#1134643 golang-github-xenolf-lego: CVE-2026-40611

#1134643#5
Date: 2026-04-22 15:52:14 UTC
Hi,

The following vulnerability was published for golang-github-xenolf-lego.

CVE-2026-40611[0]:
| Let's Encrypt client and ACME library written in Go (Lego). Prior to
| 4.34.0, the webroot HTTP-01 challenge provider in lego is vulnerable
| to arbitrary file write and deletion via path traversal. A malicious
| ACME server can supply a crafted challenge token containing ../
| sequences, causing lego to write attacker-influenced content to any
| path writable by the lego process. This vulnerability is fixed in
| 4.34.0.

https://github.com/go-acme/lego/security/advisories/GHSA-qqx8-2xmm-jrv8


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40611
https://www.cve.org/CVERecord?id=CVE-2026-40611

Please adjust the affected versions in the BTS as needed.
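The defect described in the CVE text above is the classic path-traversal shape: an ACME server supplies the challenge token, and a webroot provider that joins that token onto its directory without confining the result can be steered outside `.well-known/acme-challenge`. As an added illustration, not code from lego, from the Debian package, or from this bug report, here is a hardened token-to-path function in Go. It accepts only the base64url character set that RFC 8555 specifies for tokens, and then re-checks that the joined path still lies under the challenge directory. The webroot and the sample tokens in `main` are constructed values; lego's actual fix may differ in detail.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// challengeDir is the HTTP-01 path prefix fixed by RFC 8555 section 8.3.
const challengeDir = ".well-known/acme-challenge"

// RFC 8555 tokens are unpadded base64url, so nothing outside this set
// (no "/", "\", "." or whitespace) is a legitimate token.
var tokenPattern = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ErrBadToken is returned for any token that fails validation.
var ErrBadToken = errors.New("acme: challenge token rejected")

// ChallengeFilePath returns the file under webroot where the key
// authorization for token belongs, or ErrBadToken if the token could
// escape the challenge directory. Validation happens before the join,
// so a traversal token never reaches filepath.Join at all.
func ChallengeFilePath(webroot, token string) (string, error) {
	if !tokenPattern.MatchString(token) {
		return "", fmt.Errorf("%w: %q", ErrBadToken, token)
	}

	base := filepath.Join(webroot, filepath.FromSlash(challengeDir))
	full := filepath.Join(base, token)

	// Defence in depth: even after the character check, confirm the
	// cleaned result is a child of base and not base itself.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) ||
		filepath.IsAbs(rel) {
		return "", fmt.Errorf("%w: %q", ErrBadToken, token)
	}
	return full, nil
}

func main() {
	// Constructed sample tokens: one well-formed, the rest malformed.
	samples := []string{
		"evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
		"../../outside.txt",
		"a/b",
		"",
	}
	for _, tok := range samples {
		p, err := ChallengeFilePath("/var/www/html", tok)
		fmt.Printf("%-48q -> %q err=%v\n", tok, p, err)
	}
}
```

The character-set check alone is sufficient to block `../` sequences; the `filepath.Rel` check is kept so that a future relaxation of the token pattern, or a caller that bypasses it, still cannot produce a path outside the challenge directory. Cleanup code that deletes the challenge file after validation should go through the same function rather than rebuilding the path itself.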

#1134643#12
Date: 2026-06-03 23:22:52 UTC
We believe that the bug you reported is fixed in the latest version of
golang-github-xenolf-lego, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1134643@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathias Gibbens <gibmat@debian.org> (supplier of updated golang-github-xenolf-lego package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Wed, 03 Jun 2026 22:23:39 +0000
Source: golang-github-xenolf-lego
Architecture: source
Version: 4.35.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Mathias Gibbens <gibmat@debian.org>
Closes: 1110531 1134643
Changes:
 golang-github-xenolf-lego (4.35.2-1) unstable; urgency=medium
 .
   * Update to latest v4 release:
     - Includes fixes for the following security issues:
       * CVE-2025-54799 (Closes: #1110531)
       * CVE-2026-40611 (Closes: #1134643)
     - Enable the HTTP memcached provider
     - Drop patch applied upstream
     - Regenerate patch to skip tests that attempt network access
   * d/control:
     - Update Standards-Version to 4.7.4, drop Priority field
     - Add myself to Uploaders
     - Update Build-Depends and Depends
   * d/rules:
     - Update DH_GOLANG_INSTALL_EXTRA
     - Update list of skipped DNS providers
     - Add workaround for GO111MODULE=on breaking net/http mux
     - Set proper binary version during build
     - Remove unneeded overrides
   * Update d/not-installed
Checksums-Sha1:
 60a821d7bad158813a1d07c2e1f997e16f191464 3294 golang-github-xenolf-lego_4.35.2-1.dsc
 be17be4ab683f72c0f44ff214220e851932bcc24 1091892 golang-github-xenolf-lego_4.35.2.orig.tar.gz
 79a669bde5cfc786b605829dedf12c332c2f2cc5 9016 golang-github-xenolf-lego_4.35.2-1.debian.tar.xz
 5063b35174544bd4b628600e821133e7dfb85631 17513 golang-github-xenolf-lego_4.35.2-1_amd64.buildinfo
Checksums-Sha256:
 7783555883bf5dfb217516e647b613c9cece469dfaa36e436875069d949cd5fc 3294 golang-github-xenolf-lego_4.35.2-1.dsc
 0afa5397dff24643ab34773518063432ed939788435a16305c92f2090a899c3b 1091892 golang-github-xenolf-lego_4.35.2.orig.tar.gz
 ede46b0860c3d4c00b58a0daac1bc5cf87aa7dcd4f4a8bb89c68432baf5a1b30 9016 golang-github-xenolf-lego_4.35.2-1.debian.tar.xz
 c994c174cf0fed1cff9f8ef9ab37327aff6e25c6305ccffe2e3f55c25adb2635 17513 golang-github-xenolf-lego_4.35.2-1_amd64.buildinfo
Files:
 4aaa191a759965045dd044f0210004e2 3294 golang optional golang-github-xenolf-lego_4.35.2-1.dsc
 a641bc71e0185c88671e2bb5f1878108 1091892 golang optional golang-github-xenolf-lego_4.35.2.orig.tar.gz
 6aa4e5e7ba8ea427c462f441dff413ef 9016 golang optional golang-github-xenolf-lego_4.35.2-1.debian.tar.xz
 1493aeb16bbceccb4984ff6d3eec3eec 17513 golang optional golang-github-xenolf-lego_4.35.2-1_amd64.buildinfo