akanealw
eec8c28fb3
Some checks are pending
Go Benchmark / Performance Regression Check (push) Waiting to run
Cerberus Integration / Cerberus Security Stack Integration (push) Waiting to run
Upload Coverage to Codecov / Backend Codecov Upload (push) Waiting to run
Upload Coverage to Codecov / Frontend Codecov Upload (push) Waiting to run
CodeQL - Analyze / CodeQL analysis (go) (push) Waiting to run
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Waiting to run
CrowdSec Integration / CrowdSec Bouncer Integration (push) Waiting to run
Docker Build, Publish & Test / build-and-push (push) Waiting to run
Docker Build, Publish & Test / Security Scan PR Image (push) Blocked by required conditions
Quality Checks / Auth Route Protection Contract (push) Waiting to run
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Waiting to run
Quality Checks / Backend (Go) (push) Waiting to run
Quality Checks / Frontend (React) (push) Waiting to run
Rate Limit integration / Rate Limiting Integration (push) Waiting to run
Security Scan (PR) / Trivy Binary Scan (push) Waiting to run
Supply Chain Verification (PR) / Verify Supply Chain (push) Waiting to run
WAF integration / Coraza WAF Integration (push) Waiting to run
4.4 KiB
Executable File
4.4 KiB
Executable File
PR-2 Security Patch Posture and Advisory Disposition
- Date: 2026-02-23
- Scope: PR-2 only (security patch posture + xcaddy patch retirement decision)
- Upstream target: Caddy 2.11.x line (
2.11.2candidate in this repository) - Inputs:
- PR-1 compatibility matrix:
docs/reports/caddy-compatibility-matrix.md - Plan authority:
docs/plans/current_spec.md - Runtime and bootstrap assumptions:
.docker/docker-entrypoint.sh,.docker/compose/docker-compose.yml
- PR-1 compatibility matrix:
1) Final patch disposition
| Patch target | Decision | Rationale (evidence-backed) | Rollback path |
|---|---|---|---|
github.com/expr-lang/expr@v1.17.7 |
Retain | Enforced by current builder patching and CI dependency checks. | Keep current pin. |
github.com/hslatman/ipstore@v0.4.0 |
Retain | No PR-2 evidence supports safe retirement. | Keep current pin. |
github.com/slackhq/nebula@v1.9.7 |
Retire by default | Matrix evidence supports scenario B/C; default moved to B with rollback preserved. |
Set CADDY_PATCH_SCENARIO=A. |
2) Caddy 2.11.x advisory disposition
| Advisory | Component summary | Exploitability | Evidence source | Owner | Recheck cadence |
|---|---|---|---|---|---|
GHSA-5r3v-vc8m-m96g (CVE-2026-27590) |
FastCGI split_path confusion |
Not affected | Upstream advisory + Charon runtime path review (no FastCGI transport in default generated config path) | QA_Security | weekly |
GHSA-879p-475x-rqh2 (CVE-2026-27589) |
Admin API cross-origin no-cors | Mitigated | Upstream advisory + local controls: CHARON_CADDY_ADMIN_API now validated against internal allowlist and expected port 2019; production compose does not publish 2019 by default |
QA_Security | weekly |
GHSA-x76f-jf84-rqj8 (CVE-2026-27588) |
Host matcher case bypass | Mitigated | Upstream advisory + PR-1 Caddy 2.11.x matrix compatibility evidence and Charon route/security test reliance on upgraded line | QA_Security | release-candidate |
GHSA-g7pc-pc7g-h8jh (CVE-2026-27587) |
Path matcher escaped-case bypass | Mitigated | Upstream advisory + PR-1 matrix evidence and maintained security enforcement suite coverage | QA_Security | release-candidate |
GHSA-hffm-g8v7-wrv7 (CVE-2026-27586) |
mTLS client-auth fail-open | Not affected | Upstream advisory + Charon default deployment model does not enable mTLS client-auth CA pool configuration by default | QA_Security | on-upstream-change |
GHSA-4xrr-hq4w-6vf4 (CVE-2026-27585) |
File matcher glob sanitization bypass | Not affected | Upstream advisory + no default Charon generated config dependency on vulnerable matcher pattern | QA_Security | on-upstream-change |
3) Admin API exposure assumptions and hardening status
- Assumption: only internal Caddy admin endpoints are valid management targets.
- PR-2 enforcement:
- validate and normalize
CHARON_CADDY_ADMIN_API/CPM_CADDY_ADMIN_API - host allowlist + expected port
2019 - fail-fast startup on invalid/non-allowlisted endpoint
- validate and normalize
- Exposure check: production compose defaults do not publish port
2019.
4) Runtime safety and rollback preservation
- Runtime defaults keep
exprandipstorepinned. nebulapin retirement is controlled by scenario switch, not hard deletion.- Emergency rollback remains one-step:
CADDY_PATCH_SCENARIO=A.
Validation executed for PR-2
| Command / Task | Outcome |
|---|---|
cd /projects/Charon/backend && go test ./internal/config |
PASS |
VS Code task Security: Caddy PR-1 Compatibility Matrix |
PASS (A/B/C scenarios pass on linux/amd64 and linux/arm64; promotion gate PASS) |
Relevant generated artifacts:
docs/reports/caddy-compatibility-matrix.mdtest-results/caddy-compat/matrix-summary.csvtest-results/caddy-compat/module-inventory-*-go-version-m.txttest-results/caddy-compat/module-inventory-*-modules.txt
Residual risks / follow-up watch
- Caddy advisories with reserved or evolving CVE enrichment may change exploitability interpretation; recheck cadence remains active.
- Caddy bootstrap still binds admin listener to container interface (
0.0.0.0:2019) for compatibility, so operator misconfiguration that publishes port2019can expand attack surface; production compose defaults avoid publishing this port.
PR-2 closure statement
PR-2 posture decisions are review-ready: patch disposition is explicit, admin API assumptions are enforced, and rollback remains deterministic. No PR-3 scope is included.