1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202501-04 ] Yubico pam-u2f: Partial Authentica

    From [email protected]@21:1/5 to All on Thu Jan 23 07:20:01 2025
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202501-04
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: Yubico pam-u2f: Partial Authentication Bypass
    Date: January 23, 2025
    Bugs: #948201
    ID: 202501-04

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in Yubico pam-u2f, which can lead to
    a partial authentication bypass.

    Background
    ==========

    Yubico pam-u2f is a PAM module for FIDO2 and U2F keys.

    Affected packages
    =================

    Package Vulnerable Unaffected
    ---------------- ------------ ------------
    sys-auth/pam_u2f < 1.3.2 >= 1.3.2

    Description
    ===========

    Multiple vulnerabilities have been discovered in Yubico pam-u2f. Please
    review the CVE identifiers referenced below for details.

    Impact
    ======

    Depending on specific settings and usage scenarios the result of the
    pam-u2f module may be altered or ignored.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Yubico pam-u2f users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-auth/pam_u2f-1.3.2"

    References
    ==========

    [ 1 ] CVE-2025-23013
    https://nvd.nist.gov/vuln/detail/CVE-2025-23013
    [ 2 ] YSA-2025-01
    https://www.yubico.com/support/security-advisories/YSA-2025-01

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202501-04

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to [email protected] or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2025 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmeR3oQACgkQFMQkOaVy +9mOCw//RFG38J7z9xTNSv449Bej4UKF9+4njUchNr2YAc2Ti/MZhd8AKY4PS/Km cC4snTqxpDh0s6z5KCQ7T0K+DeZRpTWFGJb+9WS4f2EwIzBREE/mNp5gGl7Y8OCu s5aDTjpF5qkl8hBywAiWkxYh3Kxp16jRi57T146sSzG+KtjqLG2iZocpGwhvpjxr s9Fl/zS2scPOCvMiha916XgeIPDZQTx9tD3gfcHIpDaVX+cRbOZJy/8xl9smFOeG WQW8PIxsT8osub8KB5VEc2Lv0x3Daz+oT1NUFhqEQf0aV3bvcPrLeJ6Ny7bXtRL9 FDwnidKrdBe0Pcw5JwhpasN3aHOnqlRNRs5uiDNmN7wYRtu5D0IEmHrdSjrYQNv/ jsWXSeiFkLvgSj2gH0MaBbOnCvU0sEdR3HBey3su/AYV73NIYxslOl+85azAlp98 6gvDSoU++tC6+yY1ywxWA6nrva877qnetpI0shwmklN63bjRGAC1nnWroaA/E+mK 6Io+jSXsS76TTFivzPMl9c/t1I9BlnLJdz6dDyb5xc9J/RQC/RAVIqpgwSUl7/TI 3UrFV17SmeKpYS2PlKBZCcF3hf6k0X4DNdF5VWkNO5+Fq2QPg2yLdhKeaXsGJyB4 R8NOziLvWPVG5NlWbTx+q6ktbIKL6ARJxGVq+js6eARLJDxoh50=
    =oaYl
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)