pam_pkcs11-0.6.13-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15800 Final 1 1 2025-02-06T00:00:00Z current 2025-02-06T00:00:00Z 2025-02-06T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z pam_pkcs11-0.6.13-1.1 on GA media These are all security issues fixed in the pam_pkcs11-0.6.13-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15800 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-24032/ SUSE CVE CVE-2025-24032 page https://www.suse.com/security/cve/CVE-2025-24531/ SUSE CVE CVE-2025-24531 page openSUSE Tumbleweed pam_pkcs11-0.6.13-1.1 pam_pkcs11-devel-doc-0.6.13-1.1 pam_pkcs11-0.6.13-1.1 as a component of openSUSE Tumbleweed pam_pkcs11-devel-doc-0.6.13-1.1 as a component of openSUSE Tumbleweed PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificate based user login. Prior to version 0.6.13, if cert_policy is set to none (the default value), then pam_pkcs11 will only check if the user is capable of logging into the token. An attacker may create a different token with the user's public data (e.g. the user's certificate) and a PIN known to the attacker. If no signature with the private key is required, then the attacker may now login as user with that created token. The default to *not* check the private key's signature has been changed with commit commi6638576892b59a99389043c90a1e7dd4d783b921, so that all versions starting with pam_pkcs11-0.6.0 should be affected. As a workaround, in `pam_pkcs11.conf`, set at least `cert_policy = signature;`. CVE-2025-24032 openSUSE Tumbleweed:pam_pkcs11-0.6.13-1.1 openSUSE Tumbleweed:pam_pkcs11-devel-doc-0.6.13-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-24032.html CVE-2025-24032 https://bugzilla.suse.com/1237062 SUSE Bug 1237062 unknown CVE-2025-24531 openSUSE Tumbleweed:pam_pkcs11-0.6.13-1.1 openSUSE Tumbleweed:pam_pkcs11-devel-doc-0.6.13-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-24531.html CVE-2025-24531 https://bugzilla.suse.com/1231843 SUSE Bug 1231843 https://bugzilla.suse.com/1236314 SUSE Bug 1236314