*** This bug is a security vulnerability *** Public security bug reported:
Hi,

Yubico have released version 1.0.8 of pam-u2f containing two security fixes that together could allow a local user to read any file on the filesystem if the debug variable and the debug_file variable have been set in the pam module configuration. Also, the authfile setting file in the user's home directory was parsed as root and would follow symlinks, which could be abused in many ways.

https://developers.yubico.com/pam-u2f/Release_Notes.html

This was discovered by SUSE and they will make a post to oss-security@ soon.

Release tarball: https://developers.yubico.com/pam-u2f/Releases/pam_u2f-1.0.8.tar.gz

Commit fix for CVE-2019-12210: https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62

Commit fix for CVE-2019-12209: https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3

Another minor security fix that also went in the release: https://github.com/Yubico/pam-u2f/commit/aab0c31a3bfed8912a271685d6ec909f61380155

Cheers,
Gabriel

** Affects: pam-u2f (Ubuntu)
   Importance: Undecided
   Status: New

** Information type changed from Private Security to Public Security

https://bugs.launchpad.net/bugs/1831713
Title: Security update to libpam-u2f from Yubico