SUSE-SU-2025:20491-1: moderate: Security update for rust-keylime
SLE-SECURITY-UPDATES
null at suse.de
Fri Jul 25 12:34:45 UTC 2025
# Security update for rust-keylime
Announcement ID: SUSE-SU-2025:20491-1
Release Date: 2025-07-11T09:49:31Z
Rating: moderate
References:
* bsc#1243861
Cross-References:
* CVE-2024-12224
CVSS scores:
* CVE-2024-12224 ( SUSE ): 2.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2024-12224 ( SUSE ): 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
* CVE-2024-12224 ( NVD ): 5.1 CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Products:
* SUSE Linux Micro 6.0
An update that solves one vulnerability can now be installed.
## Description:
This update for rust-keylime fixes the following issues:
* CVE-2024-12224: idna: Fixed improper validation in punycode (bsc#1243861)
* Update to version 0.2.7+70:
  * build(deps): bump wiremock from 0.6.2 to 0.6.3
  * build(deps): bump uuid from 1.16.0 to 1.17.0
  * lib: Introduce AgentIdentity structure
  * gitignore: Add *.swp and *.orig to be ignored
  * build(deps): bump clap from 4.5.38 to 4.5.39
  * build(deps): bump tokio from 1.45.0 to 1.45.1
  * Unify Push Model structures time formats to UTC (#1016)
  * Add Quote related structures to Keylime library
  * Remove configuration file trailing whitespaces (#1012)
  * keylime-agent.conf: add all accepted TPM encryption algs
  * tpm: add policy auth for EK to activate credential
  * Enable non standard key sizes and curves for EK and AK
  * config: Use next_back() instead of last() for iterators
  * Update to tss-esapi v7.6.0
  * Avoid duplicated call to ctx.create_ek
  * build(deps): bump clap from 4.5.23 to 4.5.38
  * Add registration for Push Model client
  * build(deps): bump tokio from 1.44.2 to 1.45.0
  * build(deps): bump chrono from 0.4.40 to 0.4.41
  * build(deps): bump tempfile from 3.17.1 to 3.20.0
  * Refactor code: move error, registration to lib
  * Move structure filling and URL selection code (#999)
  * build(deps): bump pest_derive from 2.7.15 to 2.8.0
  * build(deps): bump pest from 2.7.15 to 2.8.0
  * build(deps): bump libc from 0.2.169 to 0.2.172
  * Add Evidence/Authentication messages to prototype
  * build(deps): bump uuid from 1.15.1 to 1.16.0
  * build(deps): bump thiserror from 2.0.11 to 2.0.12
  * build(deps): bump signal-hook from 0.3.17 to 0.3.18
  * build(deps): bump log from 0.4.25 to 0.4.27
  * build(deps): bump assert_cmd from 2.0.16 to 2.0.17
  * build(deps): bump actix-web from 4.9.0 to 4.10.2
  * build(deps): bump reqwest from 0.12.12 to 0.12.15
  * build(deps): bump serde from 1.0.217 to 1.0.219
  * Add unit tests for sessions.rs structures
  * Add auth(sessions) structures
  * Fix minor README.md issue (#988)
  * Define EvidenceHandling structures (#971)
  * Add mockoon test scenario
  * Add client certificates to push-attestation prototype
  * Cargo: bump url crate to version 2.5.4
  * Add logging to the push attestation prototype
  * Do not use certificate on insecure mode
  * common: Move the EncryptedData structure from common to the library
  * common: Move AuthTag from common to the library
  * build(deps): bump openssl from 0.10.71 to 0.10.72
  * common: Move Symmkey to library as crypto::symmkey
  * common: Remove unused constants and static values
  * build(deps): bump tokio from 1.43.0 to 1.44.2
  * Refactor code: Include AgentIdentity structure
  * Push model prototype
  * Add support for ek certificate chain, stored in TPM NVRAM.
  * Recover key_class field and set it as "asymmetric"
  * Update push model structures to latest values
  * build(deps): bump serde_json from 1.0.138 to 1.0.140
  * packit: Add identifier for each copr_build job
  * keylime-agent.conf: only mention ecdsa and rsassa for signing
  * build(deps): bump openssl from 0.10.70 to 0.10.71
  * build(deps): bump uuid from 1.13.2 to 1.15.1
  * Add capabilities_negotiation structures
  * packit: Add compatibility/api_version_compatibility test
  * build(deps): bump uuid from 1.11.0 to 1.13.2
  * build(deps): bump serde_json from 1.0.135 to 1.0.138
  * build(deps): bump thiserror from 2.0.9 to 2.0.11
  * build(deps): bump tempfile from 3.14.0 to 3.17.1
  * Allow agent to start as non-root
  * scripts: Fix coverage information downloading script
  * build(deps): bump openssl from 0.10.68 to 0.10.70
  * build(deps): bump tokio from 1.42.0 to 1.43.0
* Update to version 0.2.7+1:
  * dist: Enable logging for keylime library in the service
  * Bump version to 0.2.7
  * scripts: Download coverage data from Testing Farm directly
  * main: Remove unnecessary lifetime
  * cargo: Bump pretty_env_logger to version 0.5.0
  * scripts: Fix regex in download_packit_coverage.sh
  * cargo: Bump clap crate to version 4.5.23
  * cargo: Bump base64 crate to version 0.22.1
  * build(deps): bump log from 0.4.22 to 0.4.25
  * build(deps): bump serde_json from 1.0.133 to 1.0.135
  * cargo: Bump tokio crate to version 1.42.0
  * packit: Fix RPM builds on copr
  * cargo: Bump thiserror crate to version 0.2.9
  * cargo: Update reqwest to version 0.12.12
  * build(deps): bump libc from 0.2.168 to 0.2.169
  * build(deps): bump glob from 0.3.1 to 0.3.2
  * version: Implement API version validation and ordering
  * main: Support using multiple API versions for registration
  * keylime: Introduce the registrar_client module
  * Provide endpoints under multiple API versions
  * Move 'serialization' module to the keylime library
  * Drop unnecessary dependency on common::API_VERSION
  * keylime-agent.conf: Bump version to 2.3
  * build(deps): bump serde from 1.0.210 to 1.0.217
  * build(deps): bump pest_derive from 2.7.14 to 2.7.15
  * build(deps): bump pest from 2.7.14 to 2.7.15
  * build(deps): bump libc from 0.2.167 to 0.2.168
  * config: Make IAK and IDevID certificates optional
  * Fix warnings reported by clippy
  * workflows: Run job in the CI container directly
  * tests: Add unit test for device ID builder
  * main: Move IAK/IDevID related code to dedicated module
  * tests: Add script to generate IAK and IDevID certificates
  * build(deps): bump openssl from 0.10.66 to 0.10.68
  * build(deps): bump uuid from 1.10.0 to 1.11.0
  * build(deps): bump serde_json from 1.0.128 to 1.0.133
  * build(deps): bump actix-web from 4.5.1 to 4.9.0
  * build(deps): bump reqwest from 0.12.7 to 0.12.9
  * tests/setup_swtpm.sh: Add script to setup temporary TPM
  * Use a single TPM context and avoid race conditions during tests
  * config: Enable passing a hostname instead of IP
  * build(deps): bump clap from 4.3.11 to 4.5.21
  * build(deps): bump tempfile from 3.10.1 to 3.14.0
  * build(deps): bump pest_derive from 2.7.6 to 2.7.14
  * build(deps): bump pest from 2.7.6 to 2.7.14
  * build(deps): bump codecov/codecov-action from 4 to 5
  * workflows: Submit the coverage for merged PR from Fedora 41
  * tests: Use Fedora 41 to generate code coverage
  * api: Make API configuration modular
  * agent_handler: Move the /agent scope configuration
  * notifications_handler: Move the /notifications scope configuration
  * quotes_handler: Move the /quotes scope configuration to quotes_handler
  * keys_handler: Move /keys scope configuration to keys_handler
  * Use ${DESTDIR} for config
  * Fix showing wrong UUID
  * build(deps): bump actix-rt from 2.9.0 to 2.10.0
  * config: Refactor AgentConfig Source trait implementation
  * build(deps): bump log from 0.4.21 to 0.4.22
  * build(deps): bump serde_json from 1.0.120 to 1.0.128
  * tpm: check if EK certificate has valid ASN.1 DER encoding
  * build(deps): bump futures from 0.3.27 to 0.3.31
  * cargo: Bump reqwest to version 0.12.7
  * build(deps): bump serde from 1.0.203 to 1.0.210
  * tests: Add more tests to Packit CI
  * build(deps): bump docker/build-push-action from 5 to 6
  * tests: apply workarounds to known bugs
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Micro 6.0
  `zypper in -t patch SUSE-SLE-Micro-6.0-380=1`
## Package List:
* SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
  * rust-keylime-debuginfo-0.2.7+70-1.1
  * rust-keylime-0.2.7+70-1.1
## References:
* https://www.suse.com/security/cve/CVE-2024-12224.html
* https://bugzilla.suse.com/show_bug.cgi?id=1243861