Security update for pam_u2f SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0167-1 Final 1 1 2025-01-17T16:09:54Z current 2025-01-17T16:09:54Z 2025-01-17T16:09:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pam_u2f This update for pam_u2f fixes the following issues: - CVE-2025-23013: Fixed problematic PAM_IGNORE return values in `pam_sm_authenticate()` (bsc#1233517) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-167,SUSE-SLE-Module-Basesystem-15-SP6-2025-167,openSUSE-SLE-15.6-2025-167 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250167-1/ Link for SUSE-SU-2025:0167-1 https://lists.suse.com/pipermail/sle-security-updates/2025-January/020166.html E-Mail link for SUSE-SU-2025:0167-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1233517 SUSE Bug 1233517 https://bugzilla.suse.com/1235961 SUSE Bug 1235961 https://www.suse.com/security/cve/CVE-2025-23013/ SUSE CVE CVE-2025-23013 page SUSE Linux Enterprise Module for Basesystem 15 SP6 openSUSE Leap 15.6 pam_u2f-1.2.0-150600.10.5.1 pam_u2f-1.2.0-150600.10.5.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 pam_u2f-1.2.0-150600.10.5.1 as a component of openSUSE Leap 15.6 In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to know the user's password. CVE-2025-23013 SUSE Linux Enterprise Module for Basesystem 15 SP6:pam_u2f-1.2.0-150600.10.5.1 openSUSE Leap 15.6:pam_u2f-1.2.0-150600.10.5.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250167-1/ https://www.suse.com/security/cve/CVE-2025-23013.html CVE-2025-23013 https://bugzilla.suse.com/1233517 SUSE Bug 1233517