by programd 811 days ago
On Ubuntu 22.04 LTS caddy from the Ubuntu apt repo is shown as on version 2.7.6 and built with Go 1.21.5. That version of Go does not have a fix for this issue. Caddy 2.7.6 is also the latest version released on GitHub.

So no fix yet, but I think all that's needed is a recompile with the latest version of Go 1.22.2.

1 comment

I think that recompiling with upgraded Go will not solve the issue. It seems Caddy imports `golang.org/x/net/http2` and pins it to v0.22.0 which is vulnerable: https://github.com/caddyserver/caddy/issues/6219#issuecommen....
Looks like it's been fixed if you recompile from master as of a few minutes ago.
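The point in the reply above is that a Go binary carries its own copy of `golang.org/x/net`, so the toolchain version alone does not tell you whether it is fixed. As an added example (not code from this thread or from the Caddy project), this Go program reads the build information embedded in a binary with the standard library's `debug/buildinfo` and reports the toolchain and the linked `x/net` version; the names `XNetVersion` and `AtOrBelow` are made up here, and comparing against v0.22.0 assumes every version up to the one the reply names is affected.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"runtime/debug"
)

// Module named in the reply; v0.22.0 is the version the thread reports as vulnerable.
const xnetPath, reportedBad = "golang.org/x/net", "v0.22.0"

// XNetVersion returns the linked x/net version, honouring a versioned replace.
func XNetVersion(bi *debug.BuildInfo) (string, bool) {
	for _, d := range bi.Deps {
		if d.Path == xnetPath && d.Replace != nil && d.Replace.Version != "" {
			return d.Replace.Version, true
		} else if d.Path == xnetPath {
			return d.Version, true
		}
	}
	return "", false
}

// AtOrBelow compares vX.Y.Z numerically (suffixes ignored, unparsable = 0.0.0).
// Assumption of this example: every version up to the reported one is affected.
func AtOrBelow(have, bad string) bool {
	var h, b [3]int
	fmt.Sscanf(have, "v%d.%d.%d", &h[0], &h[1], &h[2])
	fmt.Sscanf(bad, "v%d.%d.%d", &b[0], &b[1], &b[2])
	for i := range h {
		if h[i] != b[i] {
			return h[i] < b[i]
		}
	}
	return true
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: xnetcheck BINARY")
	}
	bi, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	v, ok := XNetVersion(bi)
	fmt.Printf("go=%s x/net=%q flagged=%v\n", bi.GoVersion, v, ok && AtOrBelow(v, reportedBad))
}
```

Run it against the installed binary's path; `go version -m` on the same file prints the same embedded module list for a manual check.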