Per policy [0], this is an announcement that I would like to do an incompatible update of the caddy package in EPEL 9. The version in the EPEL 9 repo is currently 2.4.6. RHEL 8 currently has golang 1.19. Based on my recent investigation of the EPEL 7 package [1], I've discovered just how sensitive caddy is to the version of golang it is built with. Upstream caddy only ever tested version 2.4.6 with golang 1.16 and 1.17 [2]. I did previously build caddy 2.4.6 with golang 1.18, which required swapping out the bundled quic library to work [3]. Thankfully that worked without patching the caddy code, but updating the bundled quic further in order to build with golang 1.19 would require significant patching, which isn't even guaranteed to work. I do not believe that rebuilding caddy at the current version in EPEL 9 is feasible, which prevents even attempting to backport outstanding CVEs. I'm currently tracking two CVEs for the EPEL 9 package that I would like to fix. - CVE-2022-28923 [4][5][6] - CVE-2022-41721 [7][8][9] To resolve these CVEs, and to get compatible with RHEL 9's golang 1.19, I think the best version of caddy to update to is 2.6.4. Updating caddy from 2.4.6 to 2.6.4 includes some backwards-incompatible changes (hence this email). After review, I believe these changes are on the milder side, and most users shouldn't notice a difference. Here are the most notable removals/changes: - Reverse proxy: Incoming X-Forwarded-* headers will no longer be automatically trusted, to prevent spoofing. - Logging: Removed the deprecated common_log field from HTTP access logs, and the single_field encoder. - Logging: The remote_addr field has been replaced by remote_ip and remote_port fields in HTTP access logs, which split up the two parts of the remote address. - Caddyfile: The reverse_proxy directive's handle_response subdirective has had its status replacement functionality moved to a new replace_status subdirective. There are also a few additional changes to features labeled as experimental, and some deprecations (not yet removed). For a full list, see the upstream release notes [10][11]. Finally, I'll note that RHEL 8 has the same version of golang as RHEL 9, so I also targeted caddy 2.6.4 for the initial EPEL 8 package that is on its way to testing [12]. It will be nice to have the same version of caddy in both EPEL 8 and EPEL 9. [0] https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/ [1] https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/JZRLEWOCX5QX3XZ7INLUZIB7LPAMDUZC/ [2] https://github.com/caddyserver/caddy/blob/v2.4.6/.github/workflows/ci.yml#L22 [3] https://src.fedoraproject.org/rpms/caddy/c/8a639d7060ef6ff610880429d161b5f0275deee1?branch=epel9 [4] https://bugzilla.redhat.com/show_bug.cgi?id=2226939 [5] https://access.redhat.com/security/cve/CVE-2022-28923 [6] https://nvd.nist.gov/vuln/detail/CVE-2022-28923 [7] https://bugzilla.redhat.com/show_bug.cgi?id=2232267 [8] https://access.redhat.com/security/cve/CVE-2022-41721 [9] https://nvd.nist.gov/vuln/detail/CVE-2022-41721 [10] https://github.com/caddyserver/caddy/releases/tag/v2.5.0 [11] https://github.com/caddyserver/caddy/releases/tag/v2.6.0 [12] https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-0b57e19163 -- Carl George _______________________________________________ epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
