openSUSE-FU-2026:20453-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-FU-2026:20453-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-FU-2026:20453-1
Published
2026-04-01T09:26:05Z
Modified
2026-04-03T07:45:28.189462Z
Summary
Feature update for himmelblau
Details

This update for himmelblau fixes the following issues:

Update to himmelblau 2.3.8 (jsc#PED-14511):

Security issues:

  • CVE-2025-54882: world-readable cloud TGT token (bsc#1247735).
  • CVE-2025-58160: tracing-subscriber: tracing log pollution (bsc#1249013).
  • CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257904).
  • CVE-2026-31979: race condition when accessing /tmp/krb5cc_<uid> (bsc#1259548).

Non-security issues:

  • Fix SELinux module packaging to use standard policy macros (bsc#1258236).

Changelog:

Version 2.3.8:

  • Add PrivateTmp back to Tasks Daemon
  • Drop dead code
  • Drop krb5 ccache dir code
  • Add a TODO comment
  • Drop non working packaged krb5 snippet file
  • Write kerberos config snippet
  • Extend resolver interface to return kerberos config together with TGTs
  • Backport SELinux fixes from main
  • Use libkrimes to store TGTs

Version 2.3.7:

  • cargo vet
  • Fix AWS-LC has PKCS7_verify Certificate Chain Validation Bypass
  • Revert dependency change which broke the nightly build
  • gen_dockerfiles: only himmelblaud has tpm feature, fix all others
  • fix(build): gen_dockerfiles.py mutates shared features list mid-loop

Version 2.3.5:

  • Better handle Intune API version
  • Update make vet from main branch
  • pamhimmelblau: call splitusername once in chauthtok
  • pamhimmelblau: return PAMIGNORE in chauthtok for local users
  • Don't attempt a DAG when Hello fails with SSPR demand

Version 2.3.4:

  • deps(rust): bump the all-cargo-updates group across 1 directory with 8 updates
  • Revert sketching update (which breaks SLE16 build)

Version 2.3.3:

  • /var/cache/private/himmelblaud should not be created tmpfiles
  • Update python vers for dataclasses dep
  • deps(rust): bump the all-cargo-updates group across 1 directory with 3 updates
  • Generate pin init service file systemd < 250
  • Checkin missing himmelblaud.if file for SELinux
  • Resolve typos in selinux package commands

Version 2.3.2:

  • Compile SELinux policy at install time for cross-distro compatibility
  • Improve PAM configuration on openSUSE/SLE
  • Fix SELinux policy
  • Add a git hook to ensure selinux policy is tested
  • Ignore generated himmelblau-hsm-pin-init service file
  • Refactor SELinux policy for cross-distro compatibility
  • Fix NSS lookup for mapped local users
  • Skip OS version compliance checks when min/max values are empty

Version 2.3.1:

  • Remove references to qrcodegen (these are 3.x features)
  • QR Greeter compatibility for old GNOME
  • Enable QR greeter automatically
  • ci: Use latest cargo-vet from git to fix CI
  • Fix HSM pin migration failure on Debian/Ubuntu upgrades from v1.4.x

Version 2.3.0:

  • Autostart the daemons on fresh install or upgrade
  • Restart sshd when installing the ssh config
  • Allow tasks daemon to write krb ccache
  • Do not enumerate mapped users in NSS
  • Update libhimmelblau to latest version
  • Fix Tumbleweed build

Version 2.2.0:

  • Update libhimmelblau to 0.8.x series
  • deps(rust): bump the all-cargo-updates group with 17 updates
  • Only use OpenSSH bug workaround for ssh service
  • Fix debug noise from removing user from sudo group
  • systemd: install files to /usr/lib/, not /etc/

Version 2.1.0:

  • Fix nightly authselect build failure
  • Generate the authselect profiles for each distro
  • Improve pam config handling in aad-tool
  • Make aad-tool configure-pam detect location of pam files

Version 2.0.5:

  • /var/lib/private/himmelblaud should be owned by root
  • Use tmpfiles.d to create himmelblaud private data directory
  • deps(rust): bump the all-cargo-updates group with 13 updates

Version 2.0.4:

  • Update kanidmbuildprofiles mask version
  • Utilize cargo vet from main
  • Add policies cache patch via systemd-tmpfiles
  • Fix man page comments about change idmap_range
  • Stub picky-krb for osc build
  • Stub a kanidmbuildprofiles which builds in osc
  • Ensure nss cache is created on Ubuntu/Debian
  • Request a user token if NSS hasn't been called

Version 2.0.3:

  • Add nss cache patch via systemd-tmpfiles

Version 2.0.2:

  • Recommend patch with the pam package
  • Fix passwordless FIDO authentication not being used when available
  • Git workflow updates for stable-2.x
  • Only warn on Intune failure

Version 2.0.1:

  • Force o365 desktop files to always rebuild
  • Always rebuild the o365 apps
  • Add restart on-failure to systemd services
  • Clarify domain SHOULD match login domain
  • Remove warning about domain himmelblau.conf opt
  • Pseudo eliminate multi-tenant and domains section
  • Revert "Fix Hello PIN lookup when an alias domain"
  • Comment out KbdInteractiveAuthentication on in sshd conf
  • Check the nxset sooner, to avoid unwanted errors
  • Recommend oddjob_mkhomedir with authselect
  • Pin libhimmelblau to 0.7.x
  • Deprecate Fedora 41
  • deps(rust): bump the all-cargo-updates group with 11 updates
  • Bump github/codeql-action from 4.30.8 to 4.31.2
  • Bump cachix/install-nix-action from 31.8.1 to 31.8.2
  • Bump actions/upload-artifact from 4.6.2 to 5.0.0
  • cargo clippy and rebase fix
  • fixup! add extra debug output to NotFound error code
  • force error output to show up in CI logs
  • wrap repeated sources of IdpError::NotFound in helper functions
  • add extra debug output to NotFound error code
  • use direnv for loading the nix devshell
  • We should still encourage mapping by name
  • Add support for Fedora 43
  • Provide an offline 'breakglass' mode
  • cargo clippy
  • Add warning about incorrect nsswitch configuration
  • Distinguish between online and offline token fail
  • Ensure user token uses original name
  • Fix alias domain in auth result causing failure
  • Resolve cargo clippy warnings
  • Only map on cn name for the primary domain
  • Install systemd in build scripts for gen service
  • Fix systemd version parsing
  • Update libhimmelblau to 0.7.19
  • Resolve SELinux build failures in nightly (part 2)
  • Rocky container image updates were failing
  • Warn instead of error when no idmap_range specified
  • deps(rust): bump the all-cargo-updates group across 1 directory with 7 updates
  • Trim whitespace from local group names
  • Fix borrowing error
  • Fix reference to localsudogroup in condition
  • Only run sudogroups if localgroups does not contain localsudogroup
  • Leave SELinux in permissive mode for Himmelblau
  • Resolve SELinux build failures in nightly
  • nix: add join_type option to nixos-module settings
  • Build host configuration changes
  • Ensure that hsm_pin isn't present decrypted
  • Document Soft HSM changes to TPM bound
  • Disable SELinux by default on NixOS
  • sh doesn't have source
  • Encrypt hsm-pin using systemd-creds
  • Recommend uuid id mapping
  • Improve himmelblau.conf man page formatting
  • Implement Local User Mapping
  • Add o365 dependency for jq
  • Add selinux rules for gdm login
  • Narrow the scope of selinux policy with audit2allow
  • Generate the systemd service files
  • Fix selinux build for SLE16
  • Resolve SLE16 build dependency failure
  • Fix the rawhide build
  • Mask the sshkey-attest package
  • Bump cachix/install-nix-action from 31.7.0 to 31.8.1
  • cargo vet dependency updates
  • deps(rust): bump the all-cargo-updates group across 1 directory with 13 updates
  • Bump actions/dependency-review-action from 4.8.0 to 4.8.1
  • Bump cachix/install-nix-action from 31.7.0 to 31.8.0
  • Bump github/codeql-action from 3.30.5 to 4.30.8
  • Bump ossf/scorecard-action from 2.4.2 to 2.4.3
  • SELinux improvements
  • Fix a typo in package gen scripts
  • cargo fmt
  • Permit NSS response for mapped primary fake group
  • Fix Nix Error With Fuzz
  • Decrease CI fuzzer setup time
  • Document join types
  • Support for Entra registered devices
  • Run cargo test in a container
  • Bump cachix/install-nix-action from 31.6.2 to 31.7.0
  • deps(rust): bump the all-cargo-updates group across 1 directory with 2 updates
  • Bump github/codeql-action from 3.30.4 to 3.30.5
  • Use pastey crate instead of unmaintained paste
  • Pin unmaintained serdecbor dep to serdecbor_2
  • Resolve tower-http cargo audit warning
  • Replace unmaintained fxhash with own version
  • Resolve warning about workflow top level write permissions
  • Remove dependabot automerge
  • Resolve division by 0 in idmap code
  • [StepSecurity] ci: Harden GitHub Actions
  • Only idmap against initialized domains
  • Resolve invalid init of idmap with same domain
  • Add fuzzing of idmap code
  • Add basic fuzzing of the config options
  • Resolve error found by fuzzing
  • cargo vet prune
  • deps(rust): bump regex in the all-cargo-updates group
  • Bump actions/dependency-review-action from 4.7.3 to 4.8.0
  • Bump actions/checkout from 3.6.0 to 5.0.0
  • Bump cachix/cachix-action from 14 to 16
  • Bump ossf/scorecard-action from 2.4.0 to 2.4.2
  • Bump cachix/install-nix-action from 25 to 31
  • Add the OpenSSF Best Practices badge
  • Add scorecard badge
  • [StepSecurity] Apply security best practices
  • Fix group static mapping
  • Move aad-tool idmap cache clear to the idmap cmd
  • Resolve errant "Hello key missing." messages
  • Update flake.nix
  • Slow the dependabot update frequency
  • Audit dependabot updates
  • deps(rust): bump the all-cargo-updates group across 1 directory with 11 updates
  • feat: Add support for aarch64 on Debian-based distributions
  • Resolve possible invalid pointer dereferences
  • Avoid revealing account ids in debug log
  • Cause doc links to open in the correct apps
  • Permit opening multiple instances of Word/Excel
  • Modify systray and app close behavior
  • Don't use questionably licensed icons for o365
  • Resolve NixOS CI failure
  • Fix building w/out deprecated interactive feature
  • Update himmelblau.conf.5 sudo_groups example
  • Entra group based sudo access
  • Audited the cargo updates
  • deps(rust): bump the all-cargo-updates group with 6 updates
  • Vet libhimmelblau
  • Add make vet command
  • Update deny.toml
  • Remove incompatible licenses from deps
  • Fix RHEL8 package signing
  • Add SBOM generation
  • Add an IRP checklist for security incidents
  • Run the nixos build/release on the correct version
  • Add crate dependency auditing on MR
  • Add some exceptions
  • Initialize cargo vet
  • Remove in-tree kanidm dependencies
  • Fix Hello PIN lookup when an alias domain
  • Raise maximum group lookup from 100 to 999
  • Always work with lowercase account names
  • Modify FUNDING.yml for funding sources
  • Remove glib dependency
  • deps(rust): bump the all-cargo-updates group with 10 updates
  • Add CI check for licenses
  • Update dependabot.yml to target all stable branches
  • Add authselect module for Rocky/Fedora
  • Recommend packages, instead of require
  • Add a Contributing document
  • Add a Code of Conduct
  • add withSelinux flag to nix build, brings SELinux binaries into the build environment.
  • deps(rust): bump tracing-subscriber in the cargo group
  • Don't overwrite the himmelblau.conf on rpm upgrade
  • Add help output to the Makefile
  • Fix building packages with docker in root mode
  • Update to latest libhimmelblau and identitydbusbroker
  • Make PRT SSO cookie via broker work as well for Edge
  • Make broker work for Edge
  • Generate Office 365 desktop apps
  • Update README
  • Add make uninstall command
  • Remove the deprecated tests suite
  • Himmelblau no longer has git submodules
  • Make install using packages
  • Add Debian 13 packages
  • Generate Dockerfiles automatically
  • Add SELinux configuration
  • Himmelblau daemon requires system tss user
  • Add cron dependency for Intune scripts
  • Do not mangle /usr/etc configuration files
  • deps(rust): bump the all-cargo-updates group with 7 updates
  • Add SLE16 (beta) build target
  • Automatically append to nsswitch.conf in postinst
  • Correct the RPM postinst script syntax
  • Fix Kerberos credential cache permissions
  • Set file owner and group before writing its content
  • Create SECURITY.md
  • Rev the dev version to 2.0.0
  • Ensure alias domains match when checking Intune device id
  • Debian 12 doesn't support ConditionPathExists and notify-reload
  • Write scripts policy to a readable directory
  • Apply Intune policies right after enrollment
  • Add more debug instrumentation
  • Provide device_id to Intune enrollment if not cached
  • Ensure nss cache directory is created during install
  • Remove /var/cache/himmelblaud access from tasks daemon
  • Resolve daemon startup absolute path warnings
  • Delay Intune enrollment on Device Auth fail
  • Do not leak the Intune IW service token in the logs

Version 1.4.2:

  • Revert libhimmelblau unstable update

Version 1.4.1:

  • Update Intune to use app version 1.2511.7

Version 1.4.0:

  • Resolve build failures
  • deps(rust): bump the all-cargo-updates group across 1 directory with 6 updates

Version 1.3.0:

  • Revert the self-hosted runner name
  • deps(rust): bump the all-cargo-updates group with 23 updates
  • Include latest branch in CI
  • Self hosted runners

Version 1.1.0:

  • Fix policy application
  • Add remaining Linux password compliance policies
  • Add custom compliance enforcement
  • deps(rust): bump the all-cargo-updates group with 3 updates
  • deps(rust): bump the all-cargo-updates group with 5 updates
  • Add SLE15SP7 build target
  • Add RHEL 10 build target
  • Fix Intermittent auth issue AADSTSError 16000
  • Remove old utf8proc dependency
  • Add fedora42 build target
  • Handle PRT expiration and tie to offline auth
  • Correctly delete the Hello keys on bad pin count
  • Add ability to disable Hello PIN per-service
  • Update NixOS support to 25.05
  • Handle disabled device by attempting re-enrollment
  • Always attempt confidential client creds for aad-tool
  • Include HSM option defs in himmelblau.conf man page
  • Improve the aad-tool cache-clear command
  • Add mfaSshWorkaroundFlag configuration option to Nix Flake.
  • Add the ability to remove confidential client creds
  • If bad PIN count is exceeded, delete the Hello key
  • deps(rust): bump the all-cargo-updates group with 4 updates
  • Add instructions for creating developer builds
  • Fix GDM3 first time login password prompt
  • Default HsmType should be soft
  • Add himmelblaud to tss group for TPM startup
  • Enforce strict order for the systemd units
  • Update libhimmelblau and compact_jwt
  • Fix builds w/tpm
  • aad-tool Authentication flow improvements
  • Filter out irrelevant debug in aad-tool
  • Create a unified login experience for aad-tool
  • Utilize confidential creds for aad-tool enumerate
  • himmelblau should get posix attributes w/out delegate user access
  • Always use the Object Id for mapping Group to GID
  • Update enhancement-request.md for SPI donations
  • Update bug_report.md with SPI donation
  • Update build requires in README.md
  • Update FUNDING.yml with SPI Paypal donation button
  • Don't break from tasks loop when policies fail
  • Enroll in Intune as soon as it is enabled
  • Implement decoupled hello behavior
  • Cache encrypted PRT to disk for offline login SSO
  • Update to latest hsm-crypto
  • Enable tpm functionality
  • Allow altering the password and PIN prompt messages
  • Ensure Hello PIN lockout happens when online
  • Cache the build target output to improve build times
  • Easier build selection w/ Makefile
  • Revert mistaken removal from Makefile
  • Make the user wait longer with each incorrect PIN
  • Make the bad PIN count configurable
  • Improve aad-tool manpage
  • aad-tool fails if the user has FIDO2 enabled
  • Offline auth permits authentication with invalid Hello PIN
  • PIN complexity to match Windows
  • Update to latest SSSD idmap code
  • Add aad-tool options for setting posix attrs
  • Add scopes and redirect uris aad-tool application create
  • Add aad-tool commands for managing extension attrs
  • Utilize the sidtoname call for object id mapping
  • Add commands for listing/creating App registrations
  • Potential fix for code scanning alert no. 2: Workflow does not contain permissions
  • Potential fix for code scanning alert no. 4: Workflow does not contain permissions
  • Potential fix for code scanning alert: Workflow does not contain permissions
  • Never write the app_id to the server config
  • Disable passwordless Fido by default
  • Stop using deprecated users crate
  • When group membership lookup fails, use cached groups
  • aad-tool command for enumerating users and groups
  • Name-Based Group Matching in pam_allow_groups Leads to Potential Security Bypass
  • Add the configure-pam option to aad-tool man page
  • Add static idmap cache for on-prem to cloud migration
  • Update bug_report.md with request for himmelblau.conf
  • deps(rust): bump the all-cargo-updates group with 2 updates
  • Update crates in a group
  • Update crate bumps
  • Utilize new Intune compliance enforcement via libhimmelblau
  • Correct the README regarding Intune policy compliance
  • Disable Chromium policy
  • Re-enable Intune policy and add scripts and compliance policies
  • himmelblau.conf alias domain as domains
  • Support Fido auth in pam passwd
  • Add TAP support to himmelblaud and pam passwd
  • Mixed case names should properly identify Hello Key
  • Update linux-entra-sso to latest version
  • Fix group lookup for Entra Id group name
  • Fix mixed case name lookup from PRT cache
  • Crate updates
  • Fix tasks daemon debug output
  • Remove write locks where unnecessary
  • Fix deadlock in nss
  • systemd notify fixes
  • Console
  • Address Feedback
  • Order services before gdb/nss-user-target
  • deps(rust): bump rpassword from 7.3.1 to 7.4.0
  • deps(rust): bump tokio from 1.44.2 to 1.45.0
  • deps(rust): bump sha2 from 0.10.8 to 0.10.9
  • deps(rust): bump systemd-journal-logger from 2.2.0 to 2.2.2
  • deps(rust): bump clap from 4.5.31 to 4.5.38
  • Update notify-debouncer-full
  • Update opentelemetry
  • Update dependencies
  • deps(rust): bump time from 0.3.39 to 0.3.41
  • Replace source filter that blacklists files with filter that whitelists files.
  • Mark himmelblau.conf as config in rpm
  • Update README.md
  • Ensure only the base URL is printed to log
  • If unixuserget fails, wait, and try again
  • Supplying a PRT cookie to SSO doesn't require network
  • Don't send a password prompt if the network is down
  • Auth via MFA if Hello PIN fails 3 times
  • Improve Hello PIN failed auth error
  • Fix rocky9 build
  • deps(rust): bump anyhow from 1.0.96 to 1.0.98
  • deps(rust): bump libc from 0.2.170 to 0.2.172
  • deps(rust): bump cc from 1.2.16 to 1.2.19
  • deps(rust): bump tokio from 1.43.0 to 1.44.2
  • deps(rust): bump openssl from 0.10.71 to 0.10.72 in the cargo group
  • deps(rust): bump reqwest from 0.12.12 to 0.12.15
  • Update libhimmelblau in Cargo.lock
  • Fix nss and offline checks for domain aliases
  • Report error when MS Authenticator denies authorization
  • Bail out of invalid offline auth
  • Handle AADSTS errors from BeginAuth response
  • Never dump failed reqwests to the log
  • Update sccache-action version to use new cache service
  • Permit daemon to start when network is down
  • Add an nss cache for when daemon is down
  • Additional pam info cues
  • Proceed with Hello auth even with net down
  • Indicate to the user what the password and PIN are
  • Ensure pam messages are seen
  • Display the minimum PIN length during Hello setup
  • PAM should loop, not die on error
  • Ensure prompt msg remains for confirmation
  • Update bug_report.md
  • Ignore demands for setting up MS Authenticator
  • Login fails if Entra is configured to recommend MS authenticator
  • Add pam configure command to aad-tool
  • Update README.md with pam passwd instructions
  • aad-tool authtest needs to map names
  • Update demo video in README.md
  • Sign RPM packages
  • Ensure the pam module is installed correctly for SLE
  • Improve pam error handling and messaging
  • Only push cachix builds for stable releases
  • Terminate linux-entra-sso when browser terminates
  • On deb, push pam config after install
  • Increase priority of deb PAM passwd for Himmelblau
  • Improve offline state handling
  • Specify request for Entra Id password in PAM
  • QR Greeter also supports gnome-shell 47
  • Fix profile photo loading
  • Clarify pamallowgroups in himmelblau.conf man page
  • Don't hide debug for pamallowgroups miss
  • Handle failures in passwordless auth
  • build all root packages
  • split config options that can be defined per-domain from those which are global only
  • configure cachix signing and upload in ci
  • deps(rust): bump serde_json from 1.0.138 to 1.0.140
  • deps(rust): bump serde from 1.0.218 to 1.0.219
  • deps(rust): bump time from 0.3.37 to 0.3.39
  • deps(rust): bump bytes from 1.10.0 to 1.10.1
  • deps(rust): bump pkg-config from 0.3.31 to 0.3.32
  • Entra Id is case insensitive, cache lookup must match
  • deps(rust): bump ring from 0.17.9 to 0.17.13 in the cargo group
  • Support CompanionAppsNotification mfa method
  • QR code for gnome-shell greeter
  • Allow tasks to start if AccountsService dir missing
  • Remove invalid python dependency from sso package
  • Fixes https://github.com/himmelblau-idm/himmelblau/issues/397
  • Clear server config when clearing cache
  • Update version in the Cargo.lock
  • deps(rust): bump async-trait from 0.1.86 to 0.1.87
  • deps(rust): bump chrono from 0.4.39 to 0.4.40
  • Fix himmelblau.conf man page cnnamemapping entry
  • deps(rust): bump pem from 3.0.4 to 3.0.5
  • deps(rust): bump serde from 1.0.217 to 1.0.218

Version 1.0.0:

  • deps(rust): bump cc from 1.2.15 to 1.2.16
  • Update workflow versions

Affected packages

openSUSE:Leap 16.0 / himmelblau

Package

Name
himmelblau
Purl
pkg:rpm/opensuse/himmelblau&distro=openSUSE%20Leap%2016.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.3.8+git0.dec3693-160000.1.1

Ecosystem specific

{
    "binaries": [
        {
            "pam-himmelblau": "2.3.8+git0.dec3693-160000.1.1",
            "himmelblau-qr-greeter": "2.3.8+git0.dec3693-160000.1.1",
            "himmelblau-sshd-config": "2.3.8+git0.dec3693-160000.1.1",
            "himmelblau-sso": "2.3.8+git0.dec3693-160000.1.1",
            "himmelblau": "2.3.8+git0.dec3693-160000.1.1",
            "libnss_himmelblau2": "2.3.8+git0.dec3693-160000.1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/openSUSE-FU-2026:20453-1.json"