Recommended update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt

Announcement ID: SUSE-RU-2023:2811-2
Rating: moderate
References:
Affected Products:
  • Basesystem Module 15-SP5
  • Desktop Applications Module 15-SP5
  • SUSE Linux Enterprise Desktop 15 SP5
  • SUSE Linux Enterprise High Performance Computing 15 SP5
  • SUSE Linux Enterprise Micro 5.5
  • SUSE Linux Enterprise Real Time 15 SP5
  • SUSE Linux Enterprise Server 15 SP5
  • SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that contains one feature can now be installed.

Description:

This update for libfido2, python-fido2, yubikey-manager, yubikey-manager-qt fixes the following issues:

This update provides a feature update to the FIDO2 stack.

Changes in libfido2:

  • Version 1.13.0 (2023-02-20)

    • New API calls:

    • fido_assert_empty_allow_list;

    • fido_cred_empty_exclude_list.

    • fido2-token: fix issue when listing large blobs.

  • Version 1.12.0 (2022-09-22)

  • Support for COSE_ES384.

  • Improved support for FIDO 2.1 authenticators.

  • New API calls:

    • es384_pk_free;
    • es384_pk_from_EC_KEY;
    • es384_pk_from_EVP_PKEY;
    • es384_pk_from_ptr;
    • es384_pk_new;
    • es384_pk_to_EVP_PKEY;
    • fido_cbor_info_certs_len;
    • fido_cbor_info_certs_name_ptr;
    • fido_cbor_info_certs_value_ptr;
    • fido_cbor_info_maxrpid_minpinlen;
    • fido_cbor_info_minpinlen;
    • fido_cbor_info_new_pin_required;
    • fido_cbor_info_rk_remaining;
    • fido_cbor_info_uv_attempts;
    • fido_cbor_info_uv_modality.

  • Documentation and reliability fixes.

  • Version 1.11.0 (2022-05-03)

  • Experimental PCSC support; enable with -DUSE_PCSC.

  • Improved OpenSSL 3.0 compatibility.
  • Use RFC1951 raw deflate to compress CTAP 2.1 largeBlobs.
  • winhello: advertise "uv" instead of "clientPin".
  • winhello: support hmac-secret in fido_dev_get_assert().

  • New API calls:

    • fido_cbor_info_maxlargeblob.

  • Documentation and reliability fixes.

  • Separate build and regress targets.

  • Version 1.10.0 (2022-01-17)

  • bio: fix CTAP2 canonical CBOR encoding in fido_bio_dev_enroll_*(); gh#480.

  • New API calls:

    • fido_dev_info_set;
    • fido_dev_io_handle;
    • fido_dev_new_with_info;
    • fido_dev_open_with_info.
    • Cygwin and NetBSD build fixes.
    • Documentation and reliability fixes.
    • Support for TPM 2.0 attestation of COSE_ES256 credentials.

  • Version 1.9.0 (2021-10-27)

  • Enabled NFC support on Linux.

  • Support for FIDO 2.1 "minPinLength" extension.
  • Support for COSE_EDDSA, COSE_ES256, and COSE_RS1 attestation.
  • Support for TPM 2.0 attestation.
  • Support for device timeouts; see fido_dev_set_timeout().

  • New API calls:

    • es256_pk_from_EVP_PKEY;
    • fido_cred_attstmt_len;
    • fido_cred_attstmt_ptr;
    • fido_cred_pin_minlen;
    • fido_cred_set_attstmt;
    • fido_cred_set_pin_minlen;
    • fido_dev_set_pin_minlen_rpid;
    • fido_dev_set_timeout;
    • rs256_pk_from_EVP_PKEY.

  • Reliability and portability fixes.

  • Better handling of HID devices without identification strings; gh#381.

  • Update to version 1.8.0:

    • Better support for FIDO 2.1 authenticators.
    • Support for attestation format 'none'.

    • New API calls:

      • fido_assert_set_clientdata;
      • fido_cbor_info_algorithm_cose;
      • fido_cbor_info_algorithm_count;
      • fido_cbor_info_algorithm_type;
      • fido_cbor_info_transports_len;
      • fido_cbor_info_transports_ptr;
      • fido_cred_set_clientdata;
      • fido_cred_set_id;
      • fido_credman_set_dev_rk;
      • fido_dev_is_winhello.

    • fido2-token: new -Sc option to update a resident credential.

    • Documentation and reliability fixes.
    • HID access serialisation on Linux.

  • Update to version 1.7.0:

  • hid_win: detect devices with vendor or product IDs > 0x7fff

  • Support for FIDO 2.1 authenticator configuration.
  • Support for FIDO 2.1 UV token permissions.
  • Support for FIDO 2.1 "credBlobs" and "largeBlobs" extensions.
  • New API calls
  • New fido_init flag to disable fido_dev_open’s U2F fallback

  • Experimental NFC support on Linux.

  • Enabled hidapi again, issues related to hidapi are fixed upstream

  • Update to version 1.6.0:

  • Documentation and reliability fixes.

  • New API calls:

    • fido_cred_authdata_raw_len;
    • fido_cred_authdata_raw_ptr;
    • fido_cred_sigcount;
    • fido_dev_get_uv_retry_count;
    • fido_dev_supports_credman.
    • Hardened Windows build.
    • Native FreeBSD and NetBSD support.
    • Use CTAP2 canonical CBOR when combining hmac-secret and credProtect.

  • Create a udev subpackage and ship the udev rule.

Changes in python-fido2:

  • update to 0.9.3:

  • Don't fail device discovery when hidraw doesn't support HIDIOCGRAWUNIQ

  • Support the latest Windows webauthn.h API (included in Windows 11).
  • Add product name and serial number to HidDescriptors.

  • Remove the need for the uhid-freebsd dependency on FreeBSD.

  • Update to version 0.9.1

  • Add new CTAP error codes and improve handling of unknown codes.

  • Client: API changes to better support extensions.
  • Client.make_credential now returns a AuthenticatorAttestationResponse, which holds the AttestationObject and ClientData, as well as any client extension results for the credential.
  • Client.get_assertion now returns an AssertionSelection object, which is used to select between multiple assertions
  • Renames: The CTAP1 and CTAP2 classes have been renamed to Ctap1 and Ctap2, respectively.
  • ClientPin: The ClientPin API has been restructured to support multiple PIN protocols, UV tokens, and token permissions.
  • CTAP 2.1 PRE: Several new features have been added for CTAP 2.1

  • HID: The platform specific HID code has been revamped

  • Version 0.8.1 (released 2019-11-25)

  • Bugfix: WindowsClient.make_credential error when resident key requirement is unspecified.

  • Version 0.8.0 (released 2019-11-25)

  • New fido2.webauthn classes modeled after the W3C WebAuthn spec introduced.

  • CTAP2 send_cbor/make_credential/get_assertion and U2fClient request/authenticate timeout arguments replaced with event used to cancel a request.

  • Fido2Client:

    • make_credential/get_assertion now take WebAuthn options objects.
    • timeout is now provided in ms in WebAuthn options objects. Event based cancelation also available by passing an Event.

  • Fido2Server:

    • ATTESTATION, USER_VERIFICATION, and AUTHENTICATOR_ATTACHMENT enums have been replaced with fido2.webauthn classes.
    • RelyingParty has been replaced with PublicKeyCredentialRpEntity, and name is no longer optional.
    • Options returned by register_begin/authenticate_begin now omit unspecified values if they are optional, instead of filling in default values.
    • Fido2Server.allowed_algorithms now contains a list of PublicKeyCredentialParameters instead of algorithm identifiers.
    • Fido2Server.timeout is now in ms and of type int.

  • Support native WebAuthn API on Windows through WindowsClient.

  • Version 0.7.2 (released 2019-10-24)

  • Support for the TPM attestation format.

  • Allow passing custom challenges to register/authenticate in Fido2Server.
  • Bugfix: CTAP2 CANCEL command response handling fixed.
  • Bugfix: Fido2Client fix handling of empty allow_list.

  • Bugfix: Fix typo in CTAP2.get_assertions() causing it to fail.

  • Version 0.7.1 (released 2019-09-20)

  • Enforce canonical CBOR on Authenticator responses by default.

  • PCSC: Support extended APDUs.
  • Server: Verify that UP flag is set.
  • U2FFido2Server: Implement AppID exclusion extension.
  • U2FFido2Server: Allow custom U2F facet verification.

  • Bugfix: U2FFido2Server.authenticate_complete now returns the result.

  • Version 0.7.0 (released 2019-06-17)

  • Add support for NFC devices using PCSC.

  • Add support for the hmac-secret Authenticator extension.
  • Honor max credential ID length and number of credentials to Authenticator.

  • Add close() method to CTAP devices to explicitly release their resources.

  • Version 0.6.0 (released 2019-05-10)

  • Don't fail if CTAP2 Info contains unknown fields.

  • Replace cbor loads/dumps functions with encode/decode/decode_from.
  • Server: Add support for AuthenticatorAttachment.
  • Server: Add support for more key algorithms.
  • Client: Expose CTAP2 Info object as Fido2Client.info.

Changes in yubikey-manager:

  • Update to version 4.0.9 (released 2022-06-17)

  • Dependency: Add support for python-fido2 1.x

  • Fix: Drop stated support for Click 6 as features from 7 are being used.

  • Update to version 4.0.8 (released 2022-01-31)

  • Bugfix: Fix error message for invalid modhex when programing a YubiOTP credential.

  • Bugfix: Fix issue with displaying a Steam credential when it is the only account.
  • Bugfix: Prevent installation of files in site-packages root.
  • Bugfix: Fix cleanup logic in PIV for protected management key.
  • Add support for token identifier when programming slot-based HOTP.
  • Add support for programming NDEF in text mode.

  • Dependency: Add support for Cryptography ⇐ 38.

  • version update to 4.0.7

** Bugfix release: Fix broken naming for "YubiKey 4", and a small OATH issue with touch Steam credentials.

  • version 4.0.6 (released 2021-09-08)

Improve handling of YubiKey device reboots. More consistently mask PIN/password input in prompts. Support switching mode over CCID for YubiKey Edge. Run pkill from PATH instead of fixed location.

  • version 4.0.5 (released 2021-07-16)

Bugfix: Fix PIV feature detection for some YubiKey NEO versions. Bugfix: Fix argument short form for --period when adding TOTP credentials. Bugfix: More strict validation for some arguments, resulting in better error messages. Bugfix: Correctly handle TOTP credentials using period != 30 AND touch_required. ** Bugfix: Fix prompting for access code in the otp settings command (now uses "-A -").

  • Update to version 4.0.3

  • Add support for fido reset over NFC.

  • Bugfix: The --touch argument to piv change-management-key was ignored.
  • Bugfix: Don’t prompt for password when importing PIV key/cert if file is invalid.
  • Bugfix: Fix setting touch-eject/auto-eject for YubiKey 4 and NEO.
  • Bugfix: Detect PKCS#12 format when outer sequence uses indefinite length.

  • Dependency: Add support for Click 8.

  • Update to version 4.0.2

  • Update device names

  • Add read_info output to the --diagnose command, and show exception types.
  • Bugfix: Fix read_info for YubiKey Plus.
  • Add support for YK5-based FIPS YubiKeys.
  • Bugfix: Fix OTP device enumeration on Win32.
  • Drop reliance on libusb and libykpersonalize.
  • Support the "fido" and "otp" subcommands over NFC
  • New "ykman --diagnose" command to aid in troubleshooting.
  • New "ykman apdu" command for sending raw APDUs over the smart card interface.
  • New "yubikit" package added for custom development and advanced scripting.
  • OpenPGP: Add support for KDF enabled YubiKeys.

  • Static password: Add support for FR, IT, UK and BEPO keyboard layouts.

  • Update to 3.1.1

  • Add support for YubiKey 5C NFC

  • OpenPGP: set-touch now performs compatibility checks before prompting for PIN
  • OpenPGP: Improve error messages and documentation for set-touch
  • PIV: read-object command no longer adds a trailing newline
  • CLI: Hint at missing permissions when opening a device fails
  • Linux: Improve error handling when pcscd is not running
  • Windows: Improve how .DLL files are loaded, thanks to Marius Gabriel Mihai for reporting this!
  • Bugfix: set-touch now accepts the cached-fixed option
  • Bugfix: Fix crash in OtpController.prepare_upload_key() error parsing
  • Bugfix: Fix crash in piv info command when a certificate slot contains an invalid certificate
  • Library: PivController.read_certificate(slot) now wraps certificate parsing exceptions in new exception type InvalidCertificate

  • Library: PivController.list_certificates() now returns None for slots containing invalid certificate, instead of raising an exception

  • Version 3.1.0 (released 2019-08-20)

  • Add support for YubiKey 5Ci

  • OpenPGP: the info command now prints OpenPGP specification version as well
  • OpenPGP: Update support for attestation to match OpenPGP v3.4
  • PIV: Use UTC time for self-signed certificates

  • OTP: Static password now supports the Norman keyboard layout

  • Version 3.0.0 (released 2019-06-24)

  • Add support for new YubiKey Preview and lightning form factor

  • FIDO: Support for credential management
  • OpenPGP: Support for OpenPGP attestation, cardholder certificates and cached touch policies

  • OTP: Add flag for using numeric keypad when sending digits

  • Version 2.1.1 (released 2019-05-28)

  • OTP: Add initial support for uploading Yubico OTP credentials to YubiCloud

  • Don’t automatically select the U2F applet on YubiKey NEO, it might be blocked by the OS
  • ChalResp: Always pad challenge correctly
  • Bugfix: Don’t crash with older versions of cryptography
  • Bugfix: Password was always prompted in OATH command, even if sent as argument

Changes in yubikey-manager-qt:

  • update to 1.2.5:

  • Compatibility update for ykman 5.0.1.

  • Update to Python 3.11.

  • Update product images.

  • Update to version 1.2.4 (released 2021-10-26)

  • Update device names and images.

  • PIV: Fix import of certificate.

  • Update to version 1.2.3

  • Improved error handling when using Security Key Series devices.

  • PIV: Fix generation of certificate in slot 9c.

  • Update to version 1.2.2

  • Fix detection of YubiKey Plus

  • Compatibility update for yubikey-manager 4.0
  • Bugfix: Device caching with multiple devices
  • Drop dependencies on libusb and libykpers.

  • Add additional product names and images

  • update to 1.1.5

  • Add support for YubiKey 5C NFC

  • Update to version 1.1.4

  • OTP: Add option to upload YubiOTP credential to YubiCloud

  • Linux: Show hint about pcscd service if opening device fails

  • Bugfix: Signal handling now compatible with Python 3.8

  • Version 1.1.3 (released 2019-08-20)

  • Add suppport for YubiKey 5Ci

  • PIV: Use UTC time for self-signed certificates

  • Version 1.1.2 (released 2019-06-24)

  • Add support for new YubiKey Preview

  • PIV: The popup for the management key now have a "Use default" option
  • Windows: Fix issue with importing PIV certificates
  • Bugfix: generate static password now works correctly

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Desktop Applications Module 15-SP5
    zypper in -t patch SUSE-SLE-Module-Desktop-Applications-15-SP5-2023-2811=1
  • Basesystem Module 15-SP5
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-2811=1
  • SUSE Linux Enterprise Micro 5.5
    zypper in -t patch SUSE-SLE-Micro-5.5-2023-2811=1

Package List:

  • Desktop Applications Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    • yubikey-manager-qt-debuginfo-1.2.5-150400.9.3.1
    • yubikey-manager-qt-debugsource-1.2.5-150400.9.3.1
    • yubikey-manager-qt-1.2.5-150400.9.3.1
  • Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    • libfido2-1-debuginfo-1.13.0-150400.5.3.1
    • libfido2-debugsource-1.13.0-150400.5.3.1
    • libfido2-1-1.13.0-150400.5.3.1
    • libfido2-debuginfo-1.13.0-150400.5.3.1
    • libfido2-devel-1.13.0-150400.5.3.1
  • Basesystem Module 15-SP5 (noarch)
    • python3-fido2-0.9.3-150400.9.3.1
    • yubikey-manager-4.0.9-150400.9.3.1
    • python3-dataclasses-0.8-150400.3.2.1
    • libfido2-udev-1.13.0-150400.5.3.1
  • SUSE Linux Enterprise Micro 5.5 (aarch64 s390x x86_64)
    • libfido2-1-debuginfo-1.13.0-150400.5.3.1
    • libfido2-debugsource-1.13.0-150400.5.3.1
    • libfido2-debuginfo-1.13.0-150400.5.3.1
    • libfido2-1-1.13.0-150400.5.3.1

References: