Bug 1831718 (CVE-2018-21246)

Summary: CVE-2018-21246 caddy: Does not have tls StrictHostMatching mode enabled which could result in client auth bypass
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: carl, go-sig, gparvin, jramanat, jweiser, stcannon, tfister, thee
Keywords: Reopened, Security
Hardware: All
OS: Linux
Fixed In Version: caddy 0.10.13
Doc Type: If docs needed, set a value
Doc Text:
When Caddy is configured to protect a resource with TLS Client Certificate Authentication, but the resource is served by QUIC, client certificates would not be validated and the protected resource would be served to unauthenticated visitors. This vulnerability was due to failing to carefully enable the StrictHostMatching flag, and applies specifically to configurations using Client Certificates and QUIC.
Last Closed: 2020-07-06 07:27:36 UTC
Bug Depends On: 1831719, 1831721, 1837819
Bug Blocks: 1831723

Description Michael Kaplan 2020-05-05 14:21:27 UTC
An issue was found in caddy, in versions before 0.10.13: tls StrictHostMatching mode is not enabled, which could result in client auth bypass.

Comment 1 Michael Kaplan 2020-05-05 14:21:49 UTC
Created caddy tracking bugs for this issue:

Affects: epel-7 [bug 1831721]
Affects: fedora-all [bug 1831719]

Comment 2 Michael Kaplan 2020-05-05 14:22:27 UTC
Upstream Changelog:

https://github.com/caddyserver/caddy/releases/tag/v0.10.13

Comment 3 Carl George 🤠 2020-05-06 05:54:26 UTC
This hasn't been an issue in Fedora or EPEL packages in 2 years.  See the respective tracking bugs for more details.

Comment 6 Michael Kaplan 2020-06-18 13:04:08 UTC
References:

https://bugs.gentoo.org/715214

Comment 7 Doran Moppert 2020-07-06 07:06:55 UTC
Upstream ticket:

https://github.com/caddyserver/caddy/issues/2095

Comment 8 Product Security DevOps Team 2020-07-06 07:27:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-21246