drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mangelnde Rechteprüfung in Yubico pam-u2f
| Name: |
Mangelnde Rechteprüfung in Yubico pam-u2f |
|
| ID: |
202501-04 |
|
| Distribution: |
Gentoo |
|
| Plattformen: |
Keine Angabe |
|
| Datum: |
Fr, 24. Januar 2025, 06:46 |
|
| Referenzen: |
https://www.yubico.com/support/security-advisories/YSA-2025-01
https://nvd.nist.gov/vuln/detail/CVE-2025-23013 |
|
| Applikationen: |
pam-u2f |
|
Originalnachricht |
--===============1003924502000177710==
Content-Type: text/plain; charset="utf-8"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202501-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Yubico pam-u2f: Partial Authentication Bypass
Date: January 23, 2025
Bugs: #948201
ID: 202501-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A vulnerability has been discovered in Yubico pam-u2f, which can lead to
a partial authentication bypass.
Background
==========
Yubico pam-u2f is a PAM module for FIDO2 and U2F keys.
Affected packages
=================
Package Vulnerable Unaffected
---------------- ------------ ------------
sys-auth/pam_u2f < 1.3.2 >= 1.3.2
Description
===========
Multiple vulnerabilities have been discovered in Yubico pam-u2f. Please
review the CVE identifiers referenced below for details.
Impact
======
Depending on specific settings and usage scenarios the result of the
pam-u2f module may be altered or ignored.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Yubico pam-u2f users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-auth/pam_u2f-1.3.2"
References
==========
[ 1 ] CVE-2025-23013
https://nvd.nist.gov/vuln/detail/CVE-2025-23013
[ 2 ] YSA-2025-01
https://www.yubico.com/support/security-advisories/YSA-2025-01
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202501-04
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2025 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5
--===============1003924502000177710==
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmeR3oQACgkQFMQkOaVy
+9mOCw//RFG38J7z9xTNSv449Bej4UKF9+4njUchNr2YAc2Ti/MZhd8AKY4PS/Km
cC4snTqxpDh0s6z5KCQ7T0K+DeZRpTWFGJb+9WS4f2EwIzBREE/mNp5gGl7Y8OCu
s5aDTjpF5qkl8hBywAiWkxYh3Kxp16jRi57T146sSzG+KtjqLG2iZocpGwhvpjxr
s9Fl/zS2scPOCvMiha916XgeIPDZQTx9tD3gfcHIpDaVX+cRbOZJy/8xl9smFOeG
WQW8PIxsT8osub8KB5VEc2Lv0x3Daz+oT1NUFhqEQf0aV3bvcPrLeJ6Ny7bXtRL9
FDwnidKrdBe0Pcw5JwhpasN3aHOnqlRNRs5uiDNmN7wYRtu5D0IEmHrdSjrYQNv/
jsWXSeiFkLvgSj2gH0MaBbOnCvU0sEdR3HBey3su/AYV73NIYxslOl+85azAlp98
6gvDSoU++tC6+yY1ywxWA6nrva877qnetpI0shwmklN63bjRGAC1nnWroaA/E+mK
6Io+jSXsS76TTFivzPMl9c/t1I9BlnLJdz6dDyb5xc9J/RQC/RAVIqpgwSUl7/TI
3UrFV17SmeKpYS2PlKBZCcF3hf6k0X4DNdF5VWkNO5+Fq2QPg2yLdhKeaXsGJyB4
R8NOziLvWPVG5NlWbTx+q6ktbIKL6ARJxGVq+js6eARLJDxoh50=
=oaYl
-----END PGP SIGNATURE-----
--===============1003924502000177710==--
|
|
|
|
