openSUSE: 2022:10080-1 moderate: caddy | LinuxSecurity.com

Advisories


   openSUSE Security Update: Security update for caddy
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10080-1
Rating:             moderate
References:         #1201822 
Cross-References:   CVE-2022-34037
CVSS scores:
                    CVE-2022-34037 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for caddy fixes the following issues:

   Update to version 2.5.2:

   * admin: expect quoted ETags (#4879)
   * headers: Only replace known placeholders (#4880)
   * reverseproxy: Err 503 if all upstreams unavailable
   * reverseproxy: Adjust new TLS Caddyfile directive names (#4872)
   * fileserver: Use safe redirects in file browser
   * admin: support ETag on config endpoints (#4579)
   * caddytls: Reuse issuer between PreCheck and Issue (#4866)
   * admin: Implement /adapt endpoint (close #4465) (#4846)
   * forwardauth: Fix case when `copy_headers` is omitted (#4856)
   * Expose several Caddy HTTP Matchers to the CEL Matcher (#4715)
   * reverseproxy: Fix double headers in response handlers (#4847)
   * reverseproxy: Fix panic when TLS is not configured (#4848)
   * reverseproxy: Skip TLS for certain configured ports (#4843)
   * forwardauth: Support renaming copied headers, block support (#4783)
   * Add comment about xcaddy to main
   * headers: Support wildcards for delete ops (close #4830) (#4831)
   * reverseproxy: Dynamic ServerName for TLS upstreams (#4836)
   * reverseproxy: Make TLS renegotiation optional
   * reverseproxy: Add renegotiation param in TLS client (#4784)
   * caddyhttps: Log error from CEL evaluation (fix #4832)
   * reverseproxy: Correct the `tls_server_name` docs (#4827)
   * reverseproxy: HTTP 504 for upstream timeouts (#4824)
   * caddytls: Make peer certificate verification pluggable (#4389)
   * reverseproxy: api: Remove misleading 'healthy' value
   * Fix #4822 and fix #4779
   * reverseproxy: Add --internal-certs CLI flag #3589 (#4817)
   * ci: Fix build caching on Windows (#4811)
   * templates: Add `humanize` function (#4767)
   * core: Micro-optim in run() (#4810)
   * httpcaddyfile: Add `{err.*}` placeholder shortcut (#4798)
   * templates: Documentation consistency (#4796)
   * chore: Bump quic-go to v0.27.0 (#4782)
   * reverseproxy: Support http1.1>h2c (close #4777) (#4778)
   * rewrite: Handle fragment before query (fix #4775) [boo#1201822,
     CVE-2022-34037]
   * httpcaddyfile: Support multiple values for `default_bind` (#4774)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2022-10080=1



Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

      caddy-2.5.2-bp154.2.8.1


References:

   https://www.suse.com/security/cve/CVE-2022-34037.html
   https://bugzilla.suse.com/1201822

openSUSE: 2022:10080-1 moderate: caddy

August 6, 2022
An update that fixes one vulnerability is now available

Description

This update for caddy fixes the following issues: Update to version 2.5.2: * admin: expect quoted ETags (#4879) * headers: Only replace known placeholders (#4880) * reverseproxy: Err 503 if all upstreams unavailable * reverseproxy: Adjust new TLS Caddyfile directive names (#4872) * fileserver: Use safe redirects in file browser * admin: support ETag on config endpoints (#4579) * caddytls: Reuse issuer between PreCheck and Issue (#4866) * admin: Implement /adapt endpoint (close #4465) (#4846) * forwardauth: Fix case when `copy_headers` is omitted (#4856) * Expose several Caddy HTTP Matchers to the CEL Matcher (#4715) * reverseproxy: Fix double headers in response handlers (#4847) * reverseproxy: Fix panic when TLS is not configured (#4848) * reverseproxy: Skip TLS for certain configured ports (#4843) * forwardauth: Support renaming copied headers, block support (#4783) * Add comment about xcaddy to main * headers: Support wildcards for delete ops (close #4830) (#4831) * reverseproxy: Dynamic ServerName for TLS upstreams (#4836) * reverseproxy: Make TLS renegotiation optional * reverseproxy: Add renegotiation param in TLS client (#4784) * caddyhttps: Log error from CEL evaluation (fix #4832) * reverseproxy: Correct the `tls_server_name` docs (#4827) * reverseproxy: HTTP 504 for upstream timeouts (#4824) * caddytls: Make peer certificate verification pluggable (#4389) * reverseproxy: api: Remove misleading 'healthy' value * Fix #4822 and fix #4779 * reverseproxy: Add --internal-certs CLI flag #3589 (#4817) * ci: Fix build caching on Windows (#4811) * templates: Add `humanize` function (#4767) * core: Micro-optim in run() (#4810) * httpcaddyfile: Add `{err.*}` placeholder shortcut (#4798) * templates: Documentation consistency (#4796) * chore: Bump quic-go to v0.27.0 (#4782) * reverseproxy: Support http1.1>h2c (close #4777) (#4778) * rewrite: Handle fragment before query (fix #4775) [boo#1201822, CVE-2022-34037] * httpcaddyfile: Support multiple values for `default_bind` (#4774)

Patch

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2022-10080=1

Package List

- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64): caddy-2.5.2-bp154.2.8.1

References

https://www.suse.com/security/cve/CVE-2022-34037.html https://bugzilla.suse.com/1201822

Severity
Announcement ID: openSUSE-SU-2022:10080-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP4 .

Related News

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.