+++ This bug was initially created as a clone of Bug #2167572 +++ More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2167571 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. --- Additional comment from Sandipan Roy on 2023-02-07 04:39:43 UTC --- Use the following template to for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. ===== # bugfix, security, enhancement, newpackage (required) type=security # low, medium, high, urgent (required) severity=medium # testing, stable request=testing # Bug numbers: 1234,9876 bugs=2167571,2167572 # Description of your update notes=Security fix for [PUT CVEs HERE] # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new
https://lednerb.de/en/publications/responsible-disclosure/caddy-open-redirect-vulnerability/ > All versions v2.x up to v2.5.0-rc.1 were tested and it was confirmed that only version v2.4.6 is affected by the listed attack vector. EPEL 9 has version 2.4.6 and is affected.
I'm planning to address this by updating the package to version 2.6.4 via the EPEL Incompatible Upgrade process. https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org/thread/CDNDAKTIAQTFTNDHOIHKQJ4B2LAV5ZSS/