SUSE-SU-2025:20717-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-202520717-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20717-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2025:20717-1
Upstream
Related
Published
2025-09-16T07:50:08Z
Modified
2026-03-23T04:50:57.095667Z
Summary
Security update for rust-keylime
Details

This update for rust-keylime fixes the following issues:

  • Update vendored crate slab to version 0.4.11

    • CVE-2025-55159: Fixed incorrect bounds check in get_disjoint_mut function leading to undefined behavior or potential crash due to out-of-bounds access (bsc#1248006)
  • Update to version 0.2.8+12:

    • build(deps): bump actions/checkout from 4 to 5
    • build(deps): bump cfg-if from 1.0.0 to 1.0.1
    • build(deps): bump openssl from 0.10.72 to 0.10.73
    • build(deps): bump clap from 4.5.39 to 4.5.45
    • build(deps): bump pest from 2.8.0 to 2.8.1
    • Fix clippy warnings
    • Use verifier-provided interval for continuous attestation timing
    • Add meta object with seconds_to_next_attestation to evidence response
    • Fix boot time retrieval
    • Fix IMA log format (it must be ['text/plain']) (#1073)
    • Remove unnecessary configuration fields
    • cargo: Bump retry-policies to version 0.4.0
  • Update vendored crate shlex to version 1.3.0

    • CVE-2024-58266: Fixed command injection (bsc#1247193)
  • Update to version 0.2.7+141:

    • service: Use WantedBy=multi-user.target
    • rpm: Add subpackage for push-attestation agent
    • push-model: implement continuous attestation with configurable intervals
    • Retry registration forever in the state machine
    • Add Verifier URL to configuration
    • Align exp.backoff to current configuration format
    • Increase coverage of state machine (using Context)
    • Increase coverage of struct_filler.rs
    • Groom code (remove dead code)
    • Fix exponential backoff (10secs, 4xx accepted)
    • test: Add documentation test to tests/run.sh
    • tpm: Avoid running code example during documentation tests
    • state_machine: Always start the agent from the Unregistered state
    • Add fixes for the URL construction
    • Refactor evidences collection in push attestation agent
    • push-model: refactor attestation logic into a state machine
    • Fix body sending by allowing serializing strings (#1057)
    • Log ResilientClient errors/response status codes (#1055)
    • Add AK signing scheme and hash algorithm to negotiation
    • tpm: Add method to extract signing scheme and hash algorithm from AK
    • Allow custom content-type/accept headers
    • Integrate exponential backoff to registration (#1052)
    • keylime/structures: Rename ShaValues to PcrBanks
    • Add resilient_client for exponential backoff (#1048)
  • Update vendored crate openssl 0.10.73:

    • CVE-2025-3416: Fixed Use-After-Free in Md::fetch and Cipher::fetch (bsc#1242623)
  • Update to version 0.2.7+117:

    • Increase coverage in evidence handling structure
    • Add Capabilities Negotiations resp. missing fields
    • Fix UEFI test to check file access in all cases
    • context_info_handler: Do not assume /var/lib/keylime exists
    • Fix clippy warnings about uninlined format arguments
    • attestation: Allow unwrap() in tests
    • Increase coverage (groom code, extend unit tests)
    • Include IMA/UEFI logs in Evidence Handling request
    • Include method to get all IMA entries as string
    • Send correct list of pcr banks and sign algorithms
    • Try to fix TPM tests related issues
    • Define attestation perform asynchronous
    • Perform attestation in push model agent binary
    • Refactor code to use new attestation.rs
    • Create attestation.rs for Attestation stuff
    • Move ContextInfo management to its own handler
    • Adjust context_info.rs after rebase
    • Add attestation function to ContextInfo structure
    • Add prohibited signing algorithms, avoid ecschnorr
    • keylime/config: Use macro to implement PushModelConfigTrait
    • Introduce keylime-macros and define_view_trait
    • config: Remove KeylimeConfig structure
    • config: Remove unnecessary options and lazy initialization
    • Fix pcr_bank function to send all possible slots
    • Send Content-Type:application/json on request (#1039)
    • Send correct 'key_algorithm' in certification_keys (#1035)
    • Push Model: Persist Attestation Key to file
    • Add Keylime push model binary to root GNUmakefile
    • Use singleton to avoid multiple Context allocation
    • tests: Do not assume /var/lib/keylime exists (#1030)
    • lib/cert: Fix race condition due to use of same file path
    • payloads: Fix race condition in tests
    • Add uefiloghandler.rs to parse UEFI binary
    • Use IMA log parser to send correct entry count
    • Add IMA log parser
    • build(deps): bump once_cell from 1.19.0 to 1.21.3
    • lib/config/base.rs: Add more unit tests
    • lib/permissions: Add unit tests
    • keylime-agent: move JsonWrapper from common.rs to the library
    • lib/agent_data: Move agent_data related tests from common
    • common: Replace APIVersion with the library Version structure
    • keylime_agent: Move secure_mount.rs to the library
    • lib: Rename keylime_error.rs as error.rs
    • config: Move config to keylime library
    • config: Rename push_model_config to push_model
    • lib: Move permissions.rs from keylime-agent to the lib
    • Extract Capabilities Negotiation info from TPM (#1014)
References

Affected packages

SUSE:Linux Micro 6.0 / rust-keylime

Package

Name
rust-keylime
Purl
pkg:rpm/suse/rust-keylime&distro=SUSE%20Linux%20Micro%206.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.2.8+12-1.1

Ecosystem specific

{
    "binaries": [
        {
            "rust-keylime": "0.2.8+12-1.1"
        }
    ]
}
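The affected range above is expressed in RPM version terms: everything before 0.2.8+12-1.1 is affected, and the fix lands in the rust-keylime binary package at that EVR. Deciding whether an installed package falls inside that range needs RPM's own comparison rules, not string or float comparison ("0.2.8+9" sorts before "0.2.8+12", a "~" pre-release suffix sorts before the base version, an epoch outranks everything). The following is an added example, not part of the advisory or of rust-keylime: a Python port of the comparison algorithm in rpm's lib/rpmvercmp.c, with the advisory's event list copied in and a handful of constructed installed versions to evaluate against it.

```python
"""Evaluate the SUSE-SU-2025:20717-1 affected range for rust-keylime.

Added example (not from the advisory or the rust-keylime project). The
comparison follows rpm's lib/rpmvercmp.c; the installed versions in the
SAMPLES list are constructed for illustration only.
"""
import re

# Copied from the advisory's "Affected ranges" block.
FIXED_EVR = "0.2.8+12-1.1"
EVENTS = [{"introduced": "0"}, {"fixed": FIXED_EVR}]

_DIGITS = re.compile(r"[0-9]+")
_ALPHAS = re.compile(r"[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpmvercmp(): -1 if a is older than b, 0 if equal, 1 if newer."""
    if a == b:
        return 0
    i, j, na, nb = 0, 0, len(a), len(b)

    def is_sep(c: str) -> bool:
        # rpm treats anything that is not alphanumeric, '~' or '^' as a separator
        return not (c.isalnum() or c in "~^")

    while i < na or j < nb:
        while i < na and is_sep(a[i]):
            i += 1
        while j < nb and is_sep(b[j]):
            j += 1
        # '~' sorts before everything, including the end of the string
        ta, tb = i < na and a[i] == "~", j < nb and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' is like '~', except a string that has ended is the older base version
        ca, cb = i < na and a[i] == "^", j < nb and b[j] == "^"
        if ca or cb:
            if i >= na:
                return -1
            if j >= nb:
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= na or j >= nb:
            break
        # grab the next segment of the same type (all digits or all letters)
        isnum = a[i].isdigit()
        pat = _DIGITS if isnum else _ALPHAS
        ma, mb = pat.match(a, i), pat.match(b, j)
        if mb is None:
            # type mismatch: a numeric segment is always newer than an alpha one
            return 1 if isnum else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = ma.end(), mb.end()
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # longer number (after zero-strip) wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= na and j >= nb:
        return 0
    return -1 if i >= na else 1  # whichever side has characters left is newer


def split_evr(evr: str):
    """Split '[epoch:]version-release' into its three parts (epoch defaults to 0)."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings the way rpm does: epoch, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if int(ea) != int(eb):
        return 1 if int(ea) > int(eb) else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_affected(installed_evr: str, events=EVENTS) -> bool:
    """Walk the OSV event list in order; 'introduced' turns the flag on, 'fixed' off."""
    affected = False
    for ev in events:
        if "introduced" in ev:
            intro = ev["introduced"]
            if intro == "0" or evrcmp(installed_evr, intro) >= 0:
                affected = True
        elif "fixed" in ev and evrcmp(installed_evr, ev["fixed"]) >= 0:
            affected = False
    return affected


# Constructed sample EVRs (as `rpm -q --qf '%{EVR}\n' rust-keylime` would print them).
SAMPLES = ["0.2.7+141-1.1", "0.2.8+9-1.1", "0.2.8+12~rc1-1.1",
           "0.2.8+12-1.1", "0.2.8+12-1.2", "1:0.2.7+141-1.1"]

if __name__ == "__main__":
    for evr in SAMPLES:
        print(f"{evr:22} affected={is_affected(evr)}")
```

To run it against a real host, replace SAMPLES with the output of `rpm -q --qf '%{EVR}\n' rust-keylime`. Two of the constructed cases are the ones naive comparisons get wrong: "0.2.8+9" is affected even though "9" > "1" lexically, and "0.2.8+12~rc1" is affected because "~" sorts below the base version. An installed package carrying an epoch (the "1:" sample) compares above the fix and is reported as not affected, which is what rpm itself would conclude; if your build pipeline adds epochs, check that the rebuilt package actually carries the fixed sources rather than relying on the range alone.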

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20717-1.json"