git: 6430f908f792 - main - security/vuxml: add security/acme.sh vuln
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 09 Jun 2023 18:21:44 UTC
The branch main has been updated by dvl:
URL: https://cgit.FreeBSD.org/ports/commit/?id=6430f908f7922aaa502c255d1cf26cc991102a51
commit 6430f908f7922aaa502c255d1cf26cc991102a51
Author: Dan Langille <dvl@FreeBSD.org>
AuthorDate: 2023-06-09 18:19:54 +0000
Commit: Dan Langille <dvl@FreeBSD.org>
CommitDate: 2023-06-09 18:21:40 +0000
security/vuxml: add security/acme.sh vuln
I didn't find a CVE.
https://github.com/acmesh-official/acme.sh/issues/4659
---
security/vuxml/vuln/2023.xml | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index bd571e356268..e98e30e6a66a 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,28 @@
+ <vuln vid="fdca9418-06f0-11ee-abe2-ecf4bbefc954">
+ <topic>acme.sh -- closes potential remote vuln</topic>
+ <affects>
+ <package>
+ <name>acme.sh</name>
+ <range><lt>3.0.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Neil Pang reports:</p>
+ <blockquote cite="https://github.com/acmesh-official/acme.sh/issues/4659">
+ <p>HiCA was injecting arbitrary code/commands into the certificate obtaining process and acme.sh is running them on the client machine.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/acmesh-official/acme.sh/issues/4665</url>
+ </references>
+ <dates>
+ <discovery>2023-06-08</discovery>
+ <entry>2023-06-09</entry>
+ </dates>
+ </vuln>
+
<vuln vid="d86becfe-05a4-11ee-9d4a-080027eda32c">
<topic>Python -- multiple vulnerabilities</topic>
<affects>