caddy-0.9.2

github-actions released this 01 Apr 19:13

Security

  • CVE-2026-30836 (CRITICAL) — upgraded github.com/smallstep/certificates from v0.30.0-rc3 to v0.30.0 — unauthenticated certificate issuance via SCEP Update Request
  • CVE-2026-33186 (CRITICAL) — upgraded google.golang.org/grpc from v1.79.1 to v1.79.3 — authorization bypass via improper HTTP/2 path validation
  • CVE-2026-22184 (HIGH) — added apk upgrade --no-cache in Docker final stage to patch zlib from 1.3.1-r2 to 1.3.2-r0 (buffer overflow in untgz utility)

Helm chart: 0.9.2

Bug Fixes

  • WAF: OWASP CRS rules were never loaded — wafHandler() in caddy-k8s was missing the three mandatory Include directives (@coraza.conf-recommended, @crs-setup.conf.example, @owasp_crs/*.conf). load_owasp_crs: true only makes the virtual paths available; without the Includes, zero CRS rules were evaluated on any Ingress with caddy.ingress/waf: on.
  • WAF: SecRuleEngine ordering fixed — In both caddy-k8s and the Helm Caddyfile snippet, SecRuleEngine was placed before the CRS Includes. Since @coraza.conf-recommended resets it to DetectionOnly, our On override must come after all Includes.
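The two WAF fixes above come down to what the generated Caddyfile feeds into the coraza_waf directive. The snippet below is an added illustration, not the code emitted by caddy-k8s or shipped in the Helm chart; the listen address, upstream and site names are placeholders. It shows a block with both defects (no CRS Includes, and SecRuleEngine set before the Includes, so @coraza.conf-recommended later resets it to DetectionOnly) next to the corrected ordering.

```caddyfile
{
	# coraza_waf must run before the proxy handler so requests are inspected first
	order coraza_waf first
}

# BEFORE (both defects): load_owasp_crs only registers the @owasp_crs/* virtual
# paths; nothing is evaluated until they are Included. And because
# @coraza.conf-recommended sets SecRuleEngine DetectionOnly, an "On" placed
# above the Includes is silently overridden.
broken.example.internal {
	coraza_waf {
		load_owasp_crs
		directives `
			SecRuleEngine On
			Include @coraza.conf-recommended
		`
	}
	reverse_proxy backend.svc.cluster.local:8080
}

# AFTER: all three mandatory Includes, then the engine mode as the last line so
# it is the value in effect once the recommended config and CRS have loaded.
fixed.example.internal {
	coraza_waf {
		load_owasp_crs
		directives `
			Include @coraza.conf-recommended
			Include @crs-setup.conf.example
			Include @owasp_crs/*.conf
			SecRuleEngine On
		`
	}
	reverse_proxy backend.svc.cluster.local:8080
}
```

A quick way to confirm the fix took effect is to send a request that CRS should reject (for example a query string carrying an obvious SQL fragment) against an Ingress with caddy.ingress/waf: on and check that Caddy returns 403 rather than passing it through; in DetectionOnly mode the same request is only logged.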

Helm chart: 0.9.1

Versions track the ingress-caddy image. The Helm chart version is independent
but its appVersion always matches the image version.

Full diff: caddy-0.9.1...caddy-0.9.2