--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2b8b223cf0
2026-03-07 00:17:58.500932+00:00
--------------------------------------------------------------------------------
Name        : keylime-agent-rust
Product     : Fedora 44
Version     : 0.2.9
Release     : 1.fc44
URL         : https://github.com/keylime/rust-keylime/
Summary     : The Keylime agent
Description :
The Keylime agent
--------------------------------------------------------------------------------
Update Information:

Update keylime to version 7.14.1 and keylime-agent-rust to version 0.2.9
Fixes: CVE-2026-1709 and CVE-2025-13609
--------------------------------------------------------------------------------
ChangeLog:

* Fri Feb 13 2026 Anderson Toshiyuki Sasaki - 0.2.9-1
- Update to upstream version 0.2.9
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2416761 - CVE-2025-13609 keylime: Keylime: Registrar allows identity takeover via duplicate UUID registration
        https://bugzilla.redhat.com/show_bug.cgi?id=2416761
  [ 2 ] Bug #2435514 - CVE-2026-1709 keylime: Keylime: Authentication bypass allows unauthorized administrative operations due to missing client-side TLS authentication
        https://bugzilla.redhat.com/show_bug.cgi?id=2435514
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2b8b223cf0' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
_______________________________________________
package-announce mailing list
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-2b8b223cf0
2026-03-07 00:17:58.500932+00:00
--------------------------------------------------------------------------------
Name        : keylime
Product     : Fedora 44
Version     : 7.14.1
Release     : 1.fc44
URL         : https://github.com/keylime/keylime
Summary     : Open source TPM software for Bootstrapping and Maintaining Trust
Description :
Keylime is a TPM based highly scalable remote boot attestation and runtime
integrity measurement solution.
--------------------------------------------------------------------------------
Update Information:

Update keylime to version 7.14.1 and keylime-agent-rust to version 0.2.9
Fixes: CVE-2026-1709 and CVE-2025-13609
--------------------------------------------------------------------------------
ChangeLog:

* Fri Feb 13 2026 Sergio Correia - 7.14.1-1
- Updating for Keylime release v7.14.1
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2416761 - CVE-2025-13609 keylime: Keylime: Registrar allows identity takeover via duplicate UUID registration
        https://bugzilla.redhat.com/show_bug.cgi?id=2416761
  [ 2 ] Bug #2435514 - CVE-2026-1709 keylime: Keylime: Authentication bypass allows unauthorized administrative operations due to missing client-side TLS authentication
        https://bugzilla.redhat.com/show_bug.cgi?id=2435514
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-2b8b223cf0' at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Oracle Linux Security Advisory ELSA-2025-23201

http://linux.oracle.com/errata/ELSA-2025-23201.html

The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network:

x86_64:
keylime-7.12.1-11.el10_1.3.x86_64.rpm
keylime-base-7.12.1-11.el10_1.3.x86_64.rpm
keylime-registrar-7.12.1-11.el10_1.3.x86_64.rpm
keylime-selinux-7.12.1-11.el10_1.3.noarch.rpm
keylime-tenant-7.12.1-11.el10_1.3.x86_64.rpm
keylime-tools-7.12.1-11.el10_1.3.x86_64.rpm
keylime-verifier-7.12.1-11.el10_1.3.x86_64.rpm
python3-keylime-7.12.1-11.el10_1.3.x86_64.rpm

aarch64:
keylime-7.12.1-11.el10_1.3.aarch64.rpm
keylime-base-7.12.1-11.el10_1.3.aarch64.rpm
keylime-registrar-7.12.1-11.el10_1.3.aarch64.rpm
keylime-selinux-7.12.1-11.el10_1.3.noarch.rpm
keylime-tenant-7.12.1-11.el10_1.3.aarch64.rpm
keylime-tools-7.12.1-11.el10_1.3.aarch64.rpm
keylime-verifier-7.12.1-11.el10_1.3.aarch64.rpm
python3-keylime-7.12.1-11.el10_1.3.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol10/SRPMS-updates/keylime-7.12.1-11.el10_1.3.src.rpm

Related CVEs:
CVE-2025-13609

Description of changes:

[7.12.1-15]
- Registrar allows identity takeover via duplicate UUID registration

[7.12.1-14]
- Properly fix malformed TPM certificates workaround

[7.12.1-13]
- Avoid opening /dev/stdout when printing

[7.12.1-12]
- Fix malformed TPM certificates workaround

_______________________________________________
El-errata mailing list
Oracle Linux Security Advisory ELSA-2025-23210

http://linux.oracle.com/errata/ELSA-2025-23210.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
keylime-7.12.1-11.el9_7.3.x86_64.rpm
keylime-base-7.12.1-11.el9_7.3.x86_64.rpm
keylime-registrar-7.12.1-11.el9_7.3.x86_64.rpm
keylime-selinux-7.12.1-11.el9_7.3.noarch.rpm
keylime-tenant-7.12.1-11.el9_7.3.x86_64.rpm
keylime-verifier-7.12.1-11.el9_7.3.x86_64.rpm
python3-keylime-7.12.1-11.el9_7.3.x86_64.rpm

aarch64:
keylime-7.12.1-11.el9_7.3.aarch64.rpm
keylime-base-7.12.1-11.el9_7.3.aarch64.rpm
keylime-registrar-7.12.1-11.el9_7.3.aarch64.rpm
keylime-selinux-7.12.1-11.el9_7.3.noarch.rpm
keylime-tenant-7.12.1-11.el9_7.3.aarch64.rpm
keylime-verifier-7.12.1-11.el9_7.3.aarch64.rpm
python3-keylime-7.12.1-11.el9_7.3.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/keylime-7.12.1-11.el9_7.3.src.rpm

Related CVEs:
CVE-2025-13609

Description of changes:

[7.12.1-11.3]
- Registrar allows identity takeover via duplicate UUID registration
  Resolves: RHEL-130760

[7.12.1-11.2]
- Properly fix the malformed certificate workaround
  Resolves: RHEL-111244
# Security update for keylime

Announcement ID: SUSE-SU-2025:21194-1
Release Date: 2025-12-12T09:46:14Z
Rating: critical
References:
  * bsc#1237153
  * bsc#1254199
Cross-References:
  * CVE-2025-1057
  * CVE-2025-13609
CVSS scores:
  * CVE-2025-1057 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  * CVE-2025-13609 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H
  * CVE-2025-13609 ( SUSE ): 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  * CVE-2025-13609 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L
Affected Products:
  * SUSE Linux Enterprise Server 16.0
  * SUSE Linux Enterprise Server for SAP Applications 16.0

An update that solves two vulnerabilities can now be installed.

## Description:

This update for keylime fixes the following issues:

Update to version 7.13.0+40.

Security issues fixed:

* CVE-2025-13609: possible agent identity takeover due to the registrar allowing the registration of agents with duplicate UUIDs (bsc#1254199).
* CVE-2025-1057: registrar denial of service due to backward incompatibility in database type handling (bsc#1237153).

Other issues fixed and changes:

* Version 7.13.0+40:
  * Include new attestation information fields (#1818)
  * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)
  * push-model: require HTTPS for authentication and attestation endpoints
  * Fix operational_state tracking in push mode attestations
  * templates: add push model authentication config options to 2.5 templates
  * Security: Hash authentication tokens in logs
  * Fix stale IMA policy cache in verification
  * Fix authentication behavior on failed attestations for push mode
  * Add shared memory infrastructure for multiprocess communication
  * Add agent authentication (challenge/response) protocol for push mode
  * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)
  * docs: Fix man page RST formatting for rst2man compatibility (#1813)
  * Apply limit on keylime-policy workers
  * tpm: fix ECC signature parsing to support variable-length coordinates
  * tpm: fix ECC P-521 credential activation with consistent marshaling
  * tpm: fix ECC P-521 coordinate validation
  * Remove deprecated disabled_signing_algorithms configuration option (#1804)
  * algorithms: add support for specific RSA algorithms
  * algorithms: add support for specific ECC curve algorithms
  * Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent
  * Manpage for keylime agent
  * Manpage for keylime verifier
  * Manpage for keylime registrar
  * Use constants for timeout and max retries defaults
  * verifier: Use timeout from `request_timeout` config option
  * revocation_notifier: Use timeout setting from config file
  * tenant: Set timeout when getting version from agent
  * verify/evidence: SEV-SNP evidence type/verifier
  * verify/evidence: Add evidence type to request JSON
* Version v7.13.0:
  * Avoid re-encoding certificate stored in DB
  * Revert "models: Do not re-encode certificate stored in DB"
  * Revert "registrar_agent: Use pyasn1 to parse PEM"
  * policy/sign: use print() when writing to /dev/stdout
  * registrar_agent: Use pyasn1 to parse PEM
  * models: Do not re-encode certificate stored in DB
  * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
  * mb: support vendor_db as logged by newer shim versions
  * mb: support EV_EFI_HANDOFF_TABLES events on PCR1
  * Remove unnecessary configuration values
  * cloud_verifier_tornado: handle exception in notify_error()
  * requests_client: close the session at the end of the resource manager
  * Manpage for keylime_tenant (#1786)
  * Add 2.5 templates including Push Model changes
  * Initial version of verify evidence API
  * db: Do not read pool size and max overflow for sqlite
  * Use context managers to close DB sessions
  * revocations: Try to send notifications on shutdown
  * verifier: Gracefully shutdown on signal
  * Use `fork` as `multiprocessing` start method
  * Fix inaccuracy in threat model and add reference to SBAT
  * Explain TPM properties and expand vTPM discussion
  * Fix invalid RST and update TOC
  * Expand threat model page to include adversarial model
  * Add --push-model option to avoid requests to agents
  * templates: duplicate str_to_version() in the adjust script
  * policy: fix mypy issues with rpm_repo
  * revocation_notifier: fix mypy issue by replacing deprecated call
  * Fix create_runtime_policy in python < 3.12
  * Fix after review
  * fixed CONSTANT names C0103 errors
  * Extend meta_data field in verifierdb
  * docs: update issue templates
  * docs: add GitHub PR template with documentation reminders
  * tpm_util: fix quote signature extraction for ECDSA
  * registrar: Log API versions during startup
  * Remove excessive logging on exception
  * scripts: Fix coverage information downloading script
* Version v7.12.1:
  * models: Add Base64Bytes type to read and write from the database
  * Simplify response check from registrar
* Version v7.12.0:
  * API: Add /version endpoint to registrar
  * scripts: Download coverage data directly from Testing Farm
  * docs: Add separate documentation for each API version
  * scripts/create_runtime_policy.sh: fix path for the exclude list
  * docs: add documentation for keylime-policy
  * templates: Add the new agent.conf option 'api_versions'
  * Enable autocompletion using argcomplete
  * build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2
  * Configure EPEL-10 repo in packit-ci.fmf
  * build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1
  * build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3
  * build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1
  * build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0
  * keylime-policy: improve error handling when provided a bad key (sign)
  * keylime-policy: exit with status 1 when the commands failed
  * keylime-policy: use Certificate() from models.base to validate certs
  * keylime-policy: check for valid cert file when using x509 backend (sign)
  * keylime-policy: fix help for "keylime-policy sign" verb
  * tenant: Correctly log number of tries when deleting
  * update TCTI environment variable usage
  * build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2
  * keylime-policy: add `create measured-boot' subcommand
  * keylime-policy: add `sign runtime' subcommand
  * keylime-policy: add logger to use with the policy tool
  * installer.sh: Restore execution permission
  * installer: Fix string comparison
  * build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0
  * build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0
  * build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0
  * build(deps): bump actions/setup-python from 5.2.0 to 5.3.0
  * installer.sh: updated EPEL, PEP668 Fix, logic fix
  * build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0
  * build(deps): bump actions/checkout from 4.2.1 to 4.2.2
  * postgresql support for docker using psycopg2
  * installer.sh: update package list, add workaround for PEP 668
  * build(deps): bump actions/checkout from 4.2.0 to 4.2.1
  * keylime.conf: full removal
  * Drop pending SPDX-License-Identifier headers
  * create_runtime_policy: Validate algorithm from IMA measurement log
  * create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity
  * create_runtime_policy: drop comment with test data
  * create_runtime_policy: Use a common method to guess algorithm
  * keylime-policy: rename tool to keylime-policy instead of keylime_policy
  * keylime_policy: create runtime: remove --use-ima-measurement-list
  * keylime_policy: use consistent arg names for create_runtime_policy
  * build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3
  * build(deps): bump actions/checkout from 4.1.7 to 4.2.0
  * elchecking/example: workaround empty PK, KEK, db and dbx
  * elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2
  * create_runtime_policy: Fix log level for debug messages
  * build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2
  * build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5
  * pylintrc: Ignore too-many-positional-arguments check
  * keylime/web/base/controller: Move TypeAlias definition out of class
  * create_runtime_policy: Calculate digests in multiple threads
  * create_runtime_policy: Allow rootfs to be in any directory
  * keylime_policy: Calculate digests from each source separately
  * create_runtime_policy: Simplify boot_aggregate parsing
  * ima: Validate JSON when loading IMA Keyring from string
  * docs: include IDevID page also in the sidebar
  * docs: point to installation guide from RHEL and SLE Micro
  * build(deps): bump actions/setup-python from 5.1.1 to 5.2.0
  * build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1
  * change check_tpm_origin_check to a warning that does not prevent registration
  * docs: Fix Runtime Policy JSON schema to reflect the reality
  * Sets absolute path for files inside a rootfs dir
  * policy/create_runtime_policy: fix handling of empty lines in exclude list
  * keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)
  * codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)
  * codestyle: convert bytearrays to bytes to get expected type (pyright)
  * codestyle: Use new variables after changing datatype (pyright)
  * cert_utils: add description why loading using cryptography might fail
  * ima: list names of the runtime policies
  * build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0
  * tox: Use python 3.10 instead of 3.6
  * revocation_notifier: Use web_util to generate TLS context
  * mba: Add a skip custom policies option when loading mba.
  * build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1
  * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
  * cmd/keylime_policy: add tool to handle keylime policies
  * cert_utils: add is_x509_cert()
  * common/algorithms: transform Encrypt and Sign class into enums
  * common/algorithms: add method to calculate digest of a file
  * build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0
  * build(deps): bump docker/login-action from 3.2.0 to 3.3.0
  * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
  * build(deps): bump docker/login-action from 3.2.0 to 3.3.0
  * build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0
  * build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1
  * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
  * build(deps): bump pre-commit/action from 3.0.0 to 3.0.1
  * tpm: Replace KDFs and ECDH implementations with python-cryptography
  * build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0
  * build(deps): bump docker/login-action from 2.2.0 to 3.2.0
  * build(deps): bump actions/setup-python from 2.3.4 to 5.1.1
  * build(deps): bump actions/first-interaction
  * build(deps): bump actions/checkout from 2.7.0 to 4.1.7
  * revocation_notifier: Explicitly add CA certificate bundle
  * Introduce new REST API framework and refactor registrar implementation
  * mba: Support named measured boot policies
  * tenant: add friendlier error message if mTLS CA is wrongly configured
  * ca_impl_openssl: Mark extensions as critical following RFC 5280
  * Include Authority Key Identifier in KL-generated certs
  * verifier, tenant: make payload for agent completely optional

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server 16.0
  zypper in -t patch SUSE-SLES-16.0-104=1
* SUSE Linux Enterprise Server for SAP Applications 16.0
  zypper in -t patch SUSE-SLES-16.0-104=1

## Package List:

* SUSE Linux Enterprise Server 16.0 (noarch)
  * keylime-verifier-7.13.0+40-160000.1.1
  * keylime-logrotate-7.13.0+40-160000.1.1
  * python313-keylime-7.13.0+40-160000.1.1
  * keylime-registrar-7.13.0+40-160000.1.1
  * keylime-config-7.13.0+40-160000.1.1
  * keylime-tpm_cert_store-7.13.0+40-160000.1.1
  * keylime-tenant-7.13.0+40-160000.1.1
  * keylime-firewalld-7.13.0+40-160000.1.1
* SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
  * keylime-verifier-7.13.0+40-160000.1.1
  * keylime-logrotate-7.13.0+40-160000.1.1
  * python313-keylime-7.13.0+40-160000.1.1
  * keylime-registrar-7.13.0+40-160000.1.1
  * keylime-config-7.13.0+40-160000.1.1
  * keylime-tpm_cert_store-7.13.0+40-160000.1.1
  * keylime-tenant-7.13.0+40-160000.1.1
  * keylime-firewalld-7.13.0+40-160000.1.1

## References:

* https://www.suse.com/security/cve/CVE-2025-1057.html
* https://www.suse.com/security/cve/CVE-2025-13609.html
* https://bugzilla.suse.com/show_bug.cgi?id=1237153
* https://bugzilla.suse.com/show_bug.cgi?id=1254199

Severity: Critical
LinuxSecurity.com Team