CVE-2025-1057 (GCVE-0-2025-1057)
Vulnerability from cvelistv5
- CWE-704 - Incorrect Type Conversion or Cast
| Vendor | Product | Version |
|---|---|---|
| | | Version: 7.12.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1057",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T17:01:10.891516Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T17:01:26.257Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/keylime/keylime",
"defaultStatus": "unaffected",
"packageName": "keylime",
"versions": [
{
"status": "affected",
"version": "7.12.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10"
],
"defaultStatus": "unaffected",
"packageName": "keylime",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:9"
],
"defaultStatus": "unaffected",
"packageName": "keylime",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Anderson Toshiyuki Sasaki for reporting this issue."
}
],
"datePublic": "2025-02-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-704",
"description": "Incorrect Type Conversion or Cast",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-20T20:00:38.850Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-1057"
},
{
"name": "RHBZ#2343894",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2343894"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-05T09:47:52.149000+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-02-05T00:00:00+00:00",
"value": "Made public."
}
],
"title": "Keylime: keylime registrar dos due to incompatible database entry handling",
"x_redhatCweChain": "CWE-704: Incorrect Type Conversion or Cast"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-1057",
"datePublished": "2025-03-15T08:50:48.649Z",
"dateReserved": "2025-02-05T09:57:50.746Z",
"dateUpdated": "2025-11-20T20:00:38.850Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-1057\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2025-03-15T09:15:10.770\",\"lastModified\":\"2025-03-15T09:15:10.770\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-704\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2025-1057\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2343894\",\"source\":\"secalert@redhat.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-1057\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-17T17:01:10.891516Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-17T17:01:17.753Z\"}}], \"cna\": {\"title\": \"Keylime: keylime registrar dos due to incompatible database entry handling\", \"credits\": [{\"lang\": \"en\", \"value\": \"Red Hat would like to thank Anderson Toshiyuki Sasaki for reporting this issue.\"}], \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Moderate\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"versions\": [{\"status\": \"affected\", \"version\": \"7.12.0\", \"versionType\": \"semver\"}], \"packageName\": \"keylime\", \"collectionURL\": \"https://github.com/keylime/keylime\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"packageName\": \"keylime\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat 
Enterprise Linux 9\", \"packageName\": \"keylime\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-02-05T09:47:52.149000+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2025-02-05T00:00:00+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2025-02-05T00:00:00.000Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2025-1057\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2343894\", \"name\": \"RHBZ#2343894\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-704\", \"description\": \"Incorrect Type Conversion or Cast\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2025-11-20T20:00:38.850Z\"}, \"x_redhatCweChain\": \"CWE-704: Incorrect Type Conversion or Cast\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-1057\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-20T20:00:38.850Z\", \"dateReserved\": \"2025-02-05T09:57:50.746Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2025-03-15T08:50:48.649Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
opensuse-su-2025:20159-1
Vulnerability from csaf_opensuse
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for keylime",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for keylime fixes the following issues:\n\nUpdate to version 7.13.0+40.\n\nSecurity issues fixed:\n\n- CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate\n UUIDs (bsc#1254199).\n- CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).\n\nOther issues fixed and changes:\n\n- Version 7.13.0+40:\n * Include new attestation information fields (#1818)\n * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)\n * push-model: require HTTPS for authentication and attestation endpoints\n * Fix operational_state tracking in push mode attestations\n * templates: add push model authentication config options to 2.5 templates\n * Security: Hash authentication tokens in logs\n * Fix stale IMA policy cache in verification\n * Fix authentication behavior on failed attestations for push mode\n * Add shared memory infrastructure for multiprocess communication\n * Add agent authentication (challenge/response) protocol for push mode\n * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)\n * docs: Fix man page RST formatting for rst2man compatibility (#1813)\n * Apply limit on keylime-policy workers\n * tpm: fix ECC signature parsing to support variable-length coordinates\n * tpm: fix ECC P-521 credential activation with consistent marshaling\n * tpm: fix ECC P-521 coordinate validation\n * Remove deprecated disabled_signing_algorithms configuration option (#1804)\n * algorithms: add support for specific RSA algorithms\n * algorithms: add support for specific ECC curve algorithms\n * Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent\n * Manpage for keylime agent\n * Manpage for keylime verifier\n * Manpage for keylime registrar\n * Use constants for timeout and max retries defaults\n * verifier: Use timeout from `request_timeout` config option\n * 
revocation_notifier: Use timeout setting from config file\n * tenant: Set timeout when getting version from agent\n * verify/evidence: SEV-SNP evidence type/verifier\n * verify/evidence: Add evidence type to request JSON\n\n- Version v7.13.0:\n * Avoid re-encoding certificate stored in DB\n * Revert \"models: Do not re-encode certificate stored in DB\"\n * Revert \"registrar_agent: Use pyasn1 to parse PEM\"\n * policy/sign: use print() when writing to /dev/stdout\n * registrar_agent: Use pyasn1 to parse PEM\n * models: Do not re-encode certificate stored in DB\n * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events\n * mb: support vendor_db as logged by newer shim versions\n * mb: support EV_EFI_HANDOFF_TABLES events on PCR1\n * Remove unnecessary configuration values\n * cloud_verifier_tornado: handle exception in notify_error()\n * requests_client: close the session at the end of the resource manager\n * Manpage for keylime_tenant (#1786)\n * Add 2.5 templates including Push Model changes\n * Initial version of verify evidence API\n * db: Do not read pool size and max overflow for sqlite\n * Use context managers to close DB sessions\n * revocations: Try to send notifications on shutdown\n * verifier: Gracefully shutdown on signal\n * Use `fork` as `multiprocessing` start method\n * Fix inaccuracy in threat model and add reference to SBAT\n * Explain TPM properties and expand vTPM discussion\n * Fix invalid RST and update TOC\n * Expand threat model page to include adversarial model\n * Add --push-model option to avoid requests to agents\n * templates: duplicate str_to_version() in the adjust script\n * policy: fix mypy issues with rpm_repo\n * revocation_notifier: fix mypy issue by replacing deprecated call\n * Fix create_runtime_policy in python \u003c 3.12\n * Fix after review\n * fixed CONSTANT names C0103 errors\n * Extend meta_data field in verifierdb\n * docs: update issue templates\n * docs: add GitHub PR template with documentation reminders\n * 
tpm_util: fix quote signature extraction for ECDSA\n * registrar: Log API versions during startup\n * Remove excessive logging on exception\n * scripts: Fix coverage information downloading script\n\n- Version v7.12.1:\n * models: Add Base64Bytes type to read and write from the database\n * Simplify response check from registrar\n\n- Version v7.12.0:\n * API: Add /version endpoint to registrar\n * scripts: Download coverage data directly from Testing Farm\n * docs: Add separate documentation for each API version\n * scripts/create_runtime_policy.sh: fix path for the exclude list\n * docs: add documentation for keylime-policy\n * templates: Add the new agent.conf option \u0027api_versions\u0027\n * Enable autocompletion using argcomplete\n * build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2\n * Configure EPEL-10 repo in packit-ci.fmf\n * build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1\n * build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3\n * build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1\n * build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0\n * keylime-policy: improve error handling when provided a bad key (sign)\n * keylime-policy: exit with status 1 when the commands failed\n * keylime-policy: use Certificate() from models.base to validate certs\n * keylime-policy: check for valid cert file when using x509 backend (sign)\n * keylime-policy: fix help for \"keylime-policy sign\" verb\n * tenant: Correctly log number of tries when deleting\n * update TCTI environment variable usage\n * build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2\n * keylime-policy: add `create measured-boot\u0027 subcommand\n * keylime-policy: add `sign runtime\u0027 subcommand\n * keylime-policy: add logger to use with the policy tool\n * installer.sh: Restore execution permission\n * installer: Fix string comparison\n * build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0\n * build(deps): bump 
codecov/codecov-action from 4.5.0 to 4.6.0\n * build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0\n * build(deps): bump actions/setup-python from 5.2.0 to 5.3.0\n * installer.sh: updated EPEL, PEP668 Fix, logic fix\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0\n * build(deps): bump actions/checkout from 4.2.1 to 4.2.2\n * postgresql support for docker using psycopg2\n * installer.sh: update package list, add workaround for PEP 668\n * build(deps): bump actions/checkout from 4.2.0 to 4.2.1\n * keylime.conf: full removal\n * Drop pending SPDX-License-Identifier headers\n * create_runtime_policy: Validate algorithm from IMA measurement log\n * create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity\n * create_runtime_policy: drop commment with test data\n * create_runtime_policy: Use a common method to guess algorithm\n * keylime-policy: rename tool to keylime-policy instead of keylime_policy\n * keylime_policy: create runtime: remove --use-ima-measurement-list\n * keylime_policy: use consistent arg names for create_runtime_policy\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3\n * build(deps): bump actions/checkout from 4.1.7 to 4.2.0\n * elchecking/example: workaround empty PK, KEK, db and dbx\n * elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2\n * create_runtime_policy: Fix log level for debug messages\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2\n * build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5\n * pylintrc: Ignore too-many-positional-arguments check\n * keylime/web/base/controller: Move TypeAlias definition out of class\n * create_runtime_policy: Calculate digests in multiple threads\n * create_runtime_policy: Allow rootfs to be in any directory\n * keylime_policy: Calculate digests from each source separately\n * create_runtime_policy: Simplify boot_aggregate parsing\n * ima: Validate JSON when loading IMA Keyring from string\n 
* docs: include IDevID page also in the sidebar\n * docs: point to installation guide from RHEL and SLE Micro\n * build(deps): bump actions/setup-python from 5.1.1 to 5.2.0\n * build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1\n * change check_tpm_origin_check to a warning that does not prevent registration\n * docs: Fix Runtime Policy JSON schema to reflect the reality\n * Sets absolute path for files inside a rootfs dir\n * policy/create_runtime_policy: fix handling of empty lines in exclude list\n * keylime_policy: setting \u0027log_hash_alg\u0027 to \u0027sha1\u0027 (template-hash algo)\n * codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)\n * codestyle: convert bytearrays to bytes to get expected type (pyright)\n * codestyle: Use new variables after changing datatype (pyright)\n * cert_utils: add description why loading using cryptography might fail\n * ima: list names of the runtime policies\n * build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0\n * tox: Use python 3.10 instead of 3.6\n * revocation_notifier: Use web_util to generate TLS context\n * mba: Add a skip custom policies option when loading mba.\n * build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * cmd/keylime_policy: add tool to handle keylime policies\n * cert_utils: add is_x509_cert()\n * common/algorithms: transform Encrypt and Sign class into enums\n * common/algorithms: add method to calculate digest of a file\n * build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0\n * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n * build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0\n * build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * 
build(deps): bump pre-commit/action from 3.0.0 to 3.0.1\n * tpm: Replace KDFs and ECDH implementations with python-cryptography\n * build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0\n * build(deps): bump docker/login-action from 2.2.0 to 3.2.0\n * build(deps): bump actions/setup-python from 2.3.4 to 5.1.1\n * build(deps): bump actions/first-interaction\n * build(deps): bump actions/checkout from 2.7.0 to 4.1.7\n * revocation_notifier: Explicitly add CA certificate bundle\n * Introduce new REST API framework and refactor registrar implementation\n * mba: Support named measured boot policies\n * tenant: add friendlier error message if mTLS CA is wrongly configured\n * ca_impl_openssl: Mark extensions as critical following RFC 5280\n * Include Authority Key Identifier in KL-generated certs\n * verifier, tenant: make payload for agent completely optional\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-104",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_20159-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1237153",
"url": "https://bugzilla.suse.com/1237153"
},
{
"category": "self",
"summary": "SUSE Bug 1254199",
"url": "https://bugzilla.suse.com/1254199"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1057 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1057/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13609 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13609/"
}
],
"title": "Security update for keylime",
"tracking": {
"current_release_date": "2025-12-12T09:46:01Z",
"generator": {
"date": "2025-12-12T09:46:01Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:20159-1",
"initial_release_date": "2025-12-12T09:46:01Z",
"revision_history": [
{
"date": "2025-12-12T09:46:01Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-config-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-firewalld-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-logrotate-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-registrar-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-tenant-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-verifier-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"product_id": "python313-keylime-7.13.0+40-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-config-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-1057",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1057"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1057",
"url": "https://www.suse.com/security/cve/CVE-2025-1057"
},
{
"category": "external",
"summary": "SUSE Bug 1237153 for CVE-2025-1057",
"url": "https://bugzilla.suse.com/1237153"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T09:46:01Z",
"details": "moderate"
}
],
"title": "CVE-2025-1057"
},
{
"cve": "CVE-2025-13609",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13609"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent\u0027s unique identifier (UUID). This action overwrites the legitimate agent\u0027s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13609",
"url": "https://www.suse.com/security/cve/CVE-2025-13609"
},
{
"category": "external",
"summary": "SUSE Bug 1254199 for CVE-2025-13609",
"url": "https://bugzilla.suse.com/1254199"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T09:46:01Z",
"details": "critical"
}
],
"title": "CVE-2025-13609"
}
]
}
opensuse-su-2025-20159-1
Vulnerability from csaf_opensuse
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for keylime",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for keylime fixes the following issues:\n\nUpdate to version 7.13.0+40.\n\nSecurity issues fixed:\n\n- CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate\n UUIDs (bsc#1254199).\n- CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).\n\nOther issues fixed and changes:\n\n- Version 7.13.0+40:\n * Include new attestation information fields (#1818)\n * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)\n * push-model: require HTTPS for authentication and attestation endpoints\n * Fix operational_state tracking in push mode attestations\n * templates: add push model authentication config options to 2.5 templates\n * Security: Hash authentication tokens in logs\n * Fix stale IMA policy cache in verification\n * Fix authentication behavior on failed attestations for push mode\n * Add shared memory infrastructure for multiprocess communication\n * Add agent authentication (challenge/response) protocol for push mode\n * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)\n * docs: Fix man page RST formatting for rst2man compatibility (#1813)\n * Apply limit on keylime-policy workers\n * tpm: fix ECC signature parsing to support variable-length coordinates\n * tpm: fix ECC P-521 credential activation with consistent marshaling\n * tpm: fix ECC P-521 coordinate validation\n * Remove deprecated disabled_signing_algorithms configuration option (#1804)\n * algorithms: add support for specific RSA algorithms\n * algorithms: add support for specific ECC curve algorithms\n * Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent\n * Manpage for keylime agent\n * Manpage for keylime verifier\n * Manpage for keylime registrar\n * Use constants for timeout and max retries defaults\n * verifier: Use timeout from `request_timeout` config option\n * 
revocation_notifier: Use timeout setting from config file\n * tenant: Set timeout when getting version from agent\n * verify/evidence: SEV-SNP evidence type/verifier\n * verify/evidence: Add evidence type to request JSON\n\n- Version v7.13.0:\n * Avoid re-encoding certificate stored in DB\n * Revert \"models: Do not re-encode certificate stored in DB\"\n * Revert \"registrar_agent: Use pyasn1 to parse PEM\"\n * policy/sign: use print() when writing to /dev/stdout\n * registrar_agent: Use pyasn1 to parse PEM\n * models: Do not re-encode certificate stored in DB\n * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events\n * mb: support vendor_db as logged by newer shim versions\n * mb: support EV_EFI_HANDOFF_TABLES events on PCR1\n * Remove unnecessary configuration values\n * cloud_verifier_tornado: handle exception in notify_error()\n * requests_client: close the session at the end of the resource manager\n * Manpage for keylime_tenant (#1786)\n * Add 2.5 templates including Push Model changes\n * Initial version of verify evidence API\n * db: Do not read pool size and max overflow for sqlite\n * Use context managers to close DB sessions\n * revocations: Try to send notifications on shutdown\n * verifier: Gracefully shutdown on signal\n * Use `fork` as `multiprocessing` start method\n * Fix inaccuracy in threat model and add reference to SBAT\n * Explain TPM properties and expand vTPM discussion\n * Fix invalid RST and update TOC\n * Expand threat model page to include adversarial model\n * Add --push-model option to avoid requests to agents\n * templates: duplicate str_to_version() in the adjust script\n * policy: fix mypy issues with rpm_repo\n * revocation_notifier: fix mypy issue by replacing deprecated call\n * Fix create_runtime_policy in python \u003c 3.12\n * Fix after review\n * fixed CONSTANT names C0103 errors\n * Extend meta_data field in verifierdb\n * docs: update issue templates\n * docs: add GitHub PR template with documentation reminders\n * 
tpm_util: fix quote signature extraction for ECDSA\n * registrar: Log API versions during startup\n * Remove excessive logging on exception\n * scripts: Fix coverage information downloading script\n\n- Version v7.12.1:\n * models: Add Base64Bytes type to read and write from the database\n * Simplify response check from registrar\n\n- Version v7.12.0:\n * API: Add /version endpoint to registrar\n * scripts: Download coverage data directly from Testing Farm\n * docs: Add separate documentation for each API version\n * scripts/create_runtime_policy.sh: fix path for the exclude list\n * docs: add documentation for keylime-policy\n * templates: Add the new agent.conf option \u0027api_versions\u0027\n * Enable autocompletion using argcomplete\n * build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2\n * Configure EPEL-10 repo in packit-ci.fmf\n * build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1\n * build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3\n * build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1\n * build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0\n * keylime-policy: improve error handling when provided a bad key (sign)\n * keylime-policy: exit with status 1 when the commands failed\n * keylime-policy: use Certificate() from models.base to validate certs\n * keylime-policy: check for valid cert file when using x509 backend (sign)\n * keylime-policy: fix help for \"keylime-policy sign\" verb\n * tenant: Correctly log number of tries when deleting\n * update TCTI environment variable usage\n * build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2\n * keylime-policy: add `create measured-boot\u0027 subcommand\n * keylime-policy: add `sign runtime\u0027 subcommand\n * keylime-policy: add logger to use with the policy tool\n * installer.sh: Restore execution permission\n * installer: Fix string comparison\n * build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0\n * build(deps): bump 
codecov/codecov-action from 4.5.0 to 4.6.0\n * build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0\n * build(deps): bump actions/setup-python from 5.2.0 to 5.3.0\n * installer.sh: updated EPEL, PEP668 Fix, logic fix\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0\n * build(deps): bump actions/checkout from 4.2.1 to 4.2.2\n * postgresql support for docker using psycopg2\n * installer.sh: update package list, add workaround for PEP 668\n * build(deps): bump actions/checkout from 4.2.0 to 4.2.1\n * keylime.conf: full removal\n * Drop pending SPDX-License-Identifier headers\n * create_runtime_policy: Validate algorithm from IMA measurement log\n * create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity\n * create_runtime_policy: drop commment with test data\n * create_runtime_policy: Use a common method to guess algorithm\n * keylime-policy: rename tool to keylime-policy instead of keylime_policy\n * keylime_policy: create runtime: remove --use-ima-measurement-list\n * keylime_policy: use consistent arg names for create_runtime_policy\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3\n * build(deps): bump actions/checkout from 4.1.7 to 4.2.0\n * elchecking/example: workaround empty PK, KEK, db and dbx\n * elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2\n * create_runtime_policy: Fix log level for debug messages\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2\n * build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5\n * pylintrc: Ignore too-many-positional-arguments check\n * keylime/web/base/controller: Move TypeAlias definition out of class\n * create_runtime_policy: Calculate digests in multiple threads\n * create_runtime_policy: Allow rootfs to be in any directory\n * keylime_policy: Calculate digests from each source separately\n * create_runtime_policy: Simplify boot_aggregate parsing\n * ima: Validate JSON when loading IMA Keyring from string\n 
* docs: include IDevID page also in the sidebar\n * docs: point to installation guide from RHEL and SLE Micro\n * build(deps): bump actions/setup-python from 5.1.1 to 5.2.0\n * build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1\n * change check_tpm_origin_check to a warning that does not prevent registration\n * docs: Fix Runtime Policy JSON schema to reflect the reality\n * Sets absolute path for files inside a rootfs dir\n * policy/create_runtime_policy: fix handling of empty lines in exclude list\n * keylime_policy: setting \u0027log_hash_alg\u0027 to \u0027sha1\u0027 (template-hash algo)\n * codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)\n * codestyle: convert bytearrays to bytes to get expected type (pyright)\n * codestyle: Use new variables after changing datatype (pyright)\n * cert_utils: add description why loading using cryptography might fail\n * ima: list names of the runtime policies\n * build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0\n * tox: Use python 3.10 instead of 3.6\n * revocation_notifier: Use web_util to generate TLS context\n * mba: Add a skip custom policies option when loading mba.\n * build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * cmd/keylime_policy: add tool to handle keylime policies\n * cert_utils: add is_x509_cert()\n * common/algorithms: transform Encrypt and Sign class into enums\n * common/algorithms: add method to calculate digest of a file\n * build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0\n * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n * build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0\n * build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * 
build(deps): bump pre-commit/action from 3.0.0 to 3.0.1\n * tpm: Replace KDFs and ECDH implementations with python-cryptography\n * build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0\n * build(deps): bump docker/login-action from 2.2.0 to 3.2.0\n * build(deps): bump actions/setup-python from 2.3.4 to 5.1.1\n * build(deps): bump actions/first-interaction\n * build(deps): bump actions/checkout from 2.7.0 to 4.1.7\n * revocation_notifier: Explicitly add CA certificate bundle\n * Introduce new REST API framework and refactor registrar implementation\n * mba: Support named measured boot policies\n * tenant: add friendlier error message if mTLS CA is wrongly configured\n * ca_impl_openssl: Mark extensions as critical following RFC 5280\n * Include Authority Key Identifier in KL-generated certs\n * verifier, tenant: make payload for agent completely optional\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-104",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025-20159-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1237153",
"url": "https://bugzilla.suse.com/1237153"
},
{
"category": "self",
"summary": "SUSE Bug 1254199",
"url": "https://bugzilla.suse.com/1254199"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1057 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1057/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13609 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13609/"
}
],
"title": "Security update for keylime",
"tracking": {
"current_release_date": "2025-12-12T09:46:01Z",
"generator": {
"date": "2025-12-12T09:46:01Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025-20159-1",
"initial_release_date": "2025-12-12T09:46:01Z",
"revision_history": [
{
"date": "2025-12-12T09:46:01Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-config-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-firewalld-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-logrotate-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-registrar-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-tenant-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-verifier-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"product_id": "python313-keylime-7.13.0+40-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-config-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-1057",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1057"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1057",
"url": "https://www.suse.com/security/cve/CVE-2025-1057"
},
{
"category": "external",
"summary": "SUSE Bug 1237153 for CVE-2025-1057",
"url": "https://bugzilla.suse.com/1237153"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T09:46:01Z",
"details": "moderate"
}
],
"title": "CVE-2025-1057"
},
{
"cve": "CVE-2025-13609",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13609"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability has been identified in keylime: an attacker can register a new agent using a different Trusted Platform Module (TPM) device while claiming an existing agent\u0027s unique identifier (UUID). This overwrites the legitimate agent\u0027s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13609",
"url": "https://www.suse.com/security/cve/CVE-2025-13609"
},
{
"category": "external",
"summary": "SUSE Bug 1254199 for CVE-2025-13609",
"url": "https://bugzilla.suse.com/1254199"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T09:46:01Z",
"details": "critical"
}
],
"title": "CVE-2025-13609"
}
]
}
opensuse-su-2025:14813-1
Vulnerability from csaf_opensuse
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "keylime-config-7.12.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the keylime-config-7.12.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-14813",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14813-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1057 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1057/"
}
],
"title": "keylime-config-7.12.1-1.1 on GA media",
"tracking": {
"current_release_date": "2025-02-16T00:00:00Z",
"generator": {
"date": "2025-02-16T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:14813-1",
"initial_release_date": "2025-02-16T00:00:00Z",
"revision_history": [
{
"date": "2025-02-16T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.12.1-1.1.aarch64",
"product": {
"name": "keylime-config-7.12.1-1.1.aarch64",
"product_id": "keylime-config-7.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.12.1-1.1.aarch64",
"product": {
"name": "keylime-firewalld-7.12.1-1.1.aarch64",
"product_id": "keylime-firewalld-7.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.12.1-1.1.aarch64",
"product": {
"name": "keylime-logrotate-7.12.1-1.1.aarch64",
"product_id": "keylime-logrotate-7.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.12.1-1.1.aarch64",
"product": {
"name": "keylime-registrar-7.12.1-1.1.aarch64",
"product_id": "keylime-registrar-7.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.12.1-1.1.aarch64",
"product": {
"name": "keylime-tenant-7.12.1-1.1.aarch64",
"product_id": "keylime-tenant-7.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.12.1-1.1.aarch64",
"product": {
"name": "keylime-tpm_cert_store-7.12.1-1.1.aarch64",
"product_id": "keylime-tpm_cert_store-7.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.12.1-1.1.aarch64",
"product": {
"name": "keylime-verifier-7.12.1-1.1.aarch64",
"product_id": "keylime-verifier-7.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-keylime-7.12.1-1.1.aarch64",
"product": {
"name": "python311-keylime-7.12.1-1.1.aarch64",
"product_id": "python311-keylime-7.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python312-keylime-7.12.1-1.1.aarch64",
"product": {
"name": "python312-keylime-7.12.1-1.1.aarch64",
"product_id": "python312-keylime-7.12.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.12.1-1.1.aarch64",
"product": {
"name": "python313-keylime-7.12.1-1.1.aarch64",
"product_id": "python313-keylime-7.12.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.12.1-1.1.ppc64le",
"product": {
"name": "keylime-config-7.12.1-1.1.ppc64le",
"product_id": "keylime-config-7.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.12.1-1.1.ppc64le",
"product": {
"name": "keylime-firewalld-7.12.1-1.1.ppc64le",
"product_id": "keylime-firewalld-7.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.12.1-1.1.ppc64le",
"product": {
"name": "keylime-logrotate-7.12.1-1.1.ppc64le",
"product_id": "keylime-logrotate-7.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.12.1-1.1.ppc64le",
"product": {
"name": "keylime-registrar-7.12.1-1.1.ppc64le",
"product_id": "keylime-registrar-7.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.12.1-1.1.ppc64le",
"product": {
"name": "keylime-tenant-7.12.1-1.1.ppc64le",
"product_id": "keylime-tenant-7.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.12.1-1.1.ppc64le",
"product": {
"name": "keylime-tpm_cert_store-7.12.1-1.1.ppc64le",
"product_id": "keylime-tpm_cert_store-7.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.12.1-1.1.ppc64le",
"product": {
"name": "keylime-verifier-7.12.1-1.1.ppc64le",
"product_id": "keylime-verifier-7.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-keylime-7.12.1-1.1.ppc64le",
"product": {
"name": "python311-keylime-7.12.1-1.1.ppc64le",
"product_id": "python311-keylime-7.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python312-keylime-7.12.1-1.1.ppc64le",
"product": {
"name": "python312-keylime-7.12.1-1.1.ppc64le",
"product_id": "python312-keylime-7.12.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.12.1-1.1.ppc64le",
"product": {
"name": "python313-keylime-7.12.1-1.1.ppc64le",
"product_id": "python313-keylime-7.12.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.12.1-1.1.s390x",
"product": {
"name": "keylime-config-7.12.1-1.1.s390x",
"product_id": "keylime-config-7.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.12.1-1.1.s390x",
"product": {
"name": "keylime-firewalld-7.12.1-1.1.s390x",
"product_id": "keylime-firewalld-7.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.12.1-1.1.s390x",
"product": {
"name": "keylime-logrotate-7.12.1-1.1.s390x",
"product_id": "keylime-logrotate-7.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.12.1-1.1.s390x",
"product": {
"name": "keylime-registrar-7.12.1-1.1.s390x",
"product_id": "keylime-registrar-7.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.12.1-1.1.s390x",
"product": {
"name": "keylime-tenant-7.12.1-1.1.s390x",
"product_id": "keylime-tenant-7.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.12.1-1.1.s390x",
"product": {
"name": "keylime-tpm_cert_store-7.12.1-1.1.s390x",
"product_id": "keylime-tpm_cert_store-7.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.12.1-1.1.s390x",
"product": {
"name": "keylime-verifier-7.12.1-1.1.s390x",
"product_id": "keylime-verifier-7.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-keylime-7.12.1-1.1.s390x",
"product": {
"name": "python311-keylime-7.12.1-1.1.s390x",
"product_id": "python311-keylime-7.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python312-keylime-7.12.1-1.1.s390x",
"product": {
"name": "python312-keylime-7.12.1-1.1.s390x",
"product_id": "python312-keylime-7.12.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.12.1-1.1.s390x",
"product": {
"name": "python313-keylime-7.12.1-1.1.s390x",
"product_id": "python313-keylime-7.12.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.12.1-1.1.x86_64",
"product": {
"name": "keylime-config-7.12.1-1.1.x86_64",
"product_id": "keylime-config-7.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.12.1-1.1.x86_64",
"product": {
"name": "keylime-firewalld-7.12.1-1.1.x86_64",
"product_id": "keylime-firewalld-7.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.12.1-1.1.x86_64",
"product": {
"name": "keylime-logrotate-7.12.1-1.1.x86_64",
"product_id": "keylime-logrotate-7.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.12.1-1.1.x86_64",
"product": {
"name": "keylime-registrar-7.12.1-1.1.x86_64",
"product_id": "keylime-registrar-7.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.12.1-1.1.x86_64",
"product": {
"name": "keylime-tenant-7.12.1-1.1.x86_64",
"product_id": "keylime-tenant-7.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.12.1-1.1.x86_64",
"product": {
"name": "keylime-tpm_cert_store-7.12.1-1.1.x86_64",
"product_id": "keylime-tpm_cert_store-7.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.12.1-1.1.x86_64",
"product": {
"name": "keylime-verifier-7.12.1-1.1.x86_64",
"product_id": "keylime-verifier-7.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-keylime-7.12.1-1.1.x86_64",
"product": {
"name": "python311-keylime-7.12.1-1.1.x86_64",
"product_id": "python311-keylime-7.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python312-keylime-7.12.1-1.1.x86_64",
"product": {
"name": "python312-keylime-7.12.1-1.1.x86_64",
"product_id": "python312-keylime-7.12.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.12.1-1.1.x86_64",
"product": {
"name": "python313-keylime-7.12.1-1.1.x86_64",
"product_id": "python313-keylime-7.12.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-config-7.12.1-1.1.aarch64"
},
"product_reference": "keylime-config-7.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-config-7.12.1-1.1.ppc64le"
},
"product_reference": "keylime-config-7.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-config-7.12.1-1.1.s390x"
},
"product_reference": "keylime-config-7.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-config-7.12.1-1.1.x86_64"
},
"product_reference": "keylime-config-7.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-firewalld-7.12.1-1.1.aarch64"
},
"product_reference": "keylime-firewalld-7.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-firewalld-7.12.1-1.1.ppc64le"
},
"product_reference": "keylime-firewalld-7.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-firewalld-7.12.1-1.1.s390x"
},
"product_reference": "keylime-firewalld-7.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-firewalld-7.12.1-1.1.x86_64"
},
"product_reference": "keylime-firewalld-7.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-logrotate-7.12.1-1.1.aarch64"
},
"product_reference": "keylime-logrotate-7.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-logrotate-7.12.1-1.1.ppc64le"
},
"product_reference": "keylime-logrotate-7.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-logrotate-7.12.1-1.1.s390x"
},
"product_reference": "keylime-logrotate-7.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-logrotate-7.12.1-1.1.x86_64"
},
"product_reference": "keylime-logrotate-7.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-registrar-7.12.1-1.1.aarch64"
},
"product_reference": "keylime-registrar-7.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-registrar-7.12.1-1.1.ppc64le"
},
"product_reference": "keylime-registrar-7.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-registrar-7.12.1-1.1.s390x"
},
"product_reference": "keylime-registrar-7.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-registrar-7.12.1-1.1.x86_64"
},
"product_reference": "keylime-registrar-7.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tenant-7.12.1-1.1.aarch64"
},
"product_reference": "keylime-tenant-7.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tenant-7.12.1-1.1.ppc64le"
},
"product_reference": "keylime-tenant-7.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tenant-7.12.1-1.1.s390x"
},
"product_reference": "keylime-tenant-7.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tenant-7.12.1-1.1.x86_64"
},
"product_reference": "keylime-tenant-7.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tpm_cert_store-7.12.1-1.1.aarch64"
},
"product_reference": "keylime-tpm_cert_store-7.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tpm_cert_store-7.12.1-1.1.ppc64le"
},
"product_reference": "keylime-tpm_cert_store-7.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tpm_cert_store-7.12.1-1.1.s390x"
},
"product_reference": "keylime-tpm_cert_store-7.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tpm_cert_store-7.12.1-1.1.x86_64"
},
"product_reference": "keylime-tpm_cert_store-7.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-verifier-7.12.1-1.1.aarch64"
},
"product_reference": "keylime-verifier-7.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-verifier-7.12.1-1.1.ppc64le"
},
"product_reference": "keylime-verifier-7.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-verifier-7.12.1-1.1.s390x"
},
"product_reference": "keylime-verifier-7.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-verifier-7.12.1-1.1.x86_64"
},
"product_reference": "keylime-verifier-7.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-keylime-7.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-keylime-7.12.1-1.1.aarch64"
},
"product_reference": "python311-keylime-7.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-keylime-7.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-keylime-7.12.1-1.1.ppc64le"
},
"product_reference": "python311-keylime-7.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-keylime-7.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-keylime-7.12.1-1.1.s390x"
},
"product_reference": "python311-keylime-7.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-keylime-7.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-keylime-7.12.1-1.1.x86_64"
},
"product_reference": "python311-keylime-7.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-keylime-7.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-keylime-7.12.1-1.1.aarch64"
},
"product_reference": "python312-keylime-7.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-keylime-7.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-keylime-7.12.1-1.1.ppc64le"
},
"product_reference": "python312-keylime-7.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-keylime-7.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-keylime-7.12.1-1.1.s390x"
},
"product_reference": "python312-keylime-7.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-keylime-7.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-keylime-7.12.1-1.1.x86_64"
},
"product_reference": "python312-keylime-7.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-keylime-7.12.1-1.1.aarch64"
},
"product_reference": "python313-keylime-7.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-keylime-7.12.1-1.1.ppc64le"
},
"product_reference": "python313-keylime-7.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-keylime-7.12.1-1.1.s390x"
},
"product_reference": "python313-keylime-7.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-keylime-7.12.1-1.1.x86_64"
},
"product_reference": "python313-keylime-7.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-1057",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1057"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:keylime-config-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-config-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-config-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-config-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:keylime-firewalld-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-firewalld-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-firewalld-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-firewalld-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:keylime-logrotate-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-logrotate-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-logrotate-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-logrotate-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:keylime-registrar-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-registrar-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-registrar-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-registrar-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:keylime-tenant-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-tenant-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-tenant-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-tenant-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:keylime-verifier-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-verifier-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-verifier-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-verifier-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-keylime-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-keylime-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-keylime-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:python311-keylime-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:python312-keylime-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:python312-keylime-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:python312-keylime-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:python312-keylime-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-keylime-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-keylime-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-keylime-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:python313-keylime-7.12.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1057",
"url": "https://www.suse.com/security/cve/CVE-2025-1057"
},
{
"category": "external",
"summary": "SUSE Bug 1237153 for CVE-2025-1057",
"url": "https://bugzilla.suse.com/1237153"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:keylime-config-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-config-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-config-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-config-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:keylime-firewalld-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-firewalld-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-firewalld-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-firewalld-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:keylime-logrotate-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-logrotate-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-logrotate-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-logrotate-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:keylime-registrar-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-registrar-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-registrar-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-registrar-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:keylime-tenant-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-tenant-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-tenant-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-tenant-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:keylime-verifier-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:keylime-verifier-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-verifier-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:keylime-verifier-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:python311-keylime-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:python311-keylime-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:python311-keylime-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:python311-keylime-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:python312-keylime-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:python312-keylime-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:python312-keylime-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:python312-keylime-7.12.1-1.1.x86_64",
"openSUSE Tumbleweed:python313-keylime-7.12.1-1.1.aarch64",
"openSUSE Tumbleweed:python313-keylime-7.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:python313-keylime-7.12.1-1.1.s390x",
"openSUSE Tumbleweed:python313-keylime-7.12.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-16T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-1057"
}
]
}
ghsa-9jxq-5x44-gx23
Vulnerability from github
Impact
The Keylime registrar introduced stricter type checking in version 7.12.0. As a result, after an update to version 7.12.0, the registrar does not accept the format of data previously stored in the database by versions >= 7.8.0, and raises an exception when it reads such entries.
This exposes the Keylime registrar to a Denial-of-Service attack in an update scenario: an attacker could populate the registrar database by creating multiple valid agent registrations with different UUIDs while the registrar is still running a version < 7.12.0. Once the registrar is updated to version 7.12.0, any database query that matches one of the entries populated by the attacker fails. The format mismatch is not specific to attacker-created entries: per the CVE description, the 7.12.0 registrar cannot read database entries created by previous versions in general.
Patches
Users should upgrade to versions >= 7.12.1
Workarounds
- Remove the registrar database and re-register all agents
Credit
Reported by: Anderson Toshiyuki Sasaki/@ansasaki
Patched by: Anderson Toshiyuki Sasaki/@ansasaki
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keylime"
},
"ranges": [
{
"events": [
{
"introduced": "7.12.0"
},
{
"fixed": "7.12.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"7.12.0"
]
}
],
"aliases": [
"CVE-2025-1057"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-704"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-14T18:03:14Z",
"nvd_published_at": "2025-03-15T09:15:10Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe Keylime `registrar` implemented more strict type checking on version 7.12.0. As a result, when updated to version 7.12.0, the `registrar` will not accept the format of the data previously stored in the database by versions \u003e= 7.8.0, raising an exception.\n\nThis makes the Keylime `registrar` vulnerable to a Denial-of-Service attack in an update scenario, as an attacker could populate the `registrar` database by creating multiple valid agent registrations with different UUIDs while the version is still \u003c 7.12.0. Then, when the Keylime `registrar` is updated to the 7.12.0 version, any query to the database matching any of the entries populated by the attacker will result in failure.\n\n### Patches\nUsers should upgrade to versions \u003e= 7.12.1\n\n### Workarounds\n- Remove the registrar database and re-register all agents\n\n### Credit\n\nReported by: Anderson Toshiyuki Sasaki/@ansasaki\nPatched by: Anderson Toshiyuki Sasaki/@ansasaki",
"id": "GHSA-9jxq-5x44-gx23",
"modified": "2025-03-15T20:47:38Z",
"published": "2025-02-14T18:03:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keylime/keylime/security/advisories/GHSA-9jxq-5x44-gx23"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1057"
},
{
"type": "WEB",
"url": "https://github.com/keylime/keylime/commit/e08b10d86c3717006774e787542c190e2ba24fc7"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-1057"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2343894"
},
{
"type": "PACKAGE",
"url": "https://github.com/keylime/keylime"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Keylime registrar is vulnerable to Denial-of-Service attack when updated to version 7.12.0"
}
suse-su-2025:21194-1
Vulnerability from csaf_suse
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for keylime",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for keylime fixes the following issues:\n\nUpdate to version 7.13.0+40.\n\nSecurity issues fixed:\n\n- CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate\n UUIDs (bsc#1254199).\n- CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).\n\nOther issues fixed and changes:\n\n- Version 7.13.0+40:\n * Include new attestation information fields (#1818)\n * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)\n * push-model: require HTTPS for authentication and attestation endpoints\n * Fix operational_state tracking in push mode attestations\n * templates: add push model authentication config options to 2.5 templates\n * Security: Hash authentication tokens in logs\n * Fix stale IMA policy cache in verification\n * Fix authentication behavior on failed attestations for push mode\n * Add shared memory infrastructure for multiprocess communication\n * Add agent authentication (challenge/response) protocol for push mode\n * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)\n * docs: Fix man page RST formatting for rst2man compatibility (#1813)\n * Apply limit on keylime-policy workers\n * tpm: fix ECC signature parsing to support variable-length coordinates\n * tpm: fix ECC P-521 credential activation with consistent marshaling\n * tpm: fix ECC P-521 coordinate validation\n * Remove deprecated disabled_signing_algorithms configuration option (#1804)\n * algorithms: add support for specific RSA algorithms\n * algorithms: add support for specific ECC curve algorithms\n * Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent\n * Manpage for keylime agent\n * Manpage for keylime verifier\n * Manpage for keylime registrar\n * Use constants for timeout and max retries defaults\n * verifier: Use timeout from `request_timeout` config option\n * 
revocation_notifier: Use timeout setting from config file\n * tenant: Set timeout when getting version from agent\n * verify/evidence: SEV-SNP evidence type/verifier\n * verify/evidence: Add evidence type to request JSON\n\n- Version v7.13.0:\n * Avoid re-encoding certificate stored in DB\n * Revert \"models: Do not re-encode certificate stored in DB\"\n * Revert \"registrar_agent: Use pyasn1 to parse PEM\"\n * policy/sign: use print() when writing to /dev/stdout\n * registrar_agent: Use pyasn1 to parse PEM\n * models: Do not re-encode certificate stored in DB\n * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events\n * mb: support vendor_db as logged by newer shim versions\n * mb: support EV_EFI_HANDOFF_TABLES events on PCR1\n * Remove unnecessary configuration values\n * cloud_verifier_tornado: handle exception in notify_error()\n * requests_client: close the session at the end of the resource manager\n * Manpage for keylime_tenant (#1786)\n * Add 2.5 templates including Push Model changes\n * Initial version of verify evidence API\n * db: Do not read pool size and max overflow for sqlite\n * Use context managers to close DB sessions\n * revocations: Try to send notifications on shutdown\n * verifier: Gracefully shutdown on signal\n * Use `fork` as `multiprocessing` start method\n * Fix inaccuracy in threat model and add reference to SBAT\n * Explain TPM properties and expand vTPM discussion\n * Fix invalid RST and update TOC\n * Expand threat model page to include adversarial model\n * Add --push-model option to avoid requests to agents\n * templates: duplicate str_to_version() in the adjust script\n * policy: fix mypy issues with rpm_repo\n * revocation_notifier: fix mypy issue by replacing deprecated call\n * Fix create_runtime_policy in python \u003c 3.12\n * Fix after review\n * fixed CONSTANT names C0103 errors\n * Extend meta_data field in verifierdb\n * docs: update issue templates\n * docs: add GitHub PR template with documentation reminders\n * 
tpm_util: fix quote signature extraction for ECDSA\n * registrar: Log API versions during startup\n * Remove excessive logging on exception\n * scripts: Fix coverage information downloading script\n\n- Version v7.12.1:\n * models: Add Base64Bytes type to read and write from the database\n * Simplify response check from registrar\n\n- Version v7.12.0:\n * API: Add /version endpoint to registrar\n * scripts: Download coverage data directly from Testing Farm\n * docs: Add separate documentation for each API version\n * scripts/create_runtime_policy.sh: fix path for the exclude list\n * docs: add documentation for keylime-policy\n * templates: Add the new agent.conf option \u0027api_versions\u0027\n * Enable autocompletion using argcomplete\n * build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2\n * Configure EPEL-10 repo in packit-ci.fmf\n * build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1\n * build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3\n * build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1\n * build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0\n * keylime-policy: improve error handling when provided a bad key (sign)\n * keylime-policy: exit with status 1 when the commands failed\n * keylime-policy: use Certificate() from models.base to validate certs\n * keylime-policy: check for valid cert file when using x509 backend (sign)\n * keylime-policy: fix help for \"keylime-policy sign\" verb\n * tenant: Correctly log number of tries when deleting\n * update TCTI environment variable usage\n * build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2\n * keylime-policy: add `create measured-boot\u0027 subcommand\n * keylime-policy: add `sign runtime\u0027 subcommand\n * keylime-policy: add logger to use with the policy tool\n * installer.sh: Restore execution permission\n * installer: Fix string comparison\n * build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0\n * build(deps): bump 
codecov/codecov-action from 4.5.0 to 4.6.0\n * build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0\n * build(deps): bump actions/setup-python from 5.2.0 to 5.3.0\n * installer.sh: updated EPEL, PEP668 Fix, logic fix\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0\n * build(deps): bump actions/checkout from 4.2.1 to 4.2.2\n * postgresql support for docker using psycopg2\n * installer.sh: update package list, add workaround for PEP 668\n * build(deps): bump actions/checkout from 4.2.0 to 4.2.1\n * keylime.conf: full removal\n * Drop pending SPDX-License-Identifier headers\n * create_runtime_policy: Validate algorithm from IMA measurement log\n * create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity\n * create_runtime_policy: drop commment with test data\n * create_runtime_policy: Use a common method to guess algorithm\n * keylime-policy: rename tool to keylime-policy instead of keylime_policy\n * keylime_policy: create runtime: remove --use-ima-measurement-list\n * keylime_policy: use consistent arg names for create_runtime_policy\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3\n * build(deps): bump actions/checkout from 4.1.7 to 4.2.0\n * elchecking/example: workaround empty PK, KEK, db and dbx\n * elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2\n * create_runtime_policy: Fix log level for debug messages\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2\n * build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5\n * pylintrc: Ignore too-many-positional-arguments check\n * keylime/web/base/controller: Move TypeAlias definition out of class\n * create_runtime_policy: Calculate digests in multiple threads\n * create_runtime_policy: Allow rootfs to be in any directory\n * keylime_policy: Calculate digests from each source separately\n * create_runtime_policy: Simplify boot_aggregate parsing\n * ima: Validate JSON when loading IMA Keyring from string\n 
* docs: include IDevID page also in the sidebar\n * docs: point to installation guide from RHEL and SLE Micro\n * build(deps): bump actions/setup-python from 5.1.1 to 5.2.0\n * build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1\n * change check_tpm_origin_check to a warning that does not prevent registration\n * docs: Fix Runtime Policy JSON schema to reflect the reality\n * Sets absolute path for files inside a rootfs dir\n * policy/create_runtime_policy: fix handling of empty lines in exclude list\n * keylime_policy: setting \u0027log_hash_alg\u0027 to \u0027sha1\u0027 (template-hash algo)\n * codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)\n * codestyle: convert bytearrays to bytes to get expected type (pyright)\n * codestyle: Use new variables after changing datatype (pyright)\n * cert_utils: add description why loading using cryptography might fail\n * ima: list names of the runtime policies\n * build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0\n * tox: Use python 3.10 instead of 3.6\n * revocation_notifier: Use web_util to generate TLS context\n * mba: Add a skip custom policies option when loading mba.\n * build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * cmd/keylime_policy: add tool to handle keylime policies\n * cert_utils: add is_x509_cert()\n * common/algorithms: transform Encrypt and Sign class into enums\n * common/algorithms: add method to calculate digest of a file\n * build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0\n * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n * build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0\n * build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * 
build(deps): bump pre-commit/action from 3.0.0 to 3.0.1\n * tpm: Replace KDFs and ECDH implementations with python-cryptography\n * build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0\n * build(deps): bump docker/login-action from 2.2.0 to 3.2.0\n * build(deps): bump actions/setup-python from 2.3.4 to 5.1.1\n * build(deps): bump actions/first-interaction\n * build(deps): bump actions/checkout from 2.7.0 to 4.1.7\n * revocation_notifier: Explicitly add CA certificate bundle\n * Introduce new REST API framework and refactor registrar implementation\n * mba: Support named measured boot policies\n * tenant: add friendlier error message if mTLS CA is wrongly configured\n * ca_impl_openssl: Mark extensions as critical following RFC 5280\n * Include Authority Key Identifier in KL-generated certs\n * verifier, tenant: make payload for agent completely optional\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-104",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_21194-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:21194-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521194-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:21194-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023547.html"
},
{
"category": "self",
"summary": "SUSE Bug 1237153",
"url": "https://bugzilla.suse.com/1237153"
},
{
"category": "self",
"summary": "SUSE Bug 1254199",
"url": "https://bugzilla.suse.com/1254199"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1057 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1057/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13609 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13609/"
}
],
"title": "Security update for keylime",
"tracking": {
"current_release_date": "2025-12-12T09:45:03Z",
"generator": {
"date": "2025-12-12T09:45:03Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:21194-1",
"initial_release_date": "2025-12-12T09:45:03Z",
"revision_history": [
{
"date": "2025-12-12T09:45:03Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-config-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-firewalld-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-logrotate-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-registrar-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-tenant-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-verifier-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"product_id": "python313-keylime-7.13.0+40-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16.0"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-config-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-config-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-config-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-config-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-1057",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1057"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1057",
"url": "https://www.suse.com/security/cve/CVE-2025-1057"
},
{
"category": "external",
"summary": "SUSE Bug 1237153 for CVE-2025-1057",
"url": "https://bugzilla.suse.com/1237153"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T09:45:03Z",
"details": "moderate"
}
],
"title": "CVE-2025-1057"
},
{
"cve": "CVE-2025-13609",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13609"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent\u0027s unique identifier (UUID). This action overwrites the legitimate agent\u0027s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13609",
"url": "https://www.suse.com/security/cve/CVE-2025-13609"
},
{
"category": "external",
"summary": "SUSE Bug 1254199 for CVE-2025-13609",
"url": "https://bugzilla.suse.com/1254199"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T09:45:03Z",
"details": "critical"
}
],
"title": "CVE-2025-13609"
}
]
}
fkie_cve-2025-1057
Vulnerability from fkie_nvd
| Vendor | Product | Version |
|---|---|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail."
},
{
"lang": "es",
"value": "Se detect\u00f3 una falla en Keylime, una soluci\u00f3n de atestaci\u00f3n remota, donde la comprobaci\u00f3n estricta de tipos introducida en la versi\u00f3n 7.12.0 impide que el registrador lea las entradas de la base de datos creadas por versiones anteriores, por ejemplo, la 7.11.0. En concreto, las versiones anteriores almacenan los datos de registro del agente como bytes, mientras que el registrador actualizado espera str. Este problema genera una excepci\u00f3n al procesar las solicitudes de registro del agente, lo que provoca un fallo en el agente."
}
],
"id": "CVE-2025-1057",
"lastModified": "2025-03-15T09:15:10.770",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
},
"published": "2025-03-15T09:15:10.770",
"references": [
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/security/cve/CVE-2025-1057"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2343894"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-704"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.