[SECURITY] [DSA 5853-1] pam-u2f security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5853-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 29, 2025                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : pam-u2f
CVE ID : CVE-2025-23013

Matthias Gerstner reported that pam-u2f, a PAM module that allows the
use of U2F (Universal 2nd Factor) devices in the PAM authentication
stack, does not properly handle PAM_IGNORE return values, making it
possible to bypass the second factor or password-less login without
inserting the proper device.

For the stable distribution (bookworm), this problem has been fixed in
version 1.1.0-1.1+deb12u1.

We recommend that you upgrade your pam-u2f packages.

For the detailed security status of pam-u2f please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/pam-u2f

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
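
To see which PAM stacks on a host reference the module, and so depend on the fixed package, the following added example (not part of the advisory and not Debian's or the pam-u2f project's code) parses /etc/pam.d-style files for pam_u2f.so rules. The function names, the sample stacks, and the module path and options shown in them are constructed for illustration.

```python
import re
from pathlib import Path

# One PAM rule: type, control (keyword or [value=action ...]), module, arguments.
PAM_RULE = re.compile(
    r"^(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)

def find_pam_u2f(service, text):
    """Return every pam_u2f.so rule found in one /etc/pam.d-style file."""
    hits = []
    text = re.sub(r"\\\n", " ", text)            # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        m = PAM_RULE.match(line)
        if m and Path(m["module"]).name == "pam_u2f.so":
            hits.append({
                "service": service,
                "type": m["type"].lstrip("-"),   # leading '-' only silences logging
                "control": m["control"],
                "args": m["args"].split(),
            })
    return hits

def scan(pam_dir="/etc/pam.d"):
    """Collect pam_u2f.so rules from every regular file in pam_dir."""
    hits = []
    for path in sorted(Path(pam_dir).iterdir()):
        if path.is_file():
            hits += find_pam_u2f(path.name, path.read_text(errors="replace"))
    return hits

# Constructed sample stacks for illustration (not taken from the advisory).
SAMPLE_SUDO = """\
auth  sufficient  pam_u2f.so cue
@include common-auth
"""
SAMPLE_LOGIN = """\
auth  [success=1 default=ignore]  pam_unix.so nullok
auth  required  /lib/security/pam_u2f.so \\
      authfile=/etc/u2f_mappings
# auth required pam_u2f.so
"""

if __name__ == "__main__":
    for hit in scan():
        print(f"{hit['service']}: {hit['type']} {hit['control']} {' '.join(hit['args'])}")
```

Rules pulled in through `@include` are reported under the file that contains them, so shared files such as the included one appear as their own entry.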