*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Mike Salvatore 
(mikesalvatore):

Hi

Yubico have released version 1.0.8 of pam-u2f containing two security
fixes that together could allow a local user to read any file on the
filesystem if the debug and debug_file variables have been
set in the pam module configuration. Also, the authfile setting file in
the user's home directory was parsed as root and would follow symlinks,
which could be abused in many ways.

https://developers.yubico.com/pam-u2f/Release_Notes.html

This was discovered by SUSE and they will make a post to oss-security@
soon.

Release tarball:
https://developers.yubico.com/pam-u2f/Releases/pam_u2f-1.0.8.tar.gz

Commit fix for CVE-2019-12210:
https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62

Commit fix for CVE-2019-12209:
https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3

Another minor security fix that also went in the release:
https://github.com/Yubico/pam-u2f/commit/aab0c31a3bfed8912a271685d6ec909f61380155

Cheers,
Gabriel

** Affects: pam-u2f (Ubuntu)
     Importance: Undecided
         Status: New
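
The symlink-following problem described in the report, as an added example that is not part of the original bug report and is not Yubico's patch: a general C pattern for a privileged process opening a file under a user's control. The helper name `open_user_file`, the temp directory and the `u2f_keys` sample file are constructed for this illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a per-user file from a privileged process. Returns an fd, or -1 if
 * the final path component is a symlink, the target is not a regular file,
 * or it is not owned by expected_uid. (Hypothetical helper name.) */
int open_user_file(const char *path, uid_t expected_uid)
{
    struct stat st;
    /* O_NOFOLLOW: fail (ELOOP) instead of following a symlink.
     * O_NONBLOCK: do not hang if the path is a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* Check the descriptor, not the path, so the file cannot be swapped
     * between the check and the read. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_uid) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check in a temp dir: returns 1 if the regular file is
 * accepted and both the symlink and the wrong-owner case are rejected. */
int demo(void)
{
    char dir[] = "/tmp/authfile-demo-XXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/u2f_keys", dir);
    snprintf(lnk, sizeof lnk, "%s/u2f_keys.link", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(file, lnk) != 0) return -1;
    close(fd);
    int ok = open_user_file(file, getuid());
    int via_link = open_user_file(lnk, getuid());
    int wrong_owner = open_user_file(file, getuid() + 1);
    int result = ok >= 0 && via_link < 0 && wrong_owner < 0;
    if (ok >= 0) close(ok);
    unlink(lnk); unlink(file); rmdir(dir);
    return result;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

O_NOFOLLOW only covers the last path component, so symlinked parent directories are still followed; opening the file with the target user's privileges rather than root's addresses that case as well.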

-- 
Security update to libpam-u2f from Yubico
https://bugs.launchpad.net/bugs/1831713
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs