suse-su-2025:20491-1
Vulnerability from csaf_suse
Published
2025-07-11 09:39
Modified
2025-07-11 09:39
Summary
Security update for rust-keylime
Notes
Title of the patch
Security update for rust-keylime
Description of the patch
This update for rust-keylime fixes the following issues:
- CVE-2024-12224: idna: Fixed improper validation in punycode (bsc#1243861)
- Update to version 0.2.7+70:
* build(deps): bump wiremock from 0.6.2 to 0.6.3
* build(deps): bump uuid from 1.16.0 to 1.17.0
* lib: Introduce AgentIdentity structure
* gitignore: Add *.swp and *.orig to be ignored
* build(deps): bump clap from 4.5.38 to 4.5.39
* build(deps): bump tokio from 1.45.0 to 1.45.1
* Unify Push Model structures time formats to UTC (#1016)
* Add Quote related structures to Keylime library
* Remove configuration file trailing whitespaces (#1012)
* keylime-agent.conf: add all accepted TPM encryption algs
* tpm: add policy auth for EK to activate credential
* Enable non-standard key sizes and curves for EK and AK
* config: Use next_back() instead of last() for iterators
* Update to tss-esapi v7.6.0
* Avoid duplicated call to ctx.create_ek
* build(deps): bump clap from 4.5.23 to 4.5.38
* Add registration for Push Model client
* build(deps): bump tokio from 1.44.2 to 1.45.0
* build(deps): bump chrono from 0.4.40 to 0.4.41
* build(deps): bump tempfile from 3.17.1 to 3.20.0
* Refactor code: move error, registration to lib
* Move structure filling and URL selection code (#999)
* build(deps): bump pest_derive from 2.7.15 to 2.8.0
* build(deps): bump pest from 2.7.15 to 2.8.0
* build(deps): bump libc from 0.2.169 to 0.2.172
* Add Evidence/Authentication messages to prototype
* build(deps): bump uuid from 1.15.1 to 1.16.0
* build(deps): bump thiserror from 2.0.11 to 2.0.12
* build(deps): bump signal-hook from 0.3.17 to 0.3.18
* build(deps): bump log from 0.4.25 to 0.4.27
* build(deps): bump assert_cmd from 2.0.16 to 2.0.17
* build(deps): bump actix-web from 4.9.0 to 4.10.2
* build(deps): bump reqwest from 0.12.12 to 0.12.15
* build(deps): bump serde from 1.0.217 to 1.0.219
* Add unit tests for sessions.rs structures
* Add auth(sessions) structures
* Fix minor README.md issue (#988)
* Define EvidenceHandling structures (#971)
* Add mockoon test scenario
* Add client certificates to push-attestation prototype
* Cargo: bump url crate to version 2.5.4
* Add logging to the push attestation prototype
* Do not use certificate on insecure mode
* common: Move the EncryptedData structure from common to the library
* common: Move AuthTag from common to the library
* build(deps): bump openssl from 0.10.71 to 0.10.72
* common: Move Symmkey to library as crypto::symmkey
* common: Remove unused constants and static values
* build(deps): bump tokio from 1.43.0 to 1.44.2
* Refactor code: Include AgentIdentity structure
* Push model prototype
* Add support for ek certificate chain, stored in TPM NVRAM.
* Recover key_class field and set it as "asymmetric"
* Update push model structures to latest values
* build(deps): bump serde_json from 1.0.138 to 1.0.140
* packit: Add identifier for each copr_build job
* keylime-agent.conf: only mention ecdsa and rsassa for signing
* build(deps): bump openssl from 0.10.70 to 0.10.71
* build(deps): bump uuid from 1.13.2 to 1.15.1
* Add capabilities_negotiation structures
* packit: Add compatibility/api_version_compatibility test
* build(deps): bump uuid from 1.11.0 to 1.13.2
* build(deps): bump serde_json from 1.0.135 to 1.0.138
* build(deps): bump thiserror from 2.0.9 to 2.0.11
* build(deps): bump tempfile from 3.14.0 to 3.17.1
* Allow agent to start as non-root
* scripts: Fix coverage information downloading script
* build(deps): bump openssl from 0.10.68 to 0.10.70
* build(deps): bump tokio from 1.42.0 to 1.43.0
- Update to version 0.2.7+1:
* dist: Enable logging for keylime library in the service
* Bump version to 0.2.7
* scripts: Download coverage data from Testing Farm directly
* main: Remove unnecessary lifetime
* cargo: Bump pretty_env_logger to version 0.5.0
* scripts: Fix regex in download_packit_coverage.sh
* cargo: Bump clap crate to version 4.5.23
* cargo: Bump base64 crate to version 0.22.1
* build(deps): bump log from 0.4.22 to 0.4.25
* build(deps): bump serde_json from 1.0.133 to 1.0.135
* cargo: Bump tokio crate to version 1.42.0
* packit: Fix RPM builds on copr
* cargo: Bump thiserror crate to version 0.2.9
* cargo: Update reqwest to version 0.12.12
* build(deps): bump libc from 0.2.168 to 0.2.169
* build(deps): bump glob from 0.3.1 to 0.3.2
* version: Implement API version validation and ordering
* main: Support using multiple API versions for registration
* keylime: Introduce the registrar_client module
* Provide endpoints under multiple API versions
* Move 'serialization' module to the keylime library
* Drop unnecessary dependency on common::API_VERSION
* keylime-agent.conf: Bump version to 2.3
* build(deps): bump serde from 1.0.210 to 1.0.217
* build(deps): bump pest_derive from 2.7.14 to 2.7.15
* build(deps): bump pest from 2.7.14 to 2.7.15
* build(deps): bump libc from 0.2.167 to 0.2.168
* config: Make IAK and IDevID certificates optional
* Fix warnings reported by clippy
* workflows: Run job in the CI container directly
* tests: Add unit test for device ID builder
* main: Move IAK/IDevID related code to dedicated module
* tests: Add script to generate IAK and IDevID certificates
* build(deps): bump openssl from 0.10.66 to 0.10.68
* build(deps): bump uuid from 1.10.0 to 1.11.0
* build(deps): bump serde_json from 1.0.128 to 1.0.133
* build(deps): bump actix-web from 4.5.1 to 4.9.0
* build(deps): bump reqwest from 0.12.7 to 0.12.9
* tests/setup_swtpm.sh: Add script to set up temporary TPM
* Use a single TPM context and avoid race conditions during tests
* config: Enable passing a hostname instead of IP
* build(deps): bump clap from 4.3.11 to 4.5.21
* build(deps): bump tempfile from 3.10.1 to 3.14.0
* build(deps): bump pest_derive from 2.7.6 to 2.7.14
* build(deps): bump pest from 2.7.6 to 2.7.14
* build(deps): bump codecov/codecov-action from 4 to 5
* workflows: Submit the coverage for merged PR from Fedora 41
* tests: Use Fedora 41 to generate code coverage
* api: Make API configuration modular
* agent_handler: Move the /agent scope configuration
* notifications_handler: Move the /notifications scope configuration
* quotes_handler: Move the /quotes scope configuration to quotes_handler
* keys_handler: Move /keys scope configuration to keys_handler
* Use ${DESTDIR} for config
* Fix showing wrong UUID
* build(deps): bump actix-rt from 2.9.0 to 2.10.0
* config: Refactor AgentConfig Source trait implementation
* build(deps): bump log from 0.4.21 to 0.4.22
* build(deps): bump serde_json from 1.0.120 to 1.0.128
* tpm: check if EK certificate has valid ASN.1 DER encoding
* build(deps): bump futures from 0.3.27 to 0.3.31
* cargo: Bump reqwest to version 0.12.7
* build(deps): bump serde from 1.0.203 to 1.0.210
* tests: Add more tests to Packit CI
* build(deps): bump docker/build-push-action from 5 to 6
* tests: apply workarounds to known bugs
Patchnames
SUSE-SLE-Micro-6.0-380
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Severity
moderate (SUSE rating, https://www.suse.com/support/security/rating/)
CVE description
CVE-2024-12224: Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.
CVSS v3.1
Base score 4.2 (MEDIUM), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected products (fixed by this update)
- SUSE Linux Micro 6.0 (cpe:/o:suse:sl-micro:6.0): rust-keylime-0.2.7+70-1.1.aarch64, rust-keylime-0.2.7+70-1.1.s390x, rust-keylime-0.2.7+70-1.1.x86_64
Remediation
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
- URL of this CSAF notice: https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20491-1.json
- URL for SUSE-SU-2025:20491-1: https://www.suse.com/support/update/announcement/2025/suse-su-202520491-1/
- E-Mail link for SUSE-SU-2025:20491-1: https://lists.suse.com/pipermail/sle-updates/2025-July/040930.html
- SUSE Bug 1243861: https://bugzilla.suse.com/1243861
- SUSE Bug 1243848 for CVE-2024-12224: https://bugzilla.suse.com/1243848
- SUSE CVE CVE-2024-12224 page: https://www.suse.com/security/cve/CVE-2024-12224/
Tracking
ID SUSE-SU-2025:20491-1, revision 1 (final), initial release and current release date 2025-07-11T09:39:57Z; generated by cve-database.git:bin/generate-csaf.pl version 1.
Publisher
SUSE Product Security Team (https://www.suse.com/), contact https://www.suse.com/support/security/contact/. Distribution: TLP:WHITE (https://www.first.org/tlp/); Copyright 2024 SUSE LLC. All rights reserved.