Stay Secure with the Latest Linux Advisories

security advisoryGentoohigh severity

Gentoo: GLSA-202501-04 High: Yubico pam-u2f Partial Auth Bypass

A vulnerability has been discovered in Yubico pam-u2f, which can lead to a partial authentication bypass.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202501-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Yubico pam-u2f: Partial Authentication Bypass Date: January 23, 2025 Bugs: #948201 ID: 202501-04 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in Yubico pam-u2f, which can lead to a partial authentication bypass. Background ========== Yubico pam-u2f is a PAM module for FIDO2 and U2F keys. Affected packages ================= Package Vulnerable Unaffected ---------------- ------------ ------------ sys-auth/pam_u2f < 1.3.2 > = 1.3.2 Description =========== Multiple vulnerabilities have been discovered in Yubico pam-u2f. Please review the CVE identifiers referenced below for details. Impact ====== Depending on specific settings and usage scenarios the result of the pam-u2f module may be altered or ignored. Workaround ========== There is no known workaround at this time. Resolution ========== All Yubico pam-u2f users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =sys-auth/pam_u2f-1.3.2" References ========== [ 1 ] CVE-2025-23013 https://nvd.nist.gov/vuln/detail/CVE-2025-23013 [ 2 ] YSA-2025-01 https://www.yubico.com/support/security-advisories/YSA-2025-01 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202501-04 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of ourusers' machines is of utmost importance to us. Any security concerns should be addressed to This email address is being protected from spambots. You need JavaScript enabled to view it. or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2025 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . The Yubico pam-u2f module for Gentoo Linux presents a critical vulnerability that might enable a partial bypass of authentication measures. Users are advised to perform an upgrade immediately.. pam-u2f,Yubico,Gentoo Security Advisory,security updates,authentication bypass. . LinuxSecurity.com Team

Jan 23, 2025 Gentoo