Affected appcd versions: 1.6.0, 1.6.1, 1.6.2
This vulnerability related to the new Let's Encrypt implementation. Due to a race condition, a carefully crafted symlink, written at exactly the right moment, could cause the acme challenge file to be written outside of the user's home directory.
The vulnerability was patched in appcd 1.7.0.
This vulnerability was reported by an external security researcher and there are no reports of this having been actively exploited.