Merge branch 'master' into debian

1 files changed, 11 insertions, 2 deletions

diff --git a/Changelog b/Changelog
index 59d5153..0674c4a 100644
--- a/Changelog
+++ b/Changelog
@@ -4,7 +4,7 @@ lacme (0.3) upstream;
     lacme-certs.conf.d"), import the default section of files read earlier.
   + new-cert: create certificate files atomically.
   + webserver: allow listening to multiple addresses (useful when
-    dual-stack IPv4/IPv6 is not supported).  Listen to a UNIX-domain
+    dual IPv4/IPv6 stack is not supported).  Listen to a UNIX-domain
     socket by default </var/run/lacme.socket>.
   + webserver: don't install temporary iptables by default.  Hosts
     without a public HTTP daemon listening on port 80 need to set the
@@ -12,7 +12,7 @@ lacme (0.3) upstream;
     'iptables' option to Yes.
   + Change 'min-days' default from 10 to 21, to avoid expiration notices
     from Let's Encrypt when auto-renewal is done by a cronjob.
-  + Provide nginx configuration snippet.
+  + Provide nginx and apache2 configuration snippets.
   - Ensure lacme's config file descriptor is not passed to the accountd
     or webserver components.
   - new-cert: sort section names if not passed explicitely.
@@ -21,6 +21,15 @@ lacme (0.3) upstream;
   - new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3
     extensions as critical in the CSR, following upstream fix of
     Boulder's issue #565.
+  - webserver: refuse to follow symlink when serving ACME challenge
+    responses.  When dropping privileges to a dedicated UID
+    (recommended) only the ACME client could write to its current
+    directory anyway, so following symlinks was not a serious
+    vulnerability.
+  - lacme(1), lacme-accountd(1): fix version number shown with
+    --version.
+  - client: remove potential race when creating ACME challenge response
+    files.
 
  -- Guilhem Moulin <guilhem@guilhem.org>  Sun, 19 Feb 2017 13:08:41 +0100