<div class="container">
<h1>Security update for keylime</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:21194-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-12-12T09:46:14Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>critical</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1237153">bsc#1237153</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1254199">bsc#1254199</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-1057.html">CVE-2025-1057</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-13609.html">CVE-2025-13609</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-1057</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">4.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-13609</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">9.1</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-13609</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">9.0</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-13609</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.2</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server 16.0</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves two vulnerabilities can now be installed.</p>
<h2>Description:</h2>
<p>This update for keylime fixes the following issues:</p>
<p>Update to version 7.13.0+40.</p>
<p>Security issues fixed:</p>
<ul>
<li>CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate
UUIDs (bsc#1254199).</li>
<li>CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).</li>
</ul>
<p>Other issues fixed and changes:</p>
<ul>
<li>Version 7.13.0+40:</li>
<li>Include new attestation information fields (#1818)</li>
<li>Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)</li>
<li>push-model: require HTTPS for authentication and attestation endpoints</li>
<li>Fix operational_state tracking in push mode attestations</li>
<li>templates: add push model authentication config options to 2.5 templates</li>
<li>Security: Hash authentication tokens in logs</li>
<li>Fix stale IMA policy cache in verification</li>
<li>Fix authentication behavior on failed attestations for push mode</li>
<li>Add shared memory infrastructure for multiprocess communication</li>
<li>Add agent authentication (challenge/response) protocol for push mode</li>
<li>Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)</li>
<li>docs: Fix man page RST formatting for rst2man compatibility (#1813)</li>
<li>Apply limit on keylime-policy workers</li>
<li>tpm: fix ECC signature parsing to support variable-length coordinates</li>
<li>tpm: fix ECC P-521 credential activation with consistent marshaling</li>
<li>tpm: fix ECC P-521 coordinate validation</li>
<li>Remove deprecated disabled_signing_algorithms configuration option (#1804)</li>
<li>algorithms: add support for specific RSA algorithms</li>
<li>algorithms: add support for specific ECC curve algorithms</li>
<li>Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent</li>
<li>Manpage for keylime agent</li>
<li>Manpage for keylime verifier</li>
<li>Manpage for keylime registrar</li>
<li>Use constants for timeout and max retries defaults</li>
<li>verifier: Use timeout from <code>request_timeout</code> config option</li>
<li>revocation_notifier: Use timeout setting from config file</li>
<li>tenant: Set timeout when getting version from agent</li>
<li>verify/evidence: SEV-SNP evidence type/verifier</li>
<li>verify/evidence: Add evidence type to request JSON</li>
<li>Version v7.13.0:</li>
<li>Avoid re-encoding certificate stored in DB</li>
<li>Revert "models: Do not re-encode certificate stored in DB"</li>
<li>Revert "registrar_agent: Use pyasn1 to parse PEM"</li>
<li>policy/sign: use print() when writing to /dev/stdout</li>
<li>registrar_agent: Use pyasn1 to parse PEM</li>
<li>models: Do not re-encode certificate stored in DB</li>
<li>mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events</li>
<li>mb: support vendor_db as logged by newer shim versions</li>
<li>mb: support EV_EFI_HANDOFF_TABLES events on PCR1</li>
<li>Remove unnecessary configuration values</li>
<li>cloud_verifier_tornado: handle exception in notify_error()</li>
<li>requests_client: close the session at the end of the resource manager</li>
<li>Manpage for keylime_tenant (#1786)</li>
<li>Add 2.5 templates including Push Model changes</li>
<li>Initial version of verify evidence API</li>
<li>db: Do not read pool size and max overflow for sqlite</li>
<li>Use context managers to close DB sessions</li>
<li>revocations: Try to send notifications on shutdown</li>
<li>verifier: Gracefully shutdown on signal</li>
<li>Use <code>fork</code> as <code>multiprocessing</code> start method</li>
<li>Fix inaccuracy in threat model and add reference to SBAT</li>
<li>Explain TPM properties and expand vTPM discussion</li>
<li>Fix invalid RST and update TOC</li>
<li>Expand threat model page to include adversarial model</li>
<li>Add --push-model option to avoid requests to agents</li>
<li>templates: duplicate str_to_version() in the adjust script</li>
<li>policy: fix mypy issues with rpm_repo</li>
<li>revocation_notifier: fix mypy issue by replacing deprecated call</li>
<li>Fix create_runtime_policy in python < 3.12</li>
<li>Fix after review</li>
<li>fixed CONSTANT names C0103 errors</li>
<li>Extend meta_data field in verifierdb</li>
<li>docs: update issue templates</li>
<li>docs: add GitHub PR template with documentation reminders</li>
<li>tpm_util: fix quote signature extraction for ECDSA</li>
<li>registrar: Log API versions during startup</li>
<li>Remove excessive logging on exception</li>
<li>scripts: Fix coverage information downloading script</li>
<li>Version v7.12.1:</li>
<li>models: Add Base64Bytes type to read and write from the database</li>
<li>Simplify response check from registrar</li>
<li>Version v7.12.0:</li>
<li>API: Add /version endpoint to registrar</li>
<li>scripts: Download coverage data directly from Testing Farm</li>
<li>docs: Add separate documentation for each API version</li>
<li>scripts/create_runtime_policy.sh: fix path for the exclude list</li>
<li>docs: add documentation for keylime-policy</li>
<li>templates: Add the new agent.conf option 'api_versions'</li>
<li>Enable autocompletion using argcomplete</li>
<li>build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2</li>
<li>Configure EPEL-10 repo in packit-ci.fmf</li>
<li>build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1</li>
<li>build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3</li>
<li>build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1</li>
<li>build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0</li>
<li>keylime-policy: improve error handling when provided a bad key (sign)</li>
<li>keylime-policy: exit with status 1 when the commands failed</li>
<li>keylime-policy: use Certificate() from models.base to validate certs</li>
<li>keylime-policy: check for valid cert file when using x509 backend (sign)</li>
<li>keylime-policy: fix help for "keylime-policy sign" verb</li>
<li>tenant: Correctly log number of tries when deleting</li>
<li>update TCTI environment variable usage</li>
<li>build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2</li>
<li>keylime-policy: add `create measured-boot' subcommand</li>
<li>keylime-policy: add `sign runtime' subcommand</li>
<li>keylime-policy: add logger to use with the policy tool</li>
<li>installer.sh: Restore execution permission</li>
<li>installer: Fix string comparison</li>
<li>build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0</li>
<li>build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0</li>
<li>build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0</li>
<li>build(deps): bump actions/setup-python from 5.2.0 to 5.3.0</li>
<li>installer.sh: updated EPEL, PEP668 Fix, logic fix</li>
<li>build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0</li>
<li>build(deps): bump actions/checkout from 4.2.1 to 4.2.2</li>
<li>postgresql support for docker using psycopg2</li>
<li>installer.sh: update package list, add workaround for PEP 668</li>
<li>build(deps): bump actions/checkout from 4.2.0 to 4.2.1</li>
<li>keylime.conf: full removal</li>
<li>Drop pending SPDX-License-Identifier headers</li>
<li>create_runtime_policy: Validate algorithm from IMA measurement log</li>
<li>create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity</li>
<li>create_runtime_policy: drop comment with test data</li>
<li>create_runtime_policy: Use a common method to guess algorithm</li>
<li>keylime-policy: rename tool to keylime-policy instead of keylime_policy</li>
<li>keylime_policy: create runtime: remove --use-ima-measurement-list</li>
<li>keylime_policy: use consistent arg names for create_runtime_policy</li>
<li>build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3</li>
<li>build(deps): bump actions/checkout from 4.1.7 to 4.2.0</li>
<li>elchecking/example: workaround empty PK, KEK, db and dbx</li>
<li>elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2</li>
<li>create_runtime_policy: Fix log level for debug messages</li>
<li>build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2</li>
<li>build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5</li>
<li>pylintrc: Ignore too-many-positional-arguments check</li>
<li>keylime/web/base/controller: Move TypeAlias definition out of class</li>
<li>create_runtime_policy: Calculate digests in multiple threads</li>
<li>create_runtime_policy: Allow rootfs to be in any directory</li>
<li>keylime_policy: Calculate digests from each source separately</li>
<li>create_runtime_policy: Simplify boot_aggregate parsing</li>
<li>ima: Validate JSON when loading IMA Keyring from string</li>
<li>docs: include IDevID page also in the sidebar</li>
<li>docs: point to installation guide from RHEL and SLE Micro</li>
<li>build(deps): bump actions/setup-python from 5.1.1 to 5.2.0</li>
<li>build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1</li>
<li>change check_tpm_origin_check to a warning that does not prevent registration</li>
<li>docs: Fix Runtime Policy JSON schema to reflect the reality</li>
<li>Sets absolute path for files inside a rootfs dir</li>
<li>policy/create_runtime_policy: fix handling of empty lines in exclude list</li>
<li>keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)</li>
<li>codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)</li>
<li>codestyle: convert bytearrays to bytes to get expected type (pyright)</li>
<li>codestyle: Use new variables after changing datatype (pyright)</li>
<li>cert_utils: add description why loading using cryptography might fail</li>
<li>ima: list names of the runtime policies</li>
<li>build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0</li>
<li>tox: Use python 3.10 instead of 3.6</li>
<li>revocation_notifier: Use web_util to generate TLS context</li>
<li>mba: Add a skip custom policies option when loading mba.</li>
<li>build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1</li>
<li>build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1</li>
<li>cmd/keylime_policy: add tool to handle keylime policies</li>
<li>cert_utils: add is_x509_cert()</li>
<li>common/algorithms: transform Encrypt and Sign class into enums</li>
<li>common/algorithms: add method to calculate digest of a file</li>
<li>build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0</li>
<li>build(deps): bump docker/login-action from 3.2.0 to 3.3.0</li>
<li>build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1</li>
<li>build(deps): bump docker/login-action from 3.2.0 to 3.3.0</li>
<li>build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0</li>
<li>build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1</li>
<li>build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1</li>
<li>build(deps): bump pre-commit/action from 3.0.0 to 3.0.1</li>
<li>tpm: Replace KDFs and ECDH implementations with python-cryptography</li>
<li>build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0</li>
<li>build(deps): bump docker/login-action from 2.2.0 to 3.2.0</li>
<li>build(deps): bump actions/setup-python from 2.3.4 to 5.1.1</li>
<li>build(deps): bump actions/first-interaction</li>
<li>build(deps): bump actions/checkout from 2.7.0 to 4.1.7</li>
<li>revocation_notifier: Explicitly add CA certificate bundle</li>
<li>Introduce new REST API framework and refactor registrar implementation</li>
<li>mba: Support named measured boot policies</li>
<li>tenant: add friendlier error message if mTLS CA is wrongly configured</li>
<li>ca_impl_openssl: Mark extensions as critical following RFC 5280</li>
<li>Include Authority Key Identifier in KL-generated certs</li>
<li>verifier, tenant: make payload for agent completely optional</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use the SUSE recommended
installation methods such as YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-104=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-104=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 16.0 (noarch)
<ul>
<li>keylime-verifier-7.13.0+40-160000.1.1</li>
<li>keylime-logrotate-7.13.0+40-160000.1.1</li>
<li>python313-keylime-7.13.0+40-160000.1.1</li>
<li>keylime-registrar-7.13.0+40-160000.1.1</li>
<li>keylime-config-7.13.0+40-160000.1.1</li>
<li>keylime-tpm_cert_store-7.13.0+40-160000.1.1</li>
<li>keylime-tenant-7.13.0+40-160000.1.1</li>
<li>keylime-firewalld-7.13.0+40-160000.1.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
<ul>
<li>keylime-verifier-7.13.0+40-160000.1.1</li>
<li>keylime-logrotate-7.13.0+40-160000.1.1</li>
<li>python313-keylime-7.13.0+40-160000.1.1</li>
<li>keylime-registrar-7.13.0+40-160000.1.1</li>
<li>keylime-config-7.13.0+40-160000.1.1</li>
<li>keylime-tpm_cert_store-7.13.0+40-160000.1.1</li>
<li>keylime-tenant-7.13.0+40-160000.1.1</li>
<li>keylime-firewalld-7.13.0+40-160000.1.1</li>
</ul>
</li>
</ul>
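<p>Added example (not part of the SUSE advisory or the keylime project): a Python check that confirms each package from the list above is installed at or beyond the fixed VERSION-RELEASE from this advisory. It assumes its input is the output of <code>rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' &lt;packages&gt;</code>; the version comparison is a simplified re-implementation of rpm's segment rules, and the sample host output is constructed.</p>

```python
import re

# Fixed VERSION-RELEASE and package names from advisory SUSE-SU-2025:21194-1.
FIXED_VR = "7.13.0+40-160000.1.1"
ADVISORY_PACKAGES = ("keylime-verifier", "keylime-registrar", "keylime-tenant", "keylime-config",
                     "keylime-tpm_cert_store", "keylime-logrotate", "keylime-firewalld", "python313-keylime")

def rpmvercmp(a: str, b: str) -> int:
    """Segment-wise comparison in the style of rpm's rpmvercmp(); returns -1, 0 or 1.
    Non-alphanumerics ('.', '+', '_') only separate segments, so 7.13.0+40 > 7.13.0.
    Simplification: the '~' and '^' pre-release rules are not implemented."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment outranks an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # the string with more segments wins

def vr_at_least(installed: str, fixed: str) -> bool:
    """True if installed VERSION-RELEASE >= fixed. Version and release are compared
    separately, as rpm does, so a higher release never masks an older version."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    c = rpmvercmp(iv, fv)
    return c > 0 or (c == 0 and rpmvercmp(ir, fr) >= 0)

def audit(rpm_output: str) -> dict:
    r"""Classify each advisory package from the output of
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <packages>
    as 'patched', 'vulnerable' or 'not installed' ('package X is not installed' lines are skipped)."""
    installed = dict(line.split() for line in rpm_output.splitlines() if len(line.split()) == 2)
    return {pkg: "not installed" if pkg not in installed
            else "patched" if vr_at_least(installed[pkg], FIXED_VR) else "vulnerable"
            for pkg in ADVISORY_PACKAGES}

# Constructed sample (not from a real host): the verifier package lags behind the fix.
SAMPLE_RPM_OUTPUT = """\
keylime-registrar 7.13.0+40-160000.1.1
keylime-verifier 7.13.0-160000.1.1
python313-keylime 7.13.0+40-160000.1.1
package keylime-tenant is not installed
"""

if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_RPM_OUTPUT).items():
        print(f"{pkg:24} {status}")
```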
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-1057.html">https://www.suse.com/security/cve/CVE-2025-1057.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-13609.html">https://www.suse.com/security/cve/CVE-2025-13609.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1237153">https://bugzilla.suse.com/show_bug.cgi?id=1237153</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1254199">https://bugzilla.suse.com/show_bug.cgi?id=1254199</a>
</li>
</ul>
</div>