From 15639f5b1aa607ccb4fec1a41643a3b916e0e44a Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 29 Jun 2017 10:48:35 +0200 Subject: webserver: refuse to follow symlink when serving ACME challenge responses. --- Changelog | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 59d5153..9b13c44 100644 --- a/Changelog +++ b/Changelog @@ -4,7 +4,7 @@ lacme (0.3) upstream; lacme-certs.conf.d"), import the default section of files read earlier. + new-cert: create certificate files atomically. + webserver: allow listening to multiple addresses (useful when - dual-stack IPv4/IPv6 is not supported). Listen to a UNIX-domain + dual IPv4/IPv6 stack is not supported). Listen to a UNIX-domain socket by default . + webserver: don't install temporary iptables by default. Hosts without a public HTTP daemon listening on port 80 need to set the @@ -21,6 +21,11 @@ lacme (0.3) upstream; - new-cert: mark the basicConstraints (CA:FALSE) and keyUsage x509v3 extensions as critical in the CSR, following upstream fix of Boulder's issue #565. + - webserver: refuse to follow symlink when serving ACME challenge + responses. When dropping privileges to a dedicated UID + (recommended) only the ACME client could write to its current + directory anyway, so following symlinks was not a serious + vulnerability. -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 -- cgit v1.2.3 From a528bcffe2480245185a3b8d6e6c51307635a4ea Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 29 Jun 2017 10:52:01 +0200 Subject: lacme(1), lacme-accountd(1): fix version number. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 9b13c44..1fd6762 100644 --- a/Changelog +++ b/Changelog 
@@ -26,6 +26,8 @@ lacme (0.3) upstream; (recommended) only the ACME client could write to its current directory anyway, so following symlinks was not a serious vulnerability. + - lacme(1), lacme-accountd(1): fix version number shown with + --version. -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 -- cgit v1.2.3 From 7c7e01fa8d8623145078cc352c3617ad43ebe326 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 29 Jun 2017 10:52:01 +0200 Subject: Remove potential race when creating ACME challenge response files. --- Changelog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 1fd6762..5252fd2 100644 --- a/Changelog +++ b/Changelog @@ -28,6 +28,8 @@ lacme (0.3) upstream; vulnerability. - lacme(1), lacme-accountd(1): fix version number shown with --version. + - client: remove potential race when creating ACME challenge response + files. -- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100 -- cgit v1.2.3 From 96dc4add445c5a48632bef6f8a4f0440c70f03d0 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 29 Jun 2017 22:23:38 +0200 Subject: Provide apache2 configuration snippet. --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Changelog') diff --git a/Changelog b/Changelog index 5252fd2..0674c4a 100644 --- a/Changelog +++ b/Changelog @@ -12,7 +12,7 @@ lacme (0.3) upstream; 'iptables' option to Yes. + Change 'min-days' default from 10 to 21, to avoid expiration notices from Let's Encrypt when auto-renewal is done by a cronjob. - + Provide nginx configuration snippet. + + Provide nginx and apache2 configuration snippets. - Ensure lacme's config file descriptor is not passed to the accountd or webserver components. - new-cert: sort section names if not passed explicitely. -- cgit v1.2.3
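Review bot: the `-`/`+` pair in hunk `@@ -4,7 +4,7 @@` of commit 15639f5b (subject "webserver: refuse to follow symlink when serving ACME challenge responses") only rewords "dual-stack IPv4/IPv6" to "dual IPv4/IPv6 stack", which has nothing to do with the symlink change the subject announces; either leave that wording tweak out of this commit or mention it in the message. While this paragraph is being touched, the context line `socket by default .` could also lose the stray space before the period.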
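Review bot: the new entry in hunk `@@ -21,6 +21,11 @@` of commit 15639f5b argues the old behaviour "was not a serious vulnerability" only for the recommended setup where the webserver drops privileges to a dedicated UID; it should also spell out the exposure in the non-recommended setup (no privilege drop, challenge directory writable by other local users), because that is the configuration the fix actually protects, and it should state what the webserver now returns when the requested path is a symlink (an error, or simply not found). Minor: "refuse to follow symlink" reads better as "refuse to follow symlinks".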
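Review bot: the entry added in hunk `@@ -26,6 +26,8 @@` of commit a528bcff says only that the version number shown with `--version` is fixed, not what the two tools reported before or which release string they now print; naming the wrong and the corrected value lets an administrator tell from `lacme --version` alone whether the fixed build is installed. The trailer line visible as context (`-- Guilhem Moulin Sun, 19 Feb 2017 13:08:41 +0100`) still carries the February date while entries are being added in June 2017; it needs refreshing when 0.3 is actually released.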
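Review bot: "client: remove potential race when creating ACME challenge response files" in hunk `@@ -28,6 +28,8 @@` of commit 7c7e01fa does not say what the race window was or how it was closed; the same stanza already records "new-cert: create certificate files atomically", so follow that precedent and state whether challenge files are now created exclusively (for example opened with O_EXCL, so a pre-existing file of that name is an error rather than being reused) and under which directory permissions the race could have mattered. The Changelog entry also carries a `client:` prefix that the commit subject lacks; keep the two consistent.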
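Review bot: the context line `- new-cert: sort section names if not passed explicitely.` just below the change in hunk `@@ -12,7 +12,7 @@` of commit 96dc4add misspells "explicitly"; since this commit already edits the stanza, fix it here or in a follow-up. The new wording "Provide nginx and apache2 configuration snippets." could also name where the snippets are installed so administrators know where to find them.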