Debian alert DLA-4040-1 (pam-u2f)
From: Emilio Pozuelo Monfort <pochu@debian.org>
To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 4040-1] pam-u2f security update
Date: Mon, 03 Feb 2025 09:14:55 +0100
Message-ID: <20250203081455.CE6C62A0526@andromeda>
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4040-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
February 03, 2025                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : pam-u2f
Version        : 1.1.0-1.1+deb11u1
CVE ID         : CVE-2025-23013

Matthias Gerstner reported that pam-u2f, a PAM module which allows the
use of U2F (Universal 2nd Factor) devices in the PAM authentication
stack, does not properly handle PAM_IGNORE return values, making it
possible to bypass the second factor or password-less login without
inserting the proper device.

For Debian 11 bullseye, this problem has been fixed in version
1.1.0-1.1+deb11u1.

We recommend that you upgrade your pam-u2f packages.

For the detailed security status of pam-u2f please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pam-u2f

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS