<div class="container">
<h1>Security update for rust-keylime</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:20057-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-02-03T08:57:20Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1223234">bsc#1223234</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1229952">bsc#1229952</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1230029">bsc#1230029</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-32650.html">CVE-2024-32650</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-43806.html">CVE-2024-43806</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-32650</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-43806</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves two vulnerabilities and has one fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for rust-keylime fixes the following issues:</p>
<ul>
<li>Update vendored crates (CVE-2024-43806, bsc#1229952, bsc#1230029):
<ul>
<li>rustix 0.37.25</li>
<li>rustix 0.38.34</li>
<li>shlex 1.3.0</li>
</ul>
</li>
<li>Update to version 0.2.6+13:
<ul>
<li>Enable test functional/iak-idevid-persisted-and-protected</li>
<li>build(deps): bump uuid from 1.7.0 to 1.10.0</li>
<li>build(deps): bump openssl from 0.10.64 to 0.10.66</li>
<li>keylime-agent/src/revocation: Fix comment indentation</li>
<li>keylime/crypto: Fix indentation of documentation comment</li>
<li>build(deps): bump thiserror from 1.0.59 to 1.0.63</li>
<li>build(deps): bump serde_json from 1.0.116 to 1.0.120</li>
<li>dependabot: Extend to also monitor workflow actions</li>
<li>ci: Disable Packit CI on CentOS Stream 9</li>
<li>ci: use CODECOV_TOKEN when submitting coverage data</li>
<li>revocation: Use into() for infallible transformation</li>
<li>secure_mount: Fix possible infinite loop</li>
<li>error: Rename enum variants to avoid clippy warning</li>
</ul>
</li>
<li>Update to version 0.2.6~0:
<ul>
<li>Bump version to 0.2.6</li>
<li>build(deps): bump libc from 0.2.153 to 0.2.155</li>
<li>build(deps): bump serde from 1.0.196 to 1.0.203</li>
<li>rpm/fedora: Update rust macro usage</li>
<li>config: Support hostnames in registrar_ip option</li>
<li>added use of persisted IAK and IDevID and authorisation values</li>
<li>config changes</li>
<li>Adding /agent/info API to agent</li>
<li>Fix leftover 'unnecessary qualification' warnings on tests</li>
</ul>
</li>
<li>Update to version 0.2.5~4:
<ul>
<li>Fix 'unnecessary qualification' warnings</li>
<li>fix IAK template to match IDevID</li>
<li>rpm: fix COPR RPMs build for centos-stream-10</li>
<li>Build COPR RPMs for centos-stream-10</li>
</ul>
</li>
<li>Update to version 0.2.5~0:
<ul>
<li>Bump version to 0.2.5</li>
<li>cargo: Relax required version for pest crate</li>
<li>build(deps): bump log from 0.4.20 to 0.4.21</li>
<li>build(deps): bump thiserror from 1.0.56 to 1.0.59</li>
</ul>
</li>
<li>actix-web update moves rustls as feature (bsc#1223234, CVE-2024-32650)</li>
<li>Update to version 0.2.4~39:
<ul>
<li>build(deps): bump openssl from 0.10.63 to 0.10.64</li>
<li>build(deps): bump h2 from 0.3.24 to 0.3.26</li>
<li>build(deps): bump serde_json from 1.0.107 to 1.0.116</li>
<li>build(deps): bump actix-web from 4.4.1 to 4.5.1</li>
<li>crypto: Enable TLS 1.3</li>
<li>build(deps): bump tempfile from 3.9.0 to 3.10.1</li>
<li>build(deps): bump mio from 0.8.4 to 0.8.11</li>
<li>enable hex values to be used for tpm_ownerpassword</li>
<li>config: Support IPv6 with or without brackets</li>
<li>keylime: Implement a simple IP parser to remove brackets</li>
<li>crypto: Implement CertificateBuilder to generate certificates</li>
<li>tests: Fix coverage download by supporting arbitrary URL</li>
<li>cargo: Add testing feature to keylime library</li>
<li>Set X509 SAN with local DNSname/IP/IPv6</li>
<li>Include newest Node20 versions for Github actions</li>
<li>tpm: Add unit test for uncovered public functions</li>
<li>crypto: Implement ECC key generation support</li>
<li>crypto: Add test for match_cert_to_template()</li>
<li>Fix minor typo, format and remove end whitespaces</li>
<li>crypto: Make error types less specific</li>
<li>tests/run.sh: Run tarpaulin with a single thread</li>
<li>payloads: Remove explicit drop of channel transmitter</li>
<li>crypto: Move to keylime library</li>
<li>crypto: Add specific type for every possible error</li>
<li>tpm: Rename origin of error as source in structures</li>
<li>list_parser: Add source for error for backtrace</li>
<li>algorithms: Make errors more specific</li>
<li>typo fix for default path to measured boot log file</li>
<li>README: remove mentions of libarchive as a dependency</li>
<li>Dockerfile.wolfi: Update clang to version 17</li>
<li>docker: Remove libarchive as a dependency</li>
<li>rpm: Remove libarchive from dependencies</li>
<li>cargo: Replace compress-tools with zip crate</li>
<li>cargo: Bump ahash to version 0.8.7</li>
<li>build(deps): bump serde from 1.0.195 to 1.0.196</li>
<li>build(deps): bump libc from 0.2.152 to 0.2.153</li>
<li>build(deps): bump reqwest from 0.11.23 to 0.11.24</li>
<li>docker: Install configuration file in the correct path</li>
<li>config: Make IAK/IDevID disabled by default</li>
</ul>
</li>
<li>Update to version 0.2.4+git.1706692574.a744517:
<ul>
<li>Bump version to 0.2.4</li>
<li>build(deps): bump uuid from 1.4.1 to 1.7.0</li>
<li>keylime-agent.conf: Allow setting event logs paths</li>
<li>Mutable log paths: allow IMA and MBA log paths to be overridden by keylime configuration.</li>
<li>workflows: Update checkout action to version 4</li>
<li>build(deps): bump serde from 1.0.188 to 1.0.195</li>
<li>build(deps): bump pest_derive from 2.7.0 to 2.7.6</li>
<li>build(deps): bump openssl from 0.10.62 to 0.10.63</li>
<li>build(deps): bump config from 0.13.3 to 0.13.4</li>
<li>build(deps): bump base64 from 0.21.4 to 0.21.7</li>
<li>build(deps): bump tempfile from 3.8.0 to 3.9.0</li>
<li>build(deps): bump pest from 2.7.0 to 2.7.6</li>
<li>build(deps): bump actix-web from 4.4.0 to 4.4.1</li>
<li>build(deps): bump reqwest from 0.11.22 to 0.11.23</li>
<li>build(deps): bump h2 from 0.3.17 to 0.3.24</li>
<li>build(deps): bump shlex from 1.1.0 to 1.3.0</li>
<li>cargo: Bump tss-esapi to version 7.4.0</li>
<li>workflows: Fix keylime-bot token usage</li>
<li>tpm: Add error context for every possible error</li>
<li>tpm: Add AlgorithmError to TpmError</li>
<li>detect idevid template from certificates</li>
<li>build(deps): bump wiremock from 0.5.18 to 0.5.22</li>
<li>build(deps): bump thiserror from 1.0.48 to 1.0.56</li>
<li>Make use of workspace dependencies</li>
<li>build(deps): bump openssl from 0.10.57 to 0.10.62</li>
<li>packit: Bump Fedora version used for code coverage</li>
</ul>
</li>
<li>Update to version 0.2.3+git.1701075380.a5dc985:
<ul>
<li>build(deps): bump actix-rt from 2.8.0 to 2.9.0</li>
<li>Bump version to 0.2.3</li>
<li>build(deps): bump reqwest from 0.11.20 to 0.11.22</li>
<li>Bump configuration version and fix enable_iak_idevid</li>
<li>Enable test functional/iak-idevid-register-with-certificates</li>
<li>Update packit plan with new tests</li>
<li>Add certificates and certificate checking for IDevID and IAK keys (#669)</li>
</ul>
</li>
<li>Update to version 0.2.2+git.1697658634.9c7c6fa:
<ul>
<li>build(deps): bump rustix from 0.37.11 to 0.37.25</li>
<li>build(deps): bump tempfile from 3.6.0 to 3.8.0</li>
<li>build(deps): bump base64 from 0.21.0 to 0.21.4</li>
<li>build(deps): bump serde_json from 1.0.96 to 1.0.107</li>
<li>build(deps): bump openssl from 0.10.55 to 0.10.57</li>
<li>cargo: Bump serde to version 1.0.188</li>
<li>tests: Fix tarpaulin issues with dropped -v option</li>
<li>build(deps): bump signal-hook from 0.3.15 to 0.3.17</li>
<li>build(deps): bump actix-web from 4.3.1 to 4.4.0</li>
<li>build(deps): bump thiserror from 1.0.40 to 1.0.48</li>
<li>Remove private_in_public</li>
<li>Initial PR to add support for IDevID and IAK</li>
<li>build(deps): bump uuid from 1.3.1 to 1.4.1</li>
<li>build(deps): bump log from 0.4.17 to 0.4.20</li>
<li>build(deps): bump reqwest from 0.11.16 to 0.11.20</li>
<li>Do not use too specific version on cargo audit workflow</li>
<li>Add workflow to run cargo-audit security audit</li>
<li>README: update dependencies for Debian and Ubuntu</li>
<li>Use latest versions of checkout/upload-artifacts</li>
<li>docker: Add 'keylime' system user</li>
<li>Use "currently" for swtpm emulator warning (#632)</li>
<li>Update container workflow actions versions</li>
<li>Build container image and push to quay.io</li>
<li>README: update requirements</li>
</ul>
</li>
<li>Update to version 0.2.2+git.1689256829.3d2b627:
<ul>
<li>Bump version to 0.2.2</li>
<li>build(deps): bump tempfile from 3.5.0 to 3.6.0</li>
<li>removing SIGINT stop signals from Dockerfiles and systemd service, as well as adding SIGTERM to IMA emulator as shutdown signal</li>
</ul>
</li>
<li>Update to version 0.2.1+git.1689167094.67ce0cf:
<ul>
<li>cargo: Bump serde to version 1.0.166</li>
<li>build(deps): bump libc from 0.2.142 to 0.2.147</li>
<li>adding release Dockerfiles in 3 flavours: fedora, distroless and wolfi</li>
<li>hash: add more configurable hash algorithm for public key digest</li>
<li>cargo: Update clap to version 4.3.11</li>
<li>cargo: Bump tokio crate version to 1.28.2</li>
<li>Add an example of IMA policy</li>
<li>main: Gracefully shutdown on SIGTERM or SIGINT</li>
<li>cargo: Bump proc-macro2 crate version</li>
<li>revocation: Parse revocation actions flexibly</li>
<li>crypto: Add unit tests for x509 functions</li>
<li>crypto: Make internal functions private</li>
<li>config: Add unit test for the list to files mapping</li>
<li>config: Make trusted_client_ca accept lists</li>
<li>lib: Implement parser for lists from config file</li>
<li>build(deps): bump openssl from 0.10.48 to 0.10.55</li>
<li>Add secure mount sanity test to packit testing.</li>
<li>[packit] Do not let COPR project expire</li>
</ul>
</li>
<li>Recommends the IMA Policy subpackage only if SELinux is configured</li>
<li>Update to version 0.2.1+git.1685699835.3c9d17c:
<ul>
<li>Remove MOUNT_SECURE bool</li>
<li>rpm: Remove unused directory and add dependency for mount</li>
<li>keylime-agent/src: update API version to 2.1 to be consistent with https://github.com/keylime/keylime/blob/master/docs/rest_apis.rst</li>
<li>docker/fedora/keylime_rust.Dockerfile: add the logic of cloning and compiling rust-keylime</li>
<li>[tests] Update test coverage task name regexp</li>
<li>[tests] Simplify coverage file URL parsing</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use the SUSE recommended
installation methods such as YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.0
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.0-65=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
<ul>
<li>rust-keylime-debugsource-0.2.6+13-1.1</li>
<li>rust-keylime-0.2.6+13-1.1</li>
<li>rust-keylime-debuginfo-0.2.6+13-1.1</li>
</ul>
</li>
</ul>
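<p>Added example (not code from the SUSE advisory or from rust-keylime): to check an inventory of installed rust-keylime builds against the fixed build 0.2.6+13-1.1 without rpmlib, a Python port of rpm's version ordering, which handles the pre-release <code>~</code> and the <code>+</code> separator that appear in the version strings above. The function names, <code>FIXED_EVR</code> and the <code>rpm -q</code> query format it expects are this example's own assumptions.</p>

```python
import re
# Added example, not code from rust-keylime or SUSE: a port of rpm's
# rpmvercmp() so an inventory export can be checked against the fixed build.
FIXED_EVR = "0.2.6+13-1.1"  # rust-keylime build from the advisory's package list
SEP = re.compile(r"[^0-9A-Za-z~^]*")  # '.', '+', '-' etc. only separate segments

def rpmvercmp(a, b):
    """rpm ordering: '~' sorts before anything (0.2.6~0 < 0.2.6), '^' sorts
    after the bare version, and 0.2.6 < 0.2.6+13. Returns -1, 0 or 1."""
    while a or b:
        a, b = a[SEP.match(a).end():], b[SEP.match(b).end():]
        ca, cb = a[:1], b[:1]
        if "~" in (ca, cb) or "^" in (ca, cb):
            if ca == cb:
                a, b = a[1:], b[1:]
                continue
            if "~" in (ca, cb):  # the tilde side is the lower (pre-release) one
                return -1 if ca == "~" else 1
            if not (ca and cb):  # bare version < caret suffix
                return -1 if not ca else 1
            return -1 if ca == "^" else 1
        if not (ca and cb):
            break
        pat = r"\d+" if ca.isdigit() else r"[A-Za-z]+"
        sa, mb = re.match(pat, a).group(), re.match(pat, b)
        if mb is None:  # numeric segment vs alphabetic segment: numeric wins
            return 1 if ca.isdigit() else -1
        sb = mb.group()
        a, b = a[len(sa):], b[len(sb):]
        if ca.isdigit():  # numeric segments compare by value, not as text
            sa, sb = int(sa), int(sb)
        if sa != sb:
            return 1 if sa > sb else -1
    return 0 if a == b else (-1 if not a else 1)

def split_evr(evr):
    """'[epoch:]version-release'; rpm -q prints '(none)' for an unset epoch."""
    epoch, sep, rest = evr.rpartition(":")
    epoch = "0" if not sep or epoch == "(none)" else epoch
    version, sep, release = rest.rpartition("-")
    return epoch, (version if sep else rest), (release if sep else "")

def needs_update(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed rust-keylime sorts below the fixed build."""
    for x, y in zip(split_evr(installed_evr), split_evr(fixed_evr)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc < 0
    return False
```

Feed <code>needs_update()</code> the output of <code>rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' rust-keylime</code> from each host; the unset-epoch form <code>(none):...</code> is handled.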
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-32650.html">https://www.suse.com/security/cve/CVE-2024-32650.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-43806.html">https://www.suse.com/security/cve/CVE-2024-43806.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1223234">https://bugzilla.suse.com/show_bug.cgi?id=1223234</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1229952">https://bugzilla.suse.com/show_bug.cgi?id=1229952</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1230029">https://bugzilla.suse.com/show_bug.cgi?id=1230029</a>
</li>
</ul>
</div>