SUSE alert SUSE-SU-2025:20717-1 (rust-keylime)

From:
             
 
SLE-SECURITY-UPDATES <null@suse.de>
To:
             
 
sle-security-updates@lists.suse.com
Subject:
             
 
SUSE-SU-2025:20717-1: moderate: Security update for rust-keylime
Date:
             
 
Fri, 26 Sep 2025 16:40:45 -0000
Message-ID:
             
 
<175890484547.25554.12551600465504956274@smelt2.prg2.suse.org>


# Security update for rust-keylime

Announcement ID: SUSE-SU-2025:20717-1  
Release Date: 2025-09-16T07:49:07Z  
Rating: moderate  
References:

  * bsc#1242623
  * bsc#1247193
  * bsc#1248006

  
Cross-References:

  * CVE-2024-58266
  * CVE-2025-3416
  * CVE-2025-55159

  
CVSS scores:

  * CVE-2024-58266 ( SUSE ):  2.0
    CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
  * CVE-2024-58266 ( SUSE ):  3.6 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
  * CVE-2024-58266 ( NVD ):  3.2 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
  * CVE-2024-58266 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2025-3416 ( SUSE ):  6.3
    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2025-3416 ( SUSE ):  3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-3416 ( NVD ):  3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-55159 ( SUSE ):  5.8
    CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-55159 ( SUSE ):  5.8 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:H
  * CVE-2025-55159 ( NVD ):  5.1

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  
Affected Products:

  * SUSE Linux Micro 6.0

  
  
An update that solves three vulnerabilities can now be installed.

## Description:

This update for rust-keylime fixes the following issues:

  * Update vendored crate slab to version 0.4.11
  * CVE-2025-55159: Fixed incorrect bounds check in get_disjoint_mut function
    leading to undefined behavior or potential crash due to out-of-bounds access
    (bsc#1248006)

  * Update to version 0.2.8+12:

  * build(deps): bump actions/checkout from 4 to 5
  * build(deps): bump cfg-if from 1.0.0 to 1.0.1
  * build(deps): bump openssl from 0.10.72 to 0.10.73
  * build(deps): bump clap from 4.5.39 to 4.5.45
  * build(deps): bump pest from 2.8.0 to 2.8.1
  * Fix clippy warnings
  * Use verifier-provided interval for continuous attestation timing
  * Add meta object with seconds_to_next_attestation to evidence response
  * Fix boot time retrieval
  * Fix IMA log format (it must be ['text/plain']) (#1073)
  * Remove unnecessary configuration fields
  * cargo: Bump retry-policies to version 0.4.0

  * Update vendored crate shlex to version 1.3.0

  * CVE-2024-58266: Fixed command injection (bsc#1247193)

  * Update to version 0.2.7+141:

  * service: Use WantedBy=multi-user.target
  * rpm: Add subpackage for push-attestation agent
  * push-model: implement continuous attestation with configurable intervals
  * Retry registration forever in the state machine
  * Add Verifier URL to configuration
  * Align exp.backoff to current configuration format
  * Increase coverage of state machine (using Context)
  * Increase coverage of struct_filler.rs
  * Groom code (remove dead code)
  * Fix exponential backoff (10secs, 4xx accepted)
  * test: Add documentation test to tests/run.sh
  * tpm: Avoid running code example during documentation tests
  * state_machine: Always start the agent from the Unregistered state
  * Add fixes for the URL construction
  * Refactor evidences collection in push attestation agent
  * push-model: refactor attestation logic into a state machine
  * Fix body sending by allowing serializing strings (#1057)
  * Log ResilientClient errors/response status codes (#1055)
  * Add AK signing scheme and hash algorithm to negotiation
  * tpm: Add method to extract signing scheme and hash algorithm from AK
  * Allow custom content-type/accept headers
  * Integrate exponential backoff to registration (#1052)
  * keylime/structures: Rename ShaValues to PcrBanks
  * Add resilient_client for exponential backoff (#1048)

  * Update vendored crate openssl 0.10.73:

  * CVE-2025-3416: Fixed Use-After-Free in Md::fetch and Cipher::fetch
    (bsc#1242623)

  * Update to version 0.2.7+117:

  * Increase coverage in evidence handling structure
  * Add Capabilities Negotiations resp. missing fields
  * Fix UEFI test to check file access in all cases
  * context_info_handler: Do not assume /var/lib/keylime exists
  * Fix clippy warnings about uninlined format arguments
  * attestation: Allow unwrap() in tests
  * Increase coverage (groom code, extend unit tests)
  * Include IMA/UEFI logs in Evidence Handling request
  * Include method to get all IMA entries as string
  * Send correct list of pcr banks and sign algorithms
  * Try to fix TPM tests related issues
  * Define attestation perform asynchronous
  * Perform attestation in push model agent binary
  * Refactor code to use new attestation.rs
  * Create attestation.rs for Attestation stuff
  * Move ContextInfo management to its own handler
  * Adjust context_info.rs after rebase
  * Add attestation function to ContextInfo structure
  * Add prohibited signing algorithms, avoid ecschnorr
  * keylime/config: Use macro to implement PushModelConfigTrait
  * Introduce keylime-macros and define_view_trait
  * config: Remove KeylimeConfig structure
  * config: Remove unnecessary options and lazy initialization
  * Fix pcr_bank function to send all possible slots
  * Send Content-Type:application/json on request (#1039)
  * Send correct 'key_algorithm' in certification_keys (#1035)
  * Push Model: Persist Attestation Key to file
  * Add Keylime push model binary to root GNUmakefile
  * Use singleton to avoid multiple Context allocation
  * tests: Do not assume `/var/lib/keylime` exists (#1030)
  * lib/cert: Fix race condition due to use of same file path
  * payloads: Fix race condition in tests
  * Add uefi_log_handler.rs to parse UEFI binary
  * Use IMA log parser to send correct entry count
  * Add IMA log parser
  * build(deps): bump once_cell from 1.19.0 to 1.21.3
  * lib/config/base.rs: Add more unit tests
  * lib/permissions: Add unit tests
  * keylime-agent: move JsonWrapper from common.rs to the library
  * lib/agent_data: Move agent_data related tests from common
  * common: Replace APIVersion with the library Version structure
  * keylime_agent: Move secure_mount.rs to the library
  * lib: Rename keylime_error.rs as error.rs
  * config: Move config to keylime library
  * config: Rename push_model_config to push_model
  * lib: Move permissions.rs from keylime-agent to the lib
  * Extract Capabilities Negotiation info from TPM (#1014)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.0  
    zypper in -t patch SUSE-SLE-Micro-6.0-461=1

## Package List:

  * SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    * rust-keylime-debuginfo-0.2.8+12-1.1
    * rust-keylime-0.2.8+12-1.1

## References:

  * https://www.suse.com/security/cve/CVE-2024-58266.html
  * https://www.suse.com/security/cve/CVE-2025-3416.html
  * https://www.suse.com/security/cve/CVE-2025-55159.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1242623
  * https://bugzilla.suse.com/show_bug.cgi?id=1247193
  * https://bugzilla.suse.com/show_bug.cgi?id=1248006



Attachment: None (type=text/html)
(HTML attachment elided)