SUSE-RU-2023:2811-1: moderate: Recommended update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Wed Jul 12 12:30:03 UTC 2023
# Recommended update for libfido2, python-fido2, yubikey-manager, yubikey-
manager-qt
Announcement ID: SUSE-RU-2023:2811-1
Rating: moderate
References:
Affected Products:
* Basesystem Module 15-SP4
* Basesystem Module 15-SP5
* Desktop Applications Module 15-SP4
* openSUSE Leap 15.4
* openSUSE Leap 15.5
* openSUSE Leap Micro 5.3
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise Desktop 15 SP5
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Micro for Rancher 5.3
* SUSE Linux Enterprise Micro for Rancher 5.4
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.3
An update that contains one feature can now be installed.
## Description:
This update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt
fixes the following issues:
This update provides a feature update to the FIDO2 stack.
Changes in libfido2:
* Version 1.13.0 (2023-02-20)
* New API calls:
* fido_assert_empty_allow_list;
* fido_cred_empty_exclude_list.
* fido2-token: fix issue when listing large blobs.
* Version 1.12.0 (2022-09-22)
* Support for COSE_ES384.
* Improved support for FIDO 2.1 authenticators.
* New API calls:
* es384_pk_free;
* es384_pk_from_EC_KEY;
* es384_pk_from_EVP_PKEY;
* es384_pk_from_ptr;
* es384_pk_new;
* es384_pk_to_EVP_PKEY;
* fido_cbor_info_certs_len;
* fido_cbor_info_certs_name_ptr;
* fido_cbor_info_certs_value_ptr;
* fido_cbor_info_maxrpid_minpinlen;
* fido_cbor_info_minpinlen;
* fido_cbor_info_new_pin_required;
* fido_cbor_info_rk_remaining;
* fido_cbor_info_uv_attempts;
* fido_cbor_info_uv_modality.
* Documentation and reliability fixes.
* Version 1.11.0 (2022-05-03)
* Experimental PCSC support; enable with -DUSE_PCSC.
* Improved OpenSSL 3.0 compatibility.
* Use RFC1951 raw deflate to compress CTAP 2.1 largeBlobs.
* winhello: advertise "uv" instead of "clientPin".
* winhello: support hmac-secret in fido_dev_get_assert().
* New API calls:
* fido_cbor_info_maxlargeblob.
* Documentation and reliability fixes.
* Separate build and regress targets.
* Version 1.10.0 (2022-01-17)
* bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*(); gh#480.
* New API calls:
* fido_dev_info_set;
* fido_dev_io_handle;
* fido_dev_new_with_info;
* fido_dev_open_with_info.
* Cygwin and NetBSD build fixes.
* Documentation and reliability fixes.
* Support for TPM 2.0 attestation of COSE_ES256 credentials.
* Version 1.9.0 (2021-10-27)
* Enabled NFC support on Linux.
* Support for FIDO 2.1 "minPinLength" extension.
* Support for COSE_EDDSA, COSE_ES256, and COSE_RS1 attestation.
* Support for TPM 2.0 attestation.
* Support for device timeouts; see fido_dev_set_timeout().
* New API calls:
* es256_pk_from_EVP_PKEY;
* fido_cred_attstmt_len;
* fido_cred_attstmt_ptr;
* fido_cred_pin_minlen;
* fido_cred_set_attstmt;
* fido_cred_set_pin_minlen;
* fido_dev_set_pin_minlen_rpid;
* fido_dev_set_timeout;
* rs256_pk_from_EVP_PKEY.
* Reliability and portability fixes.
* Better handling of HID devices without identification strings; gh#381.
* Update to version 1.8.0:
* Better support for FIDO 2.1 authenticators.
* Support for attestation format 'none'.
* New API calls:
* fido_assert_set_clientdata;
* fido_cbor_info_algorithm_cose;
* fido_cbor_info_algorithm_count;
* fido_cbor_info_algorithm_type;
* fido_cbor_info_transports_len;
* fido_cbor_info_transports_ptr;
* fido_cred_set_clientdata;
* fido_cred_set_id;
* fido_credman_set_dev_rk;
* fido_dev_is_winhello.
* fido2-token: new -Sc option to update a resident credential.
* Documentation and reliability fixes.
* HID access serialisation on Linux.
* Update to version 1.7.0:
* hid_win: detect devices with vendor or product IDs > 0x7fff
* Support for FIDO 2.1 authenticator configuration.
* Support for FIDO 2.1 UV token permissions.
* Support for FIDO 2.1 "credBlobs" and "largeBlobs" extensions.
* New API calls
* New fido_init flag to disable fido_dev_open’s U2F fallback
* Experimental NFC support on Linux.
* Enabled hidapi again, issues related to hidapi are fixed upstream
* Update to version 1.6.0:
* Documentation and reliability fixes.
* New API calls:
* fido_cred_authdata_raw_len;
* fido_cred_authdata_raw_ptr;
* fido_cred_sigcount;
* fido_dev_get_uv_retry_count;
* fido_dev_supports_credman.
* Hardened Windows build.
* Native FreeBSD and NetBSD support.
* Use CTAP2 canonical CBOR when combining hmac-secret and credProtect.
* Create a udev subpackage and ship the udev rule.
Changes in python-fido2:
* update to 0.9.3:
* Don't fail device discovery when hidraw doesn't support HIDIOCGRAWUNIQ
* Support the latest Windows webauthn.h API (included in Windows 11).
* Add product name and serial number to HidDescriptors.
* Remove the need for the uhid-freebsd dependency on FreeBSD.
* Update to version 0.9.1
* Add new CTAP error codes and improve handling of unknown codes.
* Client: API changes to better support extensions.
* Client.make_credential now returns a AuthenticatorAttestationResponse, which
holds the AttestationObject and ClientData, as well as any client extension
results for the credential.
* Client.get_assertion now returns an AssertionSelection object, which is used
to select between multiple assertions
* Renames: The CTAP1 and CTAP2 classes have been renamed to Ctap1 and Ctap2,
respectively.
* ClientPin: The ClientPin API has been restructured to support multiple PIN
protocols, UV tokens, and token permissions.
* CTAP 2.1 PRE: Several new features have been added for CTAP 2.1
* HID: The platform specific HID code has been revamped
* Version 0.8.1 (released 2019-11-25)
* Bugfix: WindowsClient.make_credential error when resident key requirement is
unspecified.
* Version 0.8.0 (released 2019-11-25)
* New fido2.webauthn classes modeled after the W3C WebAuthn spec introduced.
* CTAP2 send_cbor/make_credential/get_assertion and U2fClient
request/authenticate timeout arguments replaced with event used to cancel a
request.
* Fido2Client:
* make_credential/get_assertion now take WebAuthn options objects.
* timeout is now provided in ms in WebAuthn options objects. Event based cancelation also available by passing an Event.
* Fido2Server:
* ATTESTATION, USER_VERIFICATION, and AUTHENTICATOR_ATTACHMENT enums have been replaced with fido2.webauthn classes.
* RelyingParty has been replaced with PublicKeyCredentialRpEntity, and name is no longer optional.
* Options returned by register_begin/authenticate_begin now omit unspecified values if they are optional, instead of filling in default values.
* Fido2Server.allowed_algorithms now contains a list of PublicKeyCredentialParameters instead of algorithm identifiers.
* Fido2Server.timeout is now in ms and of type int.
* Support native WebAuthn API on Windows through WindowsClient.
* Version 0.7.2 (released 2019-10-24)
* Support for the TPM attestation format.
* Allow passing custom challenges to register/authenticate in Fido2Server.
* Bugfix: CTAP2 CANCEL command response handling fixed.
* Bugfix: Fido2Client fix handling of empty allow_list.
* Bugfix: Fix typo in CTAP2.get_assertions() causing it to fail.
* Version 0.7.1 (released 2019-09-20)
* Enforce canonical CBOR on Authenticator responses by default.
* PCSC: Support extended APDUs.
* Server: Verify that UP flag is set.
* U2FFido2Server: Implement AppID exclusion extension.
* U2FFido2Server: Allow custom U2F facet verification.
* Bugfix: U2FFido2Server.authenticate_complete now returns the result.
* Version 0.7.0 (released 2019-06-17)
* Add support for NFC devices using PCSC.
* Add support for the hmac-secret Authenticator extension.
* Honor max credential ID length and number of credentials to Authenticator.
* Add close() method to CTAP devices to explicitly release their resources.
* Version 0.6.0 (released 2019-05-10)
* Don't fail if CTAP2 Info contains unknown fields.
* Replace cbor loads/dumps functions with encode/decode/decode_from.
* Server: Add support for AuthenticatorAttachment.
* Server: Add support for more key algorithms.
* Client: Expose CTAP2 Info object as Fido2Client.info.
Changes in yubikey-manager:
* Update to version 4.0.9 (released 2022-06-17)
* Dependency: Add support for python-fido2 1.x
* Fix: Drop stated support for Click 6 as features from 7 are being used.
* Update to version 4.0.8 (released 2022-01-31)
* Bugfix: Fix error message for invalid modhex when programing a YubiOTP
credential.
* Bugfix: Fix issue with displaying a Steam credential when it is the only
account.
* Bugfix: Prevent installation of files in site-packages root.
* Bugfix: Fix cleanup logic in PIV for protected management key.
* Add support for token identifier when programming slot-based HOTP.
* Add support for programming NDEF in text mode.
* Dependency: Add support for Cryptography ⇐ 38.
* version update to 4.0.7
** Bugfix release: Fix broken naming for "YubiKey 4", and a small OATH issue
with touch Steam credentials.
* version 4.0.6 (released 2021-09-08)
**Improve handling of YubiKey device reboots.** More consistently mask
PIN/password input in prompts. **Support switching mode over CCID for YubiKey
Edge.** Run pkill from PATH instead of fixed location.
* version 4.0.5 (released 2021-07-16)
**Bugfix: Fix PIV feature detection for some YubiKey NEO versions.** Bugfix: Fix
argument short form for --period when adding TOTP credentials. **Bugfix: More
strict validation for some arguments, resulting in better error messages.**
Bugfix: Correctly handle TOTP credentials using period != 30 AND touch_required.
** Bugfix: Fix prompting for access code in the otp settings command (now uses
"-A -").
* Update to version 4.0.3
* Add support for fido reset over NFC.
* Bugfix: The --touch argument to piv change-management-key was ignored.
* Bugfix: Don’t prompt for password when importing PIV key/cert if file is
invalid.
* Bugfix: Fix setting touch-eject/auto-eject for YubiKey 4 and NEO.
* Bugfix: Detect PKCS#12 format when outer sequence uses indefinite length.
* Dependency: Add support for Click 8.
* Update to version 4.0.2
* Update device names
* Add read_info output to the --diagnose command, and show exception types.
* Bugfix: Fix read_info for YubiKey Plus.
* Add support for YK5-based FIPS YubiKeys.
* Bugfix: Fix OTP device enumeration on Win32.
* Drop reliance on libusb and libykpersonalize.
* Support the "fido" and "otp" subcommands over NFC
* New "ykman --diagnose" command to aid in troubleshooting.
* New "ykman apdu" command for sending raw APDUs over the smart card
interface.
* New "yubikit" package added for custom development and advanced scripting.
* OpenPGP: Add support for KDF enabled YubiKeys.
* Static password: Add support for FR, IT, UK and BEPO keyboard layouts.
* Update to 3.1.1
* Add support for YubiKey 5C NFC
* OpenPGP: set-touch now performs compatibility checks before prompting for
PIN
* OpenPGP: Improve error messages and documentation for set-touch
* PIV: read-object command no longer adds a trailing newline
* CLI: Hint at missing permissions when opening a device fails
* Linux: Improve error handling when pcscd is not running
* Windows: Improve how .DLL files are loaded, thanks to Marius Gabriel Mihai
for reporting this!
* Bugfix: set-touch now accepts the cached-fixed option
* Bugfix: Fix crash in OtpController.prepare_upload_key() error parsing
* Bugfix: Fix crash in piv info command when a certificate slot contains an
invalid certificate
* Library: PivController.read_certificate(slot) now wraps certificate parsing
exceptions in new exception type InvalidCertificate
* Library: PivController.list_certificates() now returns None for slots
containing invalid certificate, instead of raising an exception
* Version 3.1.0 (released 2019-08-20)
* Add support for YubiKey 5Ci
* OpenPGP: the info command now prints OpenPGP specification version as well
* OpenPGP: Update support for attestation to match OpenPGP v3.4
* PIV: Use UTC time for self-signed certificates
* OTP: Static password now supports the Norman keyboard layout
* Version 3.0.0 (released 2019-06-24)
* Add support for new YubiKey Preview and lightning form factor
* FIDO: Support for credential management
* OpenPGP: Support for OpenPGP attestation, cardholder certificates and cached
touch policies
* OTP: Add flag for using numeric keypad when sending digits
* Version 2.1.1 (released 2019-05-28)
* OTP: Add initial support for uploading Yubico OTP credentials to YubiCloud
* Don’t automatically select the U2F applet on YubiKey NEO, it might be
blocked by the OS
* ChalResp: Always pad challenge correctly
* Bugfix: Don’t crash with older versions of cryptography
* Bugfix: Password was always prompted in OATH command, even if sent as
argument
Changes in yubikey-manager-qt:
* update to 1.2.5:
* Compatibility update for ykman 5.0.1.
* Update to Python 3.11.
* Update product images.
* Update to version 1.2.4 (released 2021-10-26)
* Update device names and images.
* PIV: Fix import of certificate.
* Update to version 1.2.3
* Improved error handling when using Security Key Series devices.
* PIV: Fix generation of certificate in slot 9c.
* Update to version 1.2.2
* Fix detection of YubiKey Plus
* Compatibility update for yubikey-manager 4.0
* Bugfix: Device caching with multiple devices
* Drop dependencies on libusb and libykpers.
* Add additional product names and images
* update to 1.1.5
* Add support for YubiKey 5C NFC
* Update to version 1.1.4
* OTP: Add option to upload YubiOTP credential to YubiCloud
* Linux: Show hint about pcscd service if opening device fails
* Bugfix: Signal handling now compatible with Python 3.8
* Version 1.1.3 (released 2019-08-20)
* Add suppport for YubiKey 5Ci
* PIV: Use UTC time for self-signed certificates
* Version 1.1.2 (released 2019-06-24)
* Add support for new YubiKey Preview
* PIV: The popup for the management key now have a "Use default" option
* Windows: Fix issue with importing PIV certificates
* Bugfix: generate static password now works correctly
## Patch Instructions:
To install this SUSE Moderate update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap Micro 5.3
zypper in -t patch openSUSE-Leap-Micro-5.3-2023-2811=1
* openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2023-2811=1
* openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2023-2811=1
* SUSE Linux Enterprise Micro for Rancher 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2023-2811=1
* SUSE Linux Enterprise Micro 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2023-2811=1
* SUSE Linux Enterprise Micro for Rancher 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2023-2811=1
* SUSE Linux Enterprise Micro 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2023-2811=1
* Basesystem Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-2811=1
* Basesystem Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-2811=1
* Desktop Applications Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP4-2023-2811=1
## Package List:
* openSUSE Leap Micro 5.3 (aarch64 x86_64)
* libfido2-debuginfo-1.13.0-150400.5.3.1
* libfido2-1-debuginfo-1.13.0-150400.5.3.1
* libfido2-debugsource-1.13.0-150400.5.3.1
* libfido2-1-1.13.0-150400.5.3.1
* openSUSE Leap Micro 5.3 (noarch)
* libfido2-udev-1.13.0-150400.5.3.1
* openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
* yubikey-manager-qt-debuginfo-1.2.5-150400.9.3.1
* libfido2-debuginfo-1.13.0-150400.5.3.1
* libfido2-devel-1.13.0-150400.5.3.1
* libfido2-utils-debuginfo-1.13.0-150400.5.3.1
* libfido2-debugsource-1.13.0-150400.5.3.1
* yubikey-manager-qt-1.2.5-150400.9.3.1
* yubikey-manager-qt-debugsource-1.2.5-150400.9.3.1
* libfido2-1-1.13.0-150400.5.3.1
* libfido2-1-debuginfo-1.13.0-150400.5.3.1
* libfido2-utils-1.13.0-150400.5.3.1
* openSUSE Leap 15.4 (noarch)
* python3-dataclasses-0.8-150400.3.2.1
* yubikey-manager-4.0.9-150400.9.3.1
* python3-fido2-0.9.3-150400.9.3.1
* libfido2-udev-1.13.0-150400.5.3.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
* yubikey-manager-qt-debuginfo-1.2.5-150400.9.3.1
* libfido2-debuginfo-1.13.0-150400.5.3.1
* libfido2-devel-1.13.0-150400.5.3.1
* libfido2-utils-debuginfo-1.13.0-150400.5.3.1
* libfido2-debugsource-1.13.0-150400.5.3.1
* yubikey-manager-qt-1.2.5-150400.9.3.1
* yubikey-manager-qt-debugsource-1.2.5-150400.9.3.1
* libfido2-1-1.13.0-150400.5.3.1
* libfido2-1-debuginfo-1.13.0-150400.5.3.1
* libfido2-utils-1.13.0-150400.5.3.1
* openSUSE Leap 15.5 (noarch)
* python3-dataclasses-0.8-150400.3.2.1
* yubikey-manager-4.0.9-150400.9.3.1
* python3-fido2-0.9.3-150400.9.3.1
* libfido2-udev-1.13.0-150400.5.3.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
* libfido2-debuginfo-1.13.0-150400.5.3.1
* libfido2-1-debuginfo-1.13.0-150400.5.3.1
* libfido2-debugsource-1.13.0-150400.5.3.1
* libfido2-1-1.13.0-150400.5.3.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (noarch)
* libfido2-udev-1.13.0-150400.5.3.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
* libfido2-debuginfo-1.13.0-150400.5.3.1
* libfido2-1-debuginfo-1.13.0-150400.5.3.1
* libfido2-debugsource-1.13.0-150400.5.3.1
* libfido2-1-1.13.0-150400.5.3.1
* SUSE Linux Enterprise Micro 5.3 (noarch)
* libfido2-udev-1.13.0-150400.5.3.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
* libfido2-debuginfo-1.13.0-150400.5.3.1
* libfido2-1-debuginfo-1.13.0-150400.5.3.1
* libfido2-debugsource-1.13.0-150400.5.3.1
* libfido2-1-1.13.0-150400.5.3.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (noarch)
* libfido2-udev-1.13.0-150400.5.3.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
* libfido2-debuginfo-1.13.0-150400.5.3.1
* libfido2-1-debuginfo-1.13.0-150400.5.3.1
* libfido2-debugsource-1.13.0-150400.5.3.1
* libfido2-1-1.13.0-150400.5.3.1
* SUSE Linux Enterprise Micro 5.4 (noarch)
* libfido2-udev-1.13.0-150400.5.3.1
* Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* libfido2-debuginfo-1.13.0-150400.5.3.1
* libfido2-devel-1.13.0-150400.5.3.1
* libfido2-debugsource-1.13.0-150400.5.3.1
* libfido2-1-1.13.0-150400.5.3.1
* libfido2-1-debuginfo-1.13.0-150400.5.3.1
* Basesystem Module 15-SP4 (noarch)
* python3-dataclasses-0.8-150400.3.2.1
* yubikey-manager-4.0.9-150400.9.3.1
* python3-fido2-0.9.3-150400.9.3.1
* libfido2-udev-1.13.0-150400.5.3.1
* Basesystem Module 15-SP5 (noarch)
* python3-dataclasses-0.8-150400.3.2.1
* Desktop Applications Module 15-SP4 (aarch64 ppc64le s390x x86_64)
* yubikey-manager-qt-debugsource-1.2.5-150400.9.3.1
* yubikey-manager-qt-debuginfo-1.2.5-150400.9.3.1
* yubikey-manager-qt-1.2.5-150400.9.3.1
## References:
* https://jira.suse.com/browse/PED-4521
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20230712/af567837/attachment.htm>
More information about the sle-updates
mailing list