Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Fedora 38: FEDORA-2023-74e5545901 Critical: Caddy Request Smuggling

fedora
Calendar Grey August 27, 2023
Dist Fedora Esm H88
Notable Caddy upgrade in Fedora 38 addresses FTBFS issues and CVE-2022-41721, introducing a host of new functionalities and improvements.
This update takes caddy from 2.5.2 to 2.6.4

Summary

Caddy is the web server with automatic HTTPS.

Update Information:

This update takes caddy from 2.5.2 to 2.6.4. The primary purpose is to resolve a long standing FTBFS related to golang 1.20. The current F38 package is actually a carried-foward F37 build because of that reason. It also resolves CVE-2022-41721. This is a fairly significant upgrade with lots of new features and fixes, but after reviewing the upstream release notes I believe it should comply with the Fedora updates policy. The upgrade warnings in the release notes are described as either backwards compatible, marking a directive as deprecated without removing it, or changes to features that are marked as experimental. - https://github.com/caddyserver/caddy/releases/tag/v2.6.0 - https://github.com/caddyserver/caddy/releases/tag/v2.6.1 - https://github.com/caddyserver/caddy/releases/tag/v2.6.2 - https://github.com/caddyserver/caddy/releases/tag/v2.6.3 - https://github.com/caddyserver/caddy/releases/tag/v2.6.4

Topics%20covered

Topics Covered

security advisory critical software update Fedora security fix request smuggling Caddy

Change Log

* Tue Aug 15 2023 Carl George - 2.6.4-1 - Update to version 2.6.4 - Add man pages - Use generated shell completion files instead of static ones - Add fish shell completions * Wed Jul 19 2023 Fedora Release Engineering - 2.5.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild * Tue Jan 24 2023 Carl George - 2.5.2-3 - Rebuild for CVE-2022-41717 in golang * Wed Jan 18 2023 Fedora Release Engineering - 2.5.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild

References


[ 1 ] Bug #2171455 - caddy: FTBFS in Fedora rawhide/f38 https://bugzilla.redhat.com/show_bug.cgi?id=2171455 [ 2 ] Bug #2232707 - CVE-2022-41721 caddy: x/net/http2/h2c: request smuggling [fedora-38] https://bugzilla.redhat.com/show_bug.cgi?id=2232707

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-74e5545901' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

Severity
critical
Lowest
Low
Medium
High
Critical

Name: caddy
Product: Fedora 38
Version: 2.6.4
Release: 1.fc38
URL: https://caddyserver.com
Summary: Web server with automatic HTTPS

Topics%20covered

Topics Covered

security advisory critical software update Fedora security fix request smuggling Caddy

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here