author Guilhem Moulin <guilhem@fripost.org> 2017-06-29 22:47:24 +0200
committer Guilhem Moulin <guilhem@fripost.org> 2017-06-29 22:47:24 +0200
commit 3a9a58b9556c4ccd07c10429c040e6c98781fd45
tree 7058ff1bfebb25d247111428d194a828e1cac253 /Changelog
parent c8e2cd230a90b58b7e962f658fafb2d1306a579d
parent d93660085ceba3f81631bba4744b23af7984cd9d
Merge branch 'master' into debian
Diffstat (limited to 'Changelog')
-rw-r--r-- Changelog 13
1 files changed, 11 insertions, 2 deletions
diff --git a/Changelog b/Changelog
index 59d5153..0674c4a 100644
--- a/Changelog
+++ b/Changelog
@@ -4,7 +4,7 @@ lacme (0.3) upstream;
lacme-certs.conf.d"), import the default section of files read earlier.
+ new-cert: create certificate files atomically.
+ webserver: allow listening to multiple addresses (useful when
- dual-stack IPv4/IPv6 is not supported). Listen to a UNIX-domain
+ dual IPv4/IPv6 stack is not supported). Listen to a UNIX-domain
socket by default </var/run/lacme.socket>.
+ webserver: don't install temporary iptables by default. Hosts
without a public HTTP daemon listening on port 80 need to set the
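Review bot: the default change "Listen to a UNIX-domain socket by default </var/run/lacme.socket>" is tucked into the same bullet as the multiple-address feature that this hunk rewords, so an admin skimming for behaviour changes can miss it. Consider giving the new default its own "+" bullet and stating that a front-end HTTP daemon has to proxy challenge requests to that socket, which the following iptables entry only implies.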
@@ -12,7 +12,7 @@ lacme (0.3) upstream;
'iptables' option to Yes.
+ Change 'min-days' default from 10 to 21, to avoid expiration notices
from Let's Encrypt when auto-renewal is done by a cronjob.
- + Provide nginx configuration snippet.
+ + Provide nginx and apache2 configuration snippets.
- Ensure lacme's config file descriptor is not passed to the accountd
or webserver components.
- new-cert: sort section names if not passed explicitely.
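Review bot: the added line "Provide nginx and apache2 configuration snippets." does not say where the snippets are shipped, so a reader cannot locate them from the changelog alone; name the files or directory. While this block is being edited, the neighbouring context line "sort section names if not passed explicitely" misspells "explicitly" and could be fixed in the same change.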
@@ -21,6 +21,15 @@ lacme (0.3) upstream;
- new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3
extensions as critical in the CSR, following upstream fix of
Boulder's issue #565.
+ - webserver: refuse to follow symlink when serving ACME challenge
+ responses. When dropping privileges to a dedicated UID
+ (recommended) only the ACME client could write to its current
+ directory anyway, so following symlinks was not a serious
+ vulnerability.
+ - lacme(1), lacme-accountd(1): fix version number shown with
+ --version.
+ - client: remove potential race when creating ACME challenge response
+ files.
-- Guilhem Moulin <guilhem@guilhem.org> Sun, 19 Feb 2017 13:08:41 +0100
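Review bot: the symlink entry rates severity only for the privilege-dropping case ("so following symlinks was not a serious vulnerability") and is silent on installs that do not drop privileges to a dedicated UID, which is the configuration where the fix matters most. Add a clause saying what the webserver could have served through a symlink in that setup so admins can judge upgrade urgency, and use the plural "symlinks" in "refuse to follow symlink". The "client: remove potential race when creating ACME challenge response files" entry likewise names neither what raced nor how the fix closes it; one clause would do. The section trailer still reads "Sun, 19 Feb 2017" although entries are being added under it, so check whether the date should be refreshed before release.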