Copyright (c) 2014-2025 Yubico AB - See COPYING

pam-u2f NEWS -- History of user-visible changes.          -*- outline -*-

* Version 1.4.0 (released 2025-03-25)
** Add module configuration file support (default: /etc/security/pam_u2f.conf).
** Add support for building in CMake. This deprecates the autotools build
system which is scheduled to be removed in a future release.
** Terminology updates to user prompts.

* Version 1.3.2 (released 2025-01-16)
** Relax authfile permission check to a warning instead of an error to
prevent a breaking change locking existing users out of their systems.

* Version 1.3.1 (released 2025-01-14)
** Fix incorrect usage of PAM_IGNORE (YSA-2025-01, CVE-2025-23013).
** Changed return value when nouserok is enabled and the user has no
credentials, PAM_IGNORE is used instead of PAM_SUCCESS.
** Hardened checks of authfile permissions.
** Hardened checks for nouserok.
** Improved debug messages.
** Improved documentation.

* Version 1.3.0 (released 2023-03-14)
** Add sanity checking of UV options to pamu2fcfg.
** Add support for username expansion in the authfile path.
** Improvements to the documentation.

* Version 1.2.1 (released 2022-05-11)
** Fixed an issue where native credentials could be truncated, resulting in
failure to authenticate or successful authentication with missing options.
** Stricter parsing of sshformat credentials.
** pamu2fcfg now allows a combination of the --username and --nouser options.
** Improved documentation on FIDO2 options.

* Version 1.2.0 (released 2021-09-22)
** Added support for EdDSA keys.
** Added support for SSH ed25519-sk keys.
** Added authenticator filtering based on user verification options.
** Fixed an issue with privilege restoration on MacOS.
** Fixed an issue where credentials created with pamu2fcfg 1.0.8 or earlier
were not handled correctly if their origin and appid differed.
** Miscellaneous improvements to the documentation.
** Miscellaneous minor bug fixes found by fuzzing.

* Version 1.1.1 (released 2021-05-19)
** Fix an issue where PIN authentication could be bypassed (CVE-2021-31924).
** Fix an issue with nodetect and non-resident credentials.
** Fix build issues with musl libc.
** Add support for self-attestation in pamu2fcfg.
** Fix minor bugs found by fuzzing.

* Version 1.1.0 (released 2020-09-17)
 ** Add support to FIDO2 (move from libu2f-host+libu2f-server to libfido2).
 ** Add support to User Verification
 ** Add support to PIN Verification
 ** Add support to Resident Credentials
 ** Add support to SSH credential format

* Version 1.0.8 (released 2019-06-04)
 ** Fix debug file descriptor leak CVE-2019-12210.
 ** Fix insecure debug file handling CVE-2019-12209.
 Both reported by Matthias Gerstner of the SUSE Security Team.
 ** Fix a non-critical buffer oob access.

* Version 1.0.7 (released 2018-05-15)
 ** Add authpending_file to signal authentication activity
 ** Add nodetect to skip to avoid unnecessary cue messages

* Version 1.0.6 (released 2018-04-18)
 ** Fix an issue when using syslog as a debug facility.
 ** Do not honor cue if no sutable device is found.

* Version 1.0.5 (released 2018-04-16)
 ** General bugfixes and quality-of-life improvements.

* Version 1.0.4 (released 2016-01-07)
 ** Fixed possible permission escalation when using XDG_CONFIG_HOME.

* Version 1.0.3 (released 2015-11-02)
 ** Bugfix in pamu2fcfg.
 ** Minor improvements for verbose mode in pamu2fcfg.

* Version 1.0.2 (released 2015-10-06)
 ** Changes to automake flags.
 ** Improve build on OS X.

* Version 1.0.1 (released 2015-06-18)
 ** Minor changes to man pages and install hooks.

* Version 1.0.0 (released 2015-06-17)
 ** Use XDG_CONFIG_HOME as default for config files.
 ** Added manual and interactive mode.
 ** Added verbose mode.

* Version 0.0.1 (released 2015-01-16)
 ** Changed failure mode after authentication error.
 ** Added call to setcred.

* Version 0.0.0 (released 2014-12-16)
 ** Initial release.
