
Instructions for application of hotfix for the autoresync vulnerability

The hotfix is available in our repositories for the current LinOTP version 2.10.5.x (2.10.5.2). You will get the fix automatically with the next system upgrade.

If an update of the whole system is not an option in your environment, you can install the packages containing only the fix for your version of LinOTP manually as described in install-via-package below. Alternatively, you can apply the hotfix manually from the patch file provided; this should work for all versions of LinOTP, as described in apply-via-patch.

Installing the hotfix manually from package

Download the package for your release of LinOTP (choose the correct package for the linux distribution LinOTP is operating on):

Installation

  1. Copy the file to your LinOTP system using SCP. In case you are using the LinOTP SVA and use Windows, we recommend the use of the command line tool PSCP as follows:

     #> pscp -scp linotp_VERSION.deb root@<linotpserver>:/root

  2. Open a login shell on your LinOTP Server (in case of use of the SVA, execute "unsupported" to enter an unrestricted shell) and enter the directory containing the package.

     root@linotpappliance:~# cd /root

     (Note for SVA users: while we are requesting the use of "unsupported" to apply the hotfix, we fully support this particular procedure.)

  3. List the content of the directory and install the package (the file name must match the package you downloaded):

     root@linotpappliance:~# ls
     linotp_2.10.5.3-1_all.deb

     root@linotpappliance:~# dpkg -i linotp_2.10.5.3-1_all.deb

  4. Restart the LinOTP Server.

     root@linotpappliance:~# systemctl restart apache2.service

  5. [SVA only] Exit "unsupported" mode using the command "exit".

LinOTP will serve the new file for all future requests. Please note that it is possible that the old version may be cached in the browser for some time. This will depend on the browser and configuration used.

Future LinOTP versions will include this fix, so it will not be necessary to apply this hotfix to any future updates.

Applying the hotfix manually from patch

The patch to be applied for the hotfix can be downloaded from our servers:

https://www.linotp.org/files/2019-06-24_totp-autoresync-hotfix.patch

The hotfix can be applied by copying the patch file onto the appliance or your server and patching the affected file. It is not necessary to restart any services or reboot the machine.

  1. Download the file "2019-06-24_totp-autoresync-hotfix.patch" to your local system.

  2. Copy the file "2019-06-24_totp-autoresync-hotfix.patch" using SCP to your LinOTP system. In case you are using the LinOTP SVA and use Windows, we recommend the use of the command line tool PSCP as follows:

     #> pscp 2019-06-24_totp-autoresync-hotfix.patch root@<linotpserver>:/root

  3. Open a login shell on your LinOTP Server (in case of use of the SVA, execute "unsupported" to enter an unrestricted shell). Determine the location of the file as follows:

     root@linotpappliance:~# find / -name "totptoken.py" -type f

     You should see output similar to this:

     /usr/lib/python2.7/dist-packages/linotp/tokens/totptoken.py

     (Note for SVA users: while we are requesting the use of "unsupported" to apply the hotfix, we fully support this particular procedure.)

  4. Change the current working directory to /root as follows:

     root@linotpappliance:~# cd /root

  5. If you wish, create a backup of the file to be replaced, using the file path obtained in step 3, as follows:

     root@linotpappliance:~# cp \
         /usr/lib/python2.7/dist-packages/linotp/tokens/totptoken.py \
         totptoken.py.backup

     Please note that we have changed the file suffix so that the backup cannot accidentally overwrite the new file.

  6. Navigate to the location of the old file (the directory you found in step 3):

     root@linotpappliance:~# cd /usr/lib/python2.7/dist-packages/linotp/tokens

  7. Copy the patch to the current directory:

     root@linotpappliance:.../linotp/tokens# cp /root/2019-06-24_totp-autoresync-hotfix.patch .

  8. Test the patch with a dry run (no file is changed yet):

     root@linotpappliance:.../linotp/tokens# patch -p5 -b --dry-run < 2019-06-24_totp-autoresync-hotfix.patch

     You should see output similar to this:

     root@linotpappliance:/usr/lib/python2.7/dist-packages/linotp/tokens# patch -p5 -b --dry-run < 2019-06-24_totp-autoresync-hotfix.patch
     checking file totptoken.py
     root@linotpappliance:/usr/lib/python2.7/dist-packages/linotp/tokens#

  9. Apply the patch. If the dry run did not report any errors, the patch can be applied:

     root@linotpappliance:/usr/lib/python2.7/dist-packages/linotp/tokens# patch -p5 -b < 2019-06-24_totp-autoresync-hotfix.patch

     You should see output similar to this:

     root@linotpappliance:/usr/lib/python2.7/dist-packages/linotp/tokens# patch -p5 -b < 2019-06-24_totp-autoresync-hotfix.patch
     checking file totptoken.py
     root@linotpappliance:/usr/lib/python2.7/dist-packages/linotp/tokens#

 10. Restart LinOTP. To activate the patch, restart LinOTP:

     root@linotpappliance:~# systemctl restart apache2.service

 11. [SVA only] Exit "unsupported" mode using the command "exit".
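The patch procedure above, scripted as an added example (not LinOTP's own tooling) so that the precondition checks, the backup and the dry-run gate are enforced before the file is touched. The function names apply_hotfix and restart_linotp are assumptions; the file name totptoken.py, the strip level 5 and the apache2 restart are taken from the steps above, and both path arguments are expected to be absolute.

```shell
#!/bin/sh
# Added example, not part of the LinOTP hotfix instructions or the LinOTP
# project. Hypothetical helper names: apply_hotfix, restart_linotp.

# apply_hotfix TOKENS_DIR PATCH_FILE [STRIP]
# Returns 0 once the patch is applied; returns 1 if a precondition or the
# dry run fails, in which case totptoken.py is left untouched.
apply_hotfix() {
    dir="$1"; patchfile="$2"; strip="${3:-5}"
    # All preconditions are checked before anything is written.
    [ -d "$dir" ] || { echo "target directory not found: $dir" >&2; return 1; }
    [ -f "$dir/totptoken.py" ] || { echo "totptoken.py not found in $dir" >&2; return 1; }
    [ -f "$patchfile" ] || { echo "patch file not found: $patchfile" >&2; return 1; }
    # Keep a copy under a different suffix so it cannot shadow the real module
    # (totptoken.py.backup is not importable as totptoken).
    cp "$dir/totptoken.py" "$dir/totptoken.py.backup" || return 1
    # Dry run first, exactly as the manual procedure does. -N makes patch
    # refuse an already applied patch, so running this twice fails here
    # instead of mangling the file.
    if ! (cd "$dir" && patch -p"$strip" -N -b --dry-run < "$patchfile") >/dev/null; then
        echo "dry run failed; $dir/totptoken.py unchanged" >&2
        return 1
    fi
    (cd "$dir" && patch -p"$strip" -N -b < "$patchfile") >/dev/null || return 1
    echo "patched $dir/totptoken.py (backup: totptoken.py.backup)"
}

# restart_linotp: the patched module is only loaded after the Apache restart.
restart_linotp() {
    systemctl restart apache2.service
}

# Usage on an appliance (paths from the procedure above):
#   apply_hotfix /usr/lib/python2.7/dist-packages/linotp/tokens \
#       /root/2019-06-24_totp-autoresync-hotfix.patch && restart_linotp
```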

LinOTP will serve the new file for all future requests. Please note that it is possible that the old version may be cached in the browser for some time. This will depend on the browser and configuration used.

Future LinOTP versions will include this fix, so it will not be necessary to apply this hotfix to any future updates.