chore(deps): bump github.com/slackhq/nebula from 1.9.7 to 1.10.3 in /caddy #1164

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/caddy/github.com/slackhq/nebula-1.10.3

@dependabot dependabot bot commented on behalf of github Feb 6, 2026

Bumps github.com/slackhq/nebula from 1.9.7 to 1.10.3.

Release notes

Sourced from github.com/slackhq/nebula's releases.

Release v1.10.3

No release notes provided.

Release v1.10.2

Fixed

  • Fix panic when using use_system_route_table that was introduced in v1.10.1. (#1580)

Changed

  • Fix some typos in comments. (#1582)
  • Dependency updates. (#1581)

Release v1.10.1

See the v1.10.1 milestone for a complete list of changes.

Fixed

  • Fix a bug where an unsafe route derived from the system route table could be lost on a config reload. (#1573)
  • Fix the PEM banner for ECDSA P256 public keys. (#1552)
  • Fix a regression on Windows from 1.9.x where nebula could fall back to a less performant UDP listener if non-critical ioctls failed. (#1568)
  • Fix a bug in handshake processing when a peer sends an unexpected public key. (#1566)

Added

  • Add a config option to control accepting recv_error packets which defaults to always. (#1569)

Changed

Release v1.10.0

See the v1.10.0 milestone for a complete list of changes.

NOTE: If you use unsafe_routes, please read the note in the Changed section about default_local_cidr_any. You may need to update your firewall rules in order to maintain connectivity.

Added

Changed

  • NOTE: default_local_cidr_any now defaults to false, meaning that any firewall rule

... (truncated)

Changelog

Sourced from github.com/slackhq/nebula's changelog.

[1.10.3] - 2026-02-06

Security

  • Fix an issue where blocklist bypass is possible when using curve P256 since the signature can have 2 valid representations. Both fingerprint representations will be tested against the blocklist. Any newly issued P256 based certificates will have their signature clamped to the low-s form. Nebula will assert the low-s signature form when validating certificates in a future version. GHSA-69x3-g4r3-p962

Changed

  • Improve error reporting if nebula fails to start due to a tun device naming issue. (#1588)

[1.10.2] - 2026-01-21

Fixed

  • Fix panic when using use_system_route_table that was introduced in v1.10.1. (#1580)

Changed

  • Fix some typos in comments. (#1582)
  • Dependency updates. (#1581)

[1.10.1] - 2026-01-16

See the v1.10.1 milestone for a complete list of changes.

Fixed

  • Fix a bug where an unsafe route derived from the system route table could be lost on a config reload. (#1573)
  • Fix the PEM banner for ECDSA P256 public keys. (#1552)
  • Fix a regression on Windows from 1.9.x where nebula could fall back to a less performant UDP listener if non-critical ioctls failed. (#1568)
  • Fix a bug in handshake processing when a peer sends an unexpected public key. (#1566)

Added

  • Add a config option to control accepting recv_error packets which defaults to always. (#1569)

Changed

[1.10.0] - 2025-12-04

See the v1.10.0 milestone for a complete list of changes.

Added

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [github.com/slackhq/nebula](https://github.com/slackhq/nebula) from 1.9.7 to 1.10.3.
- [Release notes](https://github.com/slackhq/nebula/releases)
- [Changelog](https://github.com/slackhq/nebula/blob/master/CHANGELOG.md)
- [Commits](slackhq/nebula@v1.9.7...v1.10.3)

---
updated-dependencies:
- dependency-name: github.com/slackhq/nebula
  dependency-version: 1.10.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and go labels Feb 6, 2026
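
The 1.10.3 security entry in the changelog above turns on ECDSA having two valid encodings of one signature, (r, s) and (r, n - s). As an added illustration (not code from Nebula or from this PR), the Go sketch below shows the check that entry describes, testing both representations against a blocklist, together with low-s clamping. The `fingerprint` function, the sample data and every name in it are assumptions and do not reproduce Nebula's certificate encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

var n = elliptic.P256().Params().N // P256 group order

// fingerprint is a stand-in, not Nebula's encoding: SHA-256(details || r || s).
func fingerprint(details []byte, r, s *big.Int) [32]byte {
	buf := append([]byte{}, details...)
	buf = append(buf, r.FillBytes(make([]byte, 32))...)
	buf = append(buf, s.FillBytes(make([]byte, 32))...)
	return sha256.Sum256(buf)
}

// otherS returns n - s, the second s value that verifies with the same r.
func otherS(s *big.Int) *big.Int { return new(big.Int).Sub(n, s) }

// lowS clamps s into the lower half of the group order (the canonical form).
func lowS(s *big.Int) *big.Int {
	if s.Cmp(new(big.Int).Rsh(n, 1)) > 0 {
		return otherS(s)
	}
	return s
}

// isBlocked tests both signature representations against the blocklist.
func isBlocked(bl map[[32]byte]bool, details []byte, r, s *big.Int) bool {
	return bl[fingerprint(details, r, s)] || bl[fingerprint(details, r, otherS(s))]
}

// demo blocklists one form of a signature over constructed data, then looks up the other form.
func demo() (verifies, singleLookup, bothLookup bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	details := []byte("constructed certificate details")
	digest := sha256.Sum256(details)
	r, s, _ := ecdsa.Sign(rand.Reader, key, digest[:])
	bl := map[[32]byte]bool{fingerprint(details, r, s): true}
	alt := otherS(s) // same signature, other representation
	verifies = ecdsa.Verify(&key.PublicKey, digest[:], r, alt)
	return verifies, bl[fingerprint(details, r, alt)], isBlocked(bl, details, r, alt)
}

func main() { fmt.Println(demo()) }
```

The second return value is the single-fingerprint lookup that misses the re-encoded signature; the third is the two-representation lookup that catches it.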