mirror of
https://github.com/certbot/certbot.git
synced 2026-01-26 07:41:33 +03:00
78cf8ec4de
With current code, the certbot-auto self-upgrade process can make it actually to downgrade itself, because the comparison done is an equality test between local certbot-auto version and the remote one. This is a flaw for attackers, that could make certbot-auto break itself by falsely advertising it about an old version as the latest one available. A function is added to make a more advanced comparison between version. Certbot-auto will upgrade itself only if the local version is strictly inferior to the latest one available. For instance, a version 0.28.0 will not upgrade itself if the latest one available on internet is 0.27.1. Similarly, non-official versions like 0.28.0.dev0 will never trigger a self-upgrade, to help development workflows. This implementation relies only on the Python distribution installed by certbot-auto (supporting 2.7+) and basic shell operations, to be compatible with any UNIX-based system. * Check version with protection again downgrade * Create a stable version of letsencrypt-auto to use correctly self-upgrade functionality * Update letsencrypt-auto-source/letsencrypt-auto.template