The fix for this vulnerability (CVE-2021-31924) was backported and included in 
the NMU version 1.1.0-1.1.

References:
- https://github.com/Yubico/pam-u2f/issues/175
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987545#39

There are still functionality issues with the version that is shipped in Debian 
which were fixed in 1.1.1, such as hardware compatibility, but there are not 
any known security issues in 1.1.0-1.1 that I am aware of.

On Wed, 22 Feb 2023 23:56:58 +0100 Enrique Garcia <cqu...@arcor.de> wrote:
> Package: libpam-u2f
> Version: 1.1.0-1.1+b1
> Followup-For: Bug #1022073
> X-Debbugs-Cc: cqu...@arcor.de
> 
> The following blog from Yubico, who are the developers of libpam-u2f, recommends
> using at least version 1.1.1 since there is a risk of local PIN bypass:
> 
> https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F
> 
> The issue is in libpam-u2f 1.1.0, which is exactly the version shipped right
> now with Debian (bullseye, bookworm, sid)
-- 
Sent from my Palm Pilot. Please excuse my brevity.
