From nobody Fri Jun 09 18:21:44 2023 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Qd8YP22Glz4c3HP; Fri, 9 Jun 2023 18:21:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Qd8YP1W8qz42kY; Fri, 9 Jun 2023 18:21:45 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1686334905; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Wxp7ipzu8Gm20FK9MlCoGH1jUluZsGLjsXcYkEuwRmE=; b=eW42I1VTPoQGhj9YPqMHESKJoLwQbKD/SppxQXmOIzMpvVbjOwrgF3i3LUrMK7z5HLxWRc f1LZrlkfV8vcWrV8xWlu/4gU2i+I+cipj8tN1I+RfGC1Z5g7Oaz6ukuXX2iYfEl8cdNMDP /k8K/iWwv8nLAGRAnwyOlS1a2QVHpgaqGZLp1Ld6Qx+7E1KraAUmMKQVFQaR578wGCG7NW +A8rzlxBsqlSAJVljQzTCUUQCL2ljPFLZv3tMTD8i7qzaEO9Xv5eIrUf6nnxmvraLKU4pE wYmD12MNZELNuxjjYwIDOCi3OReaIkgj9Oo+G/MTicjLFLCf7jb8LApnMVWlUA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1686334905; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Wxp7ipzu8Gm20FK9MlCoGH1jUluZsGLjsXcYkEuwRmE=; b=dwaKzK2cVXDXe+PBEmtCUnO9IZ6Q+gHpi1eoeVJyB3w16O4xN6jAurEo/XyESAh/CeCod7 16nmvT9/IpohLxVb3Hfw+ltgdzmxsMxxIkydLAzqq4vZzGZU6gu2/7qvlDUupxEaT2XW9E HqxyxpiafPcvo2lHnvjNTxDpLN8zeph5a+GuT9MnyD8CrjuYzaZj5DQ/wQ0Eobi0XiZ8wk S9tgKCA2pkc5/SHoqjtTOdwDY+xW/p8Ct+jlyVvOHLLH/oAJiveZIG99ASAGY4s9Aww3IC 1RyHNkHskHZ/JN1B2n43eE9DpL741fBDvw/F3cguyqIrGmzjBNaUehtsCS7xlg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1686334905; a=rsa-sha256; cv=none; b=j48Z+tPJxY6PoP0hWRWuPIKV/yvhzdyLqe5wjPc6oC5H87krnAKoW8Syd5JFo7jF+bO7ZZ TDOHB50u8YObTIiJ40/ZRGzhakZEYqmTfoQ4UlrdpKDiVucXg9cSNaiY4+0zhnDOj+Lcof isHAH0Z8em7ETQfervlqmMsZOK1XUvRTw0Sg8CqWa3LmA4Y6e/IY7/WMQVm5hMwKhNAF+B bLtLy5nT0ySBxe/2lEcG4mfE3D8Wh7lAZ3UkapkrISbt9p2i/1xknK8Eg7QUYkMvFS4Zev rvsx29l8QFIjYQiwGIzdhjPH+/pZp9vb+8d8u4EoX9bogaFlJl5pEMOsqlkzKA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Qd8YP0RyczlcG; Fri, 9 Jun 2023 18:21:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 359ILikP018761; Fri, 9 Jun 2023 18:21:44 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 359ILi9O018760; Fri, 9 Jun 2023 18:21:44 GMT (envelope-from git) Date: Fri, 9 Jun 2023 18:21:44 GMT Message-Id: <202306091821.359ILi9O018760@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Dan Langille Subject: git: 6430f908f792 - main - security/vuxml: add security/acme.sh vuln List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: dvl X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 6430f908f7922aaa502c255d1cf26cc991102a51 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by dvl: URL: https://cgit.FreeBSD.org/ports/commit/?id=6430f908f7922aaa502c255d1cf26cc991102a51 commit 6430f908f7922aaa502c255d1cf26cc991102a51 Author: Dan Langille AuthorDate: 2023-06-09 18:19:54 +0000 Commit: Dan Langille CommitDate: 2023-06-09 18:21:40 +0000 security/vuxml: add security/acme.sh vuln I didn't find a CVE. https://github.com/acmesh-official/acme.sh/issues/4659 --- security/vuxml/vuln/2023.xml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index bd571e356268..e98e30e6a66a 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,28 @@ + + acme.sh -- closes potential remote vuln + + + acme.sh + 3.0.6 + + + + +

Neil Pang reports:

+
+

HiCA was injecting arbitrary code/commands into the certificate obtaining process and acme.sh is running them on the client machine.

+
+ + + + https://github.com/acmesh-official/acme.sh/issues/4665 + + + 2023-06-08 + 2023-06-09 + + + Python -- multiple vulnerabilities