Your message dated Wed, 03 Jun 2026 23:22:52 +0000
with message-id <[email protected]>
and subject line Bug#1134643: fixed in golang-github-xenolf-lego 4.35.2-1
has caused the Debian Bug report #1134643,
regarding golang-github-xenolf-lego: CVE-2026-40611
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1134643: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134643
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-xenolf-lego
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-github-xenolf-lego.

CVE-2026-40611[0]:
| Let's Encrypt client and ACME library written in Go (Lego). Prior to
| 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable
| to arbitrary file write and deletion via path traversal. A malicious
| ACME server can supply a crafted challenge token containing ../
| sequences, causing lego to write attacker-influenced content to any
| path writable by the lego process. This vulnerability is fixed in
| 4.34.0.

https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40611
    https://www.cve.org/CVERecord?id=CVE-2026-40611

Please adjust the affected versions in the BTS as needed.

--- End Message ---
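The flaw class described in the CVE text above, shown as an added example; this is not lego's code and not the upstream fix. The function names, the error value, and the sample webroot and tokens are constructed for illustration. A token joined into the webroot unchecked is compared with a version that enforces the RFC 8555 token alphabet and confirms the result stays inside the challenge directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// challengeDir is where HTTP-01 responses are served from (RFC 8555, section 8.3).
const challengeDir = ".well-known/acme-challenge"

// tokenRE accepts only the base64url alphabet that RFC 8555 permits in a token.
var tokenRE = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ErrBadToken is a hypothetical error value used by this example.
var ErrBadToken = errors.New("challenge token rejected")

// naiveChallengePath joins the server-supplied token with no validation,
// so "../" segments in the token are resolved by filepath.Join.
func naiveChallengePath(webroot, token string) string {
	return filepath.Join(webroot, challengeDir, token)
}

// safeChallengePath rejects tokens outside the allowed alphabet, then checks
// containment as a second, independent guard in case the allow-list is loosened.
func safeChallengePath(webroot, token string) (string, error) {
	if !tokenRE.MatchString(token) {
		return "", fmt.Errorf("%w: %q", ErrBadToken, token)
	}
	base := filepath.Join(webroot, challengeDir)
	full := filepath.Join(base, token)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: resolves outside %s", ErrBadToken, base)
	}
	return full, nil
}

func main() {
	webroot := "/var/www/html" // constructed sample webroot
	tokens := []string{"evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", "../../../outside.txt"}
	for _, tok := range tokens { // constructed sample tokens
		p, err := safeChallengePath(webroot, tok)
		fmt.Printf("naive=%s\n  safe=%q err=%v\n", naiveChallengePath(webroot, tok), p, err)
	}
}
```
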
--- Begin Message ---
Source: golang-github-xenolf-lego
Source-Version: 4.35.2-1
Done: Mathias Gibbens <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-xenolf-lego, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathias Gibbens <[email protected]> (supplier of updated 
golang-github-xenolf-lego package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 03 Jun 2026 22:23:39 +0000
Source: golang-github-xenolf-lego
Architecture: source
Version: 4.35.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Mathias Gibbens <[email protected]>
Closes: 1110531 1134643
Changes:
 golang-github-xenolf-lego (4.35.2-1) unstable; urgency=medium
 .
   * Update to latest v4 release:
     - Includes fixes for the following security issues:
       * CVE-2025-54799 (Closes: #1110531)
       * CVE-2026-40611 (Closes: #1134643)
     - Enable the HTTP memcached provider
     - Drop patch applied upstream
     - Regenerate patch to skip tests that attempt network access
   * d/control:
     - Update Standards-Version to 4.7.4, drop Priority field
     - Add myself to Uploaders
     - Update Build-Depends and Depends
   * d/rules:
     - Update DH_GOLANG_INSTALL_EXTRA
     - Update list of skipped DNS providers
     - Add workaround for GO111MODULE=on breaking net/http mux
     - Set proper binary version during build
     - Remove unneeded overrides
   * Update d/not-installed

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
