Source: golang-github-xenolf-lego Version: 4.9.1-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: found -1 4.9.1-1
Hi, The following vulnerability was published for golang-github-xenolf-lego. CVE-2025-54799[0]: | Let's Encrypt client and ACME library written in Go (Lego). In | versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api | package (thus the lego library and the lego cli as well) don't | enforce HTTPS when talking to CAs as an ACME client. Unlike the | http-01 challenge which solves an ACME challenge over unencrypted | HTTP, the ACME protocol requires HTTPS when a client communicates | with the CA to performs ACME functions. However, the library fails | to enforce HTTPS both in the original discover URL (configured by | the library user) and in the subsequent addresses returned by the | CAs in the directory and order objects. If users input HTTP URLs or | CAs misconfigure endpoints, protocol operations occur over HTTP | instead of HTTPS. This compromises privacy by exposing | request/response details like account and request identifiers to | network attackers. This was fixed in version 4.25.2. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-54799 https://www.cve.org/CVERecord?id=CVE-2025-54799 [1] https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4 [2] https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96 Regards, Salvatore

