From 44150de82d4efde4f29a32e784596c6071c4ebdb733cfb8b9660790cc3157ac5 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Wed, 28 Jan 2015 11:01:44 +0000
Subject: [PATCH] Accepting request 282639 from home:mnhauke Update to version 2.4.1
OBS-URL: https://build.opensuse.org/request/show/282639
OBS-URL: https://build.opensuse.org/package/show/security/oath-toolkit?expand=0&rev=8
---
 oath-toolkit-2.4.0.tar.gz | 3 ---
 oath-toolkit-2.4.1.tar.gz | 3 +++
 oath-toolkit.changes | 13 +++++++++++++
 oath-toolkit.spec | 2 +-
 4 files changed, 17 insertions(+), 4 deletions(-)
 delete mode 100644 oath-toolkit-2.4.0.tar.gz
 create mode 100644 oath-toolkit-2.4.1.tar.gz
diff --git a/oath-toolkit-2.4.0.tar.gz b/oath-toolkit-2.4.0.tar.gz
deleted file mode 100644
index 49c8e4b..0000000
--- a/oath-toolkit-2.4.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:66ebf924304409356b35a3423e4b7255996c5a42503c3188bf08c6446f436ddc
-size 4137994
diff --git a/oath-toolkit-2.4.1.tar.gz b/oath-toolkit-2.4.1.tar.gz
new file mode 100644
index 0000000..b7e1aa0
--- /dev/null
+++ b/oath-toolkit-2.4.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9bfa42cbc100eb6c43d2bf83e3badc51d9e6f4950a92e07513ae586d0c5e9b24
+size 4136649
diff --git a/oath-toolkit.changes b/oath-toolkit.changes
index 66d18f7..2482adf 100644
--- a/oath-toolkit.changes
+++ b/oath-toolkit.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Sat Jan 24 10:29:53 UTC 2015 - mardnh@gmx.de
+
+- Update to version 2.4.1:
+ + liboath: Fix usersfile bug that caused it to update the wrong line.
+ When an usersfile contain multiple lines for the same user but with an
+ unparseable token type (e.g., HOTP vs TOTP), the code would update the
+ wrong line of the file. Since the then updated line could be a
+ commented out line, this can lead to the same OTP being accepted
+ multiple times which is a security vulnerability. Reported by Bas van
+ Schaik and patch provided by Ilkka Virta
+ . CVE-2013-7322
+
 -------------------------------------------------------------------
 Fri Jul 11 18:14:17 UTC 2014 - darin@darins.net
diff --git a/oath-toolkit.spec b/oath-toolkit.spec
index 11244d9..713129f 100644
--- a/oath-toolkit.spec
+++ b/oath-toolkit.spec
@@ -18,7 +18,7 @@
 %define build_pskc 0
 Name: oath-toolkit
-Version: 2.4.0
+Version: 2.4.1
 Release: 0
 Summary: Toolkit for one-time password authentication systems
 License: GPL-3.0+