Security update for rust-keylime
| Announcement ID: | SUSE-SU-2025:20717-1 |
|---|---|
| Release Date: | 2025-09-16T07:49:07Z |
| Rating: | moderate |
| References: | CVE-2024-58266, CVE-2025-3416, CVE-2025-55159 |
| Cross-References: | bsc#1242623, bsc#1247193, bsc#1248006 |
| CVSS scores: | |
| Affected Products: | SUSE Linux Micro 6.0 |
An update that solves three vulnerabilities can now be installed.
Description:
This update for rust-keylime fixes the following issues:
- Update vendored crate slab to version 0.4.11
  - CVE-2025-55159: Fixed incorrect bounds check in get_disjoint_mut function leading to undefined behavior or potential crash due to out-of-bounds access (bsc#1248006)
- Update to version 0.2.8+12:
  - build(deps): bump actions/checkout from 4 to 5
  - build(deps): bump cfg-if from 1.0.0 to 1.0.1
  - build(deps): bump openssl from 0.10.72 to 0.10.73
  - build(deps): bump clap from 4.5.39 to 4.5.45
  - build(deps): bump pest from 2.8.0 to 2.8.1
  - Fix clippy warnings
  - Use verifier-provided interval for continuous attestation timing
  - Add meta object with seconds_to_next_attestation to evidence response
  - Fix boot time retrieval
  - Fix IMA log format (it must be ['text/plain']) (#1073)
  - Remove unnecessary configuration fields
- cargo: Bump retry-policies to version 0.4.0
- Update vendored crate shlex to version 1.3.0
  - CVE-2024-58266: Fixed command injection (bsc#1247193)
- Update to version 0.2.7+141:
  - service: Use WantedBy=multi-user.target
  - rpm: Add subpackage for push-attestation agent
  - push-model: implement continuous attestation with configurable intervals
  - Retry registration forever in the state machine
  - Add Verifier URL to configuration
  - Align exp.backoff to current configuration format
  - Increase coverage of state machine (using Context)
  - Increase coverage of struct_filler.rs
  - Groom code (remove dead code)
  - Fix exponential backoff (10secs, 4xx accepted)
  - test: Add documentation test to tests/run.sh
  - tpm: Avoid running code example during documentation tests
  - state_machine: Always start the agent from the Unregistered state
  - Add fixes for the URL construction
  - Refactor evidences collection in push attestation agent
  - push-model: refactor attestation logic into a state machine
  - Fix body sending by allowing serializing strings (#1057)
  - Log ResilientClient errors/response status codes (#1055)
  - Add AK signing scheme and hash algorithm to negotiation
  - tpm: Add method to extract signing scheme and hash algorithm from AK
  - Allow custom content-type/accept headers
  - Integrate exponential backoff to registration (#1052)
  - keylime/structures: Rename ShaValues to PcrBanks
- Add resilient_client for exponential backoff (#1048)
- Update vendored crate openssl 0.10.73:
  - CVE-2025-3416: Fixed Use-After-Free in Md::fetch and Cipher::fetch (bsc#1242623)
- Update to version 0.2.7+117:
  - Increase coverage in evidence handling structure
  - Add Capabilities Negotiations resp. missing fields
  - Fix UEFI test to check file access in all cases
  - context_info_handler: Do not assume /var/lib/keylime exists
  - Fix clippy warnings about uninlined format arguments
  - attestation: Allow unwrap() in tests
  - Increase coverage (groom code, extend unit tests)
  - Include IMA/UEFI logs in Evidence Handling request
  - Include method to get all IMA entries as string
  - Send correct list of pcr banks and sign algorithms
  - Try to fix TPM tests related issues
  - Define attestation perform asynchronous
  - Perform attestation in push model agent binary
  - Refactor code to use new attestation.rs
  - Create attestation.rs for Attestation stuff
  - Move ContextInfo management to its own handler
  - Adjust context_info.rs after rebase
  - Add attestation function to ContextInfo structure
  - Add prohibited signing algorithms, avoid ecschnorr
  - keylime/config: Use macro to implement PushModelConfigTrait
  - Introduce keylime-macros and define_view_trait
  - config: Remove KeylimeConfig structure
  - config: Remove unnecessary options and lazy initialization
  - Fix pcr_bank function to send all possible slots
  - Send Content-Type:application/json on request (#1039)
  - Send correct 'key_algorithm' in certification_keys (#1035)
  - Push Model: Persist Attestation Key to file
  - Add Keylime push model binary to root GNUmakefile
  - Use singleton to avoid multiple Context allocation
  - tests: Do not assume /var/lib/keylime exists (#1030)
  - lib/cert: Fix race condition due to use of same file path
  - payloads: Fix race condition in tests
  - Add uefi_log_handler.rs to parse UEFI binary
  - Use IMA log parser to send correct entry count
  - Add IMA log parser
  - build(deps): bump once_cell from 1.19.0 to 1.21.3
  - lib/config/base.rs: Add more unit tests
  - lib/permissions: Add unit tests
  - keylime-agent: move JsonWrapper from common.rs to the library
  - lib/agent_data: Move agent_data related tests from common
  - common: Replace APIVersion with the library Version structure
  - keylime_agent: Move secure_mount.rs to the library
  - lib: Rename keylime_error.rs as error.rs
  - config: Move config to keylime library
  - config: Rename push_model_config to push_model
  - lib: Move permissions.rs from keylime-agent to the lib
  - Extract Capabilities Negotiation info from TPM (#1014)
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Micro 6.0:
  zypper in -t patch SUSE-SLE-Micro-6.0-461=1
Package List:
- SUSE Linux Micro 6.0 (aarch64 s390x x86_64):
  - rust-keylime-debuginfo-0.2.8+12-1.1
  - rust-keylime-0.2.8+12-1.1
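As an added post-patch check (not part of this advisory or of the rust-keylime project), the script below asks rpm for the installed rust-keylime version-release and compares it against the fixed version 0.2.8+12-1.1 from the package list above, using a simplified reimplementation of rpm's version-comparison rules (tilde/caret handling omitted). It assumes `rpm` is on PATH for the live query; the comparison itself runs offline.

```python
"""Check whether the installed rust-keylime is at or above the fixed build
from SUSE-SU-2025:20717-1 (added example, not SUSE or project code)."""
import re
import subprocess
from typing import Optional

# Fixed version-release taken from the advisory's package list.
FIXED_VR = "0.2.8+12-1.1"

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: split into digit runs and letter runs (anything
    else, e.g. '.' or '+', is a separator); digit runs compare numerically,
    letter runs lexically, and a digit run outranks a letter run.
    Returns -1, 0 or 1. Tilde/caret pre-release handling is omitted."""
    seg = re.compile(r"[0-9]+|[a-zA-Z]+")
    sa, sb = seg.findall(a), seg.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_vr(vr: str):
    """Split 'version-release' on the last '-'; release is '' if absent."""
    v, sep, r = vr.rpartition("-")
    return (v, r) if sep else (vr, "")

def compare_vr(installed: str, fixed: str) -> int:
    """Compare version first, release only on a tie (rpm ordering)."""
    iv, ir = split_vr(installed)
    fv, fr = split_vr(fixed)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def is_patched(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    return compare_vr(installed_vr, fixed_vr) >= 0

def installed_vr(package: str = "rust-keylime") -> Optional[str]:
    """Query rpm for the installed version-release; None if the package or
    the rpm tool is missing."""
    cmd = ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()

if __name__ == "__main__":
    vr = installed_vr()
    if vr is None:
        print("rust-keylime not installed (or rpm unavailable)")
    else:
        state = "patched" if is_patched(vr) else "NOT patched"
        print(f"rust-keylime {vr}: {state} (fixed in {FIXED_VR})")
```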
References:
- https://www.suse.com/security/cve/CVE-2024-58266.html
- https://www.suse.com/security/cve/CVE-2025-3416.html
- https://www.suse.com/security/cve/CVE-2025-55159.html
- https://bugzilla.suse.com/show_bug.cgi?id=1242623
- https://bugzilla.suse.com/show_bug.cgi?id=1247193
- https://bugzilla.suse.com/show_bug.cgi?id=1248006