Date: Thu, 13 Jul 2023 12:26:38 -0400 From: Jan Schaumann <jschauma@...meister.org> To: oss-security@...ts.openwall.com Subject: Re: RCE in acme.sh < 3.0.6 Just closing the loop here: this has now been assigned CVE-2023-38198: https://www.cve.org/CVERecord?id=CVE-2023-38198 Jan Schaumann <jschauma@...meister.org> wrote: > Hi, > > I don't think this has been raised here: > > The acme.sh ACME client prior to version 3.0.6 has > an RCE vulnerability allowing a hostile server to > execute arbitrary commands on the client. > > I was unable to determine whether a CVE has been > requested for this issue; both the original discussion > and a second GitHub issue have been inconclusively > closed for comments (I've reached out to the author). > > The issue is also being discussed on Mozilla's > dev-security-policy. > > -Jan > >  https://github.com/acmesh-official/acme.sh >  https://github.com/acmesh-official/acme.sh/releases >  https://github.com/acmesh-official/acme.sh/issues/4659 >  https://github.com/acmesh-official/acme.sh/issues/4665 >  https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/heXVr8o83Ys
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.