Your message dated Wed, 03 Jun 2026 23:22:52 +0000
with message-id <[email protected]>
and subject line Bug#1110531: fixed in golang-github-xenolf-lego 4.35.2-1
has caused the Debian Bug report #1110531,
regarding golang-github-xenolf-lego: CVE-2025-54799
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1110531: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110531
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-xenolf-lego
Version: 4.9.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 4.9.1-1

Hi,

The following vulnerability was published for golang-github-xenolf-lego.

CVE-2025-54799[0]:
| Let's Encrypt client and ACME library written in Go (Lego). In
| versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api
| package (thus the lego library and the lego cli as well) don't
| enforce HTTPS when talking to CAs as an ACME client. Unlike the
| http-01 challenge which solves an ACME challenge over unencrypted
| HTTP, the ACME protocol requires HTTPS when a client communicates
| with the CA to perform ACME functions. However, the library fails
| to enforce HTTPS both in the original discover URL (configured by
| the library user) and in the subsequent addresses returned by the
| CAs in the directory and order objects. If users input HTTP URLs or
| CAs misconfigure endpoints, protocol operations occur over HTTP
| instead of HTTPS. This compromises privacy by exposing
| request/response details like account and request identifiers to
| network attackers. This was fixed in version 4.25.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54799
    https://www.cve.org/CVERecord?id=CVE-2025-54799
[1] https://github.com/go-acme/lego/security/advisories/GHSA-q82r-2j7m-9rv4
[2] https://github.com/go-acme/lego/commit/238454b5f74f3cfcbb244ff0d0dc914a4ad44b96

Regards,
Salvatore

--- End Message ---
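
The check the CVE description says was missing, sketched as an added example (this is not lego's code or its upstream fix): it rejects a non-HTTPS discovery URL and flags URL fields in ACME directory and order objects that are not HTTPS. The helper names and the sample JSON are constructed for illustration; the field names are those of RFC 8555.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// URL-bearing fields of the RFC 8555 directory and order objects.
var directoryFields = []string{"newNonce", "newAccount", "newOrder", "newAuthz", "revokeCert", "keyChange"}
var orderFields = []string{"authorizations", "finalize", "certificate"}

// requireHTTPS rejects any URL whose scheme is not https (hypothetical helper).
func requireHTTPS(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("ACME URL is not HTTPS: %q", raw)
	}
	return nil
}

// insecureFields returns the listed fields of a JSON object whose value
// (a string or an array of strings) includes an entry that fails requireHTTPS.
func insecureFields(body []byte, fields []string) ([]string, error) {
	var obj map[string]interface{}
	if err := json.Unmarshal(body, &obj); err != nil {
		return nil, err
	}
	var bad []string
	for _, f := range fields {
		vals, _ := obj[f].([]interface{})
		if s, ok := obj[f].(string); ok {
			vals = []interface{}{s}
		}
		for _, v := range vals {
			if s, ok := v.(string); !ok || requireHTTPS(s) != nil {
				bad = append(bad, f)
				break
			}
		}
	}
	return bad, nil
}

func main() {
	// Constructed directory response: one endpoint downgraded to http.
	dir := []byte(`{"newNonce":"https://ca.example/nonce","newAccount":"http://ca.example/acct"}`)
	fmt.Println(insecureFields(dir, directoryFields))
}
```

A client would run `requireHTTPS` on the configured discovery URL first, then `insecureFields` on every directory and order response before following any URL from it.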
--- Begin Message ---
Source: golang-github-xenolf-lego
Source-Version: 4.35.2-1
Done: Mathias Gibbens <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-xenolf-lego, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathias Gibbens <[email protected]> (supplier of updated 
golang-github-xenolf-lego package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 03 Jun 2026 22:23:39 +0000
Source: golang-github-xenolf-lego
Architecture: source
Version: 4.35.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Mathias Gibbens <[email protected]>
Closes: 1110531 1134643
Changes:
 golang-github-xenolf-lego (4.35.2-1) unstable; urgency=medium
 .
   * Update to latest v4 release:
     - Includes fixes for the following security issues:
       * CVE-2025-54799 (Closes: #1110531)
       * CVE-2026-40611 (Closes: #1134643)
     - Enable the HTTP memcached provider
     - Drop patch applied upstream
     - Regenerate patch to skip tests that attempt network access
   * d/control:
     - Update Standards-Version to 4.7.4, drop Priority field
     - Add myself to Uploaders
     - Update Build-Depends and Depends
   * d/rules:
     - Update DH_GOLANG_INSTALL_EXTRA
     - Update list of skipped DNS providers
     - Add workaround for GO111MODULE=on breaking net/http mux
     - Set proper binary version during build
     - Remove unneeded overrides
   * Update d/not-installed


--- End Message ---
