<div class="container">
<h1>Recommended update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2023:2811-2</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-4521">jsc#PED-4521</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Basesystem Module 15-SP5</li>
<li class="list-group-item">Desktop Applications Module 15-SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Micro 5.5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that contains one feature can now be installed.</p>
<h2>Description:</h2>
<p>This update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt fixes the following issues:</p>
<p>This update provides a feature update to the FIDO2 stack.</p>
<p>Changes in libfido2:</p>
<ul>
<li>
<p>Version 1.13.0 (2023-02-20)</p>
<ul>
<li>
<p>New API calls:</p>
<ul>
<li>fido_assert_empty_allow_list;</li>
<li>fido_cred_empty_exclude_list.</li>
</ul>
</li>
<li>
<p>fido2-token: fix issue when listing large blobs.</p>
</li>
</ul>
</li>
<li>
<p>Version 1.12.0 (2022-09-22)</p>
</li>
<li>
<p>Support for COSE_ES384.</p>
</li>
<li>
<p>Improved support for FIDO 2.1 authenticators.</p>
</li>
<li>
<p>New API calls:</p>
<ul>
<li>es384_pk_free;</li>
<li>es384_pk_from_EC_KEY;</li>
<li>es384_pk_from_EVP_PKEY;</li>
<li>es384_pk_from_ptr;</li>
<li>es384_pk_new;</li>
<li>es384_pk_to_EVP_PKEY;</li>
<li>fido_cbor_info_certs_len;</li>
<li>fido_cbor_info_certs_name_ptr;</li>
<li>fido_cbor_info_certs_value_ptr;</li>
<li>fido_cbor_info_maxrpid_minpinlen;</li>
<li>fido_cbor_info_minpinlen;</li>
<li>fido_cbor_info_new_pin_required;</li>
<li>fido_cbor_info_rk_remaining;</li>
<li>fido_cbor_info_uv_attempts;</li>
<li>fido_cbor_info_uv_modality.</li>
</ul>
</li>
<li>
<p>Documentation and reliability fixes.</p>
</li>
<li>
<p>Version 1.11.0 (2022-05-03)</p>
</li>
<li>
<p>Experimental PCSC support; enable with -DUSE_PCSC.</p>
</li>
<li>Improved OpenSSL 3.0 compatibility.</li>
<li>Use RFC1951 raw deflate to compress CTAP 2.1 largeBlobs.</li>
<li>winhello: advertise "uv" instead of "clientPin".</li>
<li>winhello: support hmac-secret in fido_dev_get_assert().</li>
<li>
<p>New API calls:</p>
<ul>
<li>fido_cbor_info_maxlargeblob.</li>
</ul>
</li>
<li>
<p>Documentation and reliability fixes.</p>
</li>
<li>
<p>Separate build and regress targets.</p>
</li>
<li>
<p>Version 1.10.0 (2022-01-17)</p>
</li>
<li>
<p>bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*(); gh#480.</p>
</li>
<li>
<p>New API calls:</p>
<ul>
<li>fido_dev_info_set;</li>
<li>fido_dev_io_handle;</li>
<li>fido_dev_new_with_info;</li>
<li>fido_dev_open_with_info.</li>
</ul>
</li>
<li>Cygwin and NetBSD build fixes.</li>
<li>Documentation and reliability fixes.</li>
<li>Support for TPM 2.0 attestation of COSE_ES256 credentials.</li>
<li>
<p>Version 1.9.0 (2021-10-27)</p>
</li>
<li>
<p>Enabled NFC support on Linux.</p>
</li>
<li>Support for FIDO 2.1 "minPinLength" extension.</li>
<li>Support for COSE_EDDSA, COSE_ES256, and COSE_RS1 attestation.</li>
<li>Support for TPM 2.0 attestation.</li>
<li>Support for device timeouts; see fido_dev_set_timeout().</li>
<li>
<p>New API calls:</p>
<ul>
<li>es256_pk_from_EVP_PKEY;</li>
<li>fido_cred_attstmt_len;</li>
<li>fido_cred_attstmt_ptr;</li>
<li>fido_cred_pin_minlen;</li>
<li>fido_cred_set_attstmt;</li>
<li>fido_cred_set_pin_minlen;</li>
<li>fido_dev_set_pin_minlen_rpid;</li>
<li>fido_dev_set_timeout;</li>
<li>rs256_pk_from_EVP_PKEY.</li>
</ul>
</li>
<li>
<p>Reliability and portability fixes.</p>
</li>
<li>
<p>Better handling of HID devices without identification strings; gh#381.</p>
</li>
<li>
<p>Update to version 1.8.0:</p>
<ul>
<li>Better support for FIDO 2.1 authenticators.</li>
<li>Support for attestation format 'none'.</li>
<li>
<p>New API calls:</p>
<ul>
<li>fido_assert_set_clientdata;</li>
<li>fido_cbor_info_algorithm_cose;</li>
<li>fido_cbor_info_algorithm_count;</li>
<li>fido_cbor_info_algorithm_type;</li>
<li>fido_cbor_info_transports_len;</li>
<li>fido_cbor_info_transports_ptr;</li>
<li>fido_cred_set_clientdata;</li>
<li>fido_cred_set_id;</li>
<li>fido_credman_set_dev_rk;</li>
<li>fido_dev_is_winhello.</li>
</ul>
</li>
<li>
<p>fido2-token: new -Sc option to update a resident credential.</p>
</li>
<li>Documentation and reliability fixes.</li>
<li>HID access serialisation on Linux.</li>
</ul>
</li>
<li>
<p>Update to version 1.7.0:</p>
</li>
<li>
<p>hid_win: detect devices with vendor or product IDs > 0x7fff</p>
</li>
<li>Support for FIDO 2.1 authenticator configuration.</li>
<li>Support for FIDO 2.1 UV token permissions.</li>
<li>Support for FIDO 2.1 "credBlobs" and "largeBlobs" extensions.</li>
<li>New API calls</li>
<li>New fido_init flag to disable fido_dev_open’s U2F fallback</li>
<li>
<p>Experimental NFC support on Linux.</p>
</li>
<li>
<p>Enabled hidapi again, issues related to hidapi are fixed upstream</p>
</li>
<li>
<p>Update to version 1.6.0:</p>
</li>
<li>
<p>Documentation and reliability fixes.</p>
</li>
<li>
<p>New API calls:</p>
<ul>
<li>fido_cred_authdata_raw_len;</li>
<li>fido_cred_authdata_raw_ptr;</li>
<li>fido_cred_sigcount;</li>
<li>fido_dev_get_uv_retry_count;</li>
<li>fido_dev_supports_credman.</li>
</ul>
</li>
<li>Hardened Windows build.</li>
<li>Native FreeBSD and NetBSD support.</li>
<li>Use CTAP2 canonical CBOR when combining hmac-secret and credProtect.</li>
<li>
<p>Create a udev subpackage and ship the udev rule.</p>
</li>
</ul>
<p>Changes in python-fido2:</p>
<ul>
<li>
<p>update to 0.9.3:</p>
</li>
<li>
<p>Don't fail device discovery when hidraw doesn't support HIDIOCGRAWUNIQ</p>
</li>
<li>Support the latest Windows webauthn.h API (included in Windows 11).</li>
<li>Add product name and serial number to HidDescriptors.</li>
<li>
<p>Remove the need for the uhid-freebsd dependency on FreeBSD.</p>
</li>
<li>
<p>Update to version 0.9.1</p>
</li>
<li>
<p>Add new CTAP error codes and improve handling of unknown codes.</p>
</li>
<li>Client: API changes to better support extensions.</li>
<li>Client.make_credential now returns an AuthenticatorAttestationResponse,
which holds the AttestationObject and ClientData, as well as any
client extension results for the credential.</li>
<li>Client.get_assertion now returns an AssertionSelection object,
which is used to select between multiple assertions</li>
<li>Renames: The CTAP1 and CTAP2 classes have been renamed to
Ctap1 and Ctap2, respectively.</li>
<li>ClientPin: The ClientPin API has been restructured to support
multiple PIN protocols, UV tokens, and token permissions.</li>
<li>CTAP 2.1 PRE: Several new features have been added for CTAP 2.1</li>
<li>
<p>HID: The platform specific HID code has been revamped</p>
</li>
<li>
<p>Version 0.8.1 (released 2019-11-25)</p>
</li>
<li>
<p>Bugfix: WindowsClient.make_credential error when resident key requirement is unspecified.</p>
</li>
<li>
<p>Version 0.8.0 (released 2019-11-25)</p>
</li>
<li>
<p>New fido2.webauthn classes modeled after the W3C WebAuthn spec introduced.</p>
</li>
<li>CTAP2 send_cbor/make_credential/get_assertion and U2fClient request/authenticate timeout arguments replaced with event used to cancel a request.</li>
<li>
<p>Fido2Client:</p>
<ul>
<li>make_credential/get_assertion now take WebAuthn options objects.</li>
<li>timeout is now provided in ms in WebAuthn options objects. Event based cancelation also available by passing an Event.</li>
</ul>
</li>
<li>
<p>Fido2Server:</p>
<ul>
<li>ATTESTATION, USER_VERIFICATION, and AUTHENTICATOR_ATTACHMENT enums have been replaced with fido2.webauthn classes.</li>
<li>RelyingParty has been replaced with PublicKeyCredentialRpEntity, and name is no longer optional.</li>
<li>Options returned by register_begin/authenticate_begin now omit unspecified values if they are optional, instead of filling in default values.</li>
<li>Fido2Server.allowed_algorithms now contains a list of PublicKeyCredentialParameters instead of algorithm identifiers.</li>
<li>Fido2Server.timeout is now in ms and of type int.</li>
</ul>
</li>
<li>
<p>Support native WebAuthn API on Windows through WindowsClient.</p>
</li>
<li>
<p>Version 0.7.2 (released 2019-10-24)</p>
</li>
<li>
<p>Support for the TPM attestation format.</p>
</li>
<li>Allow passing custom challenges to register/authenticate in Fido2Server.</li>
<li>Bugfix: CTAP2 CANCEL command response handling fixed.</li>
<li>Bugfix: Fido2Client fix handling of empty allow_list.</li>
<li>
<p>Bugfix: Fix typo in CTAP2.get_assertions() causing it to fail.</p>
</li>
<li>
<p>Version 0.7.1 (released 2019-09-20)</p>
</li>
<li>
<p>Enforce canonical CBOR on Authenticator responses by default.</p>
</li>
<li>PCSC: Support extended APDUs.</li>
<li>Server: Verify that UP flag is set.</li>
<li>U2FFido2Server: Implement AppID exclusion extension.</li>
<li>U2FFido2Server: Allow custom U2F facet verification.</li>
<li>
<p>Bugfix: U2FFido2Server.authenticate_complete now returns the result.</p>
</li>
<li>
<p>Version 0.7.0 (released 2019-06-17)</p>
</li>
<li>
<p>Add support for NFC devices using PCSC.</p>
</li>
<li>Add support for the hmac-secret Authenticator extension.</li>
<li>Honor max credential ID length and number of credentials to Authenticator.</li>
<li>
<p>Add close() method to CTAP devices to explicitly release their resources.</p>
</li>
<li>
<p>Version 0.6.0 (released 2019-05-10)</p>
</li>
<li>
<p>Don't fail if CTAP2 Info contains unknown fields.</p>
</li>
<li>Replace cbor loads/dumps functions with encode/decode/decode_from.</li>
<li>Server: Add support for AuthenticatorAttachment.</li>
<li>Server: Add support for more key algorithms.</li>
<li>Client: Expose CTAP2 Info object as Fido2Client.info. </li>
</ul>
<p>Changes in yubikey-manager:</p>
<ul>
<li>
<p>Update to version 4.0.9 (released 2022-06-17)</p>
</li>
<li>
<p>Dependency: Add support for python-fido2 1.x</p>
</li>
<li>
<p>Fix: Drop stated support for Click 6 as features from 7 are being used.</p>
</li>
<li>
<p>Update to version 4.0.8 (released 2022-01-31)</p>
</li>
<li>
<p>Bugfix: Fix error message for invalid modhex when programming a YubiOTP credential.</p>
</li>
<li>Bugfix: Fix issue with displaying a Steam credential when it is the only account.</li>
<li>Bugfix: Prevent installation of files in site-packages root.</li>
<li>Bugfix: Fix cleanup logic in PIV for protected management key.</li>
<li>Add support for token identifier when programming slot-based HOTP.</li>
<li>Add support for programming NDEF in text mode.</li>
<li>
<p>Dependency: Add support for Cryptography &lt;= 38.</p>
</li>
<li>
<p>version update to 4.0.7</p>
</li>
</ul>
<ul>
<li>Bugfix release: Fix broken naming for "YubiKey 4", and a small OATH issue with
touch Steam credentials.</li>
<li>
<p>version 4.0.6 (released 2021-09-08)</p>
</li>
<li>Improve handling of YubiKey device reboots.</li>
<li>More consistently mask PIN/password input in prompts.</li>
<li>Support switching mode over CCID for YubiKey Edge.</li>
<li>Run pkill from PATH instead of fixed location.</li>
<li>
<p>version 4.0.5 (released 2021-07-16)</p>
</li>
<li>Bugfix: Fix PIV feature detection for some YubiKey NEO versions.</li>
<li>Bugfix: Fix argument short form for --period when adding TOTP credentials.</li>
<li>Bugfix: More strict validation for some arguments, resulting in better error messages.</li>
<li>Bugfix: Correctly handle TOTP credentials using period != 30 AND touch_required.</li>
<li>Bugfix: Fix prompting for access code in the otp settings command (now uses "-A -").</li>
</ul>
<ul>
<li>
<p>Update to version 4.0.3</p>
</li>
<li>
<p>Add support for fido reset over NFC.</p>
</li>
<li>Bugfix: The --touch argument to piv change-management-key was
ignored.</li>
<li>Bugfix: Don’t prompt for password when importing PIV key/cert
if file is invalid.</li>
<li>Bugfix: Fix setting touch-eject/auto-eject for YubiKey 4 and NEO.</li>
<li>Bugfix: Detect PKCS#12 format when outer sequence uses
indefinite length.</li>
<li>
<p>Dependency: Add support for Click 8.</p>
</li>
<li>
<p>Update to version 4.0.2</p>
</li>
<li>
<p>Update device names</p>
</li>
<li>Add read_info output to the --diagnose command, and show
exception types.</li>
<li>Bugfix: Fix read_info for YubiKey Plus.</li>
<li>Add support for YK5-based FIPS YubiKeys.</li>
<li>Bugfix: Fix OTP device enumeration on Win32.</li>
<li>Drop reliance on libusb and libykpersonalize.</li>
<li>Support the "fido" and "otp" subcommands over NFC</li>
<li>New "ykman --diagnose" command to aid in troubleshooting.</li>
<li>New "ykman apdu" command for sending raw APDUs over the smart
card interface.</li>
<li>New "yubikit" package added for custom development and advanced
scripting.</li>
<li>OpenPGP: Add support for KDF enabled YubiKeys.</li>
<li>
<p>Static password: Add support for FR, IT, UK and BEPO keyboard
layouts.</p>
</li>
<li>
<p>Update to 3.1.1</p>
</li>
<li>
<p>Add support for YubiKey 5C NFC</p>
</li>
<li>OpenPGP: set-touch now performs compatibility checks before prompting for PIN</li>
<li>OpenPGP: Improve error messages and documentation for set-touch</li>
<li>PIV: read-object command no longer adds a trailing newline</li>
<li>CLI: Hint at missing permissions when opening a device fails</li>
<li>Linux: Improve error handling when pcscd is not running</li>
<li>Windows: Improve how .DLL files are loaded, thanks to Marius Gabriel Mihai for reporting this!</li>
<li>Bugfix: set-touch now accepts the cached-fixed option</li>
<li>Bugfix: Fix crash in OtpController.prepare_upload_key() error parsing</li>
<li>Bugfix: Fix crash in piv info command when a certificate slot contains an invalid certificate</li>
<li>Library: PivController.read_certificate(slot) now wraps certificate parsing exceptions in new exception type InvalidCertificate</li>
<li>
<p>Library: PivController.list_certificates() now returns None for slots containing invalid certificate, instead of raising an exception</p>
</li>
<li>
<p>Version 3.1.0 (released 2019-08-20)</p>
</li>
<li>
<p>Add support for YubiKey 5Ci</p>
</li>
<li>OpenPGP: the info command now prints OpenPGP specification version as well</li>
<li>OpenPGP: Update support for attestation to match OpenPGP v3.4</li>
<li>PIV: Use UTC time for self-signed certificates</li>
<li>
<p>OTP: Static password now supports the Norman keyboard layout</p>
</li>
<li>
<p>Version 3.0.0 (released 2019-06-24)</p>
</li>
<li>
<p>Add support for new YubiKey Preview and lightning form factor</p>
</li>
<li>FIDO: Support for credential management</li>
<li>OpenPGP: Support for OpenPGP attestation, cardholder certificates and
cached touch policies</li>
<li>
<p>OTP: Add flag for using numeric keypad when sending digits </p>
</li>
<li>
<p>Version 2.1.1 (released 2019-05-28)</p>
</li>
<li>
<p>OTP: Add initial support for uploading Yubico OTP credentials to YubiCloud</p>
</li>
<li>Don’t automatically select the U2F applet on YubiKey NEO, it might be
blocked by the OS</li>
<li>ChalResp: Always pad challenge correctly</li>
<li>Bugfix: Don’t crash with older versions of cryptography</li>
<li>Bugfix: Password was always prompted in OATH command, even if sent as
argument</li>
</ul>
<p>Changes in yubikey-manager-qt:</p>
<ul>
<li>
<p>update to 1.2.5:</p>
</li>
<li>
<p>Compatibility update for ykman 5.0.1.</p>
</li>
<li>Update to Python 3.11.</li>
<li>
<p>Update product images.</p>
</li>
<li>
<p>Update to version 1.2.4 (released 2021-10-26)</p>
</li>
<li>
<p>Update device names and images.</p>
</li>
<li>
<p>PIV: Fix import of certificate.</p>
</li>
<li>
<p>Update to version 1.2.3</p>
</li>
<li>
<p>Improved error handling when using Security Key Series devices.</p>
</li>
<li>
<p>PIV: Fix generation of certificate in slot 9c.</p>
</li>
<li>
<p>Update to version 1.2.2</p>
</li>
<li>
<p>Fix detection of YubiKey Plus</p>
</li>
<li>Compatibility update for yubikey-manager 4.0</li>
<li>Bugfix: Device caching with multiple devices</li>
<li>Drop dependencies on libusb and libykpers.</li>
<li>
<p>Add additional product names and images</p>
</li>
<li>
<p>update to 1.1.5</p>
</li>
<li>
<p>Add support for YubiKey 5C NFC</p>
</li>
<li>
<p>Update to version 1.1.4</p>
</li>
<li>
<p>OTP: Add option to upload YubiOTP credential to YubiCloud</p>
</li>
<li>Linux: Show hint about pcscd service if opening device fails</li>
<li>
<p>Bugfix: Signal handling now compatible with Python 3.8</p>
</li>
<li>
<p>Version 1.1.3 (released 2019-08-20)</p>
</li>
<li>
<p>Add support for YubiKey 5Ci</p>
</li>
<li>
<p>PIV: Use UTC time for self-signed certificates</p>
</li>
<li>
<p>Version 1.1.2 (released 2019-06-24)</p>
</li>
<li>
<p>Add support for new YubiKey Preview</p>
</li>
<li>PIV: The popup for the management key now has a "Use default" option</li>
<li>Windows: Fix issue with importing PIV certificates</li>
<li>Bugfix: generate static password now works correctly</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
Desktop Applications Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP5-2023-2811=1</code>
</li>
<li class="list-group-item">
Basesystem Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-2811=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Micro 5.5
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-5.5-2023-2811=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
Desktop Applications Module 15-SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>yubikey-manager-qt-debuginfo-1.2.5-150400.9.3.1</li>
<li>yubikey-manager-qt-1.2.5-150400.9.3.1</li>
<li>yubikey-manager-qt-debugsource-1.2.5-150400.9.3.1</li>
</ul>
</li>
<li>
Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>libfido2-1-debuginfo-1.13.0-150400.5.3.1</li>
<li>libfido2-1-1.13.0-150400.5.3.1</li>
<li>libfido2-debuginfo-1.13.0-150400.5.3.1</li>
<li>libfido2-devel-1.13.0-150400.5.3.1</li>
<li>libfido2-debugsource-1.13.0-150400.5.3.1</li>
</ul>
</li>
<li>
Basesystem Module 15-SP5 (noarch)
<ul>
<li>yubikey-manager-4.0.9-150400.9.3.1</li>
<li>libfido2-udev-1.13.0-150400.5.3.1</li>
<li>python3-fido2-0.9.3-150400.9.3.1</li>
<li>python3-dataclasses-0.8-150400.3.2.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Micro 5.5 (aarch64 s390x x86_64)
<ul>
<li>libfido2-debugsource-1.13.0-150400.5.3.1</li>
<li>libfido2-1-1.13.0-150400.5.3.1</li>
<li>libfido2-1-debuginfo-1.13.0-150400.5.3.1</li>
<li>libfido2-debuginfo-1.13.0-150400.5.3.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://jira.suse.com/browse/PED-4521">https://jira.suse.com/browse/PED-4521</a>
</li>
</ul>
</div>