Stay Secure with the Latest Linux Advisories

security advisorydenial of servicecritical

openSUSE 16.0: Keylime Critical Issues CVE-2025-1057 2025-20159-1

An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.. openSUSE security update: security update for keylime ------------------------------------------------------------- Announcement ID: openSUSE-SU-2025-20159-1 Rating: critical References: * bsc#1237153 * bsc#1254199 Cross-References: * CVE-2025-1057 * CVE-2025-13609 CVSS scores: * CVE-2025-13609 ( SUSE ): 9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H * CVE-2025-13609 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed. Description: This update for keylime fixes the following issues: Update to version 7.13.0+40. Security issues fixed: - CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate UUIDs (bsc#1254199). - CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153). Other issues fixed and changes: - Version 7.13.0+40: * Include new attestation information fields (#1818) * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823) * push-model: require HTTPS for authentication and attestation endpoints * Fix operational_state tracking in push mode attestations * templates: add push model authentication config options to 2.5 templates * Security: Hash authentication tokens in logs * Fix stale IMA policy cache in verification * Fix authentication behavior on failed attestations for push mode * Add shared memory infrastructure for multiprocess communication * Add agent authentication (challenge/response) protocol for push mode * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814) * docs: Fix man page RST formatting for rst2man compatibility (#1813) * Apply limit on keylime-policy workers * tpm:fix ECC signature parsing to support variable-length coordinates * tpm: fix ECC P-521 credential activation with consistent marshaling * tpm: fix ECC P-521 coordinate validation * Remove deprecated disabled_signing_algorithms configuration option (#1804) * algorithms: add support for specific RSA algorithms * algorithms: add support for specific ECC curve algorithms * Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent * Manpage for keylime agent * Manpage for keylime verifier * Manpage for keylime registrar * Use constants for timeout and max retries defaults * verifier: Use timeout from `request_timeout` config option * revocation_notifier: Use timeout setting from config file * tenant: Set timeout when getting version from agent * verify/evidence: SEV-SNP evidence type/verifier * verify/evidence: Add evidence type to request JSON - Version v7.13.0: * Avoid re-encoding certificate stored in DB * Revert "models: Do not re-encode certificate stored in DB" * Revert "registrar_agent: Use pyasn1 to parse PEM" * policy/sign: use print() when writing to /dev/stdout * registrar_agent: Use pyasn1 to parse PEM * models: Do not re-encode certificate stored in DB * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events * mb: support vendor_db as logged by newer shim versions * mb: support EV_EFI_HANDOFF_TABLES events on PCR1 * Remove unnecessary configuration values * cloud_verifier_tornado: handle exception in notify_error() * requests_client: close the session at the end of the resource manager * Manpage for keylime_tenant (#1786) * Add 2.5 templates including Push Model changes * Initial version of verify evidence API * db: Do not read pool size and max overflow for sqlite * Use context managers to close DB sessions * revocations: Try to send notifications on shutdown * verifier: Gracefully shutdown on signal * Use `fork` as `multiprocessing` start method * Fix inaccuracy in threat model and addreference to SBAT * Explain TPM properties and expand vTPM discussion * Fix invalid RST and update TOC * Expand threat model page to include adversarial model * Add --push-model option to avoid requests to agents * templates: duplicate str_to_version() in the adjust script * policy: fix mypy issues with rpm_repo * revocation_notifier: fix mypy issue by replacing deprecated call * Fix create_runtime_policy in python < 3.12 * Fix after review * fixed CONSTANT names C0103 errors * Extend meta_data field in verifierdb * docs: update issue templates * docs: add GitHub PR template with documentation reminders * tpm_util: fix quote signature extraction for ECDSA * registrar: Log API versions during startup * Remove excessive logging on exception * scripts: Fix coverage information downloading script - Version v7.12.1: * models: Add Base64Bytes type to read and write from the database * Simplify response check from registrar - Version v7.12.0: * API: Add /version endpoint to registrar * scripts: Download coverage data directly from Testing Farm * docs: Add separate documentation for each API version * scripts/create_runtime_policy.sh: fix path for the exclude list * docs: add documentation for keylime-policy * templates: Add the new agent.conf option 'api_versions' * Enable autocompletion using argcomplete * build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2 * Configure EPEL-10 repo in packit-ci.fmf * build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1 * build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3 * build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1 * build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0 * keylime-policy: improve error handling when provided a bad key (sign) * keylime-policy: exit with status 1 when the commands failed * keylime-policy: use Certificate() from models.base to validate certs * keylime-policy: check for valid cert file when using x509 backend (sign) *keylime-policy: fix help for "keylime-policy sign" verb * tenant: Correctly log number of tries when deleting * update TCTI environment variable usage * build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2 * keylime-policy: add `create measured-boot' subcommand * keylime-policy: add `sign runtime' subcommand * keylime-policy: add logger to use with the policy tool * installer.sh: Restore execution permission * installer: Fix string comparison * build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0 * build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0 * build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0 * build(deps): bump actions/setup-python from 5.2.0 to 5.3.0 * installer.sh: updated EPEL, PEP668 Fix, logic fix * build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0 * build(deps): bump actions/checkout from 4.2.1 to 4.2.2 * postgresql support for docker using psycopg2 * installer.sh: update package list, add workaround for PEP 668 * build(deps): bump actions/checkout from 4.2.0 to 4.2.1 * keylime.conf: full removal * Drop pending SPDX-License-Identifier headers * create_runtime_policy: Validate algorithm from IMA measurement log * create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity * create_runtime_policy: drop commment with test data * create_runtime_policy: Use a common method to guess algorithm * keylime-policy: rename tool to keylime-policy instead of keylime_policy * keylime_policy: create runtime: remove --use-ima-measurement-list * keylime_policy: use consistent arg names for create_runtime_policy * build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3 * build(deps): bump actions/checkout from 4.1.7 to 4.2.0 * elchecking/example: workaround empty PK, KEK, db and dbx * elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2 * create_runtime_policy: Fix log level for debug messages * build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2 *build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5 * pylintrc: Ignore too-many-positional-arguments check * keylime/web/base/controller: Move TypeAlias definition out of class * create_runtime_policy: Calculate digests in multiple threads * create_runtime_policy: Allow rootfs to be in any directory * keylime_policy: Calculate digests from each source separately * create_runtime_policy: Simplify boot_aggregate parsing * ima: Validate JSON when loading IMA Keyring from string * docs: include IDevID page also in the sidebar * docs: point to installation guide from RHEL and SLE Micro * build(deps): bump actions/setup-python from 5.1.1 to 5.2.0 * build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1 * change check_tpm_origin_check to a warning that does not prevent registration * docs: Fix Runtime Policy JSON schema to reflect the reality * Sets absolute path for files inside a rootfs dir * policy/create_runtime_policy: fix handling of empty lines in exclude list * keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo) * codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright) * codestyle: convert bytearrays to bytes to get expected type (pyright) * codestyle: Use new variables after changing datatype (pyright) * cert_utils: add description why loading using cryptography might fail * ima: list names of the runtime policies * build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0 * tox: Use python 3.10 instead of 3.6 * revocation_notifier: Use web_util to generate TLS context * mba: Add a skip custom policies option when loading mba. * build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1 * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1 * cmd/keylime_policy: add tool to handle keylime policies * cert_utils: add is_x509_cert() * common/algorithms: transform Encrypt and Sign class into enums * common/algorithms: add method to calculate digest of a file * build(deps):bump docker/build-push-action from 4.2.1 to 6.5.0 * build(deps): bump docker/login-action from 3.2.0 to 3.3.0 * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1 * build(deps): bump docker/login-action from 3.2.0 to 3.3.0 * build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0 * build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1 * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1 * build(deps): bump pre-commit/action from 3.0.0 to 3.0.1 * tpm: Replace KDFs and ECDH implementations with python-cryptography * build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0 * build(deps): bump docker/login-action from 2.2.0 to 3.2.0 * build(deps): bump actions/setup-python from 2.3.4 to 5.1.1 * build(deps): bump actions/first-interaction * build(deps): bump actions/checkout from 2.7.0 to 4.1.7 * revocation_notifier: Explicitly add CA certificate bundle * Introduce new REST API framework and refactor registrar implementation * mba: Support named measured boot policies * tenant: add friendlier error message if mTLS CA is wrongly configured * ca_impl_openssl: Mark extensions as critical following RFC 5280 * Include Authority Key Identifier in KL-generated certs * verifier, tenant: make payload for agent completely optional Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-104=1 Package List: - openSUSE Leap 16.0: keylime-config-7.13.0+40-160000.1.1 keylime-firewalld-7.13.0+40-160000.1.1 keylime-logrotate-7.13.0+40-160000.1.1 keylime-registrar-7.13.0+40-160000.1.1 keylime-tenant-7.13.0+40-160000.1.1 keylime-tpm_cert_store-7.13.0+40-160000.1.1 keylime-verifier-7.13.0+40-160000.1.1 python313-keylime-7.13.0+40-160000.1.1 References: *https://www.suse.com/security/cve/CVE-2025-1057.html * https://www.suse.com/security/cve/CVE-2025-13609.html . Critical security update for openSUSE addresses two significant vulnerabilities in keylime and provides patching instructions.. Linux security update, openSUSE vulnerabilities, keylime security. . Severity: Critical. LinuxSecurity.com Team

Dec 14, 2025 •Critical OpenSUSE