SUSE-SU-2025:21194-1: critical: Security update for keylime

SLE-SECURITY-UPDATES null at suse.de
Mon Dec 15 20:30:52 UTC 2025



# Security update for keylime

Announcement ID: SUSE-SU-2025:21194-1  
Release Date: 2025-12-12T09:46:14Z  
Rating: critical  
References:

  * bsc#1237153
  * bsc#1254199

  
Cross-References:

  * CVE-2025-1057
  * CVE-2025-13609

  
CVSS scores:

  * CVE-2025-1057 ( NVD ):  4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  * CVE-2025-13609 ( SUSE ):  9.1
    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H
  * CVE-2025-13609 ( SUSE ):  9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  * CVE-2025-13609 ( NVD ):  8.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L

  
Affected Products:

  * SUSE Linux Enterprise Server 16.0
  * SUSE Linux Enterprise Server for SAP Applications 16.0

  
  
An update that solves two vulnerabilities can now be installed.

## Description:

This update for keylime fixes the following issues:

Update to version 7.13.0+40.

Security issues fixed:

  * CVE-2025-13609: possible agent identity takeover because the registrar
    allowed registration of agents with duplicate UUIDs (bsc#1254199).
  * CVE-2025-1057: registrar denial-of-service due to backward-incompatible
    database type handling (bsc#1237153).
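The CVE-2025-13609 entry above describes the registrar accepting a second registration under an already-registered UUID. The following is an added illustration, not keylime's own code and not the upstream fix: a toy registrar in which "last writer wins" lets a second registration replace a legitimate agent's keys, beside a hardened variant that binds each UUID to the TPM endorsement key (EK) seen at first registration and refuses a re-registration presenting a different EK until an operator deletes the record. The class names, the SHA-256 EK fingerprint and the sample UUIDs and key bytes are constructed for the example. It assumes the registrar has already verified possession of the EK (keylime does this through TPM credential activation) before `register` is called.

```python
"""Added example: UUID-to-EK binding as a guard against identity takeover.
Hypothetical code; it is not keylime's implementation."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class Registration:
    agent_id: str
    ek_fingerprint: str   # SHA-256 over the EK public key bytes
    aik_pub: bytes        # attestation key presented at this registration


def ek_fingerprint(ek_pub: bytes) -> str:
    return hashlib.sha256(ek_pub).hexdigest()


class DuplicateIdentity(Exception):
    """Raised when a UUID already bound to a different TPM is claimed again."""


class VulnerableRegistrar:
    """'Before' behaviour: any registration overwrites the record for that UUID."""

    def __init__(self) -> None:
        self.agents: dict[str, Registration] = {}

    def register(self, agent_id: str, ek_pub: bytes, aik_pub: bytes) -> Registration:
        rec = Registration(agent_id, ek_fingerprint(ek_pub), aik_pub)
        self.agents[agent_id] = rec          # last writer wins
        return rec


class HardenedRegistrar(VulnerableRegistrar):
    """'After' behaviour: a UUID stays bound to the EK it first registered with."""

    def register(self, agent_id: str, ek_pub: bytes, aik_pub: bytes) -> Registration:
        fp = ek_fingerprint(ek_pub)
        existing = self.agents.get(agent_id)
        if existing is not None and existing.ek_fingerprint != fp:
            # Same UUID, different TPM: refuse rather than replace.
            raise DuplicateIdentity(f"agent {agent_id} is already registered with a different EK")
        # New agent, or the same TPM re-registering with a fresh AIK: accept.
        rec = Registration(agent_id, fp, aik_pub)
        self.agents[agent_id] = rec
        return rec

    def delete(self, agent_id: str) -> None:
        """Operator action; only after this may a different EK claim the UUID."""
        self.agents.pop(agent_id, None)


# Constructed scenario values (not real identities).
VICTIM_UUID = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
VICTIM_EK, VICTIM_AIK = b"victim-ek-public-key", b"victim-aik-1"
ATTACKER_EK, ATTACKER_AIK = b"attacker-ek-public-key", b"attacker-aik"


def takeover_succeeds(registrar: VulnerableRegistrar) -> bool:
    """A legitimate agent registers, then an attacker registers the same UUID
    with their own TPM keys. True if the registrar now vouches for the
    attacker's AIK under the victim's UUID."""
    registrar.register(VICTIM_UUID, VICTIM_EK, VICTIM_AIK)
    try:
        registrar.register(VICTIM_UUID, ATTACKER_EK, ATTACKER_AIK)
    except DuplicateIdentity:
        pass
    return registrar.agents[VICTIM_UUID].aik_pub == ATTACKER_AIK


def legit_reregistration_succeeds(registrar: VulnerableRegistrar) -> bool:
    """The same TPM re-registering after a reboot with a new AIK must still work."""
    registrar.register(VICTIM_UUID, VICTIM_EK, b"aik-before-reboot")
    registrar.register(VICTIM_UUID, VICTIM_EK, b"aik-after-reboot")
    return registrar.agents[VICTIM_UUID].aik_pub == b"aik-after-reboot"


def hardware_replacement_after_delete(registrar: HardenedRegistrar) -> bool:
    """A different TPM may take the UUID once an operator has deleted the record."""
    registrar.register(VICTIM_UUID, VICTIM_EK, VICTIM_AIK)
    registrar.delete(VICTIM_UUID)
    registrar.register(VICTIM_UUID, b"replacement-ek-public-key", b"replacement-aik")
    return registrar.agents[VICTIM_UUID].aik_pub == b"replacement-aik"


if __name__ == "__main__":
    print("vulnerable takeover:", takeover_succeeds(VulnerableRegistrar()))      # True
    print("hardened takeover:", takeover_succeeds(HardenedRegistrar()))          # False
    print("hardened re-registration:", legit_reregistration_succeeds(HardenedRegistrar()))  # True
```

The binding is only as strong as the proof of EK possession that precedes it; if a registrar accepted an EK public key without a credential-activation challenge, an attacker could replay the victim's EK and the check would pass. Tying the check to the EK rather than the AIK is deliberate: a legitimate agent presents a new AIK on every restart, while the EK is fixed to the TPM.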

Other issues fixed and changes:

  * Version 7.13.0+40:

  * Include new attestation information fields (#1818)
  * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)
  * push-model: require HTTPS for authentication and attestation endpoints
  * Fix operational_state tracking in push mode attestations
  * templates: add push model authentication config options to 2.5 templates
  * Security: Hash authentication tokens in logs
  * Fix stale IMA policy cache in verification
  * Fix authentication behavior on failed attestations for push mode
  * Add shared memory infrastructure for multiprocess communication
  * Add agent authentication (challenge/response) protocol for push mode
  * Add agent-driven (push) attestation protocol with PULL mode regression fixes
    (#1814)
  * docs: Fix man page RST formatting for rst2man compatibility (#1813)
  * Apply limit on keylime-policy workers
  * tpm: fix ECC signature parsing to support variable-length coordinates
  * tpm: fix ECC P-521 credential activation with consistent marshaling
  * tpm: fix ECC P-521 coordinate validation
  * Remove deprecated disabled_signing_algorithms configuration option (#1804)
  * algorithms: add support for specific RSA algorithms
  * algorithms: add support for specific ECC curve algorithms
  * Created manpage for keylime-policy and edited manpages for keylime verifier,
    registrar, agent
  * Manpage for keylime agent
  * Manpage for keylime verifier
  * Manpage for keylime registrar
  * Use constants for timeout and max retries defaults
  * verifier: Use timeout from `request_timeout` config option
  * revocation_notifier: Use timeout setting from config file
  * tenant: Set timeout when getting version from agent
  * verify/evidence: SEV-SNP evidence type/verifier
  * verify/evidence: Add evidence type to request JSON

  * Version v7.13.0:

  * Avoid re-encoding certificate stored in DB
  * Revert "models: Do not re-encode certificate stored in DB"
  * Revert "registrar_agent: Use pyasn1 to parse PEM"
  * policy/sign: use print() when writing to /dev/stdout
  * registrar_agent: Use pyasn1 to parse PEM
  * models: Do not re-encode certificate stored in DB
  * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
  * mb: support vendor_db as logged by newer shim versions
  * mb: support EV_EFI_HANDOFF_TABLES events on PCR1
  * Remove unnecessary configuration values
  * cloud_verifier_tornado: handle exception in notify_error()
  * requests_client: close the session at the end of the resource manager
  * Manpage for keylime_tenant (#1786)
  * Add 2.5 templates including Push Model changes
  * Initial version of verify evidence API
  * db: Do not read pool size and max overflow for sqlite
  * Use context managers to close DB sessions
  * revocations: Try to send notifications on shutdown
  * verifier: Gracefully shutdown on signal
  * Use `fork` as `multiprocessing` start method
  * Fix inaccuracy in threat model and add reference to SBAT
  * Explain TPM properties and expand vTPM discussion
  * Fix invalid RST and update TOC
  * Expand threat model page to include adversarial model
  * Add --push-model option to avoid requests to agents
  * templates: duplicate str_to_version() in the adjust script
  * policy: fix mypy issues with rpm_repo
  * revocation_notifier: fix mypy issue by replacing deprecated call
  * Fix create_runtime_policy in python < 3.12
  * Fix after review
  * fixed CONSTANT names C0103 errors
  * Extend meta_data field in verifierdb
  * docs: update issue templates
  * docs: add GitHub PR template with documentation reminders
  * tpm_util: fix quote signature extraction for ECDSA
  * registrar: Log API versions during startup
  * Remove excessive logging on exception
  * scripts: Fix coverage information downloading script

  * Version v7.12.1:

  * models: Add Base64Bytes type to read and write from the database
  * Simplify response check from registrar

  * Version v7.12.0:

  * API: Add /version endpoint to registrar
  * scripts: Download coverage data directly from Testing Farm
  * docs: Add separate documentation for each API version
  * scripts/create_runtime_policy.sh: fix path for the exclude list
  * docs: add documentation for keylime-policy
  * templates: Add the new agent.conf option 'api_versions'
  * Enable autocompletion using argcomplete
  * build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2
  * Configure EPEL-10 repo in packit-ci.fmf
  * build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1
  * build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3
  * build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1
  * build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0
  * keylime-policy: improve error handling when provided a bad key (sign)
  * keylime-policy: exit with status 1 when the commands failed
  * keylime-policy: use Certificate() from models.base to validate certs
  * keylime-policy: check for valid cert file when using x509 backend (sign)
  * keylime-policy: fix help for "keylime-policy sign" verb
  * tenant: Correctly log number of tries when deleting
  * update TCTI environment variable usage
  * build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2
  * keylime-policy: add `create measured-boot' subcommand
  * keylime-policy: add `sign runtime' subcommand
  * keylime-policy: add logger to use with the policy tool
  * installer.sh: Restore execution permission
  * installer: Fix string comparison
  * build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0
  * build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0
  * build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0
  * build(deps): bump actions/setup-python from 5.2.0 to 5.3.0
  * installer.sh: updated EPEL, PEP668 Fix, logic fix
  * build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0
  * build(deps): bump actions/checkout from 4.2.1 to 4.2.2
  * postgresql support for docker using psycopg2
  * installer.sh: update package list, add workaround for PEP 668
  * build(deps): bump actions/checkout from 4.2.0 to 4.2.1
  * keylime.conf: full removal
  * Drop pending SPDX-License-Identifier headers
  * create_runtime_policy: Validate algorithm from IMA measurement log
  * create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity
  * create_runtime_policy: drop comment with test data
  * create_runtime_policy: Use a common method to guess algorithm
  * keylime-policy: rename tool to keylime-policy instead of keylime_policy
  * keylime_policy: create runtime: remove --use-ima-measurement-list
  * keylime_policy: use consistent arg names for create_runtime_policy
  * build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3
  * build(deps): bump actions/checkout from 4.1.7 to 4.2.0
  * elchecking/example: workaround empty PK, KEK, db and dbx
  * elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2
  * create_runtime_policy: Fix log level for debug messages
  * build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2
  * build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5
  * pylintrc: Ignore too-many-positional-arguments check
  * keylime/web/base/controller: Move TypeAlias definition out of class
  * create_runtime_policy: Calculate digests in multiple threads
  * create_runtime_policy: Allow rootfs to be in any directory
  * keylime_policy: Calculate digests from each source separately
  * create_runtime_policy: Simplify boot_aggregate parsing
  * ima: Validate JSON when loading IMA Keyring from string
  * docs: include IDevID page also in the sidebar
  * docs: point to installation guide from RHEL and SLE Micro
  * build(deps): bump actions/setup-python from 5.1.1 to 5.2.0
  * build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1
  * change check_tpm_origin_check to a warning that does not prevent
    registration
  * docs: Fix Runtime Policy JSON schema to reflect the reality
  * Sets absolute path for files inside a rootfs dir
  * policy/create_runtime_policy: fix handling of empty lines in exclude list
  * keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)
  * codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)
  * codestyle: convert bytearrays to bytes to get expected type (pyright)
  * codestyle: Use new variables after changing datatype (pyright)
  * cert_utils: add description why loading using cryptography might fail
  * ima: list names of the runtime policies
  * build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0
  * tox: Use python 3.10 instead of 3.6
  * revocation_notifier: Use web_util to generate TLS context
  * mba: Add a skip custom policies option when loading mba.
  * build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1
  * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
  * cmd/keylime_policy: add tool to handle keylime policies
  * cert_utils: add is_x509_cert()
  * common/algorithms: transform Encrypt and Sign class into enums
  * common/algorithms: add method to calculate digest of a file
  * build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0
  * build(deps): bump docker/login-action from 3.2.0 to 3.3.0
  * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
  * build(deps): bump docker/login-action from 3.2.0 to 3.3.0
  * build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0
  * build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1
  * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
  * build(deps): bump pre-commit/action from 3.0.0 to 3.0.1
  * tpm: Replace KDFs and ECDH implementations with python-cryptography
  * build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0
  * build(deps): bump docker/login-action from 2.2.0 to 3.2.0
  * build(deps): bump actions/setup-python from 2.3.4 to 5.1.1
  * build(deps): bump actions/first-interaction
  * build(deps): bump actions/checkout from 2.7.0 to 4.1.7
  * revocation_notifier: Explicitly add CA certificate bundle
  * Introduce new REST API framework and refactor registrar implementation
  * mba: Support named measured boot policies
  * tenant: add friendlier error message if mTLS CA is wrongly configured
  * ca_impl_openssl: Mark extensions as critical following RFC 5280
  * Include Authority Key Identifier in KL-generated certs
  * verifier, tenant: make payload for agent completely optional
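The CVE-2025-1057 entry in this update and the v7.12.1 entry "models: Add Base64Bytes type to read and write from the database" both concern how a stored value's type is handled across releases. The following is an added example, not keylime's code and not a description of its schema: it assumes, purely for illustration, that an older release stored a key as base64 text and a newer one as raw bytes, and shows how a decoder that only understands the new shape lets a single legacy row crash the request handler, beside a tolerant decoder that accepts both shapes and turns a genuinely malformed value into a per-request client error. The function and column names and the sample rows are constructed.

```python
"""Added example: backward-compatible type handling for a column whose
representation changed between releases. Hypothetical code; not keylime's."""
from __future__ import annotations

import base64
import binascii


class MalformedValue(ValueError):
    """A value in neither accepted shape. The handler maps it to a client
    error for that one request instead of letting it propagate."""


def strict_decode(value: object) -> bytes:
    """'Before' shape (assumption): only the new bytes representation is
    understood, so a row written by an older release raises TypeError,
    which nothing below catches."""
    if not isinstance(value, bytes):
        raise TypeError(f"expected bytes, got {type(value).__name__}")
    return value


def coerce_to_bytes(value: object) -> bytes:
    """'After' shape: accept both representations and normalise to bytes.

    bytes/bytearray -> already raw (new representation)
    str             -> base64 text (assumed legacy representation)
    anything else, or undecodable text -> MalformedValue
    """
    if isinstance(value, (bytes, bytearray)):
        return bytes(value)
    if isinstance(value, str):
        try:
            return base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise MalformedValue(f"invalid base64 text: {exc}") from exc
    raise MalformedValue(f"unsupported type {type(value).__name__}")


def handle_lookup(rows: dict[str, object], agent_id: str, decoder) -> tuple[int, bytes | None]:
    """Minimal request handler returning (http_status, payload). Only
    MalformedValue is caught; anything else escapes the handler."""
    row = rows.get(agent_id)
    if row is None:
        return 404, None
    try:
        return 200, decoder(row)
    except MalformedValue:
        return 400, None


def handler_crashes(rows: dict[str, object], agent_id: str, decoder) -> bool:
    """True if the lookup escapes with an exception the handler does not
    catch, i.e. what would take a single-process server down."""
    try:
        handle_lookup(rows, agent_id, decoder)
    except Exception:
        return True
    return False


# Constructed sample table: one row from an old release (text), one from a
# new release (bytes), one corrupted row.
SAMPLE_ROWS: dict[str, object] = {
    "legacy-agent": base64.b64encode(b"ek-public-from-old-release").decode(),
    "new-agent": b"ek-public-from-new-release",
    "corrupt-agent": "not base64!!",
}

if __name__ == "__main__":
    for agent in SAMPLE_ROWS:
        print(agent, "strict crashes:", handler_crashes(SAMPLE_ROWS, agent, strict_decode),
              "tolerant:", handle_lookup(SAMPLE_ROWS, agent, coerce_to_bytes)[0])
```

The point of `handler_crashes` is that the availability impact comes from the exception escaping, not from the row itself: a migration that rewrites legacy rows removes the trigger, but the handler should still fail closed per request for data it cannot interpret.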

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Server 16.0  
    zypper in -t patch SUSE-SLES-16.0-104=1

  * SUSE Linux Enterprise Server for SAP Applications 16.0  
    zypper in -t patch SUSE-SLES-16.0-104=1

## Package List:

  * SUSE Linux Enterprise Server 16.0 (noarch)
    * keylime-verifier-7.13.0+40-160000.1.1
    * keylime-logrotate-7.13.0+40-160000.1.1
    * python313-keylime-7.13.0+40-160000.1.1
    * keylime-registrar-7.13.0+40-160000.1.1
    * keylime-config-7.13.0+40-160000.1.1
    * keylime-tpm_cert_store-7.13.0+40-160000.1.1
    * keylime-tenant-7.13.0+40-160000.1.1
    * keylime-firewalld-7.13.0+40-160000.1.1
  * SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
    * keylime-verifier-7.13.0+40-160000.1.1
    * keylime-logrotate-7.13.0+40-160000.1.1
    * python313-keylime-7.13.0+40-160000.1.1
    * keylime-registrar-7.13.0+40-160000.1.1
    * keylime-config-7.13.0+40-160000.1.1
    * keylime-tpm_cert_store-7.13.0+40-160000.1.1
    * keylime-tenant-7.13.0+40-160000.1.1
    * keylime-firewalld-7.13.0+40-160000.1.1
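After installing the patch, an administrator will want to confirm every keylime package on the host is at or above the fixed build listed above. The following is an added example, not part of the advisory: a version check that reads `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output and compares each package against 7.13.0+40-160000.1.1 with a simplified rpm version comparison (numeric segments compare as integers, alphabetic segments lexically, numeric outranks alphabetic, a longer version wins on a common prefix). It does not model rpm's `~` and `^` operators, which these package versions do not use; the sample rpm output is constructed. On a live system `zypper versioncmp A B` gives the authoritative answer.

```python
"""Added example: check installed keylime packages against the fixed build.
Usage on a SLES 16.0 host:
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'keylime-*' 'python3*-keylime' \
        | python3 check_keylime_patch.py
(the script name is the example's own)."""
from __future__ import annotations

import re
import sys

FIXED_VERSION = "7.13.0+40"
FIXED_RELEASE = "160000.1.1"

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b in (simplified) rpm version order."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment outranks alpha
        else:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr: str) -> tuple[str, str, str]:
    """Split NAME-VERSION-RELEASE from the right: NAME may contain dashes
    (keylime-tpm_cert_store), VERSION and RELEASE never do."""
    name_version, release = nvr.rsplit("-", 1)
    name, version = name_version.rsplit("-", 1)
    return name, version, release


def is_fixed(nvr: str) -> bool:
    """True if the package's version-release is at or above the fixed build."""
    _, version, release = split_nvr(nvr)
    c = rpmvercmp(version, FIXED_VERSION)
    if c != 0:
        return c > 0
    return rpmvercmp(release, FIXED_RELEASE) >= 0


def audit(rpm_output: str) -> dict[str, bool]:
    """Map package name -> True if at/above the fixed build."""
    result: dict[str, bool] = {}
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, _ = split_nvr(line)
        result[name] = is_fixed(line)
    return result


# Constructed sample rpm output: two patched packages, one still on 7.12.1.
SAMPLE_RPM_OUTPUT = """\
keylime-registrar-7.13.0+40-160000.1.1
keylime-tpm_cert_store-7.12.1-160000.1.1
python313-keylime-7.13.0+40-160000.1.1
"""

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_OUTPUT
    verdict = audit(data)
    for name, ok in verdict.items():
        print(f"{name}: {'OK' if ok else 'VULNERABLE'}")
    sys.exit(0 if all(verdict.values()) else 1)
```

Because the registrar and verifier are separate packages, check all of them rather than only `python313-keylime`; a partially applied update leaves the registrar service running the old code even though the library package reports the new version.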

## References:

  * https://www.suse.com/security/cve/CVE-2025-1057.html
  * https://www.suse.com/security/cve/CVE-2025-13609.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1237153
  * https://bugzilla.suse.com/show_bug.cgi?id=1254199
