154.2.8.1 caddy-2.5.2-bp154.2.8.1 as a component of SUSE Package Hub 15 SP4 caddy-2.5.2-bp154.2.8.1 as a component of openSUSE Leap 15.4 An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. CVE-2022-34037 SUSE Package Hub 15 SP4:caddy-2.5.2-bp154.2.8.1 openSUSE Leap 15.4:caddy-2.5.2-bp154.2.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/GQURFVT45F4OXOLLGP52CDBSBPTC2M4G/ https://www.suse.com/security/cve/CVE-2022-34037.html CVE-2022-34037 https://bugzilla.suse.com/1201822 SUSE Bug 1201822