Update Info

openSUSE-2025-105


Recommended update for caddy


Type: recommended
Severity: moderate
Issued: 2025-03-24
Description:
This update for caddy fixes the following issues:

- Update to version 2.9.1:

  * go.mod: Upgrade CertMagic to 0.21.6 (fix ARI handshake maintenance)
  * header: `match` subdirective for response matching (#6765)
  * log: Only chmod if permission bits differ; make log dir (#6761)
  * fix: disable h3 for unix domain socket (#6769)
  * reverseproxy: buffer requests for fastcgi by default (#6759)
  * core: Only initiate exit once (should fix #6707)

- Update to version 2.9.0:

  * go.mod: Upgrade CertMagic to v0.21.5
  * testing: sort force-automated hosts (#6756)
  * httpcaddyfile: Implement experimental `force_automate` option (#6712)
  * encode: try to use sendfile when compression is not used (#6749)
  * caddyhttp: Allow matching Transfer-Encoding, add to access logs (#6629)
  * go.mod: Upgrade ACMEz to v3; and upgrade CertMagic
  * cmd: Disable go1.23 tlskyber=1 experiment
  * Update SECURITY.md
  * fastcgi: check for CONTENT_LENGTH when sending requests (#6661)
  * reverseproxy: Set Content-Length when body is fully buffered (#6638)
  * core: Change ListenerFunc signature (#6651)
  * reverseproxy: Only handle websocket protocol (#6740)
  * encode: write status immediate for success response for CONNECT requests (#6738)
  * encode: good defaults (#6737)
  * fileserver: add a test for precompressed defaults (#6743)
  * fileserver: good default for precompressed (#6736)
  * chore: fix some typo in HTTPLoader comment (#6735)
  * reverseproxy: Rewrite requests and responses for websocket over http2 (#6567)
  * chore: bump golang.org/x/net to v0.32.0 (#6728)
  * fileserver: Fix policy `Validate()` oversight (#6727)
  * cmd: Reject multiple configs for fmt command (#6717)
  * fileserver: Add `first_exist_fallback` strategy for `try_files` (#6699)
  * caddyhttp: Add `{?query}` placeholder (#6714)
  * ci: prevent jobs running on PRs from forks (#6720)
  * go.mod: Upgrade quic-go to 0.48.2
  * metrics: add `go` and `process` collectors (#6704)
  * requestbody: Type-based error handling for `MaxBytesError` (#6701)
  * fastcgi: remove dir redirection when useless in php_fastcgi (#6698)
  * caddyhttp: Set default ReadHeaderTimeout (1 min)
  * cmd: ignore missing keys during storage export (#6697)
  * chore: make FastAbs comment more easy to understand (#6692)
  * chore: Add `provides` to `.deb` releases (#6691)
  * core: Implement FastAbs to avoid repeated os.Getwd calls (#6687)
  * reverseproxy: Revert #4952 - don't ignore context cancellation in stream mode
  * httpcaddyfile: Implement log `sampling` config (#6682)
  * reverseproxy: Allow `0` as weights for `weighted_round_robin` (#6681)
  * ci: use commit sha in goreleaser-check (#6677)
  * go.mod: Update certmagic
  * caddytls: Allow disabling storage cleaning, avoids writing two files (#6593)
  * rewrite: Don't add / in Caddyfile, do it after replacer (#6662)
  * fileserver: Add `file_limit` option for browse (to be experimental) (#6648)
  * go.mod: upgrade only some otel deps (#6676)
  * caddyhttp: Add `MatchWithError` to replace SetVar hack (#6596)
  * Fix tests
  * forwardauth: Skip copying missing response headers (#6608)
  * go.mod: Update dependencies
  * events: Use `WithLazy` to prevent eager serialization of the event data (#6671)
  * fileserver: Fix Caddyfile parsing
  * httpcaddyfile: Fixes for `prefer_wildcard` mode (#6636)
  * cmd: Allow `add-package` to select version of package (#6665)
  * chore: compile without nosql's support for Postgres and MySQL (#6655)
  * chore: Bump quic-go to 0.48.1, fixing a panic (#6654)
  * reverseproxy: Sync changes from stdlib for 1xx handling (#6656)
  * reverseproxy: Fix log message
  * tracing: Add `spanID` field to access logs and `http.vars.span_id` placeholder (#6646)
  * core: addresses.go funcs renames (#6622)
  * chore: fix some function names in comment (#6650)
  * fileserver: fix try_policy when instantiating file matcher from CEL (#6624)
  * sigtrap: always ignore SIGPIPE (#6645)
  * metrics: move `metrics` up, outside `servers` (#6606)
  * caddyhttp: Close http3 server gracefully (#6213)
  * chore: update quic-go to v0.48.0 (#6627)
  * reverseproxy: Use correct cases for websocket related headers (#6621)
  * caddyfile: Fix comma edgecase in address parsing (#6616)
  * docs: expand proxy protocol docs (#6620)
  * tests: fix caddyfile adapt warnings (#6619)
  * caddytls: Drop `rate_limit` and `burst`, has been deprecated (#6611)
  * caddyhttp: Use internal issuer for IPs when no APs configured
  * go.mod: Upgrade some dependencies
  * ci: install xcaddy to fix release flow (#6602)
  * metrics: scope metrics to active config, add optional per-host metrics (#6531)
  * caddyhttp: Implement `auto_https prefer_wildcard` option (#6146)
  * caddyhttp: Escaping placeholders in CEL, add `vars` and `vars_regexp` (#6594)
  * cmd: Better error handling when reloading (#6601)
  * caddytls: Support new tls.context module (#6369)
  * http: ResponseWriter prefer ReadFrom if available (#6565)
  * chore: Adjust incorrect `reverse_proxy` Caddyfile comment (#6598)
  * caddyhttp: Fix listener wrapper regression from #6573 (#6599)
  * core: Implement socket activation listeners (#6573)
  * doc: remove docs of deprecated directives (#6566)
  * caddyhttp: Optimize logs using zap's WithLazy() (#6590)
  * chore: Use slices package where possible (#6585)
  * caddytls: Give a better error message when given encrypted private keys (#6591)
  * caddyhttp: enable qlog, controlled by QLOGDIR env (#6581)
  * update quic-go to v0.47.0 (#6582)
  * ci: update the linter action version (#6575)
  * perf: use zap's Check() to prevent useless allocs (#6560)
  * rewrite: Avoid panic on bad arg count for `uri` (#6571)
  * caddytls: Add sni_regexp matcher (#6569)
  * caddyhttp: Make route provisioning idempotent (#6558)
  * reverse_proxy: add placeholder http.reverse_proxy.retries (#6553)
  * fileserver: browse: Configurable default sort (#6502)
  * rewrite: Only serialize request if necessary (#6541)
  * ci: prepare syso files for windows embedding in release (#6406)
  * tls: use Go default kex for the moment that include PQC (#6542)
  * ci: build and test with Go 1.23 (#6526)
  * reverseproxy: allow user to define source address (#6504)
  * caddyhttp: run `error` (msg) through replacer (#6536)
  * chore: Fix a typo (#6534)
  * cmd: Use a factory to create the caddy root command (#6533)
  * reverseproxy: Change errors writing the response to warning. (#6532)
  * reverseproxy: Active health checks request body option (#6520)
  * ci: don't exit early on error in remote CI machine (#6519)
  * cmd: ignore exec.ErrDot when starting caddy in background (#6512)
  * Move PrivateRangesCIDR() back: add a pass-through function (#6514)
  * matchers: fix a regression in #6480 (#6510)
  * reverseproxy: Disable keep alive for h2c requests (#6343)
  * go.mod: update golang/x/net (#6500)
  * replacer: `{file.*}` global placeholder strips trailing newline (#6411)
  * caddytls,caddyhttp: Placeholders for some TLS and HTTP matchers (#6480)
  * go.mod: update quic-go package (#6498)
  * browse: Customizable default sort options (#6468)
  * proxyprotocol: Update WrapListener to use ConnPolicyFunc for PROXY protocol (#6485)
  * encode: flush already compressed data from the encoder (#6471)
  * chore: update golangci config (#6479)
  * caddytls: Caddyfile support for TLS conn and cert sel policies (#6462)
  * caddytls: Caddyfile support for TLS handshake matchers (#6461)
  * ci: correct `-tags nobadger` on binary build (#6470)
  * reverseproxy: Fix panic when using header-related flags (fix #6464)
  * reverseproxy: add health_upstream subdirective (#6451)
  * reverseproxy: Caddyfile support for health_method (#6454)
  * reverseproxy: Configurable method for active health checks (#6453)
  * reverseproxy: Add placeholder for networkAddr in active health check headers (#6450)
  * fixed bug in resolving ip version in dynamic upstreams (#6448)
  * browse: Exclude symlink target size from total, show arrow on size (#6412)
  * browse: fix Content-Security-Policy warnings in Firefox (#6443)
  * browse: add Content-Security-Policy w/ nonce (#6425)
  * reverseproxy: Add placeholder for host in active health check headers (#6440)
  * caddyhttp: Reject 0-RTT early data in IP matchers and set Early-Data header when proxying (#6427)
  * encode: Don't compress already-compressed fonts (#6432)
  * reverseproxy: Only log host is up status on change (fixes #6415) (#6419)
  * intercept: fix http.intercept.header.* placeholder (#6429)
  * reverseproxy: Wire up TLS options for H3 transport
  * fileserver: Remove newline characters from precomputed etags (#6394)
  * caddyhttp: Convert IDNs to ASCII when provisioning Host matcher
  * reverseproxy: add Max-Age option to sticky cookie (#6398)
  * caddyfile: Pass blocks to `import` for snippets (#6130)
  * logging: set file mode when the file already exists (#6391)
  * logging: Customizable zap cores (#6381)
  * go.mod: update tscert package (#6384)
  * logging: fix file mode configuration parsing (#6383)
  * caddyhttp: Write header if needed in responseRecorder.WriteResponse (#6380)
  * core: Split `run` into a public `ProvisionContext` and a private method (#6378)
  * logging: Customize log file permissions (#6314)
  * events: Getters for event info (close #6377)
  * ci: add version key for .goreleaser.yml (#6376)
  * cmd: remove zealous check of Caddyfile auto-detection (#6370)
  * caddyhttp: Add test cases to corpus (#6374)
  * Make it possible to configure the `DisableStorageCheck` setting for certmagic (#6368)

References


No references

Packages


  • caddy-2.9.1-bp156.3.6.1