Alerts This Week
Warning Icon 1 1,529
Alerts This Week
Warning Icon 1 1,529

Fedora 43 Caddy Important Security Update 22 CVEs Advisory 2026-3dc324bd9a

fedora
Calendar Grey July 1, 2026
Dist Fedora Esm H88
Fedora 43 security advisory updating Caddy addressing 22 CVEs with critical risks including DoS and information leaks.
Security update resolving 22 CVEs across both caddy itself and its vendored libraries.

Summary

Caddy is an extensible server platform that uses TLS by default.

Update Information:

Security update resolving 22 CVEs across both caddy itself and its vendored libraries.

Change Log

* Tue Jun 23 2026 Carl George - 2.10.2-9 - Port to new golang packaging guidelines - Backport upstream fix for CVE-2026-27585 - Backport upstream fix for CVE-2026-27586 - Backport upstream fix for CVE-2026-27587 - Backport upstream fix for CVE-2026-27588 - Backport upstream fix for CVE-2026-27589 - Backport upstream fix for CVE-2026-27590 - Backport upstream fix for CVE-2026-30851 - Backport upstream fix for CVE-2026-30852 - Update vendored github.com/quic-go/quic-go to v0.57.0 for CVE-2025-64702 - Update vendored golang.org/x/crypto to v0.52.0 for CVE-2025-47913, CVE-2026-39828, CVE-2026-39829, and CVE-2026-39830 - Update vendored github.com/smallstep/certificates to v0.30.0 for CVE-2025-44005 and CVE-2026-40097 - Update vendored github.com/go-chi/chi/v5 to v5.2.5 for CVE-2025-69725 - Update vendored github.com/yuin/goldmark/renderer/html to v1.7.17 for CVE-2026-5160 * Mon Feb 2 2026 Maxwell G - 2.10.2-5 - Rebuild for https://fedoraproject.org/wiki/Changes/golang1.26 * Fri Jan 16 2026 Fedora Release Engineering - 2.10.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild * Fri Jan 16 2026 Fedora Release Engineering - 2.10.2-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild * Fri Oct 10 2025 Alejandro Sáez - 2.10.2-2 - rebuild

References


[ 1 ] Bug #2488094 - CVE-2026-30851 caddy: Caddy: Privilege escalation via identity injection due to unstripped client headers [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488094 [ 2 ] Bug #2488095 - CVE-2026-30852 caddy: Caddy: Information disclosure via double-expansion of user-controlled input [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488095 [ 3 ] Bug #2488141 - CVE-2026-40097 caddy: Step CA: Denial of Service via crafted attestation key certificate [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488141 [ 4 ] Bug #2488502 - CVE-2026-27585 caddy: Caddy: Path security bypass due to unsanitized backslashes [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488502 [ 5 ] Bug #2488503 - CVE-2026-27586 caddy: Caddy: Authentication bypass via mTLS client certificate validation failure [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2488503 [ 6 ] Bug #2488514 - CVE-2026-27587 caddy: ...

Read the Full Advisory

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-3dc324bd9a' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: caddy
Product: Fedora 43
Version: 2.10.2
Release: 9.fc43
Summary: Web server with automatic HTTPS

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here