by bklyn11201 807 days ago
What about Caddy? It's a great project that deserves its own line ;)

On Ubuntu 22.04 LTS caddy from the Ubuntu apt repo is shown as on version 2.7.6 and built with Go 1.21.5. That version of Go does not have a fix for this issue. Caddy 2.7.6 is also the latest version released on GitHub.

So no fix yet, but I think all that's needed is a recompile with the latest version of Go 1.22.2.

I think that recompiling with upgraded Go will not solve the issue. It seems Caddy imports `golang.org/x/net/http2` and pins it to v0.22.0 which is vulnerable: https://github.com/caddyserver/caddy/issues/6219#issuecommen....
Looks like it's been fixed if you recompile from master as of a few minutes ago.
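The distinction raised in the thread, as an added example that is not from any commenter or from the Caddy project: a Go binary records both its toolchain version and the versions of its pinned modules, and `go version -m <binary>` prints them, so the two can be checked separately. The sample text below is constructed in that output layout using the versions named in the thread, and `inspect` is a hypothetical helper.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in the layout of `go version -m <binary>` output.
// Versions are the ones named in the thread; hashes are omitted.
const sample = "/usr/bin/caddy: go1.21.5\n" +
	"\tpath\tgithub.com/caddyserver/caddy/v2/cmd/caddy\n" +
	"\tmod\tgithub.com/caddyserver/caddy/v2\tv2.7.6\n" +
	"\tdep\tgolang.org/x/net\tv0.22.0\n" +
	"\tdep\tgolang.org/x/text\tv0.14.0\n" +
	"\tbuild\t-buildmode=exe\n"

// inspect returns the toolchain version and the version of module mod that
// the binary was linked against ("" if mod is not among its dependencies).
func inspect(out, mod string) (toolchain, modVer string) {
	matched := false
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "\t") { // header: "<path>: go1.x.y"
			if i := strings.LastIndex(line, ": "); i >= 0 {
				toolchain = strings.TrimSpace(line[i+2:])
			}
			continue
		}
		f := strings.Split(strings.TrimSpace(line), "\t")
		switch {
		case len(f) >= 3 && f[0] == "dep":
			if matched = f[1] == mod; matched {
				modVer = f[2]
			}
		case len(f) >= 3 && f[0] == "=>" && matched:
			modVer = f[2] // a replace directive overrides the dep line above it
		default:
			matched = false
		}
	}
	return toolchain, modVer
}

func main() {
	tc, v := inspect(sample, "golang.org/x/net")
	fmt.Printf("toolchain=%s x/net=%s\n", tc, v)
}
```

Changing only the header to a newer toolchain leaves the `dep` line untouched, which is why a rebuild with a newer Go alone does not move the pinned `golang.org/x/net` version.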