Security update to libpam-u2f from Yubico
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pam-u2f (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Hi
Yubico have released version 1.0.8 of pam-u2f containing two security fixes that together could allow a local user to read any file on the filesystem if the debug and debug_file variables have been set in the PAM module configuration. Also, the authfile setting file in the user's home directory was parsed as root and would follow symlinks, which could be abused in many ways.
https:/
This was discovered by SUSE and they will make a post to oss-security@ soon.
Release tarball: https:/
Commit fix for CVE-2019-12210:
https:/
Commit fix for CVE-2019-12209:
https:/
Another minor security fix that also went in the release:
https:/
Cheers,
Gabriel
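The report above describes a per-user file being parsed as root with symlinks followed. The following is an added example of the general hardening pattern for that class of bug; it is not the code from the pam-u2f commits, and the function names, file names and temporary path are hypothetical. It assumes Linux, where `open()` with `O_NOFOLLOW` fails with `ELOOP` on a symlink.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a per-user file from privileged code without following a symlink in
 * the last path component, then check on the open descriptor (so the check
 * cannot race with a swap) that it is a regular file owned by `owner`.
 * Returns the descriptor, or -1 with errno set. */
int open_user_file(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NONBLOCK keeps open() from hanging if the path is a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0)
        return -1;                 /* Linux reports ELOOP for a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed demo in a temporary directory. Returns a bitmask:
 * 1 = regular file accepted, 2 = symlink refused with ELOOP,
 * 4 = file with unexpected owner refused with EPERM. Expected: 7. */
int demo(void)
{
    char dir[] = "/tmp/authfile-demo-XXXXXX", file[64], lnk[64];
    int result = 0, fd;

    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/u2f_keys", dir);
    snprintf(lnk, sizeof lnk, "%s/u2f_keys.lnk", dir);
    fd = open(file, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0 || symlink(file, lnk) != 0) return -1;
    close(fd);

    if ((fd = open_user_file(file, geteuid())) >= 0) { result |= 1; close(fd); }
    if (open_user_file(lnk, geteuid()) < 0 && errno == ELOOP) result |= 2;
    if (open_user_file(file, geteuid() + 1) < 0 && errno == EPERM) result |= 4;

    unlink(lnk); unlink(file); rmdir(dir);
    return result;
}
```

`O_NOFOLLOW` only covers the final path component; symlinked parent directories are still resolved, so the ownership check on the descriptor is what ties the opened file to the expected user.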
CVE References
CVE-2019-12210
CVE-2019-12209
information type: Private Security → Public Security
Changed in pam-u2f (Ubuntu):
status: New → Confirmed