{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for rust-keylime","title":"Title of the patch"},{"category":"description","text":"This update for rust-keylime fixes the following issues:\n\n- CVE-2024-12224: idna: Fixed improper validation in punycode (bsc#1243861)\n\n- Update to version 0.2.7+70: \n  * build(deps): bump wiremock from 0.6.2 to 0.6.3\n  * build(deps): bump uuid from 1.16.0 to 1.17.0\n  * lib: Introduce AgentIdentity structure\n  * gitignore: Add *.swp and *.orig to be ignored\n  * build(deps): bump clap from 4.5.38 to 4.5.39\n  * build(deps): bump tokio from 1.45.0 to 1.45.1\n  * Unify Push Model structures time formats to UTC (#1016)\n  * Add Quote related structures to Keylime library\n  * Remove configuration file trailing whitespaces (#1012)\n  * keylime-agent.conf: add all accepted TPM encryption algs\n  * tpm: add policy auth for EK to activate crendential\n  * Enable non standard key sizes and curves for EK and AK\n  * config: Use next_back() instead of last() for iterators\n  * Update to tss-esapi v7.6.0\n  * Avoid duplicated call to ctx.create_ek\n  * build(deps): bump clap from 4.5.23 to 4.5.38\n  * Add registration for Push Model client\n  * build(deps): bump tokio from 1.44.2 to 1.45.0\n  * build(deps): bump chrono from 0.4.40 to 0.4.41\n  * build(deps): bump tempfile from 3.17.1 to 3.20.0\n  * Refactor code: move error, registration to lib\n  * Move structure filling and URL selection code (#999)\n  * build(deps): bump pest_derive from 2.7.15 to 2.8.0\n  * build(deps): bump pest from 2.7.15 to 2.8.0\n  * build(deps): bump libc from 0.2.169 to 0.2.172\n  * Add Evidence/Authentication messages to prototype\n  * build(deps): bump uuid from 1.15.1 to 1.16.0\n  * build(deps): bump thiserror from 2.0.11 to 2.0.12\n  * build(deps): bump signal-hook from 0.3.17 to 0.3.18\n  * build(deps): bump log from 0.4.25 to 0.4.27\n  * build(deps): bump assert_cmd from 2.0.16 to 2.0.17\n  * build(deps): bump actix-web from 4.9.0 to 4.10.2\n  * build(deps): bump reqwest from 0.12.12 to 0.12.15\n  * build(deps): bump serde from 1.0.217 to 1.0.219\n  * Add unit tests for sessions.rs structures\n  * Add auth(sessions) structures\n  * Fix minor README.md issue (#988)\n  * Define EvidenceHandling structures (#971)\n  * Add mockoon test scenario\n  * Add client certificates to push-attestation prototype\n  * Cargo: bump url crate to version 2.5.4\n  * Add logging to the push attestation prototype\n  * Do not use certificate on insecure mode\n  * common: Move the EncryptedData structure from common to the library\n  * common: Move AuthTag from common to the library\n  * build(deps): bump openssl from 0.10.71 to 0.10.72\n  * common: Move Symmkey to library as crypto::symmkey\n  * common: Remove unused constants and static values\n  * build(deps): bump tokio from 1.43.0 to 1.44.2\n  * Refactor code: Include AgentIdentity structure\n  * Push model prototype\n  * Add support for ek certificate chain, stored in TPM NVRAM.\n  * Recover key_class field and set it as \"asymmetric\"\n  * Update push model structures to latest values\n  * build(deps): bump serde_json from 1.0.138 to 1.0.140\n  * packit: Add identifier for each copr_build job\n  * keylime-agent.conf: only mention ecdsa and rsassa for signing\n  * build(deps): bump openssl from 0.10.70 to 0.10.71\n  * build(deps): bump uuid from 1.13.2 to 1.15.1\n  * Add capabilities_negotiation structures\n  * packit: Add compatibility/api_version_compatibility test\n  * build(deps): bump uuid from 1.11.0 to 1.13.2\n  * build(deps): bump serde_json from 1.0.135 to 1.0.138\n  * build(deps): bump thiserror from 2.0.9 to 2.0.11\n  * build(deps): bump tempfile from 3.14.0 to 3.17.1\n  * Allow agent to start as non-root\n  * scripts: Fix coverage information downloading script\n  * build(deps): bump openssl from 0.10.68 to 0.10.70\n  * build(deps): bump tokio from 1.42.0 to 1.43.0\n\n- Update to version 0.2.7+1:\n  * dist: Enable logging for keylime library in the service\n  * Bump version to 0.2.7\n  * scripts: Download coverage data from Testing Farm directly\n  * main: Remove unnecessary lifetime\n  * cargo: Bump pretty_env_logger to version 0.5.0\n  * scripts: Fix regex in download_packit_coverage.sh\n  * cargo: Bump clap crate to version 4.5.23\n  * cargo: Bump base64 crate to version 0.22.1\n  * build(deps): bump log from 0.4.22 to 0.4.25\n  * build(deps): bump serde_json from 1.0.133 to 1.0.135\n  * cargo: Bump tokio crate to version 1.42.0\n  * packit: Fix RPM builds on copr\n  * cargo: Bump thiserror crate to version 0.2.9\n  * cargo: Update reqwest to version 0.12.12\n  * build(deps): bump libc from 0.2.168 to 0.2.169\n  * build(deps): bump glob from 0.3.1 to 0.3.2\n  * version: Implement API version validation and ordering\n  * main: Support using multiple API versions for registration\n  * keylime: Introduce the registrar_client module\n  * Provide endpoints under multiple API versions\n  * Move 'serialization' module to the keylime library\n  * Drop unnecessary dependency on common::API_VERSION\n  * keylime-agent.conf: Bump version to 2.3\n  * build(deps): bump serde from 1.0.210 to 1.0.217\n  * build(deps): bump pest_derive from 2.7.14 to 2.7.15\n  * build(deps): bump pest from 2.7.14 to 2.7.15\n  * build(deps): bump libc from 0.2.167 to 0.2.168\n  * config: Make IAK and IDevID certificates optional\n  * Fix warnings reported by clippy\n  * workflows: Run job in the CI container directly\n  * tests: Add unit test for device ID builder\n  * main: Move IAK/IDevID related code to dedicated module\n  * tests: Add script to generate IAK and IDevID certificates\n  * build(deps): bump openssl from 0.10.66 to 0.10.68\n  * build(deps): bump uuid from 1.10.0 to 1.11.0\n  * build(deps): bump serde_json from 1.0.128 to 1.0.133\n  * build(deps): bump actix-web from 4.5.1 to 4.9.0\n  * build(deps): bump reqwest from 0.12.7 to 0.12.9\n  * tests/setup_swtpm.sh: Add script to setup temporary TPM\n  * Use a single TPM context and avoid race conditions during tests\n  * config: Enable passing a hostname instead of IP\n  * build(deps): bump clap from 4.3.11 to 4.5.21\n  * build(deps): bump tempfile from 3.10.1 to 3.14.0\n  * build(deps): bump pest_derive from 2.7.6 to 2.7.14\n  * build(deps): bump pest from 2.7.6 to 2.7.14\n  * build(deps): bump codecov/codecov-action from 4 to 5\n  * workflows: Submit the coverage for merged PR from Fedora 41\n  * tests: Use Fedora 41 to generate code coverage\n  * api: Make API configuration modular\n  * agent_handler: Move the /agent scope configuration\n  * notifications_handler: Move the /notifications scope configuration\n  * quotes_handler: Move the /quotes scope configuration to quotes_handler\n  * keys_handler: Move /keys scope configuration to keys_handler\n  * Use ${DESTDIR} for config\n  * Fix showing wrong UUID\n  * build(deps): bump actix-rt from 2.9.0 to 2.10.0\n  * config: Refactor AgentConfig Source trait implementation\n  * build(deps): bump log from 0.4.21 to 0.4.22\n  * build(deps): bump serde_json from 1.0.120 to 1.0.128\n  * tpm: check if EK certificate has valid ASN.1 DER encoding\n  * build(deps): bump futures from 0.3.27 to 0.3.31\n  * cargo: Bump reqwest to version 0.12.7\n  * build(deps): bump serde from 1.0.203 to 1.0.210\n  * tests: Add more tests to Packit CI\n  * build(deps): bump docker/build-push-action from 5 to 6\n  * tests: apply workarounds to known bugs\n","title":"Description of the patch"},{"category":"details","text":"SUSE-SLE-Micro-6.0-380","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20491-1.json"},{"category":"self","summary":"URL for SUSE-SU-2025:20491-1","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202520491-1/"},{"category":"self","summary":"E-Mail link for SUSE-SU-2025:20491-1","url":"https://lists.suse.com/pipermail/sle-updates/2025-July/040930.html"},{"category":"self","summary":"SUSE Bug 1243861","url":"https://bugzilla.suse.com/1243861"},{"category":"self","summary":"SUSE CVE CVE-2024-12224 page","url":"https://www.suse.com/security/cve/CVE-2024-12224/"}],"title":"Security update for rust-keylime","tracking":{"current_release_date":"2025-07-11T09:39:57Z","generator":{"date":"2025-07-11T09:39:57Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"SUSE-SU-2025:20491-1","initial_release_date":"2025-07-11T09:39:57Z","revision_history":[{"date":"2025-07-11T09:39:57Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"rust-keylime-0.2.7+70-1.1.aarch64","product":{"name":"rust-keylime-0.2.7+70-1.1.aarch64","product_id":"rust-keylime-0.2.7+70-1.1.aarch64"}}],"category":"architecture","name":"aarch64"},{"branches":[{"category":"product_version","name":"rust-keylime-0.2.7+70-1.1.s390x","product":{"name":"rust-keylime-0.2.7+70-1.1.s390x","product_id":"rust-keylime-0.2.7+70-1.1.s390x"}}],"category":"architecture","name":"s390x"},{"branches":[{"category":"product_version","name":"rust-keylime-0.2.7+70-1.1.x86_64","product":{"name":"rust-keylime-0.2.7+70-1.1.x86_64","product_id":"rust-keylime-0.2.7+70-1.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"SUSE Linux Micro 6.0","product":{"name":"SUSE Linux Micro 6.0","product_id":"SUSE Linux Micro 6.0","product_identification_helper":{"cpe":"cpe:/o:suse:sl-micro:6.0"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"rust-keylime-0.2.7+70-1.1.aarch64 as component of SUSE Linux Micro 6.0","product_id":"SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1.aarch64"},"product_reference":"rust-keylime-0.2.7+70-1.1.aarch64","relates_to_product_reference":"SUSE Linux Micro 6.0"},{"category":"default_component_of","full_product_name":{"name":"rust-keylime-0.2.7+70-1.1.s390x as component of SUSE Linux Micro 6.0","product_id":"SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1.s390x"},"product_reference":"rust-keylime-0.2.7+70-1.1.s390x","relates_to_product_reference":"SUSE Linux Micro 6.0"},{"category":"default_component_of","full_product_name":{"name":"rust-keylime-0.2.7+70-1.1.x86_64 as component of SUSE Linux Micro 6.0","product_id":"SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1.x86_64"},"product_reference":"rust-keylime-0.2.7+70-1.1.x86_64","relates_to_product_reference":"SUSE Linux Micro 6.0"}]},"vulnerabilities":[{"cve":"CVE-2024-12224","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-12224"}],"notes":[{"category":"general","text":"Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1.aarch64","SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1.s390x","SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2024-12224","url":"https://www.suse.com/security/cve/CVE-2024-12224"},{"category":"external","summary":"SUSE Bug 1243848 for CVE-2024-12224","url":"https://bugzilla.suse.com/1243848"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1.aarch64","SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1.s390x","SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":4.2,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N","version":"3.1"},"products":["SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1.aarch64","SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1.s390x","SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1.x86_64"]}],"threats":[{"category":"impact","date":"2025-07-11T09:39:57Z","details":"moderate"}],"title":"CVE-2024-12224"}]}