Current 2.8.4 image contains a critical security vulnerability #361
Comments
Having the exact same issue
IMO that CVE is way overclassified. It's not that severe at all. It's just a minor bug. I'm pretty sure it's not a problem for any Caddy users; we don't check if an IP is loopback in security sensitive contexts. If someone can show a case where that can happen, then it would be more of a concern.
That's true - it seems overclassified for Caddy.
Does somebody know where there is a good tutorial for building this?
Also dependabot is suggesting a new release: caddyserver/caddy#365 and caddyserver/caddy#366. See also #367.
As of today, the latest Caddy 2.8.4 for Alpine contains a security vulnerability that is ranked as Critical: CVE-2024-24790 (published on June 4, 2024).
This vulnerability appears to have been fixed already in the latest golang:1.22 for Alpine image.
Therefore, the Caddy image needs to be recreated with the latest Golang image (1.22.4 or later).
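For readers weighing the severity discussion in this thread, an added example (not part of the issue or of Caddy's code): CVE-2024-24790 concerns the `Is*` methods of Go's `net/netip` returning false for IPv4-mapped IPv6 addresses, so a loopback or private-range check that calls `Unmap()` first gives the same answer on any toolchain. The function names and sample addresses below are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"runtime"
)

// isInternal reports whether s is a loopback, private, link-local or
// unspecified address. Unmap() converts an IPv4-mapped IPv6 address
// (::ffff:a.b.c.d) to plain IPv4 first, so the answer does not depend
// on whether the toolchain carries the CVE-2024-24790 fix.
func isInternal(s string) (bool, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return false, fmt.Errorf("parse %q: %w", s, err)
	}
	addr = addr.Unmap()
	return addr.IsLoopback() || addr.IsPrivate() ||
		addr.IsLinkLocalUnicast() || addr.IsUnspecified(), nil
}

// rawCheckMissesMapped reports whether this binary's net/netip still
// answers false for a mapped loopback address when Unmap() is skipped.
func rawCheckMissesMapped() bool {
	return !netip.MustParseAddr("::ffff:127.0.0.1").IsLoopback()
}

func main() {
	fmt.Printf("built with %s, raw check misses mapped loopback: %v\n",
		runtime.Version(), rawCheckMissesMapped())
	// Constructed sample addresses.
	samples := []string{"127.0.0.1", "::ffff:127.0.0.1",
		"::ffff:10.0.0.5", "::ffff:8.8.8.8", "8.8.8.8"}
	for _, s := range samples {
		internal, err := isInternal(s)
		fmt.Println(s, internal, err)
	}
}
```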