Test ID: | 1.3.6.1.4.1.25623.1.1.18.1.2024.0220.1 |
Category: | openSUSE Local Security Checks |
Title: | openSUSE Security Advisory (openSUSE-SU-2024:0220-1) |
Summary: | The remote host is missing an update for the 'caddy' package(s) announced via the openSUSE-SU-2024:0220-1 advisory. |
Description: | Summary: The remote host is missing an update for the 'caddy' package(s) announced via the openSUSE-SU-2024:0220-1 advisory.

Vulnerability Insight: This update for caddy fixes the following issues:

- Update to version 2.8.4:
  * cmd: fix regression in auto-detect of Caddyfile (#6362)
  * Tag v2.8.3 was mistakenly made on the v2.8.2 commit and is skipped
- Update to version 2.8.2:
  * cmd: fix auto-detection of .caddyfile extension (#6356)
  * caddyhttp: properly sanitize requests for root path (#6360)
  * caddytls: Implement certmagic.RenewalInfoGetter
  * build(deps): bump golangci/golangci-lint-action from 5 to 6 (#6361)
- Update to version 2.8.1:
  * caddyhttp: Fix merging consecutive `client_ip` or `remote_ip` matchers (#6350)
  * core: MkdirAll appDataDir in InstanceID with 0o700 (#6340)
- Update to version 2.8.0:
  * acmeserver: Add `sign_with_root` for Caddyfile (#6345)
  * caddyfile: Reject global request matchers earlier (#6339)
  * core: Fix bug in AppIfConfigured (fix #6336)
  * fix a typo (#6333)
  * autohttps: Move log WARN to INFO, reduce confusion (#6185)
  * reverseproxy: Support HTTP/3 transport to backend (#6312)
  * context: AppIfConfigured returns error, consider not-yet-provisioned modules (#6292)
  * Fix lint error about deprecated method in smallstep/certificates/authority
  * go.mod: Upgrade dependencies
  * caddytls: fix permission requirement with AutomationPolicy (#6328)
  * caddytls: remove ClientHelloSNICtxKey (#6326)
  * caddyhttp: Trace individual middleware handlers (#6313)
  * templates: Add `pathEscape` template function and use it in file browser (#6278)
  * caddytls: set server name in context (#6324)
  * chore: downgrade minimum Go version in go.mod (#6318)
  * caddytest: normalize the JSON config (#6316)
  * caddyhttp: New experimental handler for intercepting responses (#6232)
  * httpcaddyfile: Set challenge ports when http_port or https_port are used
  * logging: Add support for additional logger filters other than hostname (#6082)
  * caddyhttp: Log 4xx as INFO, 5xx as ERROR (close #6106)
  * Second half of 6dce493
  * caddyhttp: Alter log message when request is unhandled (close #5182)
  * chore: Bump Go version in CI (#6310)
  * go.mod: go 1.22.3
  * Fix typos (#6311)
  * reverseproxy: Pointer to struct when loading modules, remove LazyCertPool (#6307)
  * tracing: add trace_id var (`http.vars.trace_id` placeholder) (#6308)
  * go.mod: CertMagic v0.21.0
  * reverseproxy: Implement health_follow_redirects (#6302)
  * caddypki: Allow use of root CA without a key. Fixes #6290 (#6298)
  * go.mod: Upgrade to quic-go v0.43.1
  * reverseproxy: HTTP transport: fix PROXY protocol initialization (#6301)
  * caddytls: Ability to drop connections (close #6294)
  * build(deps): bump golangci/golangci-lint-action from 4 to 5 (#6289)
  * httpcaddyfile: Fix expression matcher shortcut in snippets (#6288)
  * caddytls: Evict internal certs from cache based on issuer (#6266)
  * chore: add warn logs when using deprecated fields (#6276)
  * caddyhttp: Fix linter warning about deprecation
  * go.mod: Upgrade to quic-go v0.43.0
  * ...

[Please see the references for more information on the vulnerabilities]

Affected Software/OS: 'caddy' package(s) on openSUSE Leap 15.6.

Solution: Please install the updated package(s).

CVSS Score: 7.8
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C |
Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2023-45142
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2UTRJ54INZG3OC2FTAN6AFB2RYNY2GAD/
- https://github.com/advisories/GHSA-cg3q-j54f-5p7p
- https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65
- https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277
- https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0
- https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh
- https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-rcjv-mgp8-qvmr
- https://github.com/open-telemetry/opentelemetry-go/blob/38e1b499c3da3107694ad2660b3888eee9c8b896/semconv/internal/v2/http.go#L223
- https://github.com/open-telemetry/opentelemetry-go/blob/v1.12.0/semconv/internal/v2/http.go#L159

Common Vulnerability Exposure (CVE) ID: CVE-2024-22189
- https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a
- https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478
- https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management
- https://www.youtube.com/watch?v=JqXtYcZAtIA&t=3683s |
Copyright | Copyright (C) 2025 Greenbone AG |