openSUSE-SU-2021:1755-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2021:1755-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2021:1755-1
Related
Published
2021-07-10T18:57:28Z
Modified
2021-07-10T18:57:28Z
Summary
Security update for libu2f-host
Details

This update for libu2f-host fixes the following issues:

This update ships the u2f-host package (jsc#ECO-3687 bsc#1184648)

Version 1.1.10 (released 2019-05-15)

  • Add new devices to udev rules.
  • Fix a potentially uninitialized buffer (CVE-2019-9578, bsc#1128140)

Version 1.1.9 (released 2019-03-06)

  • Fix CID copying from the init response, which broke compatibility with some devices.

Version 1.1.8 (released 2019-03-05)

  • Add udev rules
  • Drop 70-old-u2f.rules and use 70-u2f.rules for everything
  • Use a random nonce for setting up CID to prevent fingerprinting
  • CVE-2019-9578: Parse the response to init in a more stable way to prevent leakage of uninitialized stack memory back to the device (bsc#1128140).

Version 1.1.7 (released 2019-01-08)

  • Fix for trusting length from device in device init.
  • Fix for buffer overflow when receiving data from device. (YSA-2019-01, CVE-2018-20340, bsc#1124781)

  • Add udev rules for some new devices.

  • Add udev rule for Feitian ePass FIDO

    • Add a timeout to the register and authenticate actions.
References

Affected packages

openSUSE:Leap 15.3 / libu2f-host

Package

Name
libu2f-host
Purl
pkg:rpm/opensuse/libu2f-host&distro=openSUSE%20Leap%2015.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.10-3.9.1

Ecosystem specific 

{
    "binaries": [
        {
            "libu2f-host0": "1.1.10-3.9.1",
            "u2f-host": "1.1.10-3.9.1",
            "libu2f-host-doc": "1.1.10-3.9.1",
            "libu2f-host-devel": "1.1.10-3.9.1"
        }
    ]
}