{"affected":[{"ecosystem_specific":{"binaries":[{"keylime-config":"7.13.0+40-160000.1.1","keylime-firewalld":"7.13.0+40-160000.1.1","keylime-logrotate":"7.13.0+40-160000.1.1","keylime-registrar":"7.13.0+40-160000.1.1","keylime-tenant":"7.13.0+40-160000.1.1","keylime-tpm_cert_store":"7.13.0+40-160000.1.1","keylime-verifier":"7.13.0+40-160000.1.1","python313-keylime":"7.13.0+40-160000.1.1"}]},"package":{"ecosystem":"openSUSE:Leap 16.0","name":"keylime","purl":"pkg:rpm/opensuse/keylime&distro=openSUSE%20Leap%2016.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"7.13.0+40-160000.1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for keylime fixes the following issues:\n\nUpdate to version 7.13.0+40.\n\nSecurity issues fixed:\n\n- CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate\n  UUIDs (bsc#1254199).\n- CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).\n\nOther issues fixed and changes:\n\n- Version 7.13.0+40:\n  * Include new attestation information fields (#1818)\n  * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)\n  * push-model: require HTTPS for authentication and attestation endpoints\n  * Fix operational_state tracking in push mode attestations\n  * templates: add push model authentication config options to 2.5 templates\n  * Security: Hash authentication tokens in logs\n  * Fix stale IMA policy cache in verification\n  * Fix authentication behavior on failed attestations for push mode\n  * Add shared memory infrastructure for multiprocess communication\n  * Add agent authentication (challenge/response) protocol for push mode\n  * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)\n  * docs: Fix man page RST formatting for rst2man compatibility (#1813)\n  * Apply limit on keylime-policy workers\n  * tpm: fix ECC signature parsing to support variable-length coordinates\n  * tpm: fix ECC P-521 credential activation with consistent marshaling\n  * tpm: fix ECC P-521 coordinate validation\n  * Remove deprecated disabled_signing_algorithms configuration option (#1804)\n  * algorithms: add support for specific RSA algorithms\n  * algorithms: add support for specific ECC curve algorithms\n  * Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent\n  * Manpage for keylime agent\n  * Manpage for keylime verifier\n  * Manpage for keylime registrar\n  * Use constants for timeout and max retries defaults\n  * verifier: Use timeout from `request_timeout` config option\n  * revocation_notifier: Use timeout setting from config file\n  * tenant: Set timeout when getting version from agent\n  * verify/evidence: SEV-SNP evidence type/verifier\n  * verify/evidence: Add evidence type to request JSON\n\n- Version v7.13.0:\n  * Avoid re-encoding certificate stored in DB\n  * Revert \"models: Do not re-encode certificate stored in DB\"\n  * Revert \"registrar_agent: Use pyasn1 to parse PEM\"\n  * policy/sign: use print() when writing to /dev/stdout\n  * registrar_agent: Use pyasn1 to parse PEM\n  * models: Do not re-encode certificate stored in DB\n  * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events\n  * mb: support vendor_db as logged by newer shim versions\n  * mb: support EV_EFI_HANDOFF_TABLES events on PCR1\n  * Remove unnecessary configuration values\n  * cloud_verifier_tornado: handle exception in notify_error()\n  * requests_client: close the session at the end of the resource manager\n  * Manpage for keylime_tenant (#1786)\n  * Add 2.5 templates including Push Model changes\n  * Initial version of verify evidence API\n  * db: Do not read pool size and max overflow for sqlite\n  * Use context managers to close DB sessions\n  * revocations: Try to send notifications on shutdown\n  * verifier: Gracefully shutdown on signal\n  * Use `fork` as `multiprocessing` start method\n  * Fix inaccuracy in threat model and add reference to SBAT\n  * Explain TPM properties and expand vTPM discussion\n  * Fix invalid RST and update TOC\n  * Expand threat model page to include adversarial model\n  * Add --push-model option to avoid requests to agents\n  * templates: duplicate str_to_version() in the adjust script\n  * policy: fix mypy issues with rpm_repo\n  * revocation_notifier: fix mypy issue by replacing deprecated call\n  * Fix create_runtime_policy in python < 3.12\n  * Fix after review\n  * fixed CONSTANT names C0103 errors\n  * Extend meta_data field in verifierdb\n  * docs: update issue templates\n  * docs: add GitHub PR template with documentation reminders\n  * tpm_util: fix quote signature extraction for ECDSA\n  * registrar: Log API versions during startup\n  * Remove excessive logging on exception\n  * scripts: Fix coverage information downloading script\n\n- Version v7.12.1:\n  * models: Add Base64Bytes type to read and write from the database\n  * Simplify response check from registrar\n\n- Version v7.12.0:\n  * API: Add /version endpoint to registrar\n  * scripts: Download coverage data directly from Testing Farm\n  * docs: Add separate documentation for each API version\n  * scripts/create_runtime_policy.sh: fix path for the exclude list\n  * docs: add documentation for keylime-policy\n  * templates: Add the new agent.conf option 'api_versions'\n  * Enable autocompletion using argcomplete\n  * build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2\n  * Configure EPEL-10 repo in packit-ci.fmf\n  * build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1\n  * build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3\n  * build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1\n  * build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0\n  * keylime-policy: improve error handling when provided a bad key (sign)\n  * keylime-policy: exit with status 1 when the commands failed\n  * keylime-policy: use Certificate() from models.base to validate certs\n  * keylime-policy: check for valid cert file when using x509 backend (sign)\n  * keylime-policy: fix help for \"keylime-policy sign\" verb\n  * tenant: Correctly log number of tries when deleting\n  * update TCTI environment variable usage\n  * build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2\n  * keylime-policy: add `create measured-boot' subcommand\n  * keylime-policy: add `sign runtime' subcommand\n  * keylime-policy: add logger to use with the policy tool\n  * installer.sh: Restore execution permission\n  * installer: Fix string comparison\n  * build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0\n  * build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0\n  * build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0\n  * build(deps): bump actions/setup-python from 5.2.0 to 5.3.0\n  * installer.sh: updated EPEL, PEP668 Fix, logic fix\n  * build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0\n  * build(deps): bump actions/checkout from 4.2.1 to 4.2.2\n  * postgresql support for docker using psycopg2\n  * installer.sh: update package list, add workaround for PEP 668\n  * build(deps): bump actions/checkout from 4.2.0 to 4.2.1\n  * keylime.conf: full removal\n  * Drop pending SPDX-License-Identifier headers\n  * create_runtime_policy: Validate algorithm from IMA measurement log\n  * create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity\n  * create_runtime_policy: drop comment with test data\n  * create_runtime_policy: Use a common method to guess algorithm\n  * keylime-policy: rename tool to keylime-policy instead of keylime_policy\n  * keylime_policy: create runtime: remove --use-ima-measurement-list\n  * keylime_policy: use consistent arg names for create_runtime_policy\n  * build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3\n  * build(deps): bump actions/checkout from 4.1.7 to 4.2.0\n  * elchecking/example: workaround empty PK, KEK, db and dbx\n  * elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2\n  * create_runtime_policy: Fix log level for debug messages\n  * build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2\n  * build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5\n  * pylintrc: Ignore too-many-positional-arguments check\n  * keylime/web/base/controller: Move TypeAlias definition out of class\n  * create_runtime_policy: Calculate digests in multiple threads\n  * create_runtime_policy: Allow rootfs to be in any directory\n  * keylime_policy: Calculate digests from each source separately\n  * create_runtime_policy: Simplify boot_aggregate parsing\n  * ima: Validate JSON when loading IMA Keyring from string\n  * docs: include IDevID page also in the sidebar\n  * docs: point to installation guide from RHEL and SLE Micro\n  * build(deps): bump actions/setup-python from 5.1.1 to 5.2.0\n  * build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1\n  * change check_tpm_origin_check to a warning that does not prevent registration\n  * docs: Fix Runtime Policy JSON schema to reflect the reality\n  * Sets absolute path for files inside a rootfs dir\n  * policy/create_runtime_policy: fix handling of empty lines in exclude list\n  * keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)\n  * codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)\n  * codestyle: convert bytearrays to bytes to get expected type (pyright)\n  * codestyle: Use new variables after changing datatype (pyright)\n  * cert_utils: add description why loading using cryptography might fail\n  * ima: list names of the runtime policies\n  * build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0\n  * tox: Use python 3.10 instead of 3.6\n  * revocation_notifier: Use web_util to generate TLS context\n  * mba: Add a skip custom policies option when loading mba.\n  * build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1\n  * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n  * cmd/keylime_policy: add tool to handle keylime policies\n  * cert_utils: add is_x509_cert()\n  * common/algorithms: transform Encrypt and Sign class into enums\n  * common/algorithms: add method to calculate digest of a file\n  * build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0\n  * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n  * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n  * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n  * build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0\n  * build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1\n  * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n  * build(deps): bump pre-commit/action from 3.0.0 to 3.0.1\n  * tpm: Replace KDFs and ECDH implementations with python-cryptography\n  * build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0\n  * build(deps): bump docker/login-action from 2.2.0 to 3.2.0\n  * build(deps): bump actions/setup-python from 2.3.4 to 5.1.1\n  * build(deps): bump actions/first-interaction\n  * build(deps): bump actions/checkout from 2.7.0 to 4.1.7\n  * revocation_notifier: Explicitly add CA certificate bundle\n  * Introduce new REST API framework and refactor registrar implementation\n  * mba: Support named measured boot policies\n  * tenant: add friendlier error message if mTLS CA is wrongly configured\n  * ca_impl_openssl: Mark extensions as critical following RFC 5280\n  * Include Authority Key Identifier in KL-generated certs\n  * verifier, tenant: make payload for agent completely optional\n\n","id":"openSUSE-SU-2025:20159-1","modified":"2025-12-12T09:46:01Z","published":"2025-12-12T09:46:01Z","references":[{"type":"ADVISORY","url":null},{"type":"REPORT","url":"https://bugzilla.suse.com/1237153"},{"type":"REPORT","url":"https://bugzilla.suse.com/1254199"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-1057"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-13609"}],"related":["CVE-2025-1057","CVE-2025-13609"],"summary":"Security update for keylime","upstream":["CVE-2025-1057","CVE-2025-13609"]}