opendev/system-config
Code Issues Proposed changes

Patch acme.sh/4659 for arbitrary command execution

Browse Source 
Temporarily cherry-pick the commits which fix "acme.sh runs
arbitrary commands from a remote server"
https://github.com/acmesh-official/acme.sh/issues/4659 as trivial
backports on top of their 3.0.5 release until such time as we can
upgrade. This addresses a remote code execution vulnerability (no
CVE assigned yet) which could be exploited by the ACME protocol
operator, in our case the admins of the Let's Encrypt certificate
authority.

Change-Id: Ib052901a7aa08a9fdbd01d623f4b5d3eee938401
This commit is contained in:
Jeremy Stanley 2023-06-11 18:56:54 +00:00
parent 55c6650179
commit 8500dcf394
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
View File

@ -2,12 +2,20 @@
git: git:
repo: https://github.com/acmesh-official/acme.sh repo: https://github.com/acmesh-official/acme.sh
dest: /opt/acme.sh dest: /opt/acme.sh
# Pinned due to https://github.com/acmesh-official/acme.sh/issues/4416
version: 3.0.5 version: 3.0.5
register: clone_acmesh_result register: clone_acmesh_result
until: clone_acmesh_result is not failed until: clone_acmesh_result is not failed
retries: 3 retries: 3
delay: 2 delay: 2
# Temporary https://github.com/acmesh-official/acme.sh/issues/4659 fix
# until we can upgrade to 3.0.6 or later
- name: Patch for issue 4659
shell: |
git -C /opt/acme.sh cherry-pick 4c30250
git -C /opt/acme.sh cherry-pick 327e2fb
- name: Install letsencrypt group - name: Install letsencrypt group
group: group:
name: letsencrypt name: letsencrypt