Security update for libu2f-host (moderate)

An update that solves two vulnerabilities, contains one
feature and has one errata is now available.

Description:

This update for libu2f-host fixes the following issues:

This update ships the u2f-host package (jsc#ECO-3687 bsc#1184648)

Version 1.1.10 (released 2019-05-15)

• Add new devices to udev rules.
• Fix a potentially uninitialized buffer (CVE-2019-9578, bsc#1128140)

Version 1.1.9 (released 2019-03-06)

• Fix CID copying from the init response, which broke compatibility with
  some devices.

Version 1.1.8 (released 2019-03-05)

• Add udev rules
• Drop 70-old-u2f.rules and use 70-u2f.rules for everything
• Use a random nonce for setting up CID to prevent fingerprinting
• CVE-2019-9578: Parse the response to init in a more stable way to
  prevent leakage of uninitialized stack memory back to the device
  (bsc#1128140).

Version 1.1.7 (released 2019-01-08)

• Fix for trusting length from device in device init.

• Fix for buffer overflow when receiving data from device. (YSA-2019-01,
  CVE-2018-20340, bsc#1124781)

• Add udev rules for some new devices.

• Add udev rule for Feitian ePass FIDO

  • Add a timeout to the register and authenticate actions. This update
    was imported from the SUSE:SLE-15:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

• openSUSE Leap 15.2:

  zypper in -t patch openSUSE-2021-799=1