oath-toolkit-help
[OATH-Toolkit-help] OATH Toolkit 2.4.1


From: Simon Josefsson
Subject: [OATH-Toolkit-help] OATH Toolkit 2.4.1
Date: Wed, 12 Feb 2014 15:32:08 +0100
User-agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.3 (gnu/linux)

This is a security bugfix for the 2.4.x branch, see below for details.

I have had health issues since late last year -- see
http://blog.josefsson.org/ -- but I hope to return to reviewing Fabian's
OCRA patches so we can finally get them released.

Happy hacking,
Simon

** liboath: Fix usersfile bug that caused it to update the wrong line.
When a usersfile contains multiple lines for the same user but with an
unparseable token type (e.g., HOTP vs TOTP), the code would update the
wrong line of the file.  Since the then updated line could be a
commented out line, this can lead to the same OTP being accepted
multiple times which is a security vulnerability.  Reported by Bas van
Schaik <address@hidden> and patch provided by Ilkka Virta
<address@hidden>.  CVE-2013-7322

The OATH Toolkit makes it easy to build one-time password
authentication systems.  It contains shared libraries, command line
tools and a PAM module.  Supported technologies include the
event-based HOTP algorithm (RFC4226) and the time-based TOTP algorithm
(RFC6238).  OATH stands for Open AuTHentication, which is the
organization that specifies the algorithms.  For managing secret key
files, the Portable Symmetric Key Container (PSKC) format described in
RFC6030 is supported.

The components included in the package are:

  * liboath: A shared and static C library for OATH handling.

  * oathtool: A command line tool for generating and validating OTPs.

  * pam_oath: A PAM module for pluggable login authentication for OATH.

  * libpskc: A shared and static C library for PSKC handling.

  * pskctool: A command line tool for manipulating PSKC data.

The project's web page is available at:
  http://www.nongnu.org/oath-toolkit/

Documentation for the command line tools oathtool and pskctool:
  http://www.nongnu.org/oath-toolkit/oathtool.1.html
  http://www.nongnu.org/oath-toolkit/pskctool.1.html
  http://www.nongnu.org/oath-toolkit/libpskc-api/pskc-tutorial-pskctool.html

Manual for PAM module:
  http://git.savannah.gnu.org/cgit/oath-toolkit.git/tree/pam_oath/README

Liboath manual:
  http://www.nongnu.org/oath-toolkit/liboath-api/liboath-oath.html

Libpskc Tutorial & Manual:
  http://www.nongnu.org/oath-toolkit/libpskc-api/pskc-tutorial-quickstart.html
  http://www.nongnu.org/oath-toolkit/libpskc-api/pskc-reference.html

If you need help to use the OATH Toolkit, or want to help others, you
are invited to join our oath-toolkit-help mailing list, see:
  https://lists.nongnu.org/mailman/listinfo/oath-toolkit-help

Here are the compressed sources of the entire package:
  http://download.savannah.nongnu.org/releases/oath-toolkit/oath-toolkit-2.4.1.tar.gz (4.0MB)
  http://download.savannah.nongnu.org/releases/oath-toolkit/oath-toolkit-2.4.1.tar.gz.sig (OpenPGP)

The software is cryptographically signed by the author using an OpenPGP
key identified by the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2014-05-11]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6  F835 EDA2 1E94 B565 716F
uid                  Simon Josefsson <address@hidden>
uid                  Simon Josefsson <address@hidden>
sub   2048R/105E722E 2012-03-13 [expires: 2014-02-17]
sub   2048R/728AB82C 2012-03-13 [expires: 2014-02-17]
sub   2048R/9394F626 2012-03-13 [expires: 2014-02-17]
sub   1280R/4D5D40AE 2002-05-05 [expires: 2014-05-11]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

b0ca4c5f89c12c550f7227123c2f21f45b2bf969  oath-toolkit-2.4.1.tar.gz
c88309c3c24772c9f0405af95880947826f9e5d3862aa3d7eaa51f4f  oath-toolkit-2.4.1.tar.gz

General information on contributing:
  http://www.nongnu.org/oath-toolkit/contrib.html

Savannah developer's home page:
  https://savannah.nongnu.org/projects/oath-toolkit/

Code coverage charts:
  http://www.nongnu.org/oath-toolkit/coverage/

Clang code analysis:
  http://www.nongnu.org/oath-toolkit/clang-analyzer/

Daily snapshots:
  http://daily.josefsson.org/oath-toolkit/

Autobuild statistics:
  http://autobuild.josefsson.org/oath-toolkit/

Attachment: signature.asc
Description: PGP signature
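The usersfile bug fixed in 2.4.1 comes down to one property: the state that blocks replay (the HOTP counter, or the last-used TOTP time) must be written back to exactly the line that validated the OTP, even when the file carries commented-out or otherwise unparseable lines for the same user. The Python below is an added example written for this page, not liboath or pam_oath code. It models a simplified usersfile (layout assumed, loosely following the pam_oath README: token type, user, PIN or "-", hex secret, optional counter; "#" starts a comment), validates an HOTP value within a look-ahead window, rewrites the matching line by its index in the file, and the usage shows that a commented-out line stays untouched and that the same OTP is rejected when presented again. The "HOTP/T30" line stands in for a token type this simplified verifier cannot parse; the secret is the RFC 4226 test vector key, and the file content is constructed.

```python
import hashlib
import hmac
import struct

# Constructed sample usersfile, simplified from the pam_oath layout:
# "<type> <user> <pin-or-dash> <hex secret> [counter]"; '#' starts a comment.
# Line 2 is a stale commented-out entry, line 3 a token type this model
# does not parse, line 4 the live HOTP entry for alice (counter 3).
USERSFILE = """\
# constructed sample usersfile (simplified layout)
#HOTP alice - 3132333435363738393031323334353637383930 0
HOTP/T30 alice - 3132333435363738393031323334353637383930
HOTP alice - 3132333435363738393031323334353637383930 3
HOTP bob - 3132333435363738393031323334353637383930 0
"""

WINDOW = 10  # counter values ahead of the stored one that we accept


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def parse_hotp_line(line: str):
    """Return (user, secret, counter) for a plain 'HOTP' line, or None for
    comments, blank lines and token types this model does not understand
    (e.g. 'HOTP/T30'), which the caller must skip without losing its place."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 4 or fields[0] != "HOTP":
        return None
    counter = int(fields[4]) if len(fields) > 4 else 0
    return fields[1], bytes.fromhex(fields[3]), counter


def authenticate(usersfile_text: str, user: str, otp: str, window: int = WINDOW):
    """Validate `otp` for `user`. Returns (ok, new_usersfile_text).

    The line that validated the OTP is rewritten in place by its index in the
    original line list, so commented-out or unparseable lines that were skipped
    can never shift the write onto a different line. Advancing the counter on
    that exact line is what makes a replayed OTP fail."""
    lines = usersfile_text.splitlines()
    for idx, line in enumerate(lines):
        parsed = parse_hotp_line(line)
        if parsed is None:
            continue
        luser, secret, counter = parsed
        if luser != user:
            continue
        for step in range(window):
            expected = hotp(secret, counter + step)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                fields = line.split()[:4] + [str(counter + step + 1)]
                lines[idx] = " ".join(fields)
                return True, "\n".join(lines) + "\n"
    return False, usersfile_text


def replay_is_rejected(usersfile_text: str, user: str, otp: str) -> bool:
    """Accept the OTP once, then present it again against the updated file."""
    first, updated = authenticate(usersfile_text, user, otp)
    second, _ = authenticate(updated, user, otp)
    return first and not second


if __name__ == "__main__":
    secret = bytes.fromhex("3132333435363738393031323334353637383930")
    otp = hotp(secret, 3)  # alice's next valid value
    ok, updated = authenticate(USERSFILE, "alice", otp)
    print(ok, replay_is_rejected(USERSFILE, "alice", otp))
    print(updated)
```

The write-back keys on the index of the line in the file as read, not on a count of lines that parsed, so skipping a comment or an unknown token type cannot move the update onto a neighbouring line; that is the invariant a usersfile updater has to keep, and the check worth carrying into a regression test when upgrading an installation that has old entries commented out rather than deleted.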

