Security update for pam_u2f SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20231-1 Final 1 1 2025-03-05T14:55:47Z current 2025-03-05T14:55:47Z 2025-03-05T14:55:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pam_u2f This update for pam_u2f fixes the following issues: - CVE-2025-23013: Fixed problematic PAM_IGNORE return values in `pam_sm_authenticate()`(bsc#1233517). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-29 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520231-1/ Link for SUSE-SU-2025:20231-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021092.html E-Mail link for SUSE-SU-2025:20231-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1233517 SUSE Bug 1233517 https://www.suse.com/security/cve/CVE-2025-23013/ SUSE CVE CVE-2025-23013 page SUSE Linux Micro 6.1 pam_u2f-1.3.0-slfo.1.1_2.1 pam_u2f-1.3.0-slfo.1.1_2.1 as a component of SUSE Linux Micro 6.1 In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a YubiKey or other FIDO compliant authenticators on macOS or Linux. This software package has an issue that allows for an authentication bypass in some configurations. An attacker would require the ability to access the system as an unprivileged user. Depending on the configuration, the attacker may also need to know the user's password. CVE-2025-23013 SUSE Linux Micro 6.1:pam_u2f-1.3.0-slfo.1.1_2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520231-1/ https://www.suse.com/security/cve/CVE-2025-23013.html CVE-2025-23013 https://bugzilla.suse.com/1233517 SUSE Bug 1233517