Current 2.8.4 image contain critical security vulnerability

[shahar-davidson]

As of today, the latest Caddy 2.8.4 for Alpine contains a security vulnerability that is ranked as Critical: CVE-2024-24790⁠ (published on June 4, 2024)

This vulnerability appears to have been fixed already in the latest golang:1.22 for Alpine image.

Therefore, caddy image needs to be recreated with the latest Golang image (1.22.4 or later)

[ethankore]

Having the exact same issue

[francislavoie]

IMO that CVE is way overclassified. It's not that severe at all. It's just a minor bug. I'm pretty sure it's not a problem for any Caddy users, we don't check if an IP is loopback in security sensitive contexts. If someone can show a case where that can happen, then it would be more of a concern.

[shahar-davidson]

That's true - it's seems overclassified for Caddy.
But if a newer Caddy image can be created with a bumped Golang version then that would be nice.

[JinChin24]

That's true - it's seems overclassified for Caddy. But if a newer Caddy image can be created with a bumped Golang version then that would be nice.

Somebody know where is a good tutorial for build this ?

[jdvorak001]

Also dependabot is suggesting a new release: caddyserver/caddy#365 and caddyserver/caddy#366. See also #367.