Your message dated Tue, 14 Jul 2026 20:12:16 +0530
with message-id <[email protected]>
and subject line Re: caddy: CVE-2026-45135 CVE-2026-45692 CVE-2026-52844 
CVE-2026-52845 CVE-2026-52846
has caused the Debian Bug report #1140773,
regarding caddy: CVE-2026-45135 CVE-2026-45692 CVE-2026-52844 CVE-2026-52845 
CVE-2026-52846
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140773: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140773
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: caddy
Version: 2.11.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for caddy.

CVE-2026-45135[0]:
| Caddy is an extensible server platform that uses TLS by default.
| From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in
| modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses
| golang.org/x/text/search with search.IgnoreCase when the request
| path contains a non-ASCII byte. Two distinct flaws in that fallback
| let an attacker mislead Caddy's FastCGI splitting into treating a
| non-.php (or other configured split_path extension) file as a
| script. In any deployment where the attacker can place content into
| a file served via FastCGI (uploads, file storage, etc.), this can be
| escalated to remote code execution by crafting a URL whose path
| triggers either flaw. This vulnerability is fixed in 2.11.3.


CVE-2026-45692[1]:
| Caddy is an extensible server platform that uses TLS by default.
| From 2.4.0 until 2.11.3, the authorization layer and the /config
| traversal layer do not agree on what object the path refers to. In
| this case, a path authorized for one config object is accepted, but
| then resolves to a different config object during traversal. This
| happens because the authorization layer uses string prefix matching
| and the /config traversal layer parses array indices numerically
| using strconv.Atoi(). This vulnerability is fixed in 2.11.3.


CVE-2026-52844[2]:
| Caddy is an extensible server platform that uses TLS by default.
| Prior to 2.11.4, on Windows, Caddy path matchers treat
| /private\secret.txt as outside /private/*, but file_server later
| resolves the same request path as private\secret.txt on disk. An
| unauthenticated remote client can bypass Caddy path-scoped auth/deny
| routes protecting /private/*. This vulnerability is fixed in 2.11.4.


CVE-2026-52845[3]:
| Caddy is an extensible server platform that uses TLS by default.
| Prior to 2.11.4, forward_auth copy_headers deletes the exact client-
| supplied identity header before copying the trusted value from the
| auth gateway. But when the request later goes through php_fastcgi,
| Caddy normalizes HTTP headers into CGI variables by replacing - with
| _. This lets a client send an underscore alias that survives the
| forward_auth delete step but becomes the same PHP/FastCGI variable.
| Result: a remote client can inject or sometimes override
| identity/group headers trusted by PHP/FastCGI applications behind
| Caddy. This vulnerability is fixed in 2.11.4.


CVE-2026-52846[4]:
| Caddy is an extensible server platform that uses TLS by default.
| Prior to 2.11.4, Caddy’s stripHTML template function cannot reliably
| remove all HTML tags from input strings. Certain malformed HTML,
| such as <<>img src=x onerror=alert()>, can bypass the tag-stripping
| logic, potentially leaving dangerous content in the output if it is
| later rendered as HTML. This may allow client-side XSS in cases
| where untrusted strings are rendered unsafely. This vulnerability is
| fixed in 2.11.4.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45135
    https://www.cve.org/CVERecord?id=CVE-2026-45135
    https://github.com/caddyserver/caddy/security/advisories/GHSA-m675-2p33-xv9g
[1] https://security-tracker.debian.org/tracker/CVE-2026-45692
    https://www.cve.org/CVERecord?id=CVE-2026-45692
    https://github.com/caddyserver/caddy/security/advisories/GHSA-x5w9-xh9r-mvfc
[2] https://security-tracker.debian.org/tracker/CVE-2026-52844
    https://www.cve.org/CVERecord?id=CVE-2026-52844
    https://github.com/caddyserver/caddy/security/advisories/GHSA-qrp7-cvwr-j2c6
[3] https://security-tracker.debian.org/tracker/CVE-2026-52845
    https://www.cve.org/CVERecord?id=CVE-2026-52845
    https://github.com/caddyserver/caddy/security/advisories/GHSA-f59h-q822-g45g
[4] https://security-tracker.debian.org/tracker/CVE-2026-52846
    https://www.cve.org/CVERecord?id=CVE-2026-52846
    https://github.com/caddyserver/caddy/security/advisories/GHSA-vcc4-2c75-vc9v

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Version: 2.11.4-1

I just uploaded a new release but missed to see this bug report and hence did 
not
mention these CVEs and the bug number in the changelog. Closing manually.

--- End Message ---

Reply via email to