Source: golang-github-xenolf-lego
Version: 4.9.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 4.9.1-1

Hi,

The following vulnerability was published for golang-github-xenolf-lego.

CVE-2025-54799[0]:
| Let's Encrypt client and ACME library written in Go (Lego). In
| versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api
| package (thus the lego library and the lego cli as well) don't
| enforce HTTPS when talking to CAs as an ACME client. Unlike the
| http-01 challenge which solves an ACME challenge over unencrypted
| HTTP, the ACME protocol requires HTTPS when a client communicates
| with the CA to performs ACME functions. However, the library fails
| to enforce HTTPS both in the original discover URL (configured by
| the library user) and in the subsequent addresses returned by the
| CAs in the directory and order objects. If users input HTTP URLs or
| CAs misconfigure endpoints, protocol operations occur over HTTP
| instead of HTTPS. This compromises privacy by exposing
| request/response details like account and request identifiers to
| network attackers. This was fixed in version 4.25.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54799
    https://www.cve.org/CVERecord?id=CVE-2025-54799
[1] https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4
[2] 
https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96

Regards,
Salvatore

Reply via email to