Feature update for himmelblau
| Announcement ID: | SUSE-FU-2026:20990-1 |
|---|---|
| Release Date: | 2026-04-01T09:26:05Z |
| Rating: | important |
| References: | |
| Cross-References: | |
| CVSS scores: | |
| Affected Products: | SUSE Linux Enterprise Server - BCI 16.0 |
An update that solves four vulnerabilities, contains one feature and has one fix can now be installed.
Description:
This update for himmelblau fixes the following issues:
Update to himmelblau 2.3.8 (jsc#PED-14511):
Security issues:
- CVE-2025-54882: world readable cloud TGT token (bsc#1247735).
- CVE-2025-58160: tracing-subscriber: Tracing log pollution (bsc#1249013).
- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257904).
- CVE-2026-31979: race condition when accessing /tmp/krb5cc_<uid> (bsc#1259548).
Non-security issues:
- Fix SELinux module packaging to use standard policy macros (bsc#1258236).
Changelog:
Version 2.3.8:
- Add PrivateTmp back to Tasks Daemon
- Drop dead code
- Drop krb5 ccache dir code
- Add a TODO comment
- Drop non working packaged krb5 snippet file
- Write kerberos config snippet
- Extend resolver interface to return kerberos config together with TGTs
- Backport SELinux fixes from main
- Use libkrimes to store TGTs
Version 2.3.7:
- cargo vet
- Fix AWS-LC has PKCS7_verify Certificate Chain Validation Bypass
- Revert dependency change which broke the nightly build
- gen_dockerfiles: only himmelblaud has tpm feature, fix all others
- fix(build): gen_dockerfiles.py mutates shared features list mid-loop
Version 2.3.5:
- Better handle Intune API version
- Update make vet from main branch
- pam_himmelblau: call split_username once in chauthtok
- pam_himmelblau: return PAM_IGNORE in chauthtok for local users
- Don't attempt a DAG when Hello fails with SSPR demand
Version 2.3.4:
- deps(rust): bump the all-cargo-updates group across 1 directory with 8 updates
- Revert sketching update (which breaks SLE16 build)
Version 2.3.3:
- /var/cache/private/himmelblaud should not be created tmpfiles
- Update python vers for dataclasses dep
- deps(rust): bump the all-cargo-updates group across 1 directory with 3 updates
- Generate pin init service file systemd < 250
- Checkin missing himmelblaud.if file for SELinux
- Resolve typos in selinux package commands
Version 2.3.2:
- Compile SELinux policy at install time for cross-distro compatibility
- Improve PAM configuration on openSUSE/SLE
- Fix SELinux policy
- Add a git hook to ensure selinux policy is tested
- Ignore generated himmelblau-hsm-pin-init service file
- Refactor SELinux policy for cross-distro compatibility
- Fix NSS lookup for mapped local users
- Skip OS version compliance checks when min/max values are empty
Version 2.3.1:
- Remove references to qrcodegen (these are 3.x features)
- QR Greeter compatibility for old GNOME
- Enable QR greeter automatically
- ci: Use latest cargo-vet from git to fix CI
- Fix HSM pin migration failure on Debian/Ubuntu upgrades from v1.4.x
Version 2.3.0:
- Autostart the daemons on fresh install or upgrade
- Restart sshd when installing the ssh config
- Allow tasks daemon to write krb ccache
- Do not enumerate mapped users in NSS
- Update libhimmelblau to latest version
- Fix Tumbleweed build
Version 2.2.0:
- Update libhimmelblau to 0.8.x series
- deps(rust): bump the all-cargo-updates group with 17 updates
- Only use OpenSSH bug workaround for ssh service
- Fix debug noise from removing user from sudo group
- systemd: install files to /usr/lib/, not /etc/
Version 2.1.0:
- Fix nightly authselect build failure
- Generate the authselect profiles for each distro
- Improve pam config handling in aad-tool
- Make `aad-tool configure-pam` detect location of pam files
Version 2.0.5:
- /var/lib/private/himmelblaud should be owned by root
- Use tmpfiles.d to create himmelblaud private data directory
- deps(rust): bump the all-cargo-updates group with 13 updates
Version 2.0.4:
- Update kanidm_build_profiles mask version
- Utilize cargo vet from main
- Add policies cache patch via systemd-tmpfiles
- Fix man page comments about change idmap_range
- Stub picky-krb for osc build
- Stub a kanidm_build_profiles which builds in osc
- Ensure nss cache is created on Ubuntu/Debian
- Request a user token if NSS hasn't been called
Version 2.0.3:
- Add nss cache patch via systemd-tmpfiles
Version 2.0.2:
- Recommend `patch` with the pam package
- Fix passwordless FIDO authentication not being used when available
- Git workflow updates for stable-2.x
- Only warn on Intune failure
Version 2.0.1:
- Force o365 desktop files to always rebuild
- Always rebuild the o365 apps
- Add restart on-failure to systemd services
- Clarify `domain` SHOULD match login domain
- Remove warning about `domain` himmelblau.conf opt
- Pseudo eliminate multi-tenant and domains section
- Revert "Fix Hello PIN lookup when an alias domain"
- Comment out `KbdInteractiveAuthentication on` in sshd conf
- Check the nxset sooner, to avoid unwanted errors
- Recommend oddjob_mkhomedir with authselect
- Pin libhimmelblau to 0.7.x
- Deprecate Fedora 41
- deps(rust): bump the all-cargo-updates group with 11 updates
- Bump github/codeql-action from 4.30.8 to 4.31.2
- Bump cachix/install-nix-action from 31.8.1 to 31.8.2
- Bump actions/upload-artifact from 4.6.2 to 5.0.0
- cargo clippy and rebase fix
- fixup! add extra debug output to NotFound error code
- force error output to show up in CI logs
- wrap repeated sources of IdpError::NotFound in helper functions
- add extra debug output to NotFound error code
- use direnv for loading the nix devshell
- We should still encourage mapping by name
- Add support for Fedora 43
- Provide an offline 'breakglass' mode
- cargo clippy
- Add warning about incorrect nsswitch configuration
- Distinguish between online and offline token fail
- Ensure user token uses original name
- Fix alias domain in auth result causing failure
- Resolve cargo clippy warnings
- Only map on cn name for the primary domain
- Install systemd in build scripts for gen service
- Fix systemd version parsing
- Update libhimmelblau to 0.7.19
- Resolve SELinux build failures in nightly (part 2)
- Rocky container image updates were failing
- Warn instead of error when no idmap_range specified
- deps(rust): bump the all-cargo-updates group across 1 directory with 7 updates
- Trim whitespace from local group names
- Fix borrowing error
- Fix reference to local_sudo_group in condition
- Only run sudo_groups if local_groups does not contain local_sudo_group
- Leave SELinux in permissive mode for Himmelblau
- Resolve SELinux build failures in nightly
- nix: add join_type option to nixos-module settings
- Build host configuration changes
- Ensure that hsm_pin isn't present decrypted
- Document Soft HSM changes to TPM bound
- Disable SELinux by default on NixOS
- sh doesn't have `source`
- Encrypt hsm-pin using systemd-creds
- Recommend uuid id mapping
- Improve himmelblau.conf man page formatting
- Implement Local User Mapping
- Add o365 dependency for jq
- Add selinux rules for gdm login
- Narrow the scope of selinux policy with audit2allow
- Generate the systemd service files
- Fix selinux build for SLE16
- Resolve SLE16 build dependency failure
- Fix the rawhide build
- Mask the sshkey-attest package
- Bump cachix/install-nix-action from 31.7.0 to 31.8.1
- cargo vet dependency updates
- deps(rust): bump the all-cargo-updates group across 1 directory with 13 updates
- Bump actions/dependency-review-action from 4.8.0 to 4.8.1
- Bump cachix/install-nix-action from 31.7.0 to 31.8.0
- Bump github/codeql-action from 3.30.5 to 4.30.8
- Bump ossf/scorecard-action from 2.4.2 to 2.4.3
- SELinux improvements
- Fix a typo in package gen scripts
- cargo fmt
- Permit NSS response for mapped primary fake group
- Fix Nix Error With Fuzz
- Decrease CI fuzzer setup time
- Document join types
- Support for Entra registered devices
- Run `cargo test` in a container
- Bump cachix/install-nix-action from 31.6.2 to 31.7.0
- deps(rust): bump the all-cargo-updates group across 1 directory with 2 updates
- Bump github/codeql-action from 3.30.4 to 3.30.5
- Use pastey crate instead of unmaintained paste
- Pin unmaintained serde_cbor dep to serde_cbor_2
- Resolve tower-http `cargo audit` warning
- Replace unmaintained fxhash with own version
- Resolve warning about workflow top level write permissions
- Remove dependabot automerge
- Resolve division by 0 in idmap code
- [StepSecurity] ci: Harden GitHub Actions
- Only idmap against initialized domains
- Resolve invalid init of idmap with same domain
- Add fuzzing of idmap code
- Add basic fuzzing of the config options
- Resolve error found by fuzzing
- cargo vet prune
- deps(rust): bump regex in the all-cargo-updates group
- Bump actions/dependency-review-action from 4.7.3 to 4.8.0
- Bump actions/checkout from 3.6.0 to 5.0.0
- Bump cachix/cachix-action from 14 to 16
- Bump ossf/scorecard-action from 2.4.0 to 2.4.2
- Bump cachix/install-nix-action from 25 to 31
- Add the OpenSSF Best Practices badge
- Add scorecard badge
- [StepSecurity] Apply security best practices
- Fix group static mapping
- Move aad-tool idmap cache clear to the idmap cmd
- Resolve errant "Hello key missing." messages
- Update flake.nix
- Slow the dependabot update frequency
- Audit dependabot updates
- deps(rust): bump the all-cargo-updates group across 1 directory with 11 updates
- feat: Add support for aarch64 on Debian-based distributions
- Resolve possible invalid pointer dereferences
- Avoid revealing account ids in debug log
- Cause doc links to open in the correct apps
- Permit opening multiple instances of Word/Excel
- Modify systray and app close behavior
- Don't use questionably licensed icons for o365
- Resolve NixOS CI failure
- Fix building w/out deprecated interactive feature
- Update himmelblau.conf.5 sudo_groups example
- Entra group based sudo access
- Audited the cargo updates
- deps(rust): bump the all-cargo-updates group with 6 updates
- Vet libhimmelblau
- Add `make vet` command
- Update deny.toml
- Remove incompatible licenses from deps
- Fix RHEL8 package signing
- Add SBOM generation
- Add an IRP checklist for security incidents
- Run the nixos build/release on the correct version
- Add crate dependency auditing on MR
- Add some exceptions
- Initialize cargo vet
- Remove in-tree kanidm dependencies
- Fix Hello PIN lookup when an alias domain
- Raise maximum group lookup from 100 to 999
- Always work with lowercase account names
- Modify FUNDING.yml for funding sources
- Remove glib dependency
- deps(rust): bump the all-cargo-updates group with 10 updates
- Add CI check for licenses
- Update dependabot.yml to target all stable branches
- Add authselect module for Rocky/Fedora
- Recommend packages, instead of require
- Add a Contributing document
- Add a Code of Conduct
- add withSelinux flag to nix build, brings SELinux binaries into the build environment.
- deps(rust): bump tracing-subscriber in the cargo group
- Don't overwrite the himmelblau.conf on rpm upgrade
- Add help output to the Makefile
- Fix building packages with docker in root mode
- Update to latest libhimmelblau and identity_dbus_broker
- Make PRT SSO cookie via broker work as well for Edge
- Make broker work for Edge
- Generate Office 365 desktop apps
- Update README
- Add `make uninstall` command
- Remove the deprecated tests suite
- Himmelblau no longer has git submodules
- Make install using packages
- Add Debian 13 packages
- Generate Dockerfiles automatically
- Add SELinux configuration
- Himmelblau daemon requires system tss user
- Add cron dependency for Intune scripts
- Do not mangle /usr/etc configuration files
- deps(rust): bump the all-cargo-updates group with 7 updates
- Add SLE16 (beta) build target
- Automatically append to nsswitch.conf in postinst
- Correct the RPM postinst script syntax
- Fix Kerberos credential cache permissions
- Set file owner and group before writing its content
- Create SECURITY.md
- Rev the dev version to 2.0.0
- Ensure alias domains match when checking Intune device id
- Debian 12 doesn't support ConditionPathExists and notify-reload
- Write scripts policy to a readable directory
- Apply Intune policies right after enrollment
- Add more debug instrumentation
- Provide device_id to Intune enrollment if not cached
- Ensure nss cache directory is created during install
- Remove /var/cache/himmelblaud access from tasks daemon
- Resolve daemon startup absolute path warnings
- Delay Intune enrollment on Device Auth fail
- Do not leak the Intune IW service token in the logs
Version 1.4.2:
- Revert libhimmelblau unstable update
Version 1.4.1:
- Update Intune to use app version 1.2511.7
Version 1.4.0:
- Resolve build failures
- deps(rust): bump the all-cargo-updates group across 1 directory with 6 updates
Version 1.3.0:
- Revert the self-hosted runner name
- deps(rust): bump the all-cargo-updates group with 23 updates
- Include latest branch in CI
- Self hosted runners
Version 1.1.0:
- Fix policy application
- Add remaining Linux password compliance policies
- Add custom compliance enforcement
- deps(rust): bump the all-cargo-updates group with 3 updates
- deps(rust): bump the all-cargo-updates group with 5 updates
- Add SLE15SP7 build target
- Add RHEL 10 build target
- Fix Intermittent auth issue AADSTSError 16000
- Remove old utf8proc dependency
- Add `fedora42` build target
- Handle PRT expiration and tie to offline auth
- Correctly delete the Hello keys on bad pin count
- Add ability to disable Hello PIN per-service
- Update NixOS support to 25.05
- Handle disabled device by attempting re-enrollment
- Always attempt confidential client creds for aad-tool
- Include HSM option defs in himmelblau.conf man page
- Improve the aad-tool cache-clear command
- Add `mfaSshWorkaroundFlag` configuration option to Nix Flake.
- Add the ability to remove confidential client creds
- If bad PIN count is exceeded, delete the Hello key
- deps(rust): bump the all-cargo-updates group with 4 updates
- Add instructions for creating developer builds
- Fix GDM3 first time login password prompt
- Default HsmType should be soft
- Add himmelblaud to tss group for TPM startup
- Enforce strict order for the systemd units
- Update libhimmelblau and compact_jwt
- Fix builds w/tpm
- aad-tool Authentication flow improvements
- Filter out irrelevant debug in aad-tool
- Create a unified login experience for aad-tool
- Utilize confidential creds for aad-tool enumerate
- himmelblau should get posix attributes w/out delegate user access
- Always use the Object Id for mapping Group to GID
- Update enhancement-request.md for SPI donations
- Update bug_report.md with SPI donation
- Update build requires in README.md
- Update FUNDING.yml with SPI Paypal donation button
- Don't break from tasks loop when policies fail
- Enroll in Intune as soon as it is enabled
- Implement `decoupled hello` behavior
- Cache encrypted PRT to disk for offline login SSO
- Update to latest hsm-crypto
- Enable tpm functionality
- Allow altering the password and PIN prompt messages
- Ensure Hello PIN lockout happens when online
- Cache the build target output to improve build times
- Easier build selection w/ Makefile
- Revert mistaken removal from Makefile
- Make the user wait longer with each incorrect PIN
- Make the bad PIN count configurable
- Improve aad-tool manpage
- aad-tool fails if the user has FIDO2 enabled
- Offline auth permits authentication with invalid Hello PIN
- PIN complexity to match Windows
- Update to latest SSSD idmap code
- Add aad-tool options for setting posix attrs
- Add scopes and redirect uris aad-tool application create
- Add aad-tool commands for managing extension attrs
- Utilize the sidtoname call for object id mapping
- Add commands for listing/creating App registrations
- Potential fix for code scanning alert no. 2: Workflow does not contain permissions
- Potential fix for code scanning alert no. 4: Workflow does not contain permissions
- Potential fix for code scanning alert: Workflow does not contain permissions
- Never write the app_id to the server config
- Disable passwordless Fido by default
- Stop using deprecated `users` crate
- When group membership lookup fails, use cached groups
- aad-tool command for enumerating users and groups
- Name-Based Group Matching in `pam_allow_groups` Leads to Potential Security Bypass
- Add the configure-pam option to aad-tool man page
- Add static idmap cache for on-prem to cloud migration
- Update bug_report.md with request for himmelblau.conf
- deps(rust): bump the all-cargo-updates group with 2 updates
- Update crates in a group
- Update crate bumps
- Utilize new Intune compliance enforcement via libhimmelblau
- Correct the README regarding Intune policy compliance
- Disable Chromium policy
- Re-enable Intune policy and add scripts and compliance policies
- himmelblau.conf alias `domain` as `domains`
- Support Fido auth in pam passwd
- Add TAP support to himmelblaud and pam passwd
- Mixed case names should properly identify Hello Key
- Update linux-entra-sso to latest version
- Fix group lookup for Entra Id group name
- Fix mixed case name lookup from PRT cache
- Crate updates
- Fix tasks daemon debug output
- Remove write locks where unnecessary
- Fix deadlock in nss
- systemd notify fixes
- Console
- Address Feedback
- Order services before gdb/nss-user-target
- deps(rust): bump rpassword from 7.3.1 to 7.4.0
- deps(rust): bump tokio from 1.44.2 to 1.45.0
- deps(rust): bump sha2 from 0.10.8 to 0.10.9
- deps(rust): bump systemd-journal-logger from 2.2.0 to 2.2.2
- deps(rust): bump clap from 4.5.31 to 4.5.38
- Update notify-debouncer-full
- Update opentelemetry
- Update dependencies
- deps(rust): bump time from 0.3.39 to 0.3.41
- Replace source filter that blacklists files with filter that whitelists files.
- Mark himmelblau.conf as config in rpm
- Update README.md
- Ensure only the base URL is printed to log
- If unix_user_get fails, wait, and try again
- Supplying a PRT cookie to SSO doesn't require network
- Don't send a password prompt if the network is down
- Auth via MFA if Hello PIN fails 3 times
- Improve Hello PIN failed auth error
- Fix rocky9 build
- deps(rust): bump anyhow from 1.0.96 to 1.0.98
- deps(rust): bump libc from 0.2.170 to 0.2.172
- deps(rust): bump cc from 1.2.16 to 1.2.19
- deps(rust): bump tokio from 1.43.0 to 1.44.2
- deps(rust): bump openssl from 0.10.71 to 0.10.72 in the cargo group
- deps(rust): bump reqwest from 0.12.12 to 0.12.15
- Update libhimmelblau in Cargo.lock
- Fix nss and offline checks for domain aliases
- Report error when MS Authenticator denies authorization
- Bail out of invalid offline auth
- Handle AADSTS errors from BeginAuth response
- Never dump failed reqwests to the log
- Update sccache-action version to use new cache service
- Permit daemon to start when network is down
- Add an nss cache for when daemon is down
- Additional pam info cues
- Proceed with Hello auth even with net down
- Indicate to the user what the password and PIN are
- Ensure pam messages are seen
- Display the minimum PIN length during Hello setup
- PAM should loop, not die on error
- Ensure prompt msg remains for confirmation
- Update bug_report.md
- Ignore demands for setting up MS Authenticator
- Login fails if Entra is configured to recommend MS authenticator
- Add pam configure command to aad-tool
- Update README.md with pam passwd instructions
- aad-tool authtest needs to map names
- Update demo video in README.md
- Sign RPM packages
- Ensure the pam module is installed correctly for SLE
- Improve pam error handling and messaging
- Only push cachix builds for stable releases
- Terminate linux-entra-sso when browser terminates
- On deb, push pam config after install
- Increase priority of deb PAM passwd for Himmelblau
- Improve offline state handling
- Specify request for Entra Id password in PAM
- QR Greeter also supports gnome-shell 47
- Fix profile photo loading
- Clarify pam_allow_groups in himmelblau.conf man page
- Don't hide debug for pam_allow_groups miss
- Handle failures in passwordless auth
- build all root packages
- split config options that can be defined per-domain from those which are global only
- configure cachix signing and upload in ci
- deps(rust): bump serde_json from 1.0.138 to 1.0.140
- deps(rust): bump serde from 1.0.218 to 1.0.219
- deps(rust): bump time from 0.3.37 to 0.3.39
- deps(rust): bump bytes from 1.10.0 to 1.10.1
- deps(rust): bump pkg-config from 0.3.31 to 0.3.32
- Entra Id is case insensitive, cache lookup must match
- deps(rust): bump ring from 0.17.9 to 0.17.13 in the cargo group
- Support CompanionAppsNotification mfa method
- QR code for gnome-shell greeter
- Allow tasks to start if AccountsService dir missing
- Remove invalid python dependency from sso package
- Fixes https://github.com/himmelblau-idm/himmelblau/issues/397
- Clear server config when clearing cache
- Update version in the Cargo.lock
- deps(rust): bump async-trait from 0.1.86 to 0.1.87
- deps(rust): bump chrono from 0.4.39 to 0.4.40
- Fix himmelblau.conf man page cn_name_mapping entry
- deps(rust): bump pem from 3.0.4 to 3.0.5
- deps(rust): bump serde from 1.0.217 to 1.0.218
Version 1.0.0:
- deps(rust): bump cc from 1.2.15 to 1.2.16
- Update workflow versions
Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server - BCI 16.0
  zypper in -t patch SUSE-SLES-16.0-471=1
Package List:
- SUSE Linux Enterprise Server - BCI 16.0 (aarch64 x86_64)
  - libnss_himmelblau2-2.3.8+git0.dec3693-160000.1.1
  - himmelblau-debuginfo-2.3.8+git0.dec3693-160000.1.1
  - pam-himmelblau-2.3.8+git0.dec3693-160000.1.1
  - himmelblau-2.3.8+git0.dec3693-160000.1.1
  - himmelblau-sso-2.3.8+git0.dec3693-160000.1.1
  - himmelblau-sso-debuginfo-2.3.8+git0.dec3693-160000.1.1
- SUSE Linux Enterprise Server - BCI 16.0 (noarch)
  - himmelblau-qr-greeter-2.3.8+git0.dec3693-160000.1.1
  - himmelblau-sshd-config-2.3.8+git0.dec3693-160000.1.1
References:
- https://www.suse.com/security/cve/CVE-2025-54882.html
- https://www.suse.com/security/cve/CVE-2025-58160.html
- https://www.suse.com/security/cve/CVE-2026-25727.html
- https://www.suse.com/security/cve/CVE-2026-31979.html
- https://bugzilla.suse.com/show_bug.cgi?id=1247735
- https://bugzilla.suse.com/show_bug.cgi?id=1249013
- https://bugzilla.suse.com/show_bug.cgi?id=1257904
- https://bugzilla.suse.com/show_bug.cgi?id=1258236
- https://bugzilla.suse.com/show_bug.cgi?id=1259548
- https://jira.suse.com/browse/PED-14511