<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for rust-keylime</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>SUSE-SU-2025:20491-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-07-11T09:39:57Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2025-07-11T09:39:57Z</InitialReleaseDate>
    <CurrentReleaseDate>2025-07-11T09:39:57Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for rust-keylime</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for rust-keylime fixes the following issues:

- CVE-2024-12224: idna: Fixed improper validation in punycode (bsc#1243861)

- Update to version 0.2.7+70:
  * build(deps): bump wiremock from 0.6.2 to 0.6.3
  * build(deps): bump uuid from 1.16.0 to 1.17.0
  * lib: Introduce AgentIdentity structure
  * gitignore: Add *.swp and *.orig to be ignored
  * build(deps): bump clap from 4.5.38 to 4.5.39
  * build(deps): bump tokio from 1.45.0 to 1.45.1
  * Unify Push Model structures time formats to UTC (#1016)
  * Add Quote related structures to Keylime library
  * Remove configuration file trailing whitespaces (#1012)
  * keylime-agent.conf: add all accepted TPM encryption algs
  * tpm: add policy auth for EK to activate credential
  * Enable non standard key sizes and curves for EK and AK
  * config: Use next_back() instead of last() for iterators
  * Update to tss-esapi v7.6.0
  * Avoid duplicated call to ctx.create_ek
  * build(deps): bump clap from 4.5.23 to 4.5.38
  * Add registration for Push Model client
  * build(deps): bump tokio from 1.44.2 to 1.45.0
  * build(deps): bump chrono from 0.4.40 to 0.4.41
  * build(deps): bump tempfile from 3.17.1 to 3.20.0
  * Refactor code: move error, registration to lib
  * Move structure filling and URL selection code (#999)
  * build(deps): bump pest_derive from 2.7.15 to 2.8.0
  * build(deps): bump pest from 2.7.15 to 2.8.0
  * build(deps): bump libc from 0.2.169 to 0.2.172
  * Add Evidence/Authentication messages to prototype
  * build(deps): bump uuid from 1.15.1 to 1.16.0
  * build(deps): bump thiserror from 2.0.11 to 2.0.12
  * build(deps): bump signal-hook from 0.3.17 to 0.3.18
  * build(deps): bump log from 0.4.25 to 0.4.27
  * build(deps): bump assert_cmd from 2.0.16 to 2.0.17
  * build(deps): bump actix-web from 4.9.0 to 4.10.2
  * build(deps): bump reqwest from 0.12.12 to 0.12.15
  * build(deps): bump serde from 1.0.217 to 1.0.219
  * Add unit tests for sessions.rs structures
  * Add auth(sessions) structures
  * Fix minor README.md issue (#988)
  * Define EvidenceHandling structures (#971)
  * Add mockoon test scenario
  * Add client certificates to push-attestation prototype
  * Cargo: bump url crate to version 2.5.4
  * Add logging to the push attestation prototype
  * Do not use certificate on insecure mode
  * common: Move the EncryptedData structure from common to the library
  * common: Move AuthTag from common to the library
  * build(deps): bump openssl from 0.10.71 to 0.10.72
  * common: Move Symmkey to library as crypto::symmkey
  * common: Remove unused constants and static values
  * build(deps): bump tokio from 1.43.0 to 1.44.2
  * Refactor code: Include AgentIdentity structure
  * Push model prototype
  * Add support for ek certificate chain, stored in TPM NVRAM.
  * Recover key_class field and set it as "asymmetric"
  * Update push model structures to latest values
  * build(deps): bump serde_json from 1.0.138 to 1.0.140
  * packit: Add identifier for each copr_build job
  * keylime-agent.conf: only mention ecdsa and rsassa for signing
  * build(deps): bump openssl from 0.10.70 to 0.10.71
  * build(deps): bump uuid from 1.13.2 to 1.15.1
  * Add capabilities_negotiation structures
  * packit: Add compatibility/api_version_compatibility test
  * build(deps): bump uuid from 1.11.0 to 1.13.2
  * build(deps): bump serde_json from 1.0.135 to 1.0.138
  * build(deps): bump thiserror from 2.0.9 to 2.0.11
  * build(deps): bump tempfile from 3.14.0 to 3.17.1
  * Allow agent to start as non-root
  * scripts: Fix coverage information downloading script
  * build(deps): bump openssl from 0.10.68 to 0.10.70
  * build(deps): bump tokio from 1.42.0 to 1.43.0

- Update to version 0.2.7+1:
  * dist: Enable logging for keylime library in the service
  * Bump version to 0.2.7
  * scripts: Download coverage data from Testing Farm directly
  * main: Remove unnecessary lifetime
  * cargo: Bump pretty_env_logger to version 0.5.0
  * scripts: Fix regex in download_packit_coverage.sh
  * cargo: Bump clap crate to version 4.5.23
  * cargo: Bump base64 crate to version 0.22.1
  * build(deps): bump log from 0.4.22 to 0.4.25
  * build(deps): bump serde_json from 1.0.133 to 1.0.135
  * cargo: Bump tokio crate to version 1.42.0
  * packit: Fix RPM builds on copr
  * cargo: Bump thiserror crate to version 0.2.9
  * cargo: Update reqwest to version 0.12.12
  * build(deps): bump libc from 0.2.168 to 0.2.169
  * build(deps): bump glob from 0.3.1 to 0.3.2
  * version: Implement API version validation and ordering
  * main: Support using multiple API versions for registration
  * keylime: Introduce the registrar_client module
  * Provide endpoints under multiple API versions
  * Move 'serialization' module to the keylime library
  * Drop unnecessary dependency on common::API_VERSION
  * keylime-agent.conf: Bump version to 2.3
  * build(deps): bump serde from 1.0.210 to 1.0.217
  * build(deps): bump pest_derive from 2.7.14 to 2.7.15
  * build(deps): bump pest from 2.7.14 to 2.7.15
  * build(deps): bump libc from 0.2.167 to 0.2.168
  * config: Make IAK and IDevID certificates optional
  * Fix warnings reported by clippy
  * workflows: Run job in the CI container directly
  * tests: Add unit test for device ID builder
  * main: Move IAK/IDevID related code to dedicated module
  * tests: Add script to generate IAK and IDevID certificates
  * build(deps): bump openssl from 0.10.66 to 0.10.68
  * build(deps): bump uuid from 1.10.0 to 1.11.0
  * build(deps): bump serde_json from 1.0.128 to 1.0.133
  * build(deps): bump actix-web from 4.5.1 to 4.9.0
  * build(deps): bump reqwest from 0.12.7 to 0.12.9
  * tests/setup_swtpm.sh: Add script to setup temporary TPM
  * Use a single TPM context and avoid race conditions during tests
  * config: Enable passing a hostname instead of IP
  * build(deps): bump clap from 4.3.11 to 4.5.21
  * build(deps): bump tempfile from 3.10.1 to 3.14.0
  * build(deps): bump pest_derive from 2.7.6 to 2.7.14
  * build(deps): bump pest from 2.7.6 to 2.7.14
  * build(deps): bump codecov/codecov-action from 4 to 5
  * workflows: Submit the coverage for merged PR from Fedora 41
  * tests: Use Fedora 41 to generate code coverage
  * api: Make API configuration modular
  * agent_handler: Move the /agent scope configuration
  * notifications_handler: Move the /notifications scope configuration
  * quotes_handler: Move the /quotes scope configuration to quotes_handler
  * keys_handler: Move /keys scope configuration to keys_handler
  * Use ${DESTDIR} for config
  * Fix showing wrong UUID
  * build(deps): bump actix-rt from 2.9.0 to 2.10.0
  * config: Refactor AgentConfig Source trait implementation
  * build(deps): bump log from 0.4.21 to 0.4.22
  * build(deps): bump serde_json from 1.0.120 to 1.0.128
  * tpm: check if EK certificate has valid ASN.1 DER encoding
  * build(deps): bump futures from 0.3.27 to 0.3.31
  * cargo: Bump reqwest to version 0.12.7
  * build(deps): bump serde from 1.0.203 to 1.0.210
  * tests: Add more tests to Packit CI
  * build(deps): bump docker/build-push-action from 5 to 6
  * tests: apply workarounds to known bugs
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">SUSE-SLE-Micro-6.0-380</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520491-1/</URL>
      <Description>Link for SUSE-SU-2025:20491-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://lists.suse.com/pipermail/sle-updates/2025-July/040930.html</URL>
      <Description>E-Mail link for SUSE-SU-2025:20491-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1243861</URL>
      <Description>SUSE Bug 1243861</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-12224/</URL>
      <Description>SUSE CVE CVE-2024-12224 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="SUSE Linux Micro 6.0">
      <Branch Type="Product Name" Name="SUSE Linux Micro 6.0">
        <FullProductName ProductID="SUSE Linux Micro 6.0" CPE="cpe:/o:suse:sl-micro:6.0">SUSE Linux Micro 6.0</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="rust-keylime-0.2.7+70-1.1">
      <FullProductName ProductID="rust-keylime-0.2.7+70-1.1">rust-keylime-0.2.7+70-1.1</FullProductName>
    </Branch>
    <Relationship ProductReference="rust-keylime-0.2.7+70-1.1" RelationType="Default Component Of" RelatesToProductReference="SUSE Linux Micro 6.0">
      <FullProductName ProductID="SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1">rust-keylime-0.2.7+70-1.1 as a component of SUSE Linux Micro 6.0</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.</Note>
    </Notes>
    <CVE>CVE-2024-12224</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>SUSE Linux Micro 6.0:rust-keylime-0.2.7+70-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://www.suse.com/support/update/announcement/2025/suse-su-202520491-1/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-12224.html</URL>
        <Description>CVE-2024-12224</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1243848</URL>
        <Description>SUSE Bug 1243848</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
