The fix for this vulnerability (CVE-2021-31924) was backported and included in
the NMU version 1.1.0-1.1.
References:
- https://github.com/Yubico/pam-u2f/issues/175
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987545#39
There are still functionality issues with the version that is
Is there any process I can initiate to get the upstream versions into
Debian while the package maintainer (nicoo) is away?
It's been 9 months since I submitted the merge request to go from 1.1.0
to 1.1.1. I'd like to do more to help, but I'm not sure how to proceed.
-- Adam Hacker
Package: libpam-u2f
Version: 1.1.0-1.1+b1
Followup-For: Bug #1022073
X-Debbugs-Cc: cqu...@arcor.de
The following blog from Yubico, who are the developers of libpam-u2f, recommends
using at least version 1.1.1 since there is a risk of local PIN bypass:
Package: src:pam-u2f
Version: 1.1.0-1.1
Upstream has released version 1.2.1. There are also several pending
merge requests in salsa to update this package at least to 1.1.1, all
from the same user with the handle @adam_hax ("Adam Hacker"):