Merge branch 'feature/beta-release' into renovate/feature/beta-release-actions-deploy-pages-5.x

.grype.yaml

@@ -284,6 +284,133 @@ ignore:
     # 4. If not yet migrated: Extend expiry by 30 days and update the review comment above
     # 5. If extended 3+ times: Open an upstream issue on crowdsecurity/crowdsec requesting pgx/v5 migration
 
+  # GHSA-x744-4wpc-v9h2 / CVE-2026-34040: Docker AuthZ plugin bypass via oversized request body
+  # Severity: HIGH (CVSS 8.8)
+  # CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+  # CWE: CWE-863 (Incorrect Authorization)
+  # Package: github.com/docker/docker v28.5.2+incompatible (go-module)
+  # Status: Fixed in moby/moby v29.3.1 — NO fix available for docker/docker import path
+  #
+  # Vulnerability Details:
+  # - Incomplete fix for Docker AuthZ plugin bypass (CVE-2024-41110). An attacker can send an
+  #   oversized request body to the Docker daemon, causing it to forward the request to the AuthZ
+  #   plugin without the body, allowing unauthorized approvals.
+  #
+  # Root Cause (No Fix Available for Import Path):
+  # - The fix exists in moby/moby v29.3.1, but not for the docker/docker import path that Charon uses.
+  # - Migration to moby/moby/v2 is not practical: currently beta with breaking changes.
+  # - Fix path: once docker/docker publishes a patched version or moby/moby/v2 stabilizes,
+  #   update the dependency and remove this suppression.
+  #
+  # Risk Assessment: ACCEPTED (Not exploitable in Charon context)
+  # - Charon uses the Docker client SDK only (list containers). The vulnerability is server-side
+  #   in the Docker daemon's AuthZ plugin handler.
+  # - Charon does not run a Docker daemon or use AuthZ plugins.
+  # - The attack vector requires local access to the Docker daemon socket with AuthZ plugins enabled.
+  #
+  # Mitigation (active while suppression is in effect):
+  # - Monitor docker/docker releases: https://github.com/moby/moby/releases
+  # - Monitor moby/moby/v2 stabilization: https://github.com/moby/moby
+  # - Weekly CI security rebuild flags the moment a fixed version ships.
+  #
+  # Review:
+  # - Reviewed 2026-03-30 (initial suppression): no fix for docker/docker import path. Set 30-day review.
+  # - Next review: 2026-04-30. Remove suppression once a fix is available for the docker/docker import path.
+  #
+  # Removal Criteria:
+  # - docker/docker publishes a patched version OR moby/moby/v2 stabilizes and migration is feasible
+  # - Update dependency, rebuild, run security-scan-docker-image, confirm finding is resolved
+  # - Remove this entry, the GHSA-pxq6-2prw-chj9 entry, and the corresponding .trivyignore entries simultaneously
+  #
+  # References:
+  # - GHSA-x744-4wpc-v9h2: https://github.com/advisories/GHSA-x744-4wpc-v9h2
+  # - CVE-2026-34040: https://nvd.nist.gov/vuln/detail/CVE-2026-34040
+  # - CVE-2024-41110 (original): https://nvd.nist.gov/vuln/detail/CVE-2024-41110
+  # - moby/moby releases: https://github.com/moby/moby/releases
+  - vulnerability: GHSA-x744-4wpc-v9h2
+    package:
+      name: github.com/docker/docker
+      version: "v28.5.2+incompatible"
+      type: go-module
+    reason: |
+      HIGH — Docker AuthZ plugin bypass via oversized request body in docker/docker v28.5.2+incompatible.
+      Incomplete fix for CVE-2024-41110. Fixed in moby/moby v29.3.1 but no fix for docker/docker import path.
+      Charon uses Docker client SDK only (list containers); the vulnerability is server-side in the Docker
+      daemon's AuthZ plugin handler. Charon does not run a Docker daemon or use AuthZ plugins.
+      Risk accepted; no remediation path until docker/docker publishes a fix or moby/moby/v2 stabilizes.
+      Reviewed 2026-03-30: no patched release available for docker/docker import path.
+    expiry: "2026-04-30"  # 30-day review: no fix for docker/docker import path. Extend in 30-day increments with documented justification.
+
+    # Action items when this suppression expires:
+    # 1. Check docker/docker and moby/moby releases: https://github.com/moby/moby/releases
+    # 2. Check if moby/moby/v2 has stabilized: https://github.com/moby/moby
+    # 3. If a fix has shipped for docker/docker import path OR moby/moby/v2 is stable:
+    #    a. Update the dependency and rebuild Docker image
+    #    b. Run local security-scan-docker-image and confirm finding is resolved
+    #    c. Remove this entry, GHSA-pxq6-2prw-chj9 entry, and all corresponding .trivyignore entries
+    # 4. If no fix yet: Extend expiry by 30 days and update the review comment above
+    # 5. If extended 3+ times: Open an issue to track moby/moby/v2 migration feasibility
+
+  # GHSA-pxq6-2prw-chj9 / CVE-2026-33997: Moby off-by-one error in plugin privilege validation
+  # Severity: MEDIUM (CVSS 6.8)
+  # Package: github.com/docker/docker v28.5.2+incompatible (go-module)
+  # Status: Fixed in moby/moby v29.3.1 — NO fix available for docker/docker import path
+  #
+  # Vulnerability Details:
+  # - Off-by-one error in Moby's plugin privilege validation allows potential privilege escalation
+  #   via crafted plugin configurations.
+  #
+  # Root Cause (No Fix Available for Import Path):
+  # - Same import path issue as GHSA-x744-4wpc-v9h2. The fix exists in moby/moby v29.3.1 but not
+  #   for the docker/docker import path that Charon uses.
+  # - Fix path: same as GHSA-x744-4wpc-v9h2 — wait for docker/docker patch or moby/moby/v2 stabilization.
+  #
+  # Risk Assessment: ACCEPTED (Not exploitable in Charon context)
+  # - Charon uses the Docker client SDK only (list containers). The vulnerability is in Docker's
+  #   plugin privilege validation, which is server-side functionality.
+  # - Charon does not run a Docker daemon, install Docker plugins, or interact with plugin privileges.
+  #
+  # Mitigation (active while suppression is in effect):
+  # - Monitor docker/docker releases: https://github.com/moby/moby/releases
+  # - Weekly CI security rebuild flags the moment a fixed version ships.
+  #
+  # Review:
+  # - Reviewed 2026-03-30 (initial suppression): no fix for docker/docker import path. Set 30-day review.
+  # - Next review: 2026-04-30. Remove suppression once a fix is available for the docker/docker import path.
+  #
+  # Removal Criteria:
+  # - Same as GHSA-x744-4wpc-v9h2: docker/docker publishes a patched version OR moby/moby/v2 stabilizes
+  # - Update dependency, rebuild, run security-scan-docker-image, confirm finding is resolved
+  # - Remove this entry, GHSA-x744-4wpc-v9h2 entry, and all corresponding .trivyignore entries simultaneously
+  #
+  # References:
+  # - GHSA-pxq6-2prw-chj9: https://github.com/advisories/GHSA-pxq6-2prw-chj9
+  # - CVE-2026-33997: https://nvd.nist.gov/vuln/detail/CVE-2026-33997
+  # - moby/moby releases: https://github.com/moby/moby/releases
+  - vulnerability: GHSA-pxq6-2prw-chj9
+    package:
+      name: github.com/docker/docker
+      version: "v28.5.2+incompatible"
+      type: go-module
+    reason: |
+      MEDIUM — Off-by-one error in Moby plugin privilege validation in docker/docker v28.5.2+incompatible.
+      Fixed in moby/moby v29.3.1 but no fix for docker/docker import path.
+      Charon uses Docker client SDK only (list containers); the vulnerability is in Docker's server-side
+      plugin privilege validation. Charon does not run a Docker daemon or install Docker plugins.
+      Risk accepted; no remediation path until docker/docker publishes a fix or moby/moby/v2 stabilizes.
+      Reviewed 2026-03-30: no patched release available for docker/docker import path.
+    expiry: "2026-04-30"  # 30-day review: no fix for docker/docker import path. Extend in 30-day increments with documented justification.
+
+    # Action items when this suppression expires:
+    # 1. Check docker/docker and moby/moby releases: https://github.com/moby/moby/releases
+    # 2. Check if moby/moby/v2 has stabilized: https://github.com/moby/moby
+    # 3. If a fix has shipped for docker/docker import path OR moby/moby/v2 is stable:
+    #    a. Update the dependency and rebuild Docker image
+    #    b. Run local security-scan-docker-image and confirm finding is resolved
+    #    c. Remove this entry, GHSA-x744-4wpc-v9h2 entry, and all corresponding .trivyignore entries
+    # 4. If no fix yet: Extend expiry by 30 days and update the review comment above
+    # 5. If extended 3+ times: Open an issue to track moby/moby/v2 migration feasibility
+
 # Match exclusions (patterns to ignore during scanning)
 # Use sparingly - prefer specific CVE suppressions above
 match:

.trivyignore

@@ -78,3 +78,37 @@ GHSA-jqcq-xjh3-6g23
 # See also: .grype.yaml for full justification
 # exp: 2026-04-21
 GHSA-x6gf-mpr2-68h6
+
+# CVE-2026-34040 / GHSA-x744-4wpc-v9h2: Docker AuthZ plugin bypass via oversized request body
+# Severity: HIGH (CVSS 8.8) — Package: github.com/docker/docker v28.5.2+incompatible
+# Incomplete fix for CVE-2024-41110. Fixed in moby/moby v29.3.1 but no fix for docker/docker import path.
+# Charon uses Docker client SDK only (list containers); the vulnerability is server-side in the Docker daemon.
+# Review by: 2026-04-30
+# See also: .grype.yaml for full justification
+# exp: 2026-04-30
+CVE-2026-34040
+
+# GHSA-x744-4wpc-v9h2: Docker AuthZ plugin bypass via oversized request body (GHSA alias)
+# Severity: HIGH (CVSS 8.8) — Package: github.com/docker/docker v28.5.2+incompatible
+# GHSA alias for CVE-2026-34040. See CVE-2026-34040 entry above for full details.
+# Review by: 2026-04-30
+# See also: .grype.yaml for full justification
+# exp: 2026-04-30
+GHSA-x744-4wpc-v9h2
+
+# CVE-2026-33997 / GHSA-pxq6-2prw-chj9: Moby off-by-one error in plugin privilege validation
+# Severity: MEDIUM (CVSS 6.8) — Package: github.com/docker/docker v28.5.2+incompatible
+# Fixed in moby/moby v29.3.1 but no fix for docker/docker import path.
+# Charon uses Docker client SDK only (list containers); plugin privilege validation is server-side.
+# Review by: 2026-04-30
+# See also: .grype.yaml for full justification
+# exp: 2026-04-30
+CVE-2026-33997
+
+# GHSA-pxq6-2prw-chj9: Moby off-by-one error in plugin privilege validation (GHSA alias)
+# Severity: MEDIUM (CVSS 6.8) — Package: github.com/docker/docker v28.5.2+incompatible
+# GHSA alias for CVE-2026-33997. See CVE-2026-33997 entry above for full details.
+# Review by: 2026-04-30
+# See also: .grype.yaml for full justification
+# exp: 2026-04-30
+GHSA-pxq6-2prw-chj9

Dockerfile

@@ -17,7 +17,7 @@ ARG ALPINE_IMAGE=alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e
 
 # ---- Shared CrowdSec Version ----
 # renovate: datasource=github-releases depName=crowdsecurity/crowdsec
-ARG CROWDSEC_VERSION=1.7.6
+ARG CROWDSEC_VERSION=1.7.7
 # CrowdSec fallback tarball checksum (v${CROWDSEC_VERSION})
 ARG CROWDSEC_RELEASE_SHA256=704e37121e7ac215991441cef0d8732e33fa3b1a2b2b88b53a0bfe5e38f863bd
 
@@ -43,9 +43,9 @@ ARG CADDY_CANDIDATE_VERSION=2.11.2
 ARG CADDY_USE_CANDIDATE=0
 ARG CADDY_PATCH_SCENARIO=B
 # renovate: datasource=go depName=github.com/greenpau/caddy-security
-ARG CADDY_SECURITY_VERSION=1.1.53
+ARG CADDY_SECURITY_VERSION=1.1.57
 # renovate: datasource=go depName=github.com/corazawaf/coraza-caddy
-ARG CORAZA_CADDY_VERSION=2.2.0
+ARG CORAZA_CADDY_VERSION=2.3.0
 ## When an official caddy image tag isn't available on the host, use a
 ## plain Alpine base image and overwrite its caddy binary with our
 ## xcaddy-built binary in the later COPY step. This avoids relying on