HTTP/2 continuation flood (FYI)

[systemcrash]

https://nowotarski.info/http2-continuation-flood-technical-details/

[francislavoie]

My understanding is this is already fixed in Go, you just need to build Caddy with the latest Go version. Nothing for us to do here.

[makew0rld]

Is making a new release with prebuilt binaries that don't contain this bug an option? Currently I've installed Caddy through Caddy's Debian repos and I was hoping for there to be a solution that would just be apt upgrade caddy instead of building from source.

[bartekn]

My understanding is this is already fixed in Go, you just need to build Caddy with the latest Go version. Nothing for us to do here.

The issue is also in golang.org/x/net (actually it's only there, Golang just bundles it's http2 package to standard net/http as h2_bundle.go file) and Caddy imports it here:

caddy/modules/caddyhttp/http2listener.go

Line 12 in 45132c5

"golang.org/x/net/http2"

The version imported is 0.22:

caddy/go.mod

Line 41 in 45132c5

golang.org/x/net v0.22.0

and the security advisory includes this version as vulnerable.

[francislavoie]

You should be able to build from master now to have the fix.

[makew0rld]

Will there be a new release for this? Thanks for the quick response.

[mvarendorff2]

@francislavoie As an outsider I have no insight into how much effort it takes to make a new release but building from source is not a great option for a lot of people because they don't just have Caddy installed on one but many systems. Carrying the binary around dozens or more servers is a pain. An official build with the fix easily installed through apt or the like would make this important fix much more accessible to a lot of servers and it would be appreciated by a lot of people!

[francislavoie]

@mvarendorff you can use v2.8.0-beta.2, right now. Use the "testing releases" apt repo: https://caddyserver.com/docs/install#debian-ubuntu-raspbian

[systemcrash]

When I reported this, I figured that this would warrant its own release. Dangling a beta for production usage to fix a specific vulnerability doesn't seem... right.

Anyway, thanks for the great product. <3