From: Keith Henderson Jr
Subject: update + security cvs fixes: caddy -> 2.11.2
To: "ports@openbsd.org"
Date: Wed, 11 Mar 2026 04:48:53 +0000

Per upstream:

>Reverse proxy got a lot of love with certain edge cases related to PROXY protocol, health check port, and closing body on retries. Dynamic upstreams are now tracked which enables passive health checking.
>Performance improvements for metrics.
>New tls_resolvers global option to control DNS resolvers for all sites when using the ACME DNS challenge.
>Log rolling now supports zstd compression; deprecated roll_gzip, which will be removed in the future. Use roll_compression instead.
>Refined logging and some error messages.
>Fixed a bug in rewrite handler that could cause some URIs to not be rewritten when URI path is an escaped form of target path. Thanks to @MaherAzzouzi for the report.

>Security fixes
>This release fixes two CVEs.
>@NucleiAv reported a bug in the forward_auth directive that could permit identity injection and potential privilege escalation.
>@sammiee5311 reported that vars_regexp double-expanded placeholders, allowing some unusual configs to reveal secrets.

Please find diff attached.

OK?