diff --git a/SPECS/caddy/CVE-2024-45339.patch b/SPECS/caddy/CVE-2024-45339.patch
deleted file mode 100644
index 8b2ea2fa4..000000000
--- a/SPECS/caddy/CVE-2024-45339.patch
+++ /dev/null
@@ -1,120 +0,0 @@ -From afd4339ec8682b92eb6bcc870d138106ffd5f58d Mon Sep 17 00:00:00 2001 -From: kavyasree -Date: Fri, 31 Jan 2025 21:16:51 +0530 -Subject: [PATCH] Patch CVE-2024-45339 - -Reference: https://github.com/golang/glog/pull/74 - ---- - vendor/github.com/golang/glog/glog_file.go | 60 ++++++++++++++++------ - 1 file changed, 44 insertions(+), 16 deletions(-) - -diff --git a/vendor/github.com/golang/glog/glog_file.go b/vendor/github.com/golang/glog/glog_file.go -index e7d125c..6d239fa 100644 ---- a/vendor/github.com/golang/glog/glog_file.go -+++ b/vendor/github.com/golang/glog/glog_file.go -@@ -118,32 +118,53 @@ var onceLogDirs sync.Once - // contains tag ("INFO", "FATAL", etc.) and t. If the file is created - // successfully, create also attempts to update the symlink for that tag, ignoring - // errors. --func create(tag string, t time.Time) (f *os.File, filename string, err error) { -+func create(tag string, t time.Time, dir string) (f *os.File, filename string, err error) { -+ if dir != "" { -+ f, name, err := createInDir(dir, tag, t) -+ if err == nil { -+ return f, name, err -+ } -+ return nil, "", fmt.Errorf("log: cannot create log: %v", err) -+ } -+ - onceLogDirs.Do(createLogDirs) - if len(logDirs) == 0 { - return nil, "", errors.New("log: no log dirs") - } -- name, link := logName(tag, t) - var lastErr error - for _, dir := range logDirs { -- fname := filepath.Join(dir, name) -- f, err := os.Create(fname) -+ f, name, err := createInDir(dir, tag, t) - if err == nil { -- symlink := filepath.Join(dir, link) -- os.Remove(symlink) // ignore err -- os.Symlink(name, symlink) // ignore err -- if *logLink != "" { -- lsymlink := filepath.Join(*logLink, link) -- os.Remove(lsymlink) // ignore err -- os.Symlink(fname, lsymlink) // ignore err -- } -- return f, fname, nil -+ return f, name, err - } - lastErr = err - } - return nil, "", fmt.Errorf("log: cannot create log: %v", lastErr) - } - -+func createInDir(dir, tag string, t time.Time) (f *os.File, name string, 
err error) { -+ name, link := logName(tag, t) -+ fname := filepath.Join(dir, name) -+ // O_EXCL is important here, as it prevents a vulnerability. The general idea is that logs often -+ // live in an insecure directory (like /tmp), so an unprivileged attacker could create fname in -+ // advance as a symlink to a file the logging process can access, but the attacker cannot. O_EXCL -+ // fails the open if it already exists, thus prevent our this code from opening the existing file -+ // the attacker points us to. -+ f, err = os.OpenFile(fname, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666) -+ if err == nil { -+ symlink := filepath.Join(dir, link) -+ os.Remove(symlink) // ignore err -+ os.Symlink(name, symlink) // ignore err -+ if *logLink != "" { -+ lsymlink := filepath.Join(*logLink, link) -+ os.Remove(lsymlink) // ignore err -+ os.Symlink(fname, lsymlink) // ignore err -+ } -+ return f, fname, nil -+ } -+ return nil, "", err -+} -+ - // flushSyncWriter is the interface satisfied by logging destinations. - type flushSyncWriter interface { - Flush() error -@@ -247,6 +268,7 @@ type syncBuffer struct { - names []string - sev logsink.Severity - nbytes uint64 // The number of bytes written to this file -+ madeAt time.Time - } - - func (sb *syncBuffer) Sync() error { -@@ -254,9 +276,14 @@ func (sb *syncBuffer) Sync() error { - } - - func (sb *syncBuffer) Write(p []byte) (n int, err error) { -+ // Rotate the file if it is too large, but ensure we only do so, -+ // if rotate doesn't create a conflicting filename. 
- if sb.nbytes+uint64(len(p)) >= MaxSize { -- if err := sb.rotateFile(time.Now()); err != nil { -- return 0, err -+ now := timeNow() -+ if now.After(sb.madeAt.Add(1*time.Second)) || now.Second() != sb.madeAt.Second() { -+ if err := sb.rotateFile(now); err != nil { -+ return 0, err -+ } - } - } - n, err = sb.Writer.Write(p) -@@ -274,7 +301,8 @@ const footer = "\nCONTINUED IN NEXT FILE\n" - func (sb *syncBuffer) rotateFile(now time.Time) error { - var err error - pn := "" -- file, name, err := create(sb.sev.String(), now) -+ file, name, err := create(sb.sev.String(), now, "") -+ sb.madeAt = now - - if sb.file != nil { - // The current log file becomes the previous log at the end of --- -2.34.1 - diff --git a/SPECS/caddy/CVE-2025-22869.patch b/SPECS/caddy/CVE-2025-22869.patch deleted file mode 100644 index 8c80028d4..000000000 --- a/SPECS/caddy/CVE-2025-22869.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -From 041b89a18f81265899e42e6801f830c101a96120 Mon Sep 17 00:00:00 2001 -From: Kanishk-Bansal -Date: Sun, 2 Mar 2025 13:46:00 +0000 -Subject: [PATCH] CVE-2025-22869 - -Upstream Reference : https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22 - -ssh: limit the size of the internal packet queue while waiting for KEX - -In the SSH protocol, clients and servers execute the key exchange to -generate one-time session keys used for encryption and authentication. -The key exchange is performed initially after the connection is -established and then periodically after a configurable amount of data. -While a key exchange is in progress, we add the received packets to an -internal queue until we receive SSH_MSG_KEXINIT from the other side. -This can result in high memory usage if the other party is slow to -respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a -malicious client never responds to an SSH_MSG_KEXINIT packet during a -large file transfer. -We now limit the internal queue to 64 packets: this means 2MB with the -typical 32KB packet size. -When the internal queue is full we block further writes until the -pending key exchange is completed or there is a read or write error. - -Thanks to Yuichi Watanabe for reporting this issue. - -Change-Id: I1ce2214cc16e08b838d4bc346c74c72addafaeec -Reviewed-on: https://go-review.googlesource.com/c/crypto/+/652135 -Reviewed-by: Neal Patel -Auto-Submit: Gopher Robot -Reviewed-by: Roland Shoemaker -LUCI-TryBot-Result: Go LUCI - ---- - vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++----- - 1 file changed, 37 insertions(+), 10 deletions(-) - -diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go -index 70a7369..e14eb6c 100644 ---- a/vendor/golang.org/x/crypto/ssh/handshake.go -+++ b/vendor/golang.org/x/crypto/ssh/handshake.go -@@ -24,6 +24,11 @@ const debugHandshake = false - // quickly. 
- const chanSize = 16 - -+// maxPendingPackets sets the maximum number of packets to queue while waiting -+// for KEX to complete. This limits the total pending data to maxPendingPackets -+// * maxPacket bytes, which is ~16.8MB. -+const maxPendingPackets = 64 -+ - // keyingTransport is a packet based transport that supports key - // changes. It need not be thread-safe. It should pass through - // msgNewKeys in both directions. -@@ -58,11 +63,19 @@ type handshakeTransport struct { - incoming chan []byte - readError error - -- mu sync.Mutex -- writeError error -- sentInitPacket []byte -- sentInitMsg *kexInitMsg -- pendingPackets [][]byte // Used when a key exchange is in progress. -+ mu sync.Mutex -+ // Condition for the above mutex. It is used to notify a completed key -+ // exchange or a write failure. Writes can wait for this condition while a -+ // key exchange is in progress. -+ writeCond *sync.Cond -+ writeError error -+ sentInitPacket []byte -+ sentInitMsg *kexInitMsg -+ // Used to queue writes when a key exchange is in progress. The length is -+ // limited by pendingPacketsSize. Once full, writes will block until the key -+ // exchange is completed or an error occurs. If not empty, it is emptied -+ // all at once when the key exchange is completed in kexLoop. -+ pendingPackets [][]byte - writePacketsLeft uint32 - writeBytesLeft int64 - -@@ -114,6 +127,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, - - config: config, - } -+ t.writeCond = sync.NewCond(&t.mu) - t.resetReadThresholds() - t.resetWriteThresholds() - -@@ -236,6 +250,7 @@ func (t *handshakeTransport) recordWriteError(err error) { - defer t.mu.Unlock() - if t.writeError == nil && err != nil { - t.writeError = err -+ t.writeCond.Broadcast() - } - } - -@@ -339,6 +354,8 @@ write: - } - } - t.pendingPackets = t.pendingPackets[:0] -+ // Unblock writePacket if waiting for KEX. 
-+ t.writeCond.Broadcast() - t.mu.Unlock() - } - -@@ -526,11 +543,20 @@ func (t *handshakeTransport) writePacket(p []byte) error { - } - - if t.sentInitMsg != nil { -- // Copy the packet so the writer can reuse the buffer. -- cp := make([]byte, len(p)) -- copy(cp, p) -- t.pendingPackets = append(t.pendingPackets, cp) -- return nil -+ if len(t.pendingPackets) < maxPendingPackets { -+ // Copy the packet so the writer can reuse the buffer. -+ cp := make([]byte, len(p)) -+ copy(cp, p) -+ t.pendingPackets = append(t.pendingPackets, cp) -+ return nil -+ } -+ for t.sentInitMsg != nil { -+ // Block and wait for KEX to complete or an error. -+ t.writeCond.Wait() -+ if t.writeError != nil { -+ return t.writeError -+ } -+ } - } - - if t.writeBytesLeft > 0 { -@@ -547,6 +573,7 @@ func (t *handshakeTransport) writePacket(p []byte) error { - - if err := t.pushPacket(p); err != nil { - t.writeError = err -+ t.writeCond.Broadcast() - } - - return nil --- -2.45.2 \ No newline at end of file diff --git a/SPECS/caddy/CVE-2025-22872.patch b/SPECS/caddy/CVE-2025-22872.patch deleted file mode 100644 index e520d0aa3..000000000 --- a/SPECS/caddy/CVE-2025-22872.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 9ba151b580e96d9fe4f9a400f91e726119546fff Mon Sep 17 00:00:00 2001 -From: Roland Shoemaker -Date: Mon, 24 Feb 2025 11:18:31 -0800 -Subject: [PATCH] html: properly handle trailing solidus in unquoted attribute - value in foreign content - -The parser properly treats tags like

as

, but the -tokenizer emits the SelfClosingTagToken token incorrectly. When the -parser is used to parse foreign content, this results in an incorrect -DOM. - -Thanks to Sean Ng (https://ensy.zip) for reporting this issue. - -Fixes golang/go#73070 -Fixes CVE-2025-22872 - -Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f -Reviewed-on: https://go-review.googlesource.com/c/net/+/661256 -Reviewed-by: Neal Patel -Reviewed-by: Roland Shoemaker -LUCI-TryBot-Result: Go LUCI -Auto-Submit: Gopher Robot ---- - vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++-- - 1 file changed, 16 insertions(+), 2 deletions(-) - -diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go -index 3c57880..6598c1f 100644 ---- a/vendor/golang.org/x/net/html/token.go -+++ b/vendor/golang.org/x/net/html/token.go -@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType { - if raw { - z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end])) - } -- // Look for a self-closing token like "
". -- if z.err == nil && z.buf[z.raw.end-2] == '/' { -+ // Look for a self-closing token (e.g.
). -+ // -+ // Originally, we did this by just checking that the last character of the -+ // tag (ignoring the closing bracket) was a solidus (/) character, but this -+ // is not always accurate. -+ // -+ // We need to be careful that we don't misinterpret a non-self-closing tag -+ // as self-closing, as can happen if the tag contains unquoted attribute -+ // values (i.e.

). -+ // -+ // To avoid this, we check that the last non-bracket character of the tag -+ // (z.raw.end-2) isn't the same character as the last non-quote character of -+ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has -+ // attributes. -+ nAttrs := len(z.attr) -+ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) { - return SelfClosingTagToken - } - return StartTagToken --- -2.34.1 - diff --git a/SPECS/caddy/CVE-2025-47911.patch b/SPECS/caddy/CVE-2025-47911.patch deleted file mode 100644 index 7456902a1..000000000 --- a/SPECS/caddy/CVE-2025-47911.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -commit 59706cdaa8f95502fdec64b67b4c61d6ca58727d -Author: Roland Shoemaker -Date: Mon Sep 29 16:33:18 2025 -0700 - - html: impose open element stack size limit - - The HTML specification contains a number of algorithms which are - quadratic in complexity by design. Instead of adding complicated - workarounds to prevent these cases from becoming extremely expensive in - pathological cases, we impose a limit of 512 to the size of the stack of - open elements. It is extremely unlikely that non-adversarial HTML - documents will ever hit this limit (but if we see cases of this, we may - want to make the limit configurable via a ParseOption). - - Thanks to Guido Vranken and Jakub Ciolek for both independently - reporting this issue. - - Fixes CVE-2025-47911 - Fixes golang/go#75682 - - Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad - Reviewed-on: https://go-review.googlesource.com/c/net/+/709876 - Reviewed-by: Damien Neil - LUCI-TryBot-Result: Go LUCI - -diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go -index 04c6bec..12f2273 100644 ---- a/vendor/golang.org/x/net/html/escape.go -+++ b/vendor/golang.org/x/net/html/escape.go -@@ -299,7 +299,7 @@ func escape(w writer, s string) error { - case '\r': - esc = " " - default: -- panic("unrecognized escape character") -+ panic("html: unrecognized escape character") - } - s = s[i+1:] - if _, err := w.WriteString(esc); err != nil { -diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go -index 722e927..88fc005 100644 ---- a/vendor/golang.org/x/net/html/parse.go -+++ b/vendor/golang.org/x/net/html/parse.go -@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) { - } - - if n.Type == ElementNode { -- p.oe = append(p.oe, n) -+ p.insertOpenElement(n) -+ } -+} -+ -+func (p *parser) insertOpenElement(n *Node) { -+ p.oe = append(p.oe, n) -+ if len(p.oe) > 512 { -+ panic("html: open stack of elements exceeds 512 nodes") - } - } - -@@ 
-810,7 +817,7 @@ func afterHeadIM(p *parser) bool { - p.im = inFramesetIM - return true - case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title: -- p.oe = append(p.oe, p.head) -+ p.insertOpenElement(p.head) - defer p.oe.remove(p.head) - return inHeadIM(p) - case a.Head: -@@ -2324,9 +2331,13 @@ func (p *parser) parseCurrentToken() { - } - } - --func (p *parser) parse() error { -+func (p *parser) parse() (err error) { -+ defer func() { -+ if panicErr := recover(); panicErr != nil { -+ err = fmt.Errorf("%s", panicErr) -+ } -+ }() - // Iterate until EOF. Any other error will cause an early return. -- var err error - for err != io.EOF { - // CDATA sections are allowed only in foreign content. - n := p.oe.top() -@@ -2355,6 +2366,8 @@ func (p *parser) parse() error { - // s. Conversely, explicit s in r's data can be silently dropped, - // with no corresponding node in the resulting tree. - // -+// Parse will reject HTML that is nested deeper than 512 elements. -+// - // The input is assumed to be UTF-8 encoded. - func Parse(r io.Reader) (*Node, error) { - return ParseWithOptions(r) diff --git a/SPECS/caddy/CVE-2025-47913.patch b/SPECS/caddy/CVE-2025-47913.patch deleted file mode 100644 index c3c7a2760..000000000 --- a/SPECS/caddy/CVE-2025-47913.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 559e062ce8bfd6a39925294620b50906ca2a6f95 Mon Sep 17 00:00:00 2001 -From: Nicola Murino -Date: Sun, 31 Aug 2025 20:07:32 +0200 -Subject: [PATCH] ssh/agent: return an error for unexpected message types - -Previously, receiving an unexpected message type in response to a key -listing or a signing request could cause a panic due to a failed type -assertion. - -This change adds a default case to the type switch in order to detect -and explicitly handle unknown or invalid message types, returning a -descriptive error instead of crashing. - -Fixes golang/go#75178 - -Change-Id: Icbc3432adc79fe3c56b1ff23c6724d7a6f710f3a -Reviewed-on: https://go-review.googlesource.com/c/crypto/+/700295 -Reviewed-by: Roland Shoemaker -LUCI-TryBot-Result: Go LUCI -Reviewed-by: Michael Pratt -Reviewed-by: Jakub Ciolek ---- - vendor/golang.org/x/crypto/ssh/agent/client.go | 6 +++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go -index 37525e1a18..b357e18b0a 100644 ---- a/vendor/golang.org/x/crypto/ssh/agent/client.go -+++ b/vendor/golang.org/x/crypto/ssh/agent/client.go -@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) { - return keys, nil - case *failureAgentMsg: - return nil, errors.New("agent: failed to list keys") -+ default: -+ return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg) - } -- panic("unreachable") - } - - // Sign has the agent sign the data using a protocol 2 key as defined -@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl - return &sig, nil - case *failureAgentMsg: - return nil, errors.New("agent: failed to sign challenge") -+ default: -+ return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg) - } -- panic("unreachable") - } - - // unmarshal parses an agent message in packet, returning the parsed 
diff --git a/SPECS/caddy/CVE-2025-47914.patch b/SPECS/caddy/CVE-2025-47914.patch deleted file mode 100644 index 11e2027d2..000000000 --- a/SPECS/caddy/CVE-2025-47914.patch +++ /dev/null @@ -1,37 +0,0 @@ -From f91f7a7c31bf90b39c1de895ad116a2bacc88748 Mon Sep 17 00:00:00 2001 -From: Neal Patel -Date: Wed, 10 Sep 2025 14:27:42 -0400 -Subject: [PATCH] ssh/agent: prevent panic on malformed constraint - -An attacker could supply a malformed Constraint that -would trigger a panic in a serving agent, effectively -causing denial of service. - -Thank you to Jakub Ciolek for reporting this issue. - -Fixes CVE-2025-47914 -Fixes golang/go#76364 - -Change-Id: I195bbc68b1560d4f04897722a6a653a7cbf086eb -Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721960 -LUCI-TryBot-Result: Go LUCI -Auto-Submit: Roland Shoemaker -Reviewed-by: Damien Neil ---- - vendor/golang.org/x/crypto/ssh/agent/server.go | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/vendor/golang.org/x/crypto/ssh/agent/server.go b/vendor/golang.org/x/crypto/ssh/agent/server.go -index 88ce4da6c4..4e8ff86b61 100644 ---- a/vendor/golang.org/x/crypto/ssh/agent/server.go -+++ b/vendor/golang.org/x/crypto/ssh/agent/server.go -@@ -203,6 +203,9 @@ func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse - for len(constraints) != 0 { - switch constraints[0] { - case agentConstrainLifetime: -+ if len(constraints) < 5 { -+ return 0, false, nil, io.ErrUnexpectedEOF -+ } - lifetimeSecs = binary.BigEndian.Uint32(constraints[1:5]) - constraints = constraints[5:] - case agentConstrainConfirm: diff --git a/SPECS/caddy/CVE-2025-58181.patch b/SPECS/caddy/CVE-2025-58181.patch deleted file mode 100644 index 76b17efad..000000000 --- a/SPECS/caddy/CVE-2025-58181.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From e79546e28b85ea53dd37afe1c4102746ef553b9c Mon Sep 17 00:00:00 2001 -From: Neal Patel -Date: Wed, 19 Nov 2025 13:35:12 -0500 -Subject: [PATCH] ssh: curb GSSAPI DoS risk by limiting number of specified - OIDs - -Previously, an attacker could specify an integer up to 0xFFFFFFFF -that would directly allocate memory despite the observability of -the rest of the payload. This change places a hard cap on the -amount of mechanisms that can be specified and encoded in the -payload. Additionally, it performs a small sanity check to deny -payloads whose stated size is contradictory to the observed payload. - -Thank you to Jakub Ciolek for reporting this issue. - -Fixes CVE-2025-58181 -Fixes golang/go#76363 - -Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485 -Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961 -Auto-Submit: Roland Shoemaker -Reviewed-by: Damien Neil -LUCI-TryBot-Result: Go LUCI ---- - vendor/golang.org/x/crypto/ssh/ssh_gss.go | 8 +++++++- - 1 files changed, 7 insertions(+), 1 deletion(-) - -diff --git a/vendor/golang.org/x/crypto//ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go -index 24bd7c8e83..a6249a1227 100644 ---- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go -+++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go -@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) { - if !ok { - return nil, errors.New("parse uint32 failed") - } -+ // Each ASN.1 encoded OID must have a minimum -+ // of 2 bytes; 64 maximum mechanisms is an -+ // arbitrary, but reasonable ceiling. 
-+ const maxMechs = 64 -+ if n > maxMechs || int(n)*2 > len(rest) { -+ return nil, errors.New("invalid mechanism count") -+ } - s := &userAuthRequestGSSAPI{ - N: n, - OIDS: make([]asn1.ObjectIdentifier, n), -@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) { - if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil { - return nil, err - } -- - } - return s, nil - } diff --git a/SPECS/caddy/CVE-2025-58190.patch b/SPECS/caddy/CVE-2025-58190.patch deleted file mode 100644 index 9cc3618c2..000000000 --- a/SPECS/caddy/CVE-2025-58190.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -commit 6ec8895aa5f6594da7356da7d341b98133629009 -Author: Roland Shoemaker -Date: Mon Sep 29 19:38:24 2025 -0700 - - html: align in row insertion mode with spec - - Update inRowIM to match the HTML specification. This fixes an issue - where a specific HTML document could cause the parser to enter an - infinite loop when trying to parse a and implied next to - each other. - - Fixes CVE-2025-58190 - Fixes golang/go#70179 - - Change-Id: Idcb133c87c7d475cc8c7eb1f1550ea21d8bdddea - Reviewed-on: https://go-review.googlesource.com/c/net/+/709875 - LUCI-TryBot-Result: Go LUCI - Reviewed-by: Damien Neil - -diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go -index 518ee4c..722e927 100644 ---- a/vendor/golang.org/x/net/html/parse.go -+++ b/vendor/golang.org/x/net/html/parse.go -@@ -136,7 +136,7 @@ func (p *parser) indexOfElementInScope(s scope, matchTags ...a.Atom) int { - return -1 - } - default: -- panic("unreachable") -+ panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s)) - } - } - switch s { -@@ -179,7 +179,7 @@ func (p *parser) clearStackToContext(s scope) { - return - } - default: -- panic("unreachable") -+ panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s)) - } - } - } -@@ -1678,7 +1678,7 @@ func inTableBodyIM(p *parser) bool { - return inTableIM(p) - } - --// Section 12.2.6.4.14. -+// Section 13.2.6.4.14. 
- func inRowIM(p *parser) bool { - switch p.tok.Type { - case StartTagToken: -@@ -1690,7 +1690,9 @@ func inRowIM(p *parser) bool { - p.im = inCellIM - return true - case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr: -- if p.popUntil(tableScope, a.Tr) { -+ if p.elementInScope(tableScope, a.Tr) { -+ p.clearStackToContext(tableRowScope) -+ p.oe.pop() - p.im = inTableBodyIM - return false - } -@@ -1700,22 +1702,28 @@ func inRowIM(p *parser) bool { - case EndTagToken: - switch p.tok.DataAtom { - case a.Tr: -- if p.popUntil(tableScope, a.Tr) { -+ if p.elementInScope(tableScope, a.Tr) { -+ p.clearStackToContext(tableRowScope) -+ p.oe.pop() - p.im = inTableBodyIM - return true - } - // Ignore the token. - return true - case a.Table: -- if p.popUntil(tableScope, a.Tr) { -+ if p.elementInScope(tableScope, a.Tr) { -+ p.clearStackToContext(tableRowScope) -+ p.oe.pop() - p.im = inTableBodyIM - return false - } - // Ignore the token. - return true - case a.Tbody, a.Tfoot, a.Thead: -- if p.elementInScope(tableScope, p.tok.DataAtom) { -- p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String()) -+ if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) { -+ p.clearStackToContext(tableRowScope) -+ p.oe.pop() -+ p.im = inTableBodyIM - return false - } - // Ignore the token. -@@ -2222,16 +2230,20 @@ func parseForeignContent(p *parser) bool { - p.acknowledgeSelfClosingTag() - } - case EndTagToken: -+ if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) { -+ p.oe = p.oe[:len(p.oe)-1] -+ return true -+ } - for i := len(p.oe) - 1; i >= 0; i-- { -- if p.oe[i].Namespace == "" { -- return p.im(p) -- } - if strings.EqualFold(p.oe[i].Data, p.tok.Data) { - p.oe = p.oe[:i] -+ return true -+ } -+ if i > 0 && p.oe[i-1].Namespace == "" { - break - } - } -- return true -+ return p.im(p) - default: - // Ignore the token. - } diff --git a/SPECS/caddy/caddy.signatures.json b/SPECS/caddy/caddy.signatures.json index da8730e8a..358757a22 100644 
--- a/SPECS/caddy/caddy.signatures.json +++ b/SPECS/caddy/caddy.signatures.json @@ -8,7 +8,7 @@ "poweredby-black.png": "4691c0d3bd2156db97b76d12f0c98662fe8869f30fe2c07631ffb43bda09e6a1", "poweredby-white.png": "e128419a13a91428ea9985fd54c91b8e80061c4d72b4ee913e616b3c823fcdd6", "0001-Disable-commands-that-can-alter-the-binary.patch": "1ef152b99af5a3a549254c845145ea9142abd571fb92c370acb3604dc77a1415", - "caddy-2.9.1.tar.gz": "beb52478dfb34ad29407003520d94ee0baccbf210d1af72cebf430d6d7dd7b63", - "caddy-2.9.1-vendor.tar.gz": "3a7bc2b669f1cc55273d9486fd651473ca5de02131c4de292bffac0aaab82837" + "caddy-2.11.2.tar.gz": "ee12f7b5f97308708de5067deebb3d3322fc24f6d54f906a47a0a4e8db799122", + "caddy-2.11.2-vendor.tar.gz": "d55b0526bfc42efb9f167b4ff24925916db0cc176d75abad07f6d6c85e12fea7" } } diff --git a/SPECS/caddy/caddy.spec b/SPECS/caddy/caddy.spec index 030f76e51..5816f9a7c 100644 --- a/SPECS/caddy/caddy.spec +++ b/SPECS/caddy/caddy.spec @@ -2,8 +2,8 @@ Summary: Web server with automatic HTTPS Name: caddy -Version: 2.9.1 -Release: 20%{?dist} +Version: 2.11.2 +Release: 1%{?dist} Distribution: Edge Microvisor Toolkit Vendor: Intel Corporation # main source code is Apache-2.0 @@ -27,16 +27,8 @@ Source31: poweredby-black.png # downstream only patch to disable commands that can alter the binary Patch1: 0001-Disable-commands-that-can-alter-the-binary.patch -Patch2: CVE-2025-22869.patch -Patch3: CVE-2024-45339.patch -Patch4: CVE-2025-22872.patch -Patch5: CVE-2025-58181.patch -Patch6: CVE-2025-61727.patch -Patch7: CVE-2025-61729.patch -Patch8: CVE-2025-47913.patch -Patch9: CVE-2025-47914.patch -Patch10: CVE-2025-58190.patch -Patch11: CVE-2025-47911.patch +Patch2: CVE-2025-61727.patch +Patch3: CVE-2025-61729.patch # https://github.com/caddyserver/caddy/commit/2028da4e74cd41f0f7f94222c6599da1a371d4b8 BuildRequires: golang >= 1.25.5 # dario.cat/mergo : BSD-3-Clause 
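Review bot: The `@@ -27,16 +27,8 @@` hunk in caddy.spec drops Patch2–Patch11 (CVE-2025-22869, CVE-2024-45339, CVE-2025-22872, CVE-2025-58181, CVE-2025-47913, CVE-2025-47914, CVE-2025-58190, CVE-2025-47911) and deletes their patch files, but the only record of why is the changelog entry in the `@@ -459,6 +451,9 @@` hunk, which says just "Version upgrade from 2.9.1 to 2.11.2". Presumably the fixes are now carried by the vendored x/crypto and x/net modules in caddy-2.11.2-vendor.tar.gz, yet nothing in the spec states that, so a later audit could read the removal as a regression. Once that has been confirmed against the new vendor tree, extend the changelog entry with a line such as `- Drop CVE-2024-45339, CVE-2025-22869, CVE-2025-22872, CVE-2025-47911, CVE-2025-47913, CVE-2025-47914, CVE-2025-58181 and CVE-2025-58190 patches: fixed upstream in the 2.11.2 vendored modules.` The two retained patches, CVE-2025-61727.patch and CVE-2025-61729.patch, are renumbered to Patch2 and Patch3 but their files are not touched here, so it is worth noting in the changelog that they were re-verified to apply against 2.11.2.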
@@ -459,6 +451,9 @@ fi %{_datadir}/fish/vendor_completions.d/caddy.fish %changelog +* Fri Mar 20 2026 Shalini Singhal - 2.11.2-1 +- Version upgrade from 2.9.1 to 2.11.2. + * Fri Feb 13 2026 Rajesh Shanmugam - 2.9.1-20 - Add patch for CVE-2025-47911 and CVE-2025-58190 diff --git a/cgmanifest.json b/cgmanifest.json index bc3a12fee..c922bdf98 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -1417,8 +1417,8 @@ "type": "other", "other": { "name": "caddy", - "version": "2.9.1", - "downloadUrl": "https://github.com/caddyserver/caddy/archive/v2.9.1/caddy-2.9.1.tar.gz" + "version": "2.11.2", + "downloadUrl": "https://github.com/caddyserver/caddy/archive/v2.11.2/caddy-2.11.2.tar.gz" } } },