openSUSE-SU-2025:20159-1

Описание

This update for keylime fixes the following issues:

Update to version 7.13.0+40.

Security issues fixed:

• CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate UUIDs (bsc#1254199).
• CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).

Other issues fixed and changes:

• Version 7.13.0+40:

  • Include new attestation information fields (#1818)
  • Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)
  • push-model: require HTTPS for authentication and attestation endpoints
  • Fix operational_state tracking in push mode attestations
  • templates: add push model authentication config options to 2.5 templates
  • Security: Hash authentication tokens in logs
  • Fix stale IMA policy cache in verification
  • Fix authentication behavior on failed attestations for push mode
  • Add shared memory infrastructure for multiprocess communication
  • Add agent authentication (challenge/response) protocol for push mode
  • Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)
  • docs: Fix man page RST formatting for rst2man compatibility (#1813)
  • Apply limit on keylime-policy workers
  • tpm: fix ECC signature parsing to support variable-length coordinates
  • tpm: fix ECC P-521 credential activation with consistent marshaling
  • tpm: fix ECC P-521 coordinate validation
  • Remove deprecated disabled_signing_algorithms configuration option (#1804)
  • algorithms: add support for specific RSA algorithms
  • algorithms: add support for specific ECC curve algorithms
  • Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent
  • Manpage for keylime agent
  • Manpage for keylime verifier
  • Manpage for keylime registrar
  • Use constants for timeout and max retries defaults
  • verifier: Use timeout from request_timeout config option
  • revocation_notifier: Use timeout setting from config file
  • tenant: Set timeout when getting version from agent
  • verify/evidence: SEV-SNP evidence type/verifier
  • verify/evidence: Add evidence type to request JSON

• Version v7.13.0:

  • Avoid re-encoding certificate stored in DB
  • Revert "models: Do not re-encode certificate stored in DB"
  • Revert "registrar_agent: Use pyasn1 to parse PEM"
  • policy/sign: use print() when writing to /dev/stdout
  • registrar_agent: Use pyasn1 to parse PEM
  • models: Do not re-encode certificate stored in DB
  • mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
  • mb: support vendor_db as logged by newer shim versions
  • mb: support EV_EFI_HANDOFF_TABLES events on PCR1
  • Remove unnecessary configuration values
  • cloud_verifier_tornado: handle exception in notify_error()
  • requests_client: close the session at the end of the resource manager
  • Manpage for keylime_tenant (#1786)
  • Add 2.5 templates including Push Model changes
  • Initial version of verify evidence API
  • db: Do not read pool size and max overflow for sqlite
  • Use context managers to close DB sessions
  • revocations: Try to send notifications on shutdown
  • verifier: Gracefully shutdown on signal
  • Use fork as multiprocessing start method
  • Fix inaccuracy in threat model and add reference to SBAT
  • Explain TPM properties and expand vTPM discussion
  • Fix invalid RST and update TOC
  • Expand threat model page to include adversarial model
  • Add --push-model option to avoid requests to agents
  • templates: duplicate str_to_version() in the adjust script
  • policy: fix mypy issues with rpm_repo
  • revocation_notifier: fix mypy issue by replacing deprecated call
  • Fix create_runtime_policy in python < 3.12
  • Fix after review
  • fixed CONSTANT names C0103 errors
  • Extend meta_data field in verifierdb
  • docs: update issue templates
  • docs: add GitHub PR template with documentation reminders
  • tpm_util: fix quote signature extraction for ECDSA
  • registrar: Log API versions during startup
  • Remove excessive logging on exception
  • scripts: Fix coverage information downloading script

• Version v7.12.1:

  • models: Add Base64Bytes type to read and write from the database
  • Simplify response check from registrar

• Version v7.12.0:

  • API: Add /version endpoint to registrar
  • scripts: Download coverage data directly from Testing Farm
  • docs: Add separate documentation for each API version
  • scripts/create_runtime_policy.sh: fix path for the exclude list
  • docs: add documentation for keylime-policy
  • templates: Add the new agent.conf option 'api_versions'
  • Enable autocompletion using argcomplete
  • build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2
  • Configure EPEL-10 repo in packit-ci.fmf
  • build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1
  • build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3
  • build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1
  • build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0
  • keylime-policy: improve error handling when provided a bad key (sign)
  • keylime-policy: exit with status 1 when the commands failed
  • keylime-policy: use Certificate() from models.base to validate certs
  • keylime-policy: check for valid cert file when using x509 backend (sign)
  • keylime-policy: fix help for "keylime-policy sign" verb
  • tenant: Correctly log number of tries when deleting
  • update TCTI environment variable usage
  • build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2
  • keylime-policy: add `create measured-boot' subcommand
  • keylime-policy: add `sign runtime' subcommand
  • keylime-policy: add logger to use with the policy tool
  • installer.sh: Restore execution permission
  • installer: Fix string comparison
  • build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0
  • build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0
  • build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0
  • build(deps): bump actions/setup-python from 5.2.0 to 5.3.0
  • installer.sh: updated EPEL, PEP668 Fix, logic fix
  • build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0
  • build(deps): bump actions/checkout from 4.2.1 to 4.2.2
  • postgresql support for docker using psycopg2
  • installer.sh: update package list, add workaround for PEP 668
  • build(deps): bump actions/checkout from 4.2.0 to 4.2.1
  • keylime.conf: full removal
  • Drop pending SPDX-License-Identifier headers
  • create_runtime_policy: Validate algorithm from IMA measurement log
  • create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity
  • create_runtime_policy: drop commment with test data
  • create_runtime_policy: Use a common method to guess algorithm
  • keylime-policy: rename tool to keylime-policy instead of keylime_policy
  • keylime_policy: create runtime: remove --use-ima-measurement-list
  • keylime_policy: use consistent arg names for create_runtime_policy
  • build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3
  • build(deps): bump actions/checkout from 4.1.7 to 4.2.0
  • elchecking/example: workaround empty PK, KEK, db and dbx
  • elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2
  • create_runtime_policy: Fix log level for debug messages
  • build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2
  • build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5
  • pylintrc: Ignore too-many-positional-arguments check
  • keylime/web/base/controller: Move TypeAlias definition out of class
  • create_runtime_policy: Calculate digests in multiple threads
  • create_runtime_policy: Allow rootfs to be in any directory
  • keylime_policy: Calculate digests from each source separately
  • create_runtime_policy: Simplify boot_aggregate parsing
  • ima: Validate JSON when loading IMA Keyring from string
  • docs: include IDevID page also in the sidebar
  • docs: point to installation guide from RHEL and SLE Micro
  • build(deps): bump actions/setup-python from 5.1.1 to 5.2.0
  • build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1
  • change check_tpm_origin_check to a warning that does not prevent registration
  • docs: Fix Runtime Policy JSON schema to reflect the reality
  • Sets absolute path for files inside a rootfs dir
  • policy/create_runtime_policy: fix handling of empty lines in exclude list
  • keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)
  • codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)
  • codestyle: convert bytearrays to bytes to get expected type (pyright)
  • codestyle: Use new variables after changing datatype (pyright)
  • cert_utils: add description why loading using cryptography might fail
  • ima: list names of the runtime policies
  • build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0
  • tox: Use python 3.10 instead of 3.6
  • revocation_notifier: Use web_util to generate TLS context
  • mba: Add a skip custom policies option when loading mba.
  • build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1
  • build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
  • cmd/keylime_policy: add tool to handle keylime policies
  • cert_utils: add is_x509_cert()
  • common/algorithms: transform Encrypt and Sign class into enums
  • common/algorithms: add method to calculate digest of a file
  • build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0
  • build(deps): bump docker/login-action from 3.2.0 to 3.3.0
  • build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
  • build(deps): bump docker/login-action from 3.2.0 to 3.3.0
  • build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0
  • build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1
  • build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
  • build(deps): bump pre-commit/action from 3.0.0 to 3.0.1
  • tpm: Replace KDFs and ECDH implementations with python-cryptography
  • build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0
  • build(deps): bump docker/login-action from 2.2.0 to 3.2.0
  • build(deps): bump actions/setup-python from 2.3.4 to 5.1.1
  • build(deps): bump actions/first-interaction
  • build(deps): bump actions/checkout from 2.7.0 to 4.1.7
  • revocation_notifier: Explicitly add CA certificate bundle
  • Introduce new REST API framework and refactor registrar implementation
  • mba: Support named measured boot policies
  • tenant: add friendlier error message if mTLS CA is wrongly configured
  • ca_impl_openssl: Mark extensions as critical following RFC 5280
  • Include Authority Key Identifier in KL-generated certs
  • verifier, tenant: make payload for agent completely optional