Change8

v2.11.4

📦 caddyView on GitHub →
1 features🐛 16 fixes🔧 9 symbols

Summary

This release focuses on patching security and security-adjacent bugs, alongside various general fixes and enhancements contributed by the community. Key fixes include improved path matching on Windows and better handling of request bodies and TLS states.

✨ New Features

  • Encode module now prioritizes zstd and br over gzip in content negotiation.

🐛 Bug Fixes

  • caddyhttp: Normalized Windows backslashes in path matcher.
  • rewrite: Prevented placeholder re-expansion in injected query.
  • templates: Improved stripHTML action to more reliably remove malformed HTML.
  • caddyhttp: Ignored header fields with underscores to prevent collisions.
  • reverseproxy: Further prevented body closes from dial errors.
  • caddytls: Fixed client authentication issues.
  • caddyhttp: Omitted Last-Modified header for unusable modification times.
  • caddytls: Fixed TLS state races and ECH rotation retry logic.
  • caddyauth: Added candidate placeholders for rejected identities.
  • cmd: Added support for starting Caddy on IPv6-only hosts.
  • caddyfile: Preserved implicit TLS issuer semantics.
  • reverseproxy: Wrapped request body to prevent closing if not read.
  • caddytls: Matched IDN SNI in connection policies.
  • caddytls: Skipped idna.ToASCII for pure ASCII SNI values.
  • httpcaddyfile: Fixed incorrect error message on duplicate matchers.
  • Applied patch for GHSA-vcc4-2c75-vc9v.

Affected Symbols