From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-security
Date: Fri, 9 Jun 2023 21:41:49 +0200
Subject: acme.sh remote code execution vulnerability
Message-ID: <5291cba9-bc27-a577-1eda-83ff0486f098@quip.cz>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

As far as I know, FreeBSD uses acme.sh for Let's Encrypt certificates. It was discovered yesterday that there is a remote code execution vulnerability, mainly used by HiCA.

https://github.com/acmesh-official/acme.sh/issues/4659

It is recommended to upgrade acme.sh (fixed today) and mark acme.sh as vulnerable in the VuXML database.

Kind regards
Miroslav Lachman