SUSE-CU-2023:2288-1: Security update of bci/ruby

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Fri Jul 14 07:10:24 UTC 2023


SUSE Container Update Advisory: bci/ruby
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:2288-1
Container Tags        : bci/ruby:2 , bci/ruby:2-10.1 , bci/ruby:2.5 , bci/ruby:2.5-10.1 , bci/ruby:latest
Container Release     : 10.1
Severity              : moderate
Type                  : security
References            : 1210714 1211430 CVE-2023-1255 CVE-2023-2650 
-----------------------------------------------------------------

The container bci/ruby was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2620-1
Released:    Fri Jun 23 13:41:36 2023
Summary:     Security update for openssl-3
Type:        security
Severity:    moderate
References:  1210714,1211430,CVE-2023-1255,CVE-2023-2650
This update for openssl-3 fixes the following issues:

- CVE-2023-1255: Fixed input buffer over-read in AES-XTS implementation on 64 bit ARM (bsc#1210714).
- CVE-2023-2650: Fixed possible DoS translating ASN.1 object identifiers (bsc#1211430).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2811-1
Released:    Wed Jul 12 11:56:18 2023
Summary:     Recommended update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt
Type:        recommended
Severity:    moderate
References:  
This update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt fixes the following issues:

This update provides a feature update to the FIDO2 stack.

Changes in libfido2:

- Version 1.13.0 (2023-02-20)

    * New API calls:

      + fido_assert_empty_allow_list;
      + fido_cred_empty_exclude_list.

    * fido2-token: fix issue when listing large blobs.

- Version 1.12.0 (2022-09-22)

  * Support for COSE_ES384.
  * Improved support for FIDO 2.1 authenticators.

  * New API calls:

    + es384_pk_free;
    + es384_pk_from_EC_KEY;
    + es384_pk_from_EVP_PKEY;
    + es384_pk_from_ptr;
    + es384_pk_new;
    + es384_pk_to_EVP_PKEY;
    + fido_cbor_info_certs_len;
    + fido_cbor_info_certs_name_ptr;
    + fido_cbor_info_certs_value_ptr;
    + fido_cbor_info_maxrpid_minpinlen;
    + fido_cbor_info_minpinlen;
    + fido_cbor_info_new_pin_required;
    + fido_cbor_info_rk_remaining;
    + fido_cbor_info_uv_attempts;
    + fido_cbor_info_uv_modality.

   * Documentation and reliability fixes.

- Version 1.11.0 (2022-05-03)

  * Experimental PCSC support; enable with -DUSE_PCSC.
  * Improved OpenSSL 3.0 compatibility.
  * Use RFC1951 raw deflate to compress CTAP 2.1 largeBlobs.
  * winhello: advertise 'uv' instead of 'clientPin'.
  * winhello: support hmac-secret in fido_dev_get_assert().
  * New API calls:

    + fido_cbor_info_maxlargeblob.

  * Documentation and reliability fixes.
  * Separate build and regress targets.

- Version 1.10.0 (2022-01-17)

  * bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*(); gh#480.
  * New API calls:

     - fido_dev_info_set;
     - fido_dev_io_handle;
     - fido_dev_new_with_info;
     - fido_dev_open_with_info.
  * Cygwin and NetBSD build fixes.
  * Documentation and reliability fixes.
  * Support for TPM 2.0 attestation of COSE_ES256 credentials.

- Version 1.9.0 (2021-10-27)

  * Enabled NFC support on Linux.
  * Support for FIDO 2.1 'minPinLength' extension.
  * Support for COSE_EDDSA, COSE_ES256, and COSE_RS1 attestation.
  * Support for TPM 2.0 attestation.
  * Support for device timeouts; see fido_dev_set_timeout().
  * New API calls:

       - es256_pk_from_EVP_PKEY;
       - fido_cred_attstmt_len;
       - fido_cred_attstmt_ptr;
       - fido_cred_pin_minlen;
       - fido_cred_set_attstmt;
       - fido_cred_set_pin_minlen;
       - fido_dev_set_pin_minlen_rpid;
       - fido_dev_set_timeout;
       - rs256_pk_from_EVP_PKEY.

  * Reliability and portability fixes.
  * Better handling of HID devices without identification strings; gh#381.

- Update to version 1.8.0:

	* Better support for FIDO 2.1 authenticators.
	* Support for attestation format 'none'.
	* New API calls:

		- fido_assert_set_clientdata;
		- fido_cbor_info_algorithm_cose;
		- fido_cbor_info_algorithm_count;
		- fido_cbor_info_algorithm_type;
		- fido_cbor_info_transports_len;
		- fido_cbor_info_transports_ptr;
		- fido_cred_set_clientdata;
		- fido_cred_set_id;
		- fido_credman_set_dev_rk;
		- fido_dev_is_winhello.

	* fido2-token: new -Sc option to update a resident credential.
	* Documentation and reliability fixes.
	* HID access serialisation on Linux.

- Update to version 1.7.0:

  * hid_win: detect devices with vendor or product IDs > 0x7fff
  * Support for FIDO 2.1 authenticator configuration.
  * Support for FIDO 2.1 UV token permissions.
  * Support for FIDO 2.1 'credBlobs' and 'largeBlobs' extensions.
  * New API calls
  * New fido_init flag to disable fido_dev_open’s U2F fallback
  * Experimental NFC support on Linux.

- Enabled hidapi again, issues related to hidapi are fixed upstream

- Update to version 1.6.0:

  * Documentation and reliability fixes.

  * New API calls:

    + fido_cred_authdata_raw_len;
    + fido_cred_authdata_raw_ptr;
    + fido_cred_sigcount;
    + fido_dev_get_uv_retry_count;
    + fido_dev_supports_credman.
  * Hardened Windows build.
  * Native FreeBSD and NetBSD support.
  * Use CTAP2 canonical CBOR when combining hmac-secret and credProtect.

- Create a udev subpackage and ship the udev rule.

Changes in python-fido2:

- update to 0.9.3:

  * Don't fail device discovery when hidraw doesn't support HIDIOCGRAWUNIQ
  * Support the latest Windows webauthn.h API (included in Windows 11).
  * Add product name and serial number to HidDescriptors.
  * Remove the need for the uhid-freebsd dependency on FreeBSD.

- Update to version 0.9.1

  * Add new CTAP error codes and improve handling of unknown codes.
  * Client: API changes to better support extensions.
  * Client.make_credential now returns a AuthenticatorAttestationResponse,
    which holds the AttestationObject and ClientData, as well as any
    client extension results for the credential.
  * Client.get_assertion now returns an AssertionSelection object,
    which is used to select between multiple assertions
  * Renames: The CTAP1 and CTAP2 classes have been renamed to
    Ctap1 and Ctap2, respectively.
  * ClientPin: The ClientPin API has been restructured to support
    multiple PIN protocols, UV tokens, and token permissions.
  * CTAP 2.1 PRE: Several new features have been added for CTAP 2.1
  * HID: The platform specific HID code has been revamped

- Version 0.8.1 (released 2019-11-25)

  * Bugfix: WindowsClient.make_credential error when resident key requirement is unspecified.

- Version 0.8.0 (released 2019-11-25)

  * New fido2.webauthn classes modeled after the W3C WebAuthn spec introduced.
  * CTAP2 send_cbor/make_credential/get_assertion and U2fClient request/authenticate timeout arguments replaced with event used to cancel a request.
  * Fido2Client:

    - make_credential/get_assertion now take WebAuthn options objects.
    - timeout is now provided in ms in WebAuthn options objects. Event based cancelation also available by passing an Event.

  * Fido2Server:

    - ATTESTATION, USER_VERIFICATION, and AUTHENTICATOR_ATTACHMENT enums have been replaced with fido2.webauthn classes.
    - RelyingParty has been replaced with PublicKeyCredentialRpEntity, and name is no longer optional.
    - Options returned by register_begin/authenticate_begin now omit unspecified values if they are optional, instead of filling in default values.
    - Fido2Server.allowed_algorithms now contains a list of PublicKeyCredentialParameters instead of algorithm identifiers.
    - Fido2Server.timeout is now in ms and of type int.

  * Support native WebAuthn API on Windows through WindowsClient.

- Version 0.7.2 (released 2019-10-24)

  * Support for the TPM attestation format.
  * Allow passing custom challenges to register/authenticate in Fido2Server.
  * Bugfix: CTAP2 CANCEL command response handling fixed.
  * Bugfix: Fido2Client fix handling of empty allow_list.
  * Bugfix: Fix typo in CTAP2.get_assertions() causing it to fail.

- Version 0.7.1 (released 2019-09-20)

  * Enforce canonical CBOR on Authenticator responses by default.
  * PCSC: Support extended APDUs.
  * Server: Verify that UP flag is set.
  * U2FFido2Server: Implement AppID exclusion extension.
  * U2FFido2Server: Allow custom U2F facet verification.
  * Bugfix: U2FFido2Server.authenticate_complete now returns the result.

- Version 0.7.0 (released 2019-06-17)

  * Add support for NFC devices using PCSC.
  * Add support for the hmac-secret Authenticator extension.
  * Honor max credential ID length and number of credentials to Authenticator.
  * Add close() method to CTAP devices to explicitly release their resources.

- Version 0.6.0 (released 2019-05-10)

  * Don't fail if CTAP2 Info contains unknown fields.
  * Replace cbor loads/dumps functions with encode/decode/decode_from.
  * Server: Add support for AuthenticatorAttachment.
  * Server: Add support for more key algorithms.
  * Client: Expose CTAP2 Info object as Fido2Client.info. 

Changes in yubikey-manager:

- Update to version 4.0.9 (released 2022-06-17)

  * Dependency: Add support for python-fido2 1.x
  * Fix: Drop stated support for Click 6 as features from 7 are being used.

- Update to version 4.0.8 (released 2022-01-31)

  * Bugfix: Fix error message for invalid modhex when programing a YubiOTP credential.
  * Bugfix: Fix issue with displaying a Steam credential when it is the only account.
  * Bugfix: Prevent installation of files in site-packages root.
  * Bugfix: Fix cleanup logic in PIV for protected management key.
  * Add support for token identifier when programming slot-based HOTP.
  * Add support for programming NDEF in text mode.
  * Dependency: Add support for Cryptography ⇐ 38.

- version update to 4.0.7

  ** Bugfix release: Fix broken naming for 'YubiKey 4', and a small OATH issue with
      touch Steam credentials.

- version 4.0.6 (released 2021-09-08)

   ** Improve handling of YubiKey device reboots.
   ** More consistently mask PIN/password input in prompts.
   ** Support switching mode over CCID for YubiKey Edge.
   ** Run pkill from PATH instead of fixed location.

- version 4.0.5 (released 2021-07-16)

   ** Bugfix: Fix PIV feature detection for some YubiKey NEO versions.
   ** Bugfix: Fix argument short form for --period when adding TOTP credentials.
   ** Bugfix: More strict validation for some arguments, resulting in better error messages.
   ** Bugfix: Correctly handle TOTP credentials using period != 30 AND touch_required.
   ** Bugfix: Fix prompting for access code in the otp settings command (now uses '-A -').

- Update to version 4.0.3

  * Add support for fido reset over NFC.
  * Bugfix: The --touch argument to piv change-management-key was
    ignored.
  * Bugfix: Don’t prompt for password when importing PIV key/cert
    if file is invalid.
  * Bugfix: Fix setting touch-eject/auto-eject for YubiKey 4 and NEO.
  * Bugfix: Detect PKCS#12 format when outer sequence uses
    indefinite length.
  * Dependency: Add support for Click 8.

- Update to version 4.0.2

  * Update device names
  * Add read_info output to the --diagnose command, and show
    exception types.
  * Bugfix: Fix read_info for YubiKey Plus.
  * Add support for YK5-based FIPS YubiKeys.
  * Bugfix: Fix OTP device enumeration on Win32.
  * Drop reliance on libusb and libykpersonalize.
  * Support the 'fido' and 'otp' subcommands over NFC
  * New 'ykman --diagnose' command to aid in troubleshooting.
  * New 'ykman apdu' command for sending raw APDUs over the smart
    card interface.
  * New 'yubikit' package added for custom development and advanced
    scripting.
  * OpenPGP: Add support for KDF enabled YubiKeys.
  * Static password: Add support for FR, IT, UK and BEPO keyboard
    layouts.

- Update to 3.1.1

  * Add support for YubiKey 5C NFC
  * OpenPGP: set-touch now performs compatibility checks before prompting for PIN
  * OpenPGP: Improve error messages and documentation for set-touch
  * PIV: read-object command no longer adds a trailing newline
  * CLI: Hint at missing permissions when opening a device fails
  * Linux: Improve error handling when pcscd is not running
  * Windows: Improve how .DLL files are loaded, thanks to Marius Gabriel Mihai for reporting this!
  * Bugfix: set-touch now accepts the cached-fixed option
  * Bugfix: Fix crash in OtpController.prepare_upload_key() error parsing
  * Bugfix: Fix crash in piv info command when a certificate slot contains an invalid certificate
  * Library: PivController.read_certificate(slot) now wraps certificate parsing exceptions in new exception type InvalidCertificate
  * Library: PivController.list_certificates() now returns None for slots containing invalid certificate, instead of raising an exception

- Version 3.1.0 (released 2019-08-20)

  * Add support for YubiKey 5Ci
  * OpenPGP: the info command now prints OpenPGP specification version as well
  * OpenPGP: Update support for attestation to match OpenPGP v3.4
  * PIV: Use UTC time for self-signed certificates
  * OTP: Static password now supports the Norman keyboard layout

- Version 3.0.0 (released 2019-06-24)

  * Add support for new YubiKey Preview and lightning form factor
  * FIDO: Support for credential management
  * OpenPGP: Support for OpenPGP attestation, cardholder certificates and
    cached touch policies
  * OTP: Add flag for using numeric keypad when sending digits 

- Version 2.1.1 (released 2019-05-28)

  * OTP: Add initial support for uploading Yubico OTP credentials to YubiCloud
  * Don’t automatically select the U2F applet on YubiKey NEO, it might be
    blocked by the OS
  * ChalResp: Always pad challenge correctly
  * Bugfix: Don’t crash with older versions of cryptography
  * Bugfix: Password was always prompted in OATH command, even if sent as
    argument

Changes in yubikey-manager-qt:

- update to 1.2.5:

  * Compatibility update for ykman 5.0.1.
  * Update to Python 3.11.
  * Update product images.

- Update to version 1.2.4 (released 2021-10-26)

  * Update device names and images.
  * PIV: Fix import of certificate.

- Update to version 1.2.3

  * Improved error handling when using Security Key Series devices.
  * PIV: Fix generation of certificate in slot 9c.

- Update to version 1.2.2

  * Fix detection of YubiKey Plus
  * Compatibility update for yubikey-manager 4.0
  * Bugfix: Device caching with multiple devices
  * Drop dependencies on libusb and libykpers.
  * Add additional product names and images

- update to 1.1.5

  * Add support for YubiKey 5C NFC

- Update to version 1.1.4

 * OTP: Add option to upload YubiOTP credential to YubiCloud
 * Linux: Show hint about pcscd service if opening device fails
 * Bugfix: Signal handling now compatible with Python 3.8

- Version 1.1.3 (released 2019-08-20)

  * Add suppport for YubiKey 5Ci
  * PIV: Use UTC time for self-signed certificates

- Version 1.1.2 (released 2019-06-24)

  * Add support for new YubiKey Preview
  * PIV: The popup for the management key now have a 'Use default' option
  * Windows: Fix issue with importing PIV certificates
  * Bugfix: generate static password now works correctly 


The following package changes have been done:

- crypto-policies-20210917.c9d86d1-150400.1.7 added
- libhidapi-hidraw0-0.10.1-1.6 added
- libopenssl3-3.0.8-150500.5.3.1 added
- libfido2-1-1.13.0-150400.5.3.1 updated
- libfido2-udev-1.5.0-1.30 removed


More information about the sle-security-updates mailing list