Bugzilla – Bug 1135727
VUL-0: CVE-2019-12210: pam_u2f: file descriptor leak
Last modified: 2020-10-19 16:11:24 UTC
Split-off from audit bug 1087061:

This issue is for tracking the file descriptor leak:

```
- if the `debug` and `debug_file` options are set then the opened debug file
  will be inherited to the successfully authenticated user's process.
  Therefore this user can access write further information to it, possibly
  filling up a file system.
```

Accessing the content of the debug file should not be possible, since the file descriptor is opened write only and Linux doesn't offer any way to change the access mode for open file descriptors.

This finding is still undisclosed and the publication date for this is:

CRD: 2019-06-04
This here is a more complete description of the issue:

```
if the `debug` and `debug_file` options are set then the opened debug file
will be inherited to the successfully authenticated user's process.
Therefore this user can manipulate the information in the debug file and
also write further information to it, possibly filling up a privileged file
system.

In some contexts the program utilizing PAM closes off leaked file
descriptors but it does work with su, for example:

Use the following line in the PAM stack:

    auth optional pam_u2f.so debug debug_file=/tmp/u2f-debug.txt

Then prepare the debug file such that the PAM module can open it:

    root# touch /tmp/u2f-debug.txt

Then perform su on yourself as an unprivileged user:

    user$ su user
    Password: XXX
    user$ ls -l /proc/$$/fd
    [...]
    l-wx------ 1 mgerstner users 64  8. Mai 11:44 3 -> /tmp/u2f-debug.txt

As you can see the new user shell now has an open file handle for the debug
file.
```
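Added example, not part of the original report and not pam_u2f's code: a minimal C program showing why a log descriptor opened without `O_CLOEXEC` survives into an exec'd shell, and that setting the flag at `open()` time prevents the inheritance. The helper names and the `/tmp/fd-leak-demo.txt` path are hypothetical, and the check assumes Linux with `/proc` mounted.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a write-only debug log the way a PAM module with a debug_file
 * option might (hypothetical helper, not pam_u2f's code).
 * extra_flags == 0 reproduces the leak; O_CLOEXEC prevents it. */
static int open_debug_log(const char *path, int extra_flags)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT | extra_flags, 0600);
}

/* fork() and exec a shell, standing in for the user shell that su starts,
 * and ask it whether descriptor fd is still open (the same /proc/$$/fd
 * view used in the report). Returns 1 if inherited, 0 if not, -1 on error. */
static int fd_inherited_after_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof cmd, "[ -e /proc/$$/fd/%d ]", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                       /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    const char *path = "/tmp/fd-leak-demo.txt";   /* constructed sample path */
    int leaky = open_debug_log(path, 0);
    int fixed = open_debug_log(path, O_CLOEXEC);

    printf("plain open: inherited=%d\n", fd_inherited_after_exec(leaky));
    printf("O_CLOEXEC:  inherited=%d\n", fd_inherited_after_exec(fixed));
    unlink(path);
    return 0;
}
```

For descriptors obtained through `fopen()`, glibc accepts an `e` mode character (for example `"ae"`) that sets the same close-on-exec flag.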
Addressed this in SLE codestreams:

- https://build.suse.de/request/show/193686
- https://build.suse.de/request/show/193687

The openSUSE codestreams will either inherit it from SLE, or will be updated/bumped once this becomes public.

Not sure what else will change with next upstream release, but personally I would prefer to bump the version instead of maintaining patches on top of an old release.
This is an autogenerated message for IBS integration: This bug (1135727) was mentioned in https://build.suse.de/request/show/193688 SLE-15 / pam_u2f
Upstream published the findings by now. The patches [1], [2] and the release notes [3] are available.

[1]: https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3
[2]: https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62
[3]: https://developers.yubico.com/pam-u2f/Release_Notes.html
SUSE-SU-2019:1750-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1128140,1135727,1135729
CVE References: CVE-2019-12209,CVE-2019-12210,CVE-2019-9578
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): libu2f-host-1.1.6-3.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): libu2f-host-1.1.6-3.6.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): libu2f-host-1.1.6-3.6.1, pam_u2f-1.0.8-3.3.1
SUSE Linux Enterprise Module for Basesystem 15 (src): libu2f-host-1.1.6-3.6.1, pam_u2f-1.0.8-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1749-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1124781,1128140,1135727,1135729
CVE References: CVE-2018-20340,CVE-2019-12209,CVE-2019-12210,CVE-2019-9578
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src): libu2f-host-1.1.6-3.5.1, pam_u2f-1.0.8-3.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src): libu2f-host-1.1.6-3.5.1, pam_u2f-1.0.8-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1708-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1128140,1135727,1135729
CVE References: CVE-2019-12209,CVE-2019-12210,CVE-2019-9578
Sources used:
openSUSE Leap 15.1 (src): libu2f-host-1.1.6-lp151.2.6.1, pam_u2f-1.0.8-lp151.2.3.1
openSUSE-SU-2019:1725-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1128140,1135727,1135729
CVE References: CVE-2019-12209,CVE-2019-12210,CVE-2019-9578
Sources used:
openSUSE Leap 15.0 (src): libu2f-host-1.1.6-lp150.10.1, pam_u2f-1.0.8-lp150.7.1
Released.