caddy - Debian Package Tracker

general

source: caddy (main)
version: 2.11.2-1
maintainer: Debian Go Packaging Team (DMD)
uploaders: Peymaneh [DMD] [DM]
arch: any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 2.6.2-5
stable: 2.6.2-12
testing: 2.11.2-1
unstable: 2.11.2-1

versioned links

2.6.2-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.6.2-12: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.11.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

caddy (1 bugs: 0, 0, 1, 0)

action needed

6 security issues in trixie high

There are 6 open security issues in trixie.

6 important issues:

CVE-2026-27585: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
CVE-2026-27586: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.
CVE-2026-27587: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.
CVE-2026-27588: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.
CVE-2026-27589: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.
CVE-2026-27590: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.

Created: 2026-02-25 Last update: 2026-04-30 16:49

6 security issues in bookworm high

There are 6 open security issues in bookworm.

6 important issues:

CVE-2026-27585: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
CVE-2026-27586: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.
CVE-2026-27587: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.
CVE-2026-27588: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.
CVE-2026-27589: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-origin requests (e.g., from attacker-controlled web content in a victim browser) and applies an attacker-supplied JSON config. This can change the admin listener settings and alter HTTP server behavior without user intent. Version 2.11.1 contains a fix for the issue.
CVE-2026-27590: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.

Created: 2026-02-25 Last update: 2026-04-30 16:49

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-04-27 Last update: 2026-04-27 23:00

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 5a76ab8ddcfdf644ffac6349ca8b26c7d6b012e5
Author: Nilesh Patra <nilesh@debian.org>
Date:   Mon Apr 27 18:55:47 2026 +0530

    Switch to regular salsa CI

Created: 2026-04-26 Last update: 2026-04-27 15:31

debian/patches: 4 patches to forward upstream low

Among the 7 debian patches available in version 2.11.2-1 of the package, we noticed the following issues:

4 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-04-27 20:30

news

[rss feed]

[2026-05-01] caddy 2.11.2-1 MIGRATED to testing (Debian testing watch)
[2026-04-27] Accepted caddy 2.11.2-1 (source) into unstable (Nilesh Patra)
[2026-01-09] caddy REMOVED from testing (Debian testing watch)
[2025-12-24] caddy 2.6.2-14 MIGRATED to testing (Debian testing watch)
[2025-10-18] Accepted caddy 2.6.2-14 (source) into unstable (Nilesh Patra)
[2025-10-18] Accepted caddy 2.6.2-13 (source) into unstable (Nilesh Patra)
[2025-09-07] caddy REMOVED from testing (Debian testing watch)
[2025-05-30] caddy 2.6.2-12 MIGRATED to testing (Debian testing watch)
[2025-05-10] Accepted caddy 2.6.2-12 (source) into unstable (Jérémy Lal)
[2025-04-12] caddy 2.6.2-11 MIGRATED to testing (Debian testing watch)
[2025-04-09] Accepted caddy 2.6.2-11 (source) into unstable (Jérémy Lal)
[2025-04-06] Accepted caddy 2.6.2-10 (source) into unstable (Jérémy Lal)
[2025-03-19] caddy REMOVED from testing (Debian testing watch)
[2025-03-18] Accepted caddy 2.6.2-9 (source) into unstable (Jérémy Lal)
[2024-11-12] caddy 2.6.2-8 MIGRATED to testing (Debian testing watch)
[2024-09-27] caddy REMOVED from testing (Debian testing watch)
[2024-08-22] caddy 2.6.2-8 MIGRATED to testing (Debian testing watch)
[2024-08-13] Accepted caddy 2.6.2-8 (source) into unstable (Shengjing Zhu)
[2024-08-07] caddy 2.6.2-7 MIGRATED to testing (Debian testing watch)
[2024-08-02] Accepted caddy 2.6.2-7 (source) into unstable (Mathias Gibbens)
[2024-05-04] caddy 2.6.2-6.1 MIGRATED to testing (Debian testing watch)
[2024-05-02] Accepted caddy 2.6.2-6.1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
[2023-08-26] caddy 2.6.2-6 MIGRATED to testing (Debian testing watch)
[2023-08-26] caddy 2.6.2-6 MIGRATED to testing (Debian testing watch)
[2023-08-23] Accepted caddy 2.6.2-6 (source) into unstable (Shengjing Zhu)
[2023-04-25] caddy 2.6.2-5 MIGRATED to testing (Debian testing watch)
[2023-04-17] Accepted caddy 2.6.2-5 (source) into unstable (Peymaneh)
[2023-01-20] caddy 2.6.2-4 MIGRATED to testing (Debian testing watch)
[2023-01-15] Accepted caddy 2.6.2-4 (source) into unstable (Peymaneh)
[2023-01-14] Accepted caddy 2.6.2-3 (source) into unstable (Peymaneh)

bugs [bug history graph]

all: 1
RC: 0
I&N: 0
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, cross
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.6.2-14