Accepting request 282639 from home:mnhauke

Update to version 2.4.1 OBS-URL: https://build.opensuse.org/request/show/282639 OBS-URL: https://build.opensuse.org/package/show/security/oath-toolkit?expand=0&rev=8
2015-01-28 11:01:44 +00:00 · 2015-01-28 11:01:44 +00:00 · 44150de82d
commit 44150de82d
parent 47263ca8a5
4 changed files with 17 additions and 4 deletions
--- a/oath-toolkit-2.4.0.tar.gz
+++ b/oath-toolkit-2.4.0.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:66ebf924304409356b35a3423e4b7255996c5a42503c3188bf08c6446f436ddc
-size 4137994
--- a/oath-toolkit-2.4.1.tar.gz
+++ b/oath-toolkit-2.4.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9bfa42cbc100eb6c43d2bf83e3badc51d9e6f4950a92e07513ae586d0c5e9b24
+size 4136649
--- a/oath-toolkit.changes
+++ b/oath-toolkit.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Sat Jan 24 10:29:53 UTC 2015 - mardnh@gmx.de
+
+- Update to version 2.4.1:
+  + liboath: Fix usersfile bug that caused it to update the wrong line.
+    When an usersfile contain multiple lines for the same user but with an
+    unparseable token type (e.g., HOTP vs TOTP), the code would update the
+    wrong line of the file.  Since the then updated line could be a
+    commented out line, this can lead to the same OTP being accepted
+    multiple times which is a security vulnerability.  Reported by Bas van
+    Schaik <bas@sj-vs.net> and patch provided by Ilkka Virta
+    <itvirta@iki.fi>.  CVE-2013-7322
+
 -------------------------------------------------------------------
 Fri Jul 11 18:14:17 UTC 2014 - darin@darins.net

--- a/oath-toolkit.spec
+++ b/oath-toolkit.spec
@ -18,7 +18,7 @@

 %define build_pskc 0
 Name:           oath-toolkit
-Version:        2.4.0
+Version:        2.4.1
 Release:        0
 Summary:        Toolkit for one-time password authentication systems
 License:        GPL-3.0+