Request: Cut new Go caddy version to address quic-go <0.42.0 CVE #6210
Comments
BBKolton changed the title from "Request: Cut new caddy-go version to address quic-go <0.42.0 CVE" to "Request: Cut new Go caddy version to address quic-go <0.42.0 CVE" on Apr 2, 2024
We're planning on cutting a release soon, though not specifically for this dep upgrade. Users who cannot wait for the release can build Caddy from HEAD or the commit 32f7dd4 using
LeSuisse pushed a commit to Enalean/tuleap that referenced this issue on Apr 3, 2024:
There is nothing we can do on our end, we have to wait for Caddy releases: caddyserver/caddy#6210
Silent for a week to keep it under scrutiny.
Part of: request #37550
github.com/quic-go/quic-go 0.40.1 -> 0.42
Change-Id: Idf6d1af4ba83b0a1941c2a7c67e2bf42773058f4
Thank you for the quick response! I'll use the commit you listed in the meantime. Do you have a rough estimate for when the release might be made?
See #6209 (comment)
An older version of quic-go has a CVE issued for versions <0.42.0: GHSA-c33x-xqrf-c478
Thanks to 32f7dd4, caddy is already up-to-date with the latest quic-go, 0.42.0. However, it's not possible to upgrade quic-go in consumers of caddy, as the new quic-go version breaks caddy @v2.7.6.
I humbly request that the maintainers cut a new version of caddy ASAP that includes the above referenced commit so that consumers of this repo can fix our CVE warnings :)
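The practical question a consumer of Caddy has to answer from this thread is whether their own module graph still pins quic-go inside the affected range (< 0.42.0, per GHSA-c33x-xqrf-c478). The following Go program is an added example written for this page, not code from the Caddy project or from anyone in the thread: it scans a go.mod file for the `github.com/quic-go/quic-go` requirement and compares the pinned version against the fixed version. The go.mod text embedded in the block is constructed to mirror the situation the issue describes (Caddy v2.7.6 alongside an older quic-go) and is not any real project's go.mod.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod for a hypothetical Caddy consumer that still pins
// quic-go in the affected range. Not Caddy's real go.mod.
const sampleGoMod = `module example.com/consumer

go 1.21

require (
	github.com/caddyserver/caddy/v2 v2.7.6
	github.com/quic-go/quic-go v0.40.1
)
`

// GHSA-c33x-xqrf-c478 (from the issue) affects quic-go versions below 0.42.0.
const quicGoPath = "github.com/quic-go/quic-go"
const fixedQuicGo = "v0.42.0"

// parseSemver turns "v0.40.1" into [0 40 1]; a pre-release or build suffix
// is dropped before the numeric comparison.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a semver triple: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("bad version component %q: %w", p, err)
		}
		out[i] = n
	}
	return out, nil
}

// lessThan reports whether a < b in major.minor.patch order.
func lessThan(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// requiredVersion returns the version go.mod pins modPath at, or "" if the
// module is not required there. It handles both a single-line
// "require path vX.Y.Z" and entries inside a parenthesised require block.
func requiredVersion(goMod, modPath string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == modPath {
			return fields[1]
		}
	}
	return ""
}

// VulnerableQuicGo reports whether goMod pins quic-go below the fixed
// version, together with the pinned version it found ("" if none).
func VulnerableQuicGo(goMod string) (bool, string, error) {
	pinned := requiredVersion(goMod, quicGoPath)
	if pinned == "" {
		return false, "", nil
	}
	have, err := parseSemver(pinned)
	if err != nil {
		return false, pinned, err
	}
	want, _ := parseSemver(fixedQuicGo)
	return lessThan(have, want), pinned, nil
}

func main() {
	vuln, v, err := VulnerableQuicGo(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if vuln {
		fmt.Printf("%s pinned at %s (< %s): in the range covered by GHSA-c33x-xqrf-c478, bump the dependency\n", quicGoPath, v, fixedQuicGo)
	} else {
		fmt.Printf("%s pinned at %s: not in the affected range\n", quicGoPath, v)
	}
}
```

Running it against a real checkout means reading the project's go.mod into the string instead of the constructed sample; note that a go.mod only shows the version the module itself selects, so for the effective version after minimal version selection across the whole build, `go list -m all` is the authoritative source.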