Upgrade Caddy container to 2.11.2 on demo server #25

@josecelano

Description

Summary

The demo server is running caddy:2.10.2, which contains 4 CRITICAL CVEs in its
upstream binary dependencies. Upgrading to caddy:2.11.2 (released 2026-04-14)
reduces the count to 2 CRITICAL and 10 HIGH.

torrust/torrust-tracker-deployer PR #455
updates the deployer's default Caddy image to 2.11.2 for future deployments,
but the already-running demo server must be updated separately by pulling the new
image and restarting the container.

Background — CVE analysis

Scanned with Trivy 0.69.3 (DB updated 2026-04-14).

Version   HIGH   CRITICAL
2.10      18     6
2.10.2    14     4
2.11.2    10     2

Remaining CRITICAL CVEs in 2.11.2 (upstream binary — cannot be fixed without a new Caddy release)

CVE             Library                  Fix     Notes
CVE-2026-30836  smallstep/certificates   0.30.0  Unauthenticated SCEP cert issuance
CVE-2026-33186  google.golang.org/grpc   1.79.3  Authorization bypass via HTTP/2 path ⚠️ network-accessible

Both CVEs are in upstream Caddy binary dependencies and require a new Caddy release
to fix. Upgrading to 2.11.2 is still recommended as the best available remediation.
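To reproduce the severity counts in the table above from Trivy's JSON output, here is an added Python example (not code from this issue or the torrust project). It assumes reports produced with `trivy image --format json <image>`; the embedded sample report is constructed and only reuses the two CRITICAL entries quoted in the issue.

```python
"""Summarise Trivy JSON reports by severity, as in the issue's CVE tables.

Added example, not part of the original issue. Assumes reports produced with
`trivy image --format json <image>`; the sample report below is constructed.
"""
import json
from collections import Counter

# Constructed sample in Trivy's JSON layout. The two CRITICAL entries carry the
# CVE ids and fix versions quoted in the issue; the HIGH entry is a placeholder.
SAMPLE_2_11_2 = json.dumps({
    "ArtifactName": "caddy:2.11.2",
    "Results": [{
        "Target": "usr/bin/caddy", "Type": "gobinary",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2026-30836", "Severity": "CRITICAL",
             "PkgName": "github.com/smallstep/certificates", "FixedVersion": "0.30.0"},
            {"VulnerabilityID": "CVE-2026-33186", "Severity": "CRITICAL",
             "PkgName": "google.golang.org/grpc", "FixedVersion": "1.79.3"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "Severity": "HIGH",
             "PkgName": "example.invalid/lib", "FixedVersion": ""},
        ]}]})


def severity_counts(report_json):
    """Count findings per severity across all scan targets. Trivy reports each
    target separately, so a CVE present in two targets is counted twice."""
    counts = Counter()
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return dict(counts)


def critical_findings(report_json):
    """List CRITICAL findings; an empty FixedVersion means no upstream fix yet."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") == "CRITICAL":
                rows.append({"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                             "fix": vuln.get("FixedVersion", "") or "none"})
    return sorted(rows, key=lambda r: r["id"])


def is_improvement(before_counts, after_counts):
    """True when the upgrade lowers the CRITICAL count without raising HIGH."""
    return (after_counts.get("CRITICAL", 0) < before_counts.get("CRITICAL", 0)
            and after_counts.get("HIGH", 0) <= before_counts.get("HIGH", 0))


if __name__ == "__main__":
    print(severity_counts(SAMPLE_2_11_2))
    for row in critical_findings(SAMPLE_2_11_2):
        print(f"{row['id']:<18} {row['pkg']:<40} fix: {row['fix']}")
```

Feeding `is_improvement` the HIGH/CRITICAL pairs from the version table (14/4 for 2.10.2, 10/2 for 2.11.2) gives the go/no-go check the issue argues for.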

Steps to upgrade on the demo server

SSH into the demo server and run:

cd /opt/torrust
docker compose pull caddy
docker compose up -d caddy
docker compose ps caddy

Verify the new version:

docker inspect caddy --format '{{.Config.Image}}'
# Expected: caddy:2.11.2

Check Caddy is healthy:

curl -s https://tracker.torrust-tracker-demo.com/health_check
# Expected: healthy response from the tracker via Caddy proxy

Labels: Security