Security update for rust-keylime

Announcement ID: SUSE-SU-2025:20491-1
Release Date: 2025-07-11T09:49:31Z
Rating: moderate
CVSS scores:
  • CVE-2024-12224 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
  • CVE-2024-12224 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
  • CVE-2024-12224 ( NVD ): 5.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
  • SUSE Linux Micro 6.0

An update that solves one vulnerability can now be installed.

Description:

This update for rust-keylime fixes the following issues:

  • CVE-2024-12224: idna: Fixed improper validation in punycode (bsc#1243861)

  • Update to version 0.2.7+70:

  • build(deps): bump wiremock from 0.6.2 to 0.6.3
  • build(deps): bump uuid from 1.16.0 to 1.17.0
  • lib: Introduce AgentIdentity structure
  • gitignore: Add .swp and .orig to be ignored
  • build(deps): bump clap from 4.5.38 to 4.5.39
  • build(deps): bump tokio from 1.45.0 to 1.45.1
  • Unify Push Model structures time formats to UTC (#1016)
  • Add Quote related structures to Keylime library
  • Remove configuration file trailing whitespaces (#1012)
  • keylime-agent.conf: add all accepted TPM encryption algs
  • tpm: add policy auth for EK to activate credential
  • Enable non standard key sizes and curves for EK and AK
  • config: Use next_back() instead of last() for iterators
  • Update to tss-esapi v7.6.0
  • Avoid duplicated call to ctx.create_ek
  • build(deps): bump clap from 4.5.23 to 4.5.38
  • Add registration for Push Model client
  • build(deps): bump tokio from 1.44.2 to 1.45.0
  • build(deps): bump chrono from 0.4.40 to 0.4.41
  • build(deps): bump tempfile from 3.17.1 to 3.20.0
  • Refactor code: move error, registration to lib
  • Move structure filling and URL selection code (#999)
  • build(deps): bump pest_derive from 2.7.15 to 2.8.0
  • build(deps): bump pest from 2.7.15 to 2.8.0
  • build(deps): bump libc from 0.2.169 to 0.2.172
  • Add Evidence/Authentication messages to prototype
  • build(deps): bump uuid from 1.15.1 to 1.16.0
  • build(deps): bump thiserror from 2.0.11 to 2.0.12
  • build(deps): bump signal-hook from 0.3.17 to 0.3.18
  • build(deps): bump log from 0.4.25 to 0.4.27
  • build(deps): bump assert_cmd from 2.0.16 to 2.0.17
  • build(deps): bump actix-web from 4.9.0 to 4.10.2
  • build(deps): bump reqwest from 0.12.12 to 0.12.15
  • build(deps): bump serde from 1.0.217 to 1.0.219
  • Add unit tests for sessions.rs structures
  • Add auth(sessions) structures
  • Fix minor README.md issue (#988)
  • Define EvidenceHandling structures (#971)
  • Add mockoon test scenario
  • Add client certificates to push-attestation prototype
  • Cargo: bump url crate to version 2.5.4
  • Add logging to the push attestation prototype
  • Do not use certificate on insecure mode
  • common: Move the EncryptedData structure from common to the library
  • common: Move AuthTag from common to the library
  • build(deps): bump openssl from 0.10.71 to 0.10.72
  • common: Move Symmkey to library as crypto::symmkey
  • common: Remove unused constants and static values
  • build(deps): bump tokio from 1.43.0 to 1.44.2
  • Refactor code: Include AgentIdentity structure
  • Push model prototype
  • Add support for ek certificate chain, stored in TPM NVRAM.
  • Recover key_class field and set it as "asymmetric"
  • Update push model structures to latest values
  • build(deps): bump serde_json from 1.0.138 to 1.0.140
  • packit: Add identifier for each copr_build job
  • keylime-agent.conf: only mention ecdsa and rsassa for signing
  • build(deps): bump openssl from 0.10.70 to 0.10.71
  • build(deps): bump uuid from 1.13.2 to 1.15.1
  • Add capabilities_negotiation structures
  • packit: Add compatibility/api_version_compatibility test
  • build(deps): bump uuid from 1.11.0 to 1.13.2
  • build(deps): bump serde_json from 1.0.135 to 1.0.138
  • build(deps): bump thiserror from 2.0.9 to 2.0.11
  • build(deps): bump tempfile from 3.14.0 to 3.17.1
  • Allow agent to start as non-root
  • scripts: Fix coverage information downloading script
  • build(deps): bump openssl from 0.10.68 to 0.10.70
  • build(deps): bump tokio from 1.42.0 to 1.43.0

  • Update to version 0.2.7+1:

  • dist: Enable logging for keylime library in the service
  • Bump version to 0.2.7
  • scripts: Download coverage data from Testing Farm directly
  • main: Remove unnecessary lifetime
  • cargo: Bump pretty_env_logger to version 0.5.0
  • scripts: Fix regex in download_packit_coverage.sh
  • cargo: Bump clap crate to version 4.5.23
  • cargo: Bump base64 crate to version 0.22.1
  • build(deps): bump log from 0.4.22 to 0.4.25
  • build(deps): bump serde_json from 1.0.133 to 1.0.135
  • cargo: Bump tokio crate to version 1.42.0
  • packit: Fix RPM builds on copr
  • cargo: Bump thiserror crate to version 0.2.9
  • cargo: Update reqwest to version 0.12.12
  • build(deps): bump libc from 0.2.168 to 0.2.169
  • build(deps): bump glob from 0.3.1 to 0.3.2
  • version: Implement API version validation and ordering
  • main: Support using multiple API versions for registration
  • keylime: Introduce the registrar_client module
  • Provide endpoints under multiple API versions
  • Move 'serialization' module to the keylime library
  • Drop unnecessary dependency on common::API_VERSION
  • keylime-agent.conf: Bump version to 2.3
  • build(deps): bump serde from 1.0.210 to 1.0.217
  • build(deps): bump pest_derive from 2.7.14 to 2.7.15
  • build(deps): bump pest from 2.7.14 to 2.7.15
  • build(deps): bump libc from 0.2.167 to 0.2.168
  • config: Make IAK and IDevID certificates optional
  • Fix warnings reported by clippy
  • workflows: Run job in the CI container directly
  • tests: Add unit test for device ID builder
  • main: Move IAK/IDevID related code to dedicated module
  • tests: Add script to generate IAK and IDevID certificates
  • build(deps): bump openssl from 0.10.66 to 0.10.68
  • build(deps): bump uuid from 1.10.0 to 1.11.0
  • build(deps): bump serde_json from 1.0.128 to 1.0.133
  • build(deps): bump actix-web from 4.5.1 to 4.9.0
  • build(deps): bump reqwest from 0.12.7 to 0.12.9
  • tests/setup_swtpm.sh: Add script to setup temporary TPM
  • Use a single TPM context and avoid race conditions during tests
  • config: Enable passing a hostname instead of IP
  • build(deps): bump clap from 4.3.11 to 4.5.21
  • build(deps): bump tempfile from 3.10.1 to 3.14.0
  • build(deps): bump pest_derive from 2.7.6 to 2.7.14
  • build(deps): bump pest from 2.7.6 to 2.7.14
  • build(deps): bump codecov/codecov-action from 4 to 5
  • workflows: Submit the coverage for merged PR from Fedora 41
  • tests: Use Fedora 41 to generate code coverage
  • api: Make API configuration modular
  • agent_handler: Move the /agent scope configuration
  • notifications_handler: Move the /notifications scope configuration
  • quotes_handler: Move the /quotes scope configuration to quotes_handler
  • keys_handler: Move /keys scope configuration to keys_handler
  • Use ${DESTDIR} for config
  • Fix showing wrong UUID
  • build(deps): bump actix-rt from 2.9.0 to 2.10.0
  • config: Refactor AgentConfig Source trait implementation
  • build(deps): bump log from 0.4.21 to 0.4.22
  • build(deps): bump serde_json from 1.0.120 to 1.0.128
  • tpm: check if EK certificate has valid ASN.1 DER encoding
  • build(deps): bump futures from 0.3.27 to 0.3.31
  • cargo: Bump reqwest to version 0.12.7
  • build(deps): bump serde from 1.0.203 to 1.0.210
  • tests: Add more tests to Packit CI
  • build(deps): bump docker/build-push-action from 5 to 6
  • tests: apply workarounds to known bugs

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Micro 6.0
    zypper in -t patch SUSE-SLE-Micro-6.0-380=1

Package List:

  • SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    • rust-keylime-debuginfo-0.2.7+70-1.1
    • rust-keylime-0.2.7+70-1.1
