Accepting request 1238020 from security

OBS-URL: https://build.opensuse.org/request/show/1238020 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pam_u2f?expand=0&rev=13
2025-01-15 16:45:18 +00:00 · 2025-01-15 16:45:18 +00:00 · eae97f44aa
commit eae97f44aa
parent 6289f3e400 af57c7ed75
6 changed files with 17 additions and 5 deletions
--- a/pam_u2f-1.3.0.tar.gz
+++ b/pam_u2f-1.3.0.tar.gz
--- a/pam_u2f-1.3.0.tar.gz.sig
+++ b/pam_u2f-1.3.0.tar.gz.sig
--- a/pam_u2f-1.3.1.tar.gz
+++ b/pam_u2f-1.3.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9a13549947f844f6b3ab691d71afb4f6f00a45d165fed27b01c66c07750a9387
+size 475244
--- a/pam_u2f-1.3.1.tar.gz.sig
+++ b/pam_u2f-1.3.1.tar.gz.sig
--- a/pam_u2f.changes
+++ b/pam_u2f.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Jan 15 10:02:56 UTC 2025 - Paolo Perego <paolo.perego@suse.com>
+
+- update to 1.3.1:
+  * Fix incorrect usage of PAM_IGNORE (YSA-2025-01, CVE-2025-23013).
+  * Changed return value when nouserok is enabled and the user has no
+  credentials, PAM_IGNORE is used instead of PAM_SUCCESS.
+  * Hardened checks of authfile permissions.
+  * Hardened checks for nouserok.
+  * Improved debug messages.
+  * Improved documentation. 
+
 -------------------------------------------------------------------
 Sat Apr 15 12:01:02 UTC 2023 - Dirk Müller <dmueller@suse.com>

--- a/pam_u2f.spec
+++ b/pam_u2f.spec
@ -1,7 +1,7 @@
 #
 # spec file for package pam_u2f
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -19,7 +19,7 @@
 %{!?_pam_moduledir: %define _pam_moduledir /%{_lib}/security}

 Name:           pam_u2f
-Version:        1.3.0
+Version:        1.3.1
 Release:        0
 Summary:        U2F authentication integration into PAM
 License:        BSD-2-Clause