[EPEL-devel] incompatible update of caddy in EPEL 9

2023-08-24 Thread Carl George
I am performing an incompatible upgrade of the caddy package in EPEL
9.  In accordance with the incompatible upgrade policy [0], I proposed
this upgrade just over a week ago on the epel-devel mailing list [1].
For reasons detailed in the previous email, it is no longer possible
to update the package at the current version, preventing me from
resolving known CVEs.  Today the EPEL Steering Committee voted to
approve this upgrade [2].

This upgrade will take the package from version 2.4.6 to 2.6.4.  This
includes a few backwards-incompatible changes.  I believe these
changes are on the milder side, and most users shouldn't notice a
difference.  Here are the most notable removals/changes:

- Reverse proxy: Incoming X-Forwarded-* headers will no longer be
automatically trusted, to prevent spoofing.
- Logging: Removed the deprecated common_log field from HTTP access
logs, and the single_field encoder.
- Logging: The remote_addr field has been replaced by remote_ip and
remote_port fields in HTTP access logs, which split up the two parts
of the remote address.
- Caddyfile: The reverse_proxy directive's handle_response
subdirective has had its status replacement functionality moved to a
new replace_status subdirective.

There are also a few additional changes to features labeled as
experimental, and some deprecations (not yet removed).  For a full
list, see the upstream release notes [3][4].

If you are able, please test and provide karma for the update [5].

[0] https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/
[1] https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org/thread/CDNDAKTIAQTFTNDHOIHKQJ4B2LAV5ZSS/
[2] https://meetbot.fedoraproject.org/fedora-meeting/2023-08-23/epel.2023-08-23-20.00.html
[3] https://github.com/caddyserver/caddy/releases/tag/v2.5.0
[4] https://github.com/caddyserver/caddy/releases/tag/v2.6.0
[5] https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-8849a14e7f

-- 
Carl George
___
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
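The first bullet in both messages of this thread (incoming X-Forwarded-* headers are no longer trusted automatically) is the change with the most direct security effect: since Caddy 2.5.0 the reverse_proxy directive only honours those headers from senders listed in its trusted_proxies subdirective, so anything that relies on a forwarded client IP (rate limits, allow lists, audit logs) now needs that list configured. The Go program below is an added example written for this page, not Caddy's implementation and not code from the thread; it shows why the old behaviour was spoofable and what a trust-list decision looks like. The CIDR 10.0.0.0/8 and the addresses in main are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// parseAddr extracts an IP from "ip:port", "[v6]:port" or a bare IP.
func parseAddr(s string) (netip.Addr, bool) {
	s = strings.TrimSpace(s)
	if host, _, err := net.SplitHostPort(s); err == nil {
		s = host
	}
	addr, err := netip.ParseAddr(strings.Trim(s, "[]"))
	if err != nil {
		return netip.Addr{}, false
	}
	return addr.Unmap(), true
}

// isTrusted reports whether addr falls inside one of the trusted proxy ranges.
func isTrusted(addr netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// ClientIP decides which address a request is attributed to.
//
// remoteAddr is the TCP peer ("ip:port"), xff is the raw X-Forwarded-For
// value and trusted lists the proxies whose forwarding headers may be
// believed. With trustAll set, the header is honoured unconditionally and
// its leftmost entry wins (the spoofable behaviour). Otherwise the header is
// consulted only when the peer itself is a trusted proxy, and the chain is
// walked from the right, skipping trusted hops, to the first address that is
// not one of our own proxies. This is a generic illustration (assumption),
// not Caddy's exact algorithm.
func ClientIP(remoteAddr, xff string, trusted []netip.Prefix, trustAll bool) string {
	peer, ok := parseAddr(remoteAddr)
	if !ok {
		return ""
	}
	var hops []netip.Addr
	for _, part := range strings.Split(xff, ",") {
		if a, ok := parseAddr(part); ok {
			hops = append(hops, a)
		}
	}
	if trustAll {
		if len(hops) > 0 {
			return hops[0].String()
		}
		return peer.String()
	}
	if !isTrusted(peer, trusted) {
		// Direct client or unknown proxy: whatever it put in X-Forwarded-For
		// is attacker-controlled, so the TCP peer is the client.
		return peer.String()
	}
	for i := len(hops) - 1; i >= 0; i-- {
		if !isTrusted(hops[i], trusted) {
			return hops[i].String()
		}
	}
	// Only trusted proxies in the chain, or no header at all.
	return peer.String()
}

func main() {
	// Constructed inputs: a direct client forging the header, and a request
	// relayed by the trusted proxy 10.0.0.2 that still carries a forged
	// leftmost entry.
	trusted := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}
	fmt.Println(ClientIP("203.0.113.9:44321", "1.1.1.1", trusted, true))  // 1.1.1.1 (spoofed)
	fmt.Println(ClientIP("203.0.113.9:44321", "1.1.1.1", trusted, false)) // 203.0.113.9
	fmt.Println(ClientIP("10.0.0.5:1234", "1.1.1.1, 198.51.100.7, 10.0.0.2", trusted, false)) // 198.51.100.7
}
```

In a Caddyfile the trust list for the second and third calls corresponds to `trusted_proxies 10.0.0.0/8` inside the reverse_proxy block; with no such list, 2.6.4 behaves like the trustAll=false case with an empty list, i.e. the header is ignored and the TCP peer is used.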


[EPEL-devel] incompatible update of caddy in EPEL 9

2023-08-16 Thread Carl George
Per policy [0], this is an announcement that I would like to do an
incompatible update of the caddy package in EPEL 9.

The version in the EPEL 9 repo is currently 2.4.6.  RHEL 8 currently
has golang 1.19.  Based on my recent investigation of the EPEL 7
package [1], I've discovered just how sensitive caddy is to the
version of golang it is built with.  Upstream caddy only ever tested
version 2.4.6 with golang 1.16 and 1.17 [2].  I did previously build
caddy 2.4.6 with golang 1.18, which required swapping out the bundled
quic library to work [3].  Thankfully that worked without patching the
caddy code, but updating the bundled quic further in order to build
with golang 1.19 would require significant patching, which isn't even
guaranteed to work.  I do not believe that rebuilding caddy at the
current version in EPEL 9 is feasible, which prevents even attempting
to backport outstanding CVEs.  I'm currently tracking two CVEs for the
EPEL 9 package that I would like to fix.

- CVE-2022-28923 [4][5][6]
- CVE-2022-41721 [7][8][9]

To resolve these CVEs, and to get compatible with RHEL 9's golang
1.19, I think the best version of caddy to update to is 2.6.4.
Updating caddy from 2.4.6 to 2.6.4 includes some
backwards-incompatible changes (hence this email).  After review, I
believe these changes are on the milder side, and most users shouldn't
notice a difference.  Here are the most notable removals/changes:

- Reverse proxy: Incoming X-Forwarded-* headers will no longer be
automatically trusted, to prevent spoofing.
- Logging: Removed the deprecated common_log field from HTTP access
logs, and the single_field encoder.
- Logging: The remote_addr field has been replaced by remote_ip and
remote_port fields in HTTP access logs, which split up the two parts
of the remote address.
- Caddyfile: The reverse_proxy directive's handle_response
subdirective has had its status replacement functionality moved to a
new replace_status subdirective.

There are also a few additional changes to features labeled as
experimental, and some deprecations (not yet removed).  For a full
list, see the upstream release notes [10][11].

Finally, I'll note that RHEL 8 has the same version of golang as RHEL
9, so I also targeted caddy 2.6.4 for the initial EPEL 8 package that
is on its way to testing [12].  It will be nice to have the same
version of caddy in both EPEL 8 and EPEL 9.

[0] https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/
[1] https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org/thread/JZRLEWOCX5QX3XZ7INLUZIB7LPAMDUZC/
[2] https://github.com/caddyserver/caddy/blob/v2.4.6/.github/workflows/ci.yml#L22
[3] https://src.fedoraproject.org/rpms/caddy/c/8a639d7060ef6ff610880429d161b5f0275deee1?branch=epel9
[4] https://bugzilla.redhat.com/show_bug.cgi?id=2226939
[5] https://access.redhat.com/security/cve/CVE-2022-28923
[6] https://nvd.nist.gov/vuln/detail/CVE-2022-28923
[7] https://bugzilla.redhat.com/show_bug.cgi?id=2232267
[8] https://access.redhat.com/security/cve/CVE-2022-41721
[9] https://nvd.nist.gov/vuln/detail/CVE-2022-41721
[10] https://github.com/caddyserver/caddy/releases/tag/v2.5.0
[11] https://github.com/caddyserver/caddy/releases/tag/v2.6.0
[12] https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-0b57e19163

-- 
Carl George
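The logging bullets in both messages of this thread matter to anyone shipping Caddy access logs to a SIEM: after the 2.4.6 to 2.6.4 jump the request object carries remote_ip and remote_port instead of remote_addr, so a parser keyed on the old field silently drops the client address. The Go program below is an added example for this page, not Caddy's code and not from the thread; it decodes either schema into one form and runs a simple failed-request count per client IP over sample lines. Field names follow Caddy's JSON access log; the log lines themselves are constructed for the example, not captured from a real server.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// accessEntry holds the access-log fields this example uses. The request
// block carries remote_addr ("ip:port") in 2.4.x logs and remote_ip plus
// remote_port in 2.5+ logs; both are declared so one struct decodes either.
type accessEntry struct {
	Logger  string `json:"logger"`
	Status  int    `json:"status"`
	Request struct {
		RemoteAddr string      `json:"remote_addr"`
		RemoteIP   string      `json:"remote_ip"`
		RemotePort interface{} `json:"remote_port"` // a string in Caddy's logs; a number is tolerated too
		Method     string      `json:"method"`
		URI        string      `json:"uri"`
	} `json:"request"`
}

// Client is the normalised remote endpoint of one access-log entry.
type Client struct {
	IP   string
	Port string
}

// remoteOf picks whichever address fields the entry has.
func remoteOf(e accessEntry) (Client, error) {
	r := e.Request
	switch {
	case r.RemoteIP != "":
		var port string
		switch p := r.RemotePort.(type) {
		case string:
			port = p
		case float64:
			port = fmt.Sprintf("%d", int(p))
		}
		return Client{IP: r.RemoteIP, Port: port}, nil
	case r.RemoteAddr != "":
		host, port, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			return Client{IP: r.RemoteAddr}, nil // bare IP, no port component
		}
		return Client{IP: host, Port: port}, nil
	}
	return Client{}, fmt.Errorf("entry has no remote address fields")
}

// ParseRemote decodes one JSON access-log line into a version-independent Client.
func ParseRemote(line string) (Client, error) {
	var e accessEntry
	if err := json.Unmarshal([]byte(line), &e); err != nil {
		return Client{}, err
	}
	return remoteOf(e)
}

// FailedByIP counts, per client IP, the access entries whose status is at
// least minStatus. Non-access loggers, blank lines and corrupt lines are skipped.
func FailedByIP(logText string, minStatus int) map[string]int {
	counts := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e accessEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil || e.Logger != "http.log.access" {
			continue
		}
		c, err := remoteOf(e)
		if err != nil || e.Status < minStatus {
			continue
		}
		counts[c.IP]++
	}
	return counts
}

// sampleLog is constructed for this example: one 2.4-style line, two 2.6-style
// lines, a non-access line and a truncated line that must be ignored.
const sampleLog = `
{"level":"info","ts":1692800000.1,"logger":"http.log.access","msg":"handled request","request":{"remote_addr":"203.0.113.9:44321","proto":"HTTP/1.1","method":"POST","host":"example.test","uri":"/login"},"status":401}
{"level":"info","ts":1692800001.2,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.9","remote_port":"44322","proto":"HTTP/1.1","method":"POST","host":"example.test","uri":"/login"},"status":401}
{"level":"info","ts":1692800002.3,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"198.51.100.7","remote_port":"5000","proto":"HTTP/2.0","method":"GET","host":"example.test","uri":"/"},"status":200}
{"level":"info","ts":1692800003.4,"logger":"admin","msg":"admin endpoint started"}
{"level":"info","ts":1692800004.5,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.9",
`

func main() {
	fmt.Println(FailedByIP(sampleLog, 400)) // map[203.0.113.9:2]
}
```

The same counting rule produces one figure across the schema change because the address is normalised before anything else looks at it; a detection keyed directly on `request.remote_addr` would have reported zero failures for the 2.6-format lines.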