Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package oath-toolkit for openSUSE:Factory checked in at 2026-02-05 17:56:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/oath-toolkit (Old) and /work/SRC/openSUSE:Factory/.oath-toolkit.new.1670 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "oath-toolkit" Thu Feb 5 17:56:59 2026 rev:16 rq:1331047 version:2.6.14 Changes: -------- --- /work/SRC/openSUSE:Factory/oath-toolkit/oath-toolkit.changes 2024-10-18 15:51:50.401667827 +0200 +++ /work/SRC/openSUSE:Factory/.oath-toolkit.new.1670/oath-toolkit.changes 2026-02-05 17:57:50.385162554 +0100 
@@ -1,0 +2,66 @@ +Tue Feb 3 08:23:19 UTC 2026 - Martin Hauke <[email protected]> + +- Update to version 2.6.14 + * pam_oath: Support null_usersfile_okay parameter. The argument + no_usersfile_okay forces the module to act as if the user is + not present in the config, if the config file does not exist. + This has security implications only use if you know what you + are doing. E.g. if the file is in a mount like home and that + fails to be mounted, then this will succeed even if the OTP if + configured for that user. Patch by Luna, Jan Zerebecki, and + Miika Alikirri; see + https://codeberg.org/oath-toolkit/oath-toolkit/pulls/94. + * pam_oath README: Suggest KbdInteractiveAuthentication. Instead + of deprecated ChallengeResponseAuthentication. + see https://codeberg.org/oath-toolkit/oath-toolkit/pulls/112. + * Various build fixes including updated gnulib files. Fixes + building with glibc 2.43. +- Update to version 2.6.13 + * liboath/libpskc: Fix _FORTIFY_SOURCE build problem and allow + configuration. + * liboath: Fix --with-openssl builds + * Git hosting moved from gitlab.com to codeberg.org. The new URL + is https://codeberg.org/oath-toolkit/oath-toolkit although the + old GitLab project will continue to be used for pipelines. + https://gitlab.com/oath-toolkit/oath-toolkit/-/pipelines + * Various build fixes including updated gnulib files. Gnulib + files are no longer stored in git version control. As a + consequence, gnulib is a required build dependency when + building from git, see CONTRIBUTING.md. +- Update to version 2.6.12 + * Reported by Fabian Vogt (SUSE), and associated with + CVE-2024-47191. + See https://codeberg.org/oath-toolkit/oath-toolkit/issues/43. + Security bug triggered by new feature in pam_oath v2.6.7 + released on 2021-05-01 with the USER/HOME placeholder strings, + https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12. 
+ Quoting a writeup in an alternate patch by Matthias Gerstner + (SUSE): With the addition of the possibility to place a + usersfile also into a the usersfile= path specification, + security issues sneaked in. The PAM process usually runs with + root privileges. The file operations in an unprivileged user’s + home directory follow symlinks both when reading and creating + files, allowing for a potential local root exploit, because of + the fchown() performed on the newly created usersfile. + * We drop privileges to the user that is being logged into, + assuming it has the necessary permissions for the usersfile + belonging in their home directory. This restricts the ability + for non-root users to affect files beyond their control via + liboath. + * liboath: Don’t follow symbolic links for usersfile updates. + Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191. + See https://codeberg.org/oath-toolkit/oath-toolkit/issues/43. + Security bug triggered by new feature in pam_oath v2.6.7 + released on 2021-05-01 with the USER/HOME placeholder strings, see + https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12. + The fix is to open files for writing in exclusive mode (i.e., fail + if the file exists including if it is a symbolic link). + * oathtool: Fix test suite on 32-bit big-endian platforms. + * libpskc: Don’t call deprecated xmlMemoryDump. + * Various build fixes including updated gnulib files. +- Drop not longer needed patches (fixed upstream): + * 0001-usersfile-fix-potential-security-issues-in-PAM-modul.patch + * 42-null_usersfile_okay.patch +- Use %ldconfig_scriptlets macro. 
+ +------------------------------------------------------------------- Old: ---- 0001-usersfile-fix-potential-security-issues-in-PAM-modul.patch 42-null_usersfile_okay.patch oath-toolkit-2.6.11.tar.gz oath-toolkit-2.6.11.tar.gz.sig New: ---- oath-toolkit-2.6.14.tar.gz oath-toolkit-2.6.14.tar.gz.sig ----------(Old B)---------- Old:- Drop not longer needed patches (fixed upstream): * 0001-usersfile-fix-potential-security-issues-in-PAM-modul.patch * 42-null_usersfile_okay.patch Old: * 0001-usersfile-fix-potential-security-issues-in-PAM-modul.patch * 42-null_usersfile_okay.patch - Use %ldconfig_scriptlets macro. ----------(Old E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ oath-toolkit.spec ++++++ --- /var/tmp/diff_new_pack.6wuGNB/_old 2026-02-05 17:57:51.609213959 +0100 +++ /var/tmp/diff_new_pack.6wuGNB/_new 2026-02-05 17:57:51.613214127 +0100 @@ -1,7 +1,7 @@ # # spec file for package oath-toolkit # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -18,18 +18,16 @@ %{!?_pam_moduledir: %define _pam_moduledir /%{_lib}/security} Name: oath-toolkit -Version: 2.6.11.12 +Version: 2.6.14 Release: 0 Summary: Toolkit for one-time password authentication systems License: GPL-3.0-or-later AND LGPL-2.1-or-later Group: Productivity/Networking/Security URL: https://www.nongnu.org/oath-toolkit/ -Source: https://download-mirror.savannah.gnu.org/releases/%{name}/%{name}-2.6.11.tar.gz -Source1: https://download-mirror.savannah.gnu.org/releases/%{name}/%{name}-2.6.11.tar.gz.sig +#Git-Clone: https://codeberg.org/oath-toolkit/oath-toolkit.git +Source: https://download-mirror.savannah.gnu.org/releases/%{name}/%{name}-%{version}.tar.gz +Source1: https://download-mirror.savannah.gnu.org/releases/%{name}/%{name}-%{version}.tar.gz.sig Source99: %{name}.keyring -Patch001: 0001-usersfile-fix-potential-security-issues-in-PAM-modul.patch -# https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/42 -Patch002: 42-null_usersfile_okay.patch BuildRequires: bison BuildRequires: gengetopt BuildRequires: libgcrypt-devel @@ -131,9 +129,7 @@ This subpackage contains the headers for this library. %prep -%setup -q -n %{name}-2.6.11 -%patch -P 001 -p1 -%patch -P 002 -p1 +%setup -q -n %{name}-%{version} %build autoreconf -fiv @@ -155,15 +151,12 @@ mv COPYING COPYING.summary find %{buildroot} -type f -name "*.la" -delete -print -%post -n liboath0 -p /sbin/ldconfig -%postun -n liboath0 -p /sbin/ldconfig -%post -n libpskc0 -p /sbin/ldconfig -%postun -n libpskc0 -p /sbin/ldconfig +%ldconfig_scriptlets -n liboath0 +%ldconfig_scriptlets -n libpskc0 %files %license COPYING.summary %doc ChangeLog NEWS README -%license oathtool/COPYING %{_bindir}/oathtool %{_mandir}/man1/oathtool.* %{_bindir}/pskctool @@ -171,11 +164,9 @@ %files -n pam_oath %doc pam_oath/README -%license pam_oath/COPYING %{_pam_moduledir}/pam_oath.so %files -n liboath0 -%license liboath/COPYING %{_libdir}/liboath.so.* %files xml 
@@ -191,7 +182,6 @@ %files -n libpskc0 # there's no COPYING for libpskc, but it's LGPL, like liboath %doc libpskc/README -%license liboath/COPYING %{_libdir}/libpskc.so.* %files -n libpskc-devel ++++++ oath-toolkit-2.6.11.tar.gz -> oath-toolkit-2.6.14.tar.gz ++++++ ++++ 569447 lines of diff (skipped)
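Review bot: in the .changes hunk (@@ -1,0 +2,66 @@), the 2.6.14 entry names the new pam_oath option two different ways: "Support null_usersfile_okay parameter" and then "The argument no_usersfile_okay forces the module ...". The dropped patch is called 42-null_usersfile_okay.patch, so null_usersfile_okay looks like the real name and the second mention should match it; a user grepping the changelog for the option they configured will otherwise miss it. Same entry, minor wording: "even if the OTP if configured" reads "is configured", "into a the usersfile= path" has a stray "a", and "Drop not longer needed patches" should be "no longer needed". These lines end up in rpm -q --changelog, so worth fixing before submit.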
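Review bot: the spec hunk at @@ -155,15 +151,12 @@ removes "%license oathtool/COPYING" from the main package, but the .changes entry only mentions the version update, the dropped patches and the %ldconfig_scriptlets switch. If the per-directory COPYING files disappeared from the 2.6.14 tarball, say so in the changelog ("drop %license entries for files no longer shipped"); if they are still there, the removal needs a reason. The %ldconfig_scriptlets part of this hunk is fine and matches the changelog line.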
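Review bot: the spec hunk at @@ -171,11 +164,9 @@ drops "%license pam_oath/COPYING" and "%license liboath/COPYING", which leaves the pam_oath and liboath0 subpackages with no license file at all; the only remaining %license is COPYING.summary in the main package. liboath0 is a shared-library package that gets installed on its own as a dependency without oath-toolkit, so it should still carry the LGPL text, for example by adding "%license COPYING.summary" to "%files -n liboath0" if the per-directory copy is gone from the tarball.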
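Review bot: in the spec hunk at @@ -191,7 +182,6 @@ the comment "# there's no COPYING for libpskc, but it's LGPL, like liboath" is kept while the line it explains, "%license liboath/COPYING", is removed, so the comment is now stale and libpskc0 ships no license text. Either drop the comment together with the line, or keep the intent by pointing the subpackage at whatever license file 2.6.14 still provides (the main package's COPYING.summary is the obvious candidate), and mention the change in the .changes entry.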
