HTTP/2 continuation flood (FYI)

[systemcrash]

https://nowotarski.info/http2-continuation-flood-technical-details/

[francislavoie]

My understanding is this is already fixed in Go, you just need to build Caddy with the latest Go version. Nothing for us to do here.

[makew0rld]

Is making a new release with prebuilt binaries that don't contain this bug an option? Currently I've installed Caddy through Caddy's Debian repos and I was hoping for there to be a solution that would just be apt upgrade caddy instead of building from source.

[bartekn]

My understanding is this is already fixed in Go, you just need to build Caddy with the latest Go version. Nothing for us to do here.

The issue is also in golang.org/x/net (actually it's only there, Golang just bundles it's http2 package to standard net/http as h2_bundle.go file) and Caddy imports it here:

caddy/modules/caddyhttp/http2listener.go

Line 12 in 45132c5

"golang.org/x/net/http2"

The version imported is 0.22:

caddy/go.mod

Line 41 in 45132c5

golang.org/x/net v0.22.0

and the security advisory includes this version as vulnerable.

[francislavoie]

You should be able to build from master now to have the fix.

[makew0rld]

Will there be a new release for this? Thanks for the quick response.