[Git][security-tracker-team/security-tracker][master] CVE-2025-54799/golang-github-xenolf-lego [bullseye]

Bastien Roucariès (@rouca) rouca at debian.org
Thu Aug 7 23:46:41 BST 2025



Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker


Commits:
22e1adee by Bastien Roucariès at 2025-08-08T00:45:10+02:00
CVE-2025-54799/golang-github-xenolf-lego [bullseye]

According to the description:
However, the library fails to enforce HTTPS both in the original discover
URL (configured by the library user) and in the subsequent addresses
returned by the CAs in the directory and order objects.

If the library user accidentally inputs an HTTP URL, or the
CA similarly misconfigures its endpoints, this will cause the
relevant parts of the protocol to be performed over HTTP.

This can result, at the very least, in a loss of privacy of the
request/response details, such as account and request identifiers
(which could be intercepted by an attacker in a privileged network position).

Therefore:
- ignored because HTTPS MUST be enforced on the CA endpoint

- - - - -
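The description quoted in the commit message names two places where a client must insist on TLS: the operator-supplied discovery URL and every endpoint URL the CA hands back in the directory (and later order) objects. The following Go snippet is an added illustration of that check, written for this page and not taken from lego or the fix commit; the `acmeDirectory` type is a constructed subset of the RFC 8555 directory object and the `ca.example` URLs are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// acmeDirectory holds the endpoint fields of an ACME directory object
// (RFC 8555 section 7.1.1). Constructed subset, not lego's own type.
type acmeDirectory struct {
	NewNonce   string `json:"newNonce"`
	NewAccount string `json:"newAccount"`
	NewOrder   string `json:"newOrder"`
}

// requireHTTPS rejects any endpoint whose scheme is not exactly "https".
func requireHTTPS(name, raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%s: invalid URL %q: %w", name, raw, err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("%s: refusing non-HTTPS endpoint %q", name, raw)
	}
	return nil
}

// checkDirectory validates the configured discovery URL and every
// endpoint the CA returned in the directory object before any is used.
// The same check applies to URLs carried in order objects.
func checkDirectory(discoveryURL string, body []byte) error {
	if err := requireHTTPS("directory", discoveryURL); err != nil {
		return err
	}
	var d acmeDirectory
	if err := json.Unmarshal(body, &d); err != nil {
		return fmt.Errorf("directory: bad JSON: %w", err)
	}
	for _, ep := range []struct{ name, u string }{
		{"newNonce", d.NewNonce}, {"newAccount", d.NewAccount}, {"newOrder", d.NewOrder},
	} {
		if err := requireHTTPS(ep.name, ep.u); err != nil {
			return err
		}
	}
	return nil
}

func main() { fmt.Println(checkDirectory("http://ca.example/directory", nil)) }
```

An empty or missing endpoint field is also refused, since its scheme is not `https`; a client should fail closed rather than fall back to a guessed URL.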


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -148,8 +148,10 @@ CVE-2025-54882 (Himmelblau is an interoperability suite for Microsoft Azure Entr
 	NOT-FOR-US: Himmelblau
 CVE-2025-54799 (Let's Encrypt client and ACME library written in Go (Lego). In version ...)
 	- golang-github-xenolf-lego <unfixed> (bug #1110531)
+	[bullseye] - golang-github-xenolf-lego <ignored> (minor; need both client and server misconfigured unlikely)
 	NOTE: https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4
 	NOTE: Fixed by: https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96 (v4.25.2)
+	NOTE: Workarround: CA endpoint should enforce HTTPS instead of HTTP.
 CVE-2025-54798 (tmp is a temporary file and directory creator for node.js. In versions ...)
 	- node-tmp <unfixed> (bug #1110532)
 	NOTE: https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6
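Review bot: the [bullseye] rationale "need both client and server misconfigured" does not match the description quoted in the commit message, which says the exchange falls back to plain HTTP if the library user inputs an HTTP URL *or* the CA misconfigures its endpoints; suggest rewording the tag comment so it does not claim both are required, e.g. `[bullseye] - golang-github-xenolf-lego <ignored> (minor; requires an HTTP directory URL or HTTP endpoints returned by the CA)`. The added NOTE line also misspells "Workaround" as "Workarround", and since the upstream fix is client-side enforcement, the workaround should mention that the library user must configure an HTTPS directory URL as well as the CA serving HTTPS endpoints.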



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22e1adeef8b28c08d021dc95d8ff9e49e45d2a8f
