commit: eaf65747638e7864fc50d9149cde5271893a7365
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Jun 9 11:49:12 2023 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Jun 9 11:49:15 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eaf65747
profiles: mask app-crypt/acme-sh Bug: https://github.com/acmesh-official/acme.sh/issues/4659 Bug: https://bugs.gentoo.org/908104 Signed-off-by: Sam James <sam <AT> gentoo.org> profiles/package.mask | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/profiles/package.mask b/profiles/package.mask index 8758bc0fa8d5..e1b9afaee296 100644 --- a/profiles/package.mask +++ b/profiles/package.mask @@ -33,6 +33,13 @@ #--- END OF EXAMPLES --- +# Sam James <s...@gentoo.org> (2023-06-09) +# Severe security vulnerability: executes arbitrary code returned in responses +# from the server. Appears a CA is abusing that acme-sh uses eval. +# Please see https://github.com/acmesh-official/acme.sh/issues/4659 and +# https://bugs.gentoo.org/908104. +app-crypt/acme-sh + # Georgy Yakovlev <gyakov...@gentoo.org> (2023-06-08) # May be broken on some arches due to weird LLVM interaction. # Masked for now.
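Review bot: the added mask atom `app-crypt/acme-sh` is unversioned, so it masks every version, but the comment above it does not say whether all versions are affected or what condition would lift the mask. Consider adding a line that states the affected range, or that it is not yet known, and what users who already have the package installed should do, so the mask message is actionable without reading both linked bugs. The sentence "Appears a CA is abusing that acme-sh uses eval" is also hard to parse; something like "A CA appears to be exploiting acme-sh's use of eval" says the same thing more clearly.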