<div class="container">
<h1>Feature update for himmelblau</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-FU-2026:20990-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-04-01T09:26:05Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1247735">bsc#1247735</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1249013">bsc#1249013</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257904">bsc#1257904</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1258236">bsc#1258236</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1259548">bsc#1259548</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-14511">jsc#PED-14511</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-54882.html">CVE-2025-54882</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-58160.html">CVE-2025-58160</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-25727.html">CVE-2026-25727</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-31979.html">CVE-2026-31979</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-54882</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.4</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-54882</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.1</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-54882</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.1</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58160</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">2.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58160</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">3.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58160</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">2.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-25727</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-25727</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-25727</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.8</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-25727</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-31979</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-31979</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server - BCI 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves four vulnerabilities, contains one feature and has one fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for himmelblau fixes the following issues:</p>
<p>Update to himmelblau 2.3.8 (jsc#PED-14511):</p>
<p>Security issues:</p>
<ul>
<li>CVE-2025-54882: world readable cloud TGT token (bsc#1247735).</li>
<li>CVE-2025-58160: tracing-subscriber: Tracing log pollution (bsc#1249013).</li>
<li>CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257904).</li>
<li>CVE-2026-31979: race condition when accessing /tmp/krb5cc_&lt;uid&gt; (bsc#1259548).</li>
</ul>
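<p>Two of the fixed issues concern the on-disk Kerberos credential cache: a cloud TGT written world-readable (CVE-2025-54882) and a race when the cache under /tmp is accessed (CVE-2026-31979). A quick way for an administrator to confirm that no credential cache on a host is still readable by other users is to audit the file modes. The script below is an added example, not part of this advisory or of the himmelblau project; it assumes the <code>krb5cc_*</code> naming pattern named in the advisory and takes the directory to scan as a parameter, so it runs here against a constructed sample tree instead of the real /tmp.</p>

```shell
#!/bin/sh
# Added example (not SUSE's or himmelblau's own code): report Kerberos
# credential caches whose mode grants read access to "other" users.
# Assumption: caches are named krb5cc_* directly under the given directory.

# Print the path of every krb5cc_* regular file under $1 whose "other"
# read bit is set (character 8 of the ls -l mode string is 'r').
find_world_readable_ccaches() {
    dir="$1"
    for f in "$dir"/krb5cc_*; do
        [ -f "$f" ] || continue
        other_read=$(ls -ld "$f" | cut -c8)
        if [ "$other_read" = "r" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Return 0 when every cache in $1 is private, 1 when at least one is not.
ccaches_are_private() {
    [ -z "$(find_world_readable_ccaches "$1")" ]
}

# Constructed sample tree: one cache with a safe mode, one world-readable.
sample=$(mktemp -d)
printf 'sample' > "$sample/krb5cc_1000"; chmod 0600 "$sample/krb5cc_1000"
printf 'sample' > "$sample/krb5cc_1001"; chmod 0644 "$sample/krb5cc_1001"

# On a real host you would pass /tmp instead of "$sample".
find_world_readable_ccaches "$sample"
```

Run against a real host as root so that caches owned by other users are visible; an empty result from <code>find_world_readable_ccaches /tmp</code> means no cache there is readable by unrelated users. The check only covers file modes, not the race condition itself, which is addressed by the updated package.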
<p>Non-security issues:</p>
<ul>
<li>Fix SELinux module packaging to use standard policy macros (bsc#1258236).</li>
</ul>
<p>Changelog:</p>
<p>Version 2.3.8:</p>
<ul>
<li>Add PrivateTmp back to Tasks Daemon</li>
<li>Drop dead code</li>
<li>Drop krb5 ccache dir code</li>
<li>Add a TODO comment</li>
<li>Drop non-working packaged krb5 snippet file</li>
<li>Write kerberos config snippet</li>
<li>Extend resolver interface to return kerberos config together with TGTs</li>
<li>Backport SELinux fixes from main</li>
<li>Use libkrimes to store TGTs</li>
</ul>
<p>Version 2.3.7:</p>
<ul>
<li>cargo vet</li>
<li>Fix AWS-LC has PKCS7_verify Certificate Chain Validation Bypass</li>
<li>Revert dependency change which broke the nightly build</li>
<li>gen_dockerfiles: only himmelblaud has tpm feature, fix all others</li>
<li>fix(build): gen_dockerfiles.py mutates shared features list mid-loop</li>
</ul>
<p>Version 2.3.5:</p>
<ul>
<li>Better handle Intune API version</li>
<li>Update make vet from main branch</li>
<li>pam_himmelblau: call split_username once in chauthtok</li>
<li>pam_himmelblau: return PAM_IGNORE in chauthtok for local users</li>
<li>Don't attempt a DAG when Hello fails with SSPR demand</li>
</ul>
<p>Version 2.3.4:</p>
<ul>
<li>deps(rust): bump the all-cargo-updates group across 1 directory with 8 updates</li>
<li>Revert sketching update (which breaks SLE16 build)</li>
</ul>
<p>Version 2.3.3:</p>
<ul>
<li>/var/cache/private/himmelblaud should not be created tmpfiles</li>
<li>Update python vers for dataclasses dep</li>
<li>deps(rust): bump the all-cargo-updates group across 1 directory with 3 updates</li>
<li>Generate pin init service file systemd &lt; 250</li>
<li>Checkin missing himmelblaud.if file for SELinux</li>
<li>Resolve typos in selinux package commands</li>
</ul>
<p>Version 2.3.2:</p>
<ul>
<li>Compile SELinux policy at install time for cross-distro compatibility</li>
<li>Improve PAM configuration on openSUSE/SLE</li>
<li>Fix SELinux policy</li>
<li>Add a git hook to ensure selinux policy is tested</li>
<li>Ignore generated himmelblau-hsm-pin-init service file</li>
<li>Refactor SELinux policy for cross-distro compatibility</li>
<li>Fix NSS lookup for mapped local users</li>
<li>Skip OS version compliance checks when min/max values are empty</li>
</ul>
<p>Version 2.3.1:</p>
<ul>
<li>Remove references to qrcodegen (these are 3.x features)</li>
<li>QR Greeter compatibility for old GNOME</li>
<li>Enable QR greeter automatically</li>
<li>ci: Use latest cargo-vet from git to fix CI</li>
<li>Fix HSM pin migration failure on Debian/Ubuntu upgrades from v1.4.x</li>
</ul>
<p>Version 2.3.0:</p>
<ul>
<li>Autostart the daemons on fresh install or upgrade</li>
<li>Restart sshd when installing the ssh config</li>
<li>Allow tasks daemon to write krb ccache</li>
<li>Do not enumerate mapped users in NSS</li>
<li>Update libhimmelblau to latest version</li>
<li>Fix Tumbleweed build</li>
</ul>
<p>Version 2.2.0:</p>
<ul>
<li>Update libhimmelblau to 0.8.x series</li>
<li>deps(rust): bump the all-cargo-updates group with 17 updates</li>
<li>Only use OpenSSH bug workaround for ssh service</li>
<li>Fix debug noise from removing user from sudo group</li>
<li>systemd: install files to /usr/lib/, not /etc/</li>
</ul>
<p>Version 2.1.0:</p>
<ul>
<li>Fix nightly authselect build failure</li>
<li>Generate the authselect profiles for each distro</li>
<li>Improve pam config handling in aad-tool</li>
<li>Make <code>aad-tool configure-pam</code> detect location of pam files</li>
</ul>
<p>Version 2.0.5:</p>
<ul>
<li>/var/lib/private/himmelblaud should be owned by root</li>
<li>Use tmpfiles.d to create himmelblaud private data directory</li>
<li>deps(rust): bump the all-cargo-updates group with 13 updates</li>
</ul>
<p>Version 2.0.4:</p>
<ul>
<li>Update kanidm_build_profiles mask version</li>
<li>Utilize cargo vet from main</li>
<li>Add policies cache patch via systemd-tmpfiles</li>
<li>Fix man page comments about change idmap_range</li>
<li>Stub picky-krb for osc build</li>
<li>Stub a kanidm_build_profiles which builds in osc</li>
<li>Ensure nss cache is created on Ubuntu/Debian</li>
<li>Request a user token if NSS hasn't been called</li>
</ul>
<p>Version 2.0.3:</p>
<ul>
<li>Add nss cache patch via systemd-tmpfiles</li>
</ul>
<p>Version 2.0.2:</p>
<ul>
<li>Recommend <code>patch</code> with the pam package</li>
<li>Fix passwordless FIDO authentication not being used when available</li>
<li>Git workflow updates for stable-2.x</li>
<li>Only warn on Intune failure</li>
</ul>
<p>Version 2.0.1:</p>
<ul>
<li>Force o365 desktop files to always rebuild</li>
<li>Always rebuild the o365 apps</li>
<li>Add restart on-failure to systemd services</li>
<li>Clarify <code>domain</code> SHOULD match login domain</li>
<li>Remove warning about <code>domain</code> himmelblau.conf opt</li>
<li>Pseudo eliminate multi-tenant and domains section</li>
<li>Revert "Fix Hello PIN lookup when an alias domain"</li>
<li>Comment out <code>KbdInteractiveAuthentication on</code> in sshd conf</li>
<li>Check the nxset sooner, to avoid unwanted errors</li>
<li>Recommend oddjob_mkhomedir with authselect</li>
<li>Pin libhimmelblau to 0.7.x</li>
<li>Deprecate Fedora 41</li>
<li>deps(rust): bump the all-cargo-updates group with 11 updates</li>
<li>Bump github/codeql-action from 4.30.8 to 4.31.2</li>
<li>Bump cachix/install-nix-action from 31.8.1 to 31.8.2</li>
<li>Bump actions/upload-artifact from 4.6.2 to 5.0.0</li>
<li>cargo clippy and rebase fix</li>
<li>fixup! add extra debug output to NotFound error code</li>
<li>force error output to show up in CI logs</li>
<li>wrap repeated sources of IdpError::NotFound in helper functions</li>
<li>add extra debug output to NotFound error code</li>
<li>use direnv for loading the nix devshell</li>
<li>We should still encourage mapping by name</li>
<li>Add support for Fedora 43</li>
<li>Provide an offline 'breakglass' mode</li>
<li>cargo clippy</li>
<li>Add warning about incorrect nsswitch configuration</li>
<li>Distinguish between online and offline token fail</li>
<li>Ensure user token uses original name</li>
<li>Fix alias domain in auth result causing failure</li>
<li>Resolve cargo clippy warnings</li>
<li>Only map on cn name for the primary domain</li>
<li>Install systemd in build scripts for gen service</li>
<li>Fix systemd version parsing</li>
<li>Update libhimmelblau to 0.7.19</li>
<li>Resolve SELinux build failures in nightly (part 2)</li>
<li>Rocky container image updates were failing</li>
<li>Warn instead of error when no idmap_range specified</li>
<li>deps(rust): bump the all-cargo-updates group across 1 directory with 7 updates</li>
<li>Trim whitespace from local group names</li>
<li>Fix borrowing error</li>
<li>Fix reference to local_sudo_group in condition</li>
<li>Only run sudo_groups if local_groups does not contain local_sudo_group</li>
<li>Leave SELinux in permissive mode for Himmelblau</li>
<li>Resolve SELinux build failures in nightly</li>
<li>nix: add join_type option to nixos-module settings</li>
<li>Build host configuration changes</li>
<li>Ensure that hsm_pin isn't present decrypted</li>
<li>Document Soft HSM changes to TPM bound</li>
<li>Disable SELinux by default on NixOS</li>
<li>sh doesn't have <code>source</code></li>
<li>Encrypt hsm-pin using systemd-creds</li>
<li>Recommend uuid id mapping</li>
<li>Improve himmelblau.conf man page formatting</li>
<li>Implement Local User Mapping</li>
<li>Add o365 dependency for jq</li>
<li>Add selinux rules for gdm login</li>
<li>Narrow the scope of selinux policy with audit2allow</li>
<li>Generate the systemd service files</li>
<li>Fix selinux build for SLE16</li>
<li>Resolve SLE16 build dependency failure</li>
<li>Fix the rawhide build</li>
<li>Mask the sshkey-attest package</li>
<li>Bump cachix/install-nix-action from 31.7.0 to 31.8.1</li>
<li>cargo vet dependency updates</li>
<li>deps(rust): bump the all-cargo-updates group across 1 directory with 13 updates</li>
<li>Bump actions/dependency-review-action from 4.8.0 to 4.8.1</li>
<li>Bump cachix/install-nix-action from 31.7.0 to 31.8.0</li>
<li>Bump github/codeql-action from 3.30.5 to 4.30.8</li>
<li>Bump ossf/scorecard-action from 2.4.2 to 2.4.3</li>
<li>SELinux improvements</li>
<li>Fix a typo in package gen scripts</li>
<li>cargo fmt</li>
<li>Permit NSS response for mapped primary fake group</li>
<li>Fix Nix Error With Fuzz</li>
<li>Decrease CI fuzzer setup time</li>
<li>Document join types</li>
<li>Support for Entra registered devices</li>
<li>Run <code>cargo test</code> in a container</li>
<li>Bump cachix/install-nix-action from 31.6.2 to 31.7.0</li>
<li>deps(rust): bump the all-cargo-updates group across 1 directory with 2 updates</li>
<li>Bump github/codeql-action from 3.30.4 to 3.30.5</li>
<li>Use pastey crate instead of unmaintained paste</li>
<li>Pin unmaintained serde_cbor dep to serde_cbor_2</li>
<li>Resolve tower-http <code>cargo audit</code> warning</li>
<li>Replace unmaintained fxhash with own version</li>
<li>Resolve warning about workflow top level write permissions</li>
<li>Remove dependabot automerge</li>
<li>Resolve division by 0 in idmap code</li>
<li>[StepSecurity] ci: Harden GitHub Actions</li>
<li>Only idmap against initialized domains</li>
<li>Resolve invalid init of idmap with same domain</li>
<li>Add fuzzing of idmap code</li>
<li>Add basic fuzzing of the config options</li>
<li>Resolve error found by fuzzing</li>
<li>cargo vet prune</li>
<li>deps(rust): bump regex in the all-cargo-updates group</li>
<li>Bump actions/dependency-review-action from 4.7.3 to 4.8.0</li>
<li>Bump actions/checkout from 3.6.0 to 5.0.0</li>
<li>Bump cachix/cachix-action from 14 to 16</li>
<li>Bump ossf/scorecard-action from 2.4.0 to 2.4.2</li>
<li>Bump cachix/install-nix-action from 25 to 31</li>
<li>Add the OpenSSF Best Practices badge</li>
<li>Add scorecard badge</li>
<li>[StepSecurity] Apply security best practices</li>
<li>Fix group static mapping</li>
<li>Move aad-tool idmap cache clear to the idmap cmd</li>
<li>Resolve errant "Hello key missing." messages</li>
<li>Update flake.nix</li>
<li>Slow the dependabot update frequency</li>
<li>Audit dependabot updates</li>
<li>deps(rust): bump the all-cargo-updates group across 1 directory with 11 updates</li>
<li>feat: Add support for aarch64 on Debian-based distributions</li>
<li>Resolve possible invalid pointer dereferences</li>
<li>Avoid revealing account ids in debug log</li>
<li>Cause doc links to open in the correct apps</li>
<li>Permit opening multiple instances of Word/Excel</li>
<li>Modify systray and app close behavior</li>
<li>Don't use questionably licensed icons for o365</li>
<li>Resolve NixOS CI failure</li>
<li>Fix building w/out deprecated interactive feature</li>
<li>Update himmelblau.conf.5 sudo_groups example</li>
<li>Entra group based sudo access</li>
<li>Audited the cargo updates</li>
<li>deps(rust): bump the all-cargo-updates group with 6 updates</li>
<li>Vet libhimmelblau</li>
<li>Add <code>make vet</code> command</li>
<li>Update deny.toml</li>
<li>Remove incompatible licenses from deps</li>
<li>Fix RHEL8 package signing</li>
<li>Add SBOM generation</li>
<li>Add an IRP checklist for security incidents</li>
<li>Run the nixos build/release on the correct version</li>
<li>Add crate dependency auditing on MR</li>
<li>Add some exceptions</li>
<li>Initialize cargo vet</li>
<li>Remove in-tree kanidm dependencies</li>
<li>Fix Hello PIN lookup when an alias domain</li>
<li>Raise maximum group lookup from 100 to 999</li>
<li>Always work with lowercase account names</li>
<li>Modify FUNDING.yml for funding sources</li>
<li>Remove glib dependency</li>
<li>deps(rust): bump the all-cargo-updates group with 10 updates</li>
<li>Add CI check for licenses</li>
<li>Update dependabot.yml to target all stable branches</li>
<li>Add authselect module for Rocky/Fedora</li>
<li>Recommend packages, instead of require</li>
<li>Add a Contributing document</li>
<li>Add a Code of Conduct</li>
<li>add withSelinux flag to nix build, brings SELinux binaries into the build environment.</li>
<li>deps(rust): bump tracing-subscriber in the cargo group</li>
<li>Don't overwrite the himmelblau.conf on rpm upgrade</li>
<li>Add help output to the Makefile</li>
<li>Fix building packages with docker in root mode</li>
<li>Update to latest libhimmelblau and identity_dbus_broker</li>
<li>Make PRT SSO cookie via broker work as well for Edge</li>
<li>Make broker work for Edge</li>
<li>Generate Office 365 desktop apps</li>
<li>Update README</li>
<li>Add <code>make uninstall</code> command</li>
<li>Remove the deprecated tests suite</li>
<li>Himmelblau no longer has git submodules</li>
<li>Make install using packages</li>
<li>Add Debian 13 packages</li>
<li>Generate Dockerfiles automatically</li>
<li>Add SELinux configuration</li>
<li>Himmelblau daemon requires system tss user</li>
<li>Add cron dependency for Intune scripts</li>
<li>Do not mangle /usr/etc configuration files</li>
<li>deps(rust): bump the all-cargo-updates group with 7 updates</li>
<li>Add SLE16 (beta) build target</li>
<li>Automatically append to nsswitch.conf in postinst</li>
<li>Correct the RPM postinst script syntax</li>
<li>Fix Kerberos credential cache permissions</li>
<li>Set file owner and group before writing its content</li>
<li>Create SECURITY.md</li>
<li>Rev the dev version to 2.0.0</li>
<li>Ensure alias domains match when checking Intune device id</li>
<li>Debian 12 doesn't support ConditionPathExists and notify-reload</li>
<li>Write scripts policy to a readable directory</li>
<li>Apply Intune policies right after enrollment</li>
<li>Add more debug instrumentation</li>
<li>Provide device_id to Intune enrollment if not cached</li>
<li>Ensure nss cache directory is created during install</li>
<li>Remove /var/cache/himmelblaud access from tasks daemon</li>
<li>Resolve daemon startup absolute path warnings</li>
<li>Delay Intune enrollment on Device Auth fail</li>
<li>Do not leak the Intune IW service token in the logs</li>
</ul>
<p>Version 1.4.2:</p>
<ul>
<li>Revert libhimmelblau unstable update</li>
</ul>
<p>Version 1.4.1:</p>
<ul>
<li>Update Intune to use app version 1.2511.7</li>
</ul>
<p>Version 1.4.0:</p>
<ul>
<li>Resolve build failures</li>
<li>deps(rust): bump the all-cargo-updates group across 1 directory with 6 updates</li>
</ul>
<p>Version 1.3.0:</p>
<ul>
<li>Revert the self-hosted runner name</li>
<li>deps(rust): bump the all-cargo-updates group with 23 updates</li>
<li>Include latest branch in CI</li>
<li>Self hosted runners</li>
</ul>
<p>Version 1.1.0:</p>
<ul>
<li>Fix policy application</li>
<li>Add remaining Linux password compliance policies</li>
<li>Add custom compliance enforcement</li>
<li>deps(rust): bump the all-cargo-updates group with 3 updates</li>
<li>deps(rust): bump the all-cargo-updates group with 5 updates</li>
<li>Add SLE15SP7 build target</li>
<li>Add RHEL 10 build target</li>
<li>Fix Intermittent auth issue AADSTSError 16000</li>
<li>Remove old utf8proc dependency</li>
<li>Add <code>fedora42</code> build target</li>
<li>Handle PRT expiration and tie to offline auth</li>
<li>Correctly delete the Hello keys on bad pin count</li>
<li>Add ability to disable Hello PIN per-service</li>
<li>Update NixOS support to 25.05</li>
<li>Handle disabled device by attempting re-enrollment</li>
<li>Always attempt confidential client creds for aad-tool</li>
<li>Include HSM option defs in himmelblau.conf man page</li>
<li>Improve the aad-tool cache-clear command</li>
<li>Add <code>mfaSshWorkaroundFlag</code> configuration option to Nix Flake.</li>
<li>Add the ability to remove confidential client creds</li>
<li>If bad PIN count is exceeded, delete the Hello key</li>
<li>deps(rust): bump the all-cargo-updates group with 4 updates</li>
<li>Add instructions for creating developer builds</li>
<li>Fix GDM3 first time login password prompt</li>
<li>Default HsmType should be soft</li>
<li>Add himmelblaud to tss group for TPM startup</li>
<li>Enforce strict order for the systemd units</li>
<li>Update libhimmelblau and compact_jwt</li>
<li>Fix builds w/tpm</li>
<li>aad-tool Authentication flow improvements</li>
<li>Filter out irrelevant debug in aad-tool</li>
<li>Create a unified login experience for aad-tool</li>
<li>Utilize confidential creds for aad-tool enumerate</li>
<li>himmelblau should get posix attributes w/out delegate user access</li>
<li>Always use the Object Id for mapping Group to GID</li>
<li>Update enhancement-request.md for SPI donations</li>
<li>Update bug_report.md with SPI donation</li>
<li>Update build requires in README.md</li>
<li>Update FUNDING.yml with SPI Paypal donation button</li>
<li>Don't break from tasks loop when policies fail</li>
<li>Enroll in Intune as soon as it is enabled</li>
<li>Implement <code>decoupled hello</code> behavior</li>
<li>Cache encrypted PRT to disk for offline login SSO</li>
<li>Update to latest hsm-crypto</li>
<li>Enable tpm functionality</li>
<li>Allow altering the password and PIN prompt messages</li>
<li>Ensure Hello PIN lockout happens when online</li>
<li>Cache the build target output to improve build times</li>
<li>Easier build selection w/ Makefile</li>
<li>Revert mistaken removal from Makefile</li>
<li>Make the user wait longer with each incorrect PIN</li>
<li>Make the bad PIN count configurable</li>
<li>Improve aad-tool manpage</li>
<li>aad-tool fails if the user has FIDO2 enabled</li>
<li>Offline auth permits authentication with invalid Hello PIN</li>
<li>PIN complexity to match Windows</li>
<li>Update to latest SSSD idmap code</li>
<li>Add aad-tool options for setting posix attrs</li>
<li>Add scopes and redirect uris aad-tool application create</li>
<li>Add aad-tool commands for managing extension attrs</li>
<li>Utilize the sidtoname call for object id mapping</li>
<li>Add commands for listing/creating App registrations</li>
<li>Potential fix for code scanning alert no. 2: Workflow does not contain permissions</li>
<li>Potential fix for code scanning alert no. 4: Workflow does not contain permissions</li>
<li>Potential fix for code scanning alert: Workflow does not contain permissions</li>
<li>Never write the app_id to the server config</li>
<li>Disable passwordless Fido by default</li>
<li>Stop using deprecated <code>users</code> crate</li>
<li>When group membership lookup fails, use cached groups</li>
<li>aad-tool command for enumerating users and groups</li>
<li>Name-Based Group Matching in <code>pam_allow_groups</code> Leads to Potential Security Bypass</li>
<li>Add the configure-pam option to aad-tool man page</li>
<li>Add static idmap cache for on-prem to cloud migration</li>
<li>Update bug_report.md with request for himmelblau.conf</li>
<li>deps(rust): bump the all-cargo-updates group with 2 updates</li>
<li>Update crates in a group</li>
<li>Update crate bumps</li>
<li>Utilize new Intune compliance enforcement via libhimmelblau</li>
<li>Correct the README regarding Intune policy compliance</li>
<li>Disable Chromium policy</li>
<li>Re-enable Intune policy and add scripts and compliance policies</li>
<li>himmelblau.conf alias <code>domain</code> as <code>domains</code></li>
<li>Support Fido auth in pam passwd</li>
<li>Add TAP support to himmelblaud and pam passwd</li>
<li>Mixed case names should properly identify Hello Key</li>
<li>Update linux-entra-sso to latest version</li>
<li>Fix group lookup for Entra Id group name</li>
<li>Fix mixed case name lookup from PRT cache</li>
<li>Crate updates</li>
<li>Fix tasks daemon debug output</li>
<li>Remove write locks where unnecessary</li>
<li>Fix deadlock in nss</li>
<li>systemd notify fixes</li>
<li>Console</li>
<li>Address Feedback</li>
<li>Order services before gdb/nss-user-target</li>
<li>deps(rust): bump rpassword from 7.3.1 to 7.4.0</li>
<li>deps(rust): bump tokio from 1.44.2 to 1.45.0</li>
<li>deps(rust): bump sha2 from 0.10.8 to 0.10.9</li>
<li>deps(rust): bump systemd-journal-logger from 2.2.0 to 2.2.2</li>
<li>deps(rust): bump clap from 4.5.31 to 4.5.38</li>
<li>Update notify-debouncer-full</li>
<li>Update opentelemetry</li>
<li>Update dependencies</li>
<li>deps(rust): bump time from 0.3.39 to 0.3.41</li>
<li>Replace source filter that blacklists files with filter that whitelists files.</li>
<li>Mark himmelblau.conf as config in rpm</li>
<li>Update README.md</li>
<li>Ensure only the base URL is printed to log</li>
<li>If unix_user_get fails, wait, and try again</li>
<li>Supplying a PRT cookie to SSO doesn't require network</li>
<li>Don't send a password prompt if the network is down</li>
<li>Auth via MFA if Hello PIN fails 3 times</li>
<li>Improve Hello PIN failed auth error</li>
<li>Fix rocky9 build</li>
<li>deps(rust): bump anyhow from 1.0.96 to 1.0.98</li>
<li>deps(rust): bump libc from 0.2.170 to 0.2.172</li>
<li>deps(rust): bump cc from 1.2.16 to 1.2.19</li>
<li>deps(rust): bump tokio from 1.43.0 to 1.44.2</li>
<li>deps(rust): bump openssl from 0.10.71 to 0.10.72 in the cargo group</li>
<li>deps(rust): bump reqwest from 0.12.12 to 0.12.15</li>
<li>Update libhimmelblau in Cargo.lock</li>
<li>Fix nss and offline checks for domain aliases</li>
<li>Report error when MS Authenticator denies authorization</li>
<li>Bail out of invalid offline auth</li>
<li>Handle AADSTS errors from BeginAuth response</li>
<li>Never dump failed reqwests to the log</li>
<li>Update sccache-action version to use new cache service</li>
<li>Permit daemon to start when network is down</li>
<li>Add an nss cache for when daemon is down</li>
<li>Additional pam info cues</li>
<li>Proceed with Hello auth even with net down</li>
<li>Indicate to the user what the password and PIN are</li>
<li>Ensure pam messages are seen</li>
<li>Display the minimum PIN length during Hello setup</li>
<li>PAM should loop, not die on error</li>
<li>Ensure prompt msg remains for confirmation</li>
<li>Update bug_report.md</li>
<li>Ignore demands for setting up MS Authenticator</li>
<li>Login fails if Entra is configured to recommend MS authenticator</li>
<li>Add pam configure command to aad-tool</li>
<li>Update README.md with pam passwd instructions</li>
<li>aad-tool authtest needs to map names</li>
<li>Update demo video in README.md</li>
<li>Sign RPM packages</li>
<li>Ensure the pam module is installed correctly for SLE</li>
<li>Improve pam error handling and messaging</li>
<li>Only push cachix builds for stable releases</li>
<li>Terminate linux-entra-sso when browser terminates</li>
<li>On deb, push pam config after install</li>
<li>Increase priority of deb PAM passwd for Himmelblau</li>
<li>Improve offline state handling</li>
<li>Specify request for Entra Id password in PAM</li>
<li>QR Greeter also supports gnome-shell 47</li>
<li>Fix profile photo loading</li>
<li>Clarify pam_allow_groups in himmelblau.conf man page</li>
<li>Don't hide debug for pam_allow_groups miss</li>
<li>Handle failures in passwordless auth</li>
<li>build all root packages</li>
<li>split config options that can be defined per-domain from those which are global only</li>
<li>configure cachix signing and upload in ci</li>
<li>deps(rust): bump serde_json from 1.0.138 to 1.0.140</li>
<li>deps(rust): bump serde from 1.0.218 to 1.0.219</li>
<li>deps(rust): bump time from 0.3.37 to 0.3.39</li>
<li>deps(rust): bump bytes from 1.10.0 to 1.10.1</li>
<li>deps(rust): bump pkg-config from 0.3.31 to 0.3.32</li>
<li>Entra Id is case insensitive, cache lookup must match</li>
<li>deps(rust): bump ring from 0.17.9 to 0.17.13 in the cargo group</li>
<li>Support CompanionAppsNotification mfa method</li>
<li>QR code for gnome-shell greeter</li>
<li>Allow tasks to start if AccountsService dir missing</li>
<li>Remove invalid python dependency from sso package</li>
<li>Fixes https://github.com/himmelblau-idm/himmelblau/issues/397</li>
<li>Clear server config when clearing cache</li>
<li>Update version in the Cargo.lock</li>
<li>deps(rust): bump async-trait from 0.1.86 to 0.1.87</li>
<li>deps(rust): bump chrono from 0.4.39 to 0.4.40</li>
<li>Fix himmelblau.conf man page cn_name_mapping entry</li>
<li>deps(rust): bump pem from 3.0.4 to 3.0.5</li>
<li>deps(rust): bump serde from 1.0.217 to 1.0.218</li>
</ul>
<p>Version 1.0.0:</p>
<ul>
<li>deps(rust): bump cc from 1.2.15 to 1.2.16</li>
<li>Update workflow versions</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server - BCI 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-471=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server - BCI 16.0 (aarch64 x86_64)
<ul>
<li>libnss_himmelblau2-2.3.8+git0.dec3693-160000.1.1</li>
<li>himmelblau-debuginfo-2.3.8+git0.dec3693-160000.1.1</li>
<li>pam-himmelblau-2.3.8+git0.dec3693-160000.1.1</li>
<li>himmelblau-2.3.8+git0.dec3693-160000.1.1</li>
<li>himmelblau-sso-2.3.8+git0.dec3693-160000.1.1</li>
<li>himmelblau-sso-debuginfo-2.3.8+git0.dec3693-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server - BCI 16.0 (noarch)
<ul>
<li>himmelblau-qr-greeter-2.3.8+git0.dec3693-160000.1.1</li>
<li>himmelblau-sshd-config-2.3.8+git0.dec3693-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-54882.html">https://www.suse.com/security/cve/CVE-2025-54882.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-58160.html">https://www.suse.com/security/cve/CVE-2025-58160.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-25727.html">https://www.suse.com/security/cve/CVE-2026-25727.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-31979.html">https://www.suse.com/security/cve/CVE-2026-31979.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1247735">https://bugzilla.suse.com/show_bug.cgi?id=1247735</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1249013">https://bugzilla.suse.com/show_bug.cgi?id=1249013</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1257904">https://bugzilla.suse.com/show_bug.cgi?id=1257904</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1258236">https://bugzilla.suse.com/show_bug.cgi?id=1258236</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1259548">https://bugzilla.suse.com/show_bug.cgi?id=1259548</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-14511">https://jira.suse.com/browse/PED-14511</a>
</li>
</ul>
</div>