CVE-2025-13609 (GCVE-0-2025-13609)
Vulnerability from cvelistv5
Published
2025-11-24 18:08
Modified
2025-12-18 10:20
CWE
- CWE-694 - Use of Multiple Resources with Duplicate Identifier
Summary
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 | Unaffected: 0:7.12.1-11.el10_1.3 < * cpe:/o:redhat:enterprise_linux:10.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13609",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T19:00:14.018523Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T19:00:31.365Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.1"
],
"defaultStatus": "affected",
"packageName": "keylime",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:7.12.1-11.el10_1.3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream"
],
"defaultStatus": "affected",
"packageName": "keylime",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:7.12.1-11.el9_7.3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream"
],
"defaultStatus": "affected",
"packageName": "keylime",
"product": "Red Hat Enterprise Linux 9.6 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:7.3.0-15.el9_6.1",
"versionType": "rpm"
}
]
}
],
"datePublic": "2025-11-24T16:00:06.761Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent\u0027s unique identifier (UUID). This action overwrites the legitimate agent\u0027s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-694",
"description": "Use of Multiple Resources with Duplicate Identifier",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T10:20:50.418Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2025:23201",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:23201"
},
{
"name": "RHSA-2025:23210",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:23210"
},
{
"name": "RHSA-2025:23628",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:23628"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-13609"
},
{
"name": "RHBZ#2416761",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416761"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-24T14:53:54.188000+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-11-24T16:00:06.761000+00:00",
"value": "Made public."
}
],
"title": "Keylime: keylime: registrar allows identity takeover via duplicate uuid registration",
"workarounds": [
{
"lang": "en",
"value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-694: Use of Multiple Resources with Duplicate Identifier"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-13609",
"datePublished": "2025-11-24T18:08:56.048Z",
"dateReserved": "2025-11-24T15:47:12.935Z",
"dateUpdated": "2025-12-18T10:20:50.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-13609\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2025-11-24T18:15:49.830\",\"lastModified\":\"2025-12-18T11:15:45.500\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent\u0027s unique identifier (UUID). This action overwrites the legitimate agent\u0027s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.3,\"impactScore\":5.3}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-694\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2025:23201\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2025:23210\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2025:23628\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2025-13609\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2416761\",\"source\":\"secalert@redhat.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-13609\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-24T19:00:14.018523Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-24T19:00:24.300Z\"}}], \"cna\": {\"title\": \"Keylime: keylime: registrar allows identity takeover via duplicate uuid registration\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10.1\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:7.12.1-11.el10_1.3\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"keylime\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:enterprise_linux:9::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:7.12.1-11.el9_7.3\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"keylime\", \"collectionURL\": 
\"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:rhel_eus:9.6::appstream\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9.6 Extended Update Support\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"0:7.3.0-15.el9_6.1\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"keylime\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"affected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-11-24T14:53:54.188000+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2025-11-24T16:00:06.761000+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2025-11-24T16:00:06.761Z\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2025:23201\", \"name\": \"RHSA-2025:23201\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2025:23210\", \"name\": \"RHSA-2025:23210\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2025:23628\", \"name\": \"RHSA-2025:23628\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2025-13609\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2416761\", \"name\": \"RHBZ#2416761\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. 
Please update the affected package as soon as possible.\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent\u0027s unique identifier (UUID). This action overwrites the legitimate agent\u0027s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-694\", \"description\": \"Use of Multiple Resources with Duplicate Identifier\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2025-12-18T10:20:50.418Z\"}, \"x_redhatCweChain\": \"CWE-694: Use of Multiple Resources with Duplicate Identifier\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-13609\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-18T10:20:50.418Z\", \"dateReserved\": \"2025-11-24T15:47:12.935Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2025-11-24T18:08:56.048Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
ghsa-xh5w-g8gq-r3v9
Vulnerability from github
Published
2025-11-24 18:31
Modified
2025-12-18 12:30
Summary
Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices
Details
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keylime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-13609"
],
"database_specific": {
"cwe_ids": [
"CWE-694"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-26T19:32:37Z",
"nvd_published_at": "2025-11-24T18:15:49Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent\u0027s unique identifier (UUID). This action overwrites the legitimate agent\u0027s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.",
"id": "GHSA-xh5w-g8gq-r3v9",
"modified": "2025-12-18T12:30:27Z",
"published": "2025-11-24T18:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13609"
},
{
"type": "WEB",
"url": "https://github.com/keylime/keylime/pull/1785"
},
{
"type": "WEB",
"url": "https://github.com/keylime/keylime/commit/e1ae8de1f7b1385eaeec66572a92ff1338e6e157"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:23201"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:23210"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:23628"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-13609"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416761"
},
{
"type": "PACKAGE",
"url": "https://github.com/keylime/keylime"
},
{
"type": "WEB",
"url": "https://github.com/keylime/keylime/releases/tag/v7.13.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices"
}
opensuse-su-2025:20159-1
Vulnerability from csaf_opensuse
Published
2025-12-12 09:46
Modified
2025-12-12 09:46
Summary
Security update for keylime
Notes
Title of the patch
Security update for keylime
Description of the patch
This update for keylime fixes the following issues:
Update to version 7.13.0+40.
Security issues fixed:
- CVE-2025-13609: possible agent identity takeover due to the registrar allowing the registration of agents with duplicate UUIDs (bsc#1254199).
- CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).
Other issues fixed and changes:
- Version 7.13.0+40:
* Include new attestation information fields (#1818)
* Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)
* push-model: require HTTPS for authentication and attestation endpoints
* Fix operational_state tracking in push mode attestations
* templates: add push model authentication config options to 2.5 templates
* Security: Hash authentication tokens in logs
* Fix stale IMA policy cache in verification
* Fix authentication behavior on failed attestations for push mode
* Add shared memory infrastructure for multiprocess communication
* Add agent authentication (challenge/response) protocol for push mode
* Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)
* docs: Fix man page RST formatting for rst2man compatibility (#1813)
* Apply limit on keylime-policy workers
* tpm: fix ECC signature parsing to support variable-length coordinates
* tpm: fix ECC P-521 credential activation with consistent marshaling
* tpm: fix ECC P-521 coordinate validation
* Remove deprecated disabled_signing_algorithms configuration option (#1804)
* algorithms: add support for specific RSA algorithms
* algorithms: add support for specific ECC curve algorithms
* Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent
* Manpage for keylime agent
* Manpage for keylime verifier
* Manpage for keylime registrar
* Use constants for timeout and max retries defaults
* verifier: Use timeout from `request_timeout` config option
* revocation_notifier: Use timeout setting from config file
* tenant: Set timeout when getting version from agent
* verify/evidence: SEV-SNP evidence type/verifier
* verify/evidence: Add evidence type to request JSON
- Version v7.13.0:
* Avoid re-encoding certificate stored in DB
* Revert "models: Do not re-encode certificate stored in DB"
* Revert "registrar_agent: Use pyasn1 to parse PEM"
* policy/sign: use print() when writing to /dev/stdout
* registrar_agent: Use pyasn1 to parse PEM
* models: Do not re-encode certificate stored in DB
* mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
* mb: support vendor_db as logged by newer shim versions
* mb: support EV_EFI_HANDOFF_TABLES events on PCR1
* Remove unnecessary configuration values
* cloud_verifier_tornado: handle exception in notify_error()
* requests_client: close the session at the end of the resource manager
* Manpage for keylime_tenant (#1786)
* Add 2.5 templates including Push Model changes
* Initial version of verify evidence API
* db: Do not read pool size and max overflow for sqlite
* Use context managers to close DB sessions
* revocations: Try to send notifications on shutdown
* verifier: Gracefully shutdown on signal
* Use `fork` as `multiprocessing` start method
* Fix inaccuracy in threat model and add reference to SBAT
* Explain TPM properties and expand vTPM discussion
* Fix invalid RST and update TOC
* Expand threat model page to include adversarial model
* Add --push-model option to avoid requests to agents
* templates: duplicate str_to_version() in the adjust script
* policy: fix mypy issues with rpm_repo
* revocation_notifier: fix mypy issue by replacing deprecated call
* Fix create_runtime_policy in python < 3.12
* Fix after review
* fixed CONSTANT names C0103 errors
* Extend meta_data field in verifierdb
* docs: update issue templates
* docs: add GitHub PR template with documentation reminders
* tpm_util: fix quote signature extraction for ECDSA
* registrar: Log API versions during startup
* Remove excessive logging on exception
* scripts: Fix coverage information downloading script
- Version v7.12.1:
* models: Add Base64Bytes type to read and write from the database
* Simplify response check from registrar
- Version v7.12.0:
* API: Add /version endpoint to registrar
* scripts: Download coverage data directly from Testing Farm
* docs: Add separate documentation for each API version
* scripts/create_runtime_policy.sh: fix path for the exclude list
* docs: add documentation for keylime-policy
* templates: Add the new agent.conf option 'api_versions'
* Enable autocompletion using argcomplete
* build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2
* Configure EPEL-10 repo in packit-ci.fmf
* build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1
* build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3
* build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1
* build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0
* keylime-policy: improve error handling when provided a bad key (sign)
* keylime-policy: exit with status 1 when the commands failed
* keylime-policy: use Certificate() from models.base to validate certs
* keylime-policy: check for valid cert file when using x509 backend (sign)
* keylime-policy: fix help for "keylime-policy sign" verb
* tenant: Correctly log number of tries when deleting
* update TCTI environment variable usage
* build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2
* keylime-policy: add `create measured-boot' subcommand
* keylime-policy: add `sign runtime' subcommand
* keylime-policy: add logger to use with the policy tool
* installer.sh: Restore execution permission
* installer: Fix string comparison
* build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0
* build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0
* build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0
* build(deps): bump actions/setup-python from 5.2.0 to 5.3.0
* installer.sh: updated EPEL, PEP668 Fix, logic fix
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0
* build(deps): bump actions/checkout from 4.2.1 to 4.2.2
* postgresql support for docker using psycopg2
* installer.sh: update package list, add workaround for PEP 668
* build(deps): bump actions/checkout from 4.2.0 to 4.2.1
* keylime.conf: full removal
* Drop pending SPDX-License-Identifier headers
* create_runtime_policy: Validate algorithm from IMA measurement log
* create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity
* create_runtime_policy: drop commment with test data
* create_runtime_policy: Use a common method to guess algorithm
* keylime-policy: rename tool to keylime-policy instead of keylime_policy
* keylime_policy: create runtime: remove --use-ima-measurement-list
* keylime_policy: use consistent arg names for create_runtime_policy
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3
* build(deps): bump actions/checkout from 4.1.7 to 4.2.0
* elchecking/example: workaround empty PK, KEK, db and dbx
* elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2
* create_runtime_policy: Fix log level for debug messages
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2
* build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5
* pylintrc: Ignore too-many-positional-arguments check
* keylime/web/base/controller: Move TypeAlias definition out of class
* create_runtime_policy: Calculate digests in multiple threads
* create_runtime_policy: Allow rootfs to be in any directory
* keylime_policy: Calculate digests from each source separately
* create_runtime_policy: Simplify boot_aggregate parsing
* ima: Validate JSON when loading IMA Keyring from string
* docs: include IDevID page also in the sidebar
* docs: point to installation guide from RHEL and SLE Micro
* build(deps): bump actions/setup-python from 5.1.1 to 5.2.0
* build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1
* change check_tpm_origin_check to a warning that does not prevent registration
* docs: Fix Runtime Policy JSON schema to reflect the reality
* Sets absolute path for files inside a rootfs dir
* policy/create_runtime_policy: fix handling of empty lines in exclude list
* keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)
* codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)
* codestyle: convert bytearrays to bytes to get expected type (pyright)
* codestyle: Use new variables after changing datatype (pyright)
* cert_utils: add description why loading using cryptography might fail
* ima: list names of the runtime policies
* build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0
* tox: Use python 3.10 instead of 3.6
* revocation_notifier: Use web_util to generate TLS context
* mba: Add a skip custom policies option when loading mba.
* build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* cmd/keylime_policy: add tool to handle keylime policies
* cert_utils: add is_x509_cert()
* common/algorithms: transform Encrypt and Sign class into enums
* common/algorithms: add method to calculate digest of a file
* build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0
* build(deps): bump docker/login-action from 3.2.0 to 3.3.0
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* build(deps): bump docker/login-action from 3.2.0 to 3.3.0
* build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0
* build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* build(deps): bump pre-commit/action from 3.0.0 to 3.0.1
* tpm: Replace KDFs and ECDH implementations with python-cryptography
* build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0
* build(deps): bump docker/login-action from 2.2.0 to 3.2.0
* build(deps): bump actions/setup-python from 2.3.4 to 5.1.1
* build(deps): bump actions/first-interaction
* build(deps): bump actions/checkout from 2.7.0 to 4.1.7
* revocation_notifier: Explicitly add CA certificate bundle
* Introduce new REST API framework and refactor registrar implementation
* mba: Support named measured boot policies
* tenant: add friendlier error message if mTLS CA is wrongly configured
* ca_impl_openssl: Mark extensions as critical following RFC 5280
* Include Authority Key Identifier in KL-generated certs
* verifier, tenant: make payload for agent completely optional
Patchnames
openSUSE-Leap-16.0-104
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for keylime",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for keylime fixes the following issues:\n\nUpdate to version 7.13.0+40.\n\nSecurity issues fixed:\n\n- CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate\n UUIDs (bsc#1254199).\n- CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).\n\nOther issues fixed and changes:\n\n- Version 7.13.0+40:\n * Include new attestation information fields (#1818)\n * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)\n * push-model: require HTTPS for authentication and attestation endpoints\n * Fix operational_state tracking in push mode attestations\n * templates: add push model authentication config options to 2.5 templates\n * Security: Hash authentication tokens in logs\n * Fix stale IMA policy cache in verification\n * Fix authentication behavior on failed attestations for push mode\n * Add shared memory infrastructure for multiprocess communication\n * Add agent authentication (challenge/response) protocol for push mode\n * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)\n * docs: Fix man page RST formatting for rst2man compatibility (#1813)\n * Apply limit on keylime-policy workers\n * tpm: fix ECC signature parsing to support variable-length coordinates\n * tpm: fix ECC P-521 credential activation with consistent marshaling\n * tpm: fix ECC P-521 coordinate validation\n * Remove deprecated disabled_signing_algorithms configuration option (#1804)\n * algorithms: add support for specific RSA algorithms\n * algorithms: add support for specific ECC curve algorithms\n * Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent\n * Manpage for keylime agent\n * Manpage for keylime verifier\n * Manpage for keylime registrar\n * Use constants for timeout and max retries defaults\n * verifier: Use timeout from `request_timeout` config option\n * 
revocation_notifier: Use timeout setting from config file\n * tenant: Set timeout when getting version from agent\n * verify/evidence: SEV-SNP evidence type/verifier\n * verify/evidence: Add evidence type to request JSON\n\n- Version v7.13.0:\n * Avoid re-encoding certificate stored in DB\n * Revert \"models: Do not re-encode certificate stored in DB\"\n * Revert \"registrar_agent: Use pyasn1 to parse PEM\"\n * policy/sign: use print() when writing to /dev/stdout\n * registrar_agent: Use pyasn1 to parse PEM\n * models: Do not re-encode certificate stored in DB\n * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events\n * mb: support vendor_db as logged by newer shim versions\n * mb: support EV_EFI_HANDOFF_TABLES events on PCR1\n * Remove unnecessary configuration values\n * cloud_verifier_tornado: handle exception in notify_error()\n * requests_client: close the session at the end of the resource manager\n * Manpage for keylime_tenant (#1786)\n * Add 2.5 templates including Push Model changes\n * Initial version of verify evidence API\n * db: Do not read pool size and max overflow for sqlite\n * Use context managers to close DB sessions\n * revocations: Try to send notifications on shutdown\n * verifier: Gracefully shutdown on signal\n * Use `fork` as `multiprocessing` start method\n * Fix inaccuracy in threat model and add reference to SBAT\n * Explain TPM properties and expand vTPM discussion\n * Fix invalid RST and update TOC\n * Expand threat model page to include adversarial model\n * Add --push-model option to avoid requests to agents\n * templates: duplicate str_to_version() in the adjust script\n * policy: fix mypy issues with rpm_repo\n * revocation_notifier: fix mypy issue by replacing deprecated call\n * Fix create_runtime_policy in python \u003c 3.12\n * Fix after review\n * fixed CONSTANT names C0103 errors\n * Extend meta_data field in verifierdb\n * docs: update issue templates\n * docs: add GitHub PR template with documentation reminders\n * 
tpm_util: fix quote signature extraction for ECDSA\n * registrar: Log API versions during startup\n * Remove excessive logging on exception\n * scripts: Fix coverage information downloading script\n\n- Version v7.12.1:\n * models: Add Base64Bytes type to read and write from the database\n * Simplify response check from registrar\n\n- Version v7.12.0:\n * API: Add /version endpoint to registrar\n * scripts: Download coverage data directly from Testing Farm\n * docs: Add separate documentation for each API version\n * scripts/create_runtime_policy.sh: fix path for the exclude list\n * docs: add documentation for keylime-policy\n * templates: Add the new agent.conf option \u0027api_versions\u0027\n * Enable autocompletion using argcomplete\n * build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2\n * Configure EPEL-10 repo in packit-ci.fmf\n * build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1\n * build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3\n * build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1\n * build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0\n * keylime-policy: improve error handling when provided a bad key (sign)\n * keylime-policy: exit with status 1 when the commands failed\n * keylime-policy: use Certificate() from models.base to validate certs\n * keylime-policy: check for valid cert file when using x509 backend (sign)\n * keylime-policy: fix help for \"keylime-policy sign\" verb\n * tenant: Correctly log number of tries when deleting\n * update TCTI environment variable usage\n * build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2\n * keylime-policy: add `create measured-boot\u0027 subcommand\n * keylime-policy: add `sign runtime\u0027 subcommand\n * keylime-policy: add logger to use with the policy tool\n * installer.sh: Restore execution permission\n * installer: Fix string comparison\n * build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0\n * build(deps): bump 
codecov/codecov-action from 4.5.0 to 4.6.0\n * build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0\n * build(deps): bump actions/setup-python from 5.2.0 to 5.3.0\n * installer.sh: updated EPEL, PEP668 Fix, logic fix\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0\n * build(deps): bump actions/checkout from 4.2.1 to 4.2.2\n * postgresql support for docker using psycopg2\n * installer.sh: update package list, add workaround for PEP 668\n * build(deps): bump actions/checkout from 4.2.0 to 4.2.1\n * keylime.conf: full removal\n * Drop pending SPDX-License-Identifier headers\n * create_runtime_policy: Validate algorithm from IMA measurement log\n * create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity\n * create_runtime_policy: drop commment with test data\n * create_runtime_policy: Use a common method to guess algorithm\n * keylime-policy: rename tool to keylime-policy instead of keylime_policy\n * keylime_policy: create runtime: remove --use-ima-measurement-list\n * keylime_policy: use consistent arg names for create_runtime_policy\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3\n * build(deps): bump actions/checkout from 4.1.7 to 4.2.0\n * elchecking/example: workaround empty PK, KEK, db and dbx\n * elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2\n * create_runtime_policy: Fix log level for debug messages\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2\n * build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5\n * pylintrc: Ignore too-many-positional-arguments check\n * keylime/web/base/controller: Move TypeAlias definition out of class\n * create_runtime_policy: Calculate digests in multiple threads\n * create_runtime_policy: Allow rootfs to be in any directory\n * keylime_policy: Calculate digests from each source separately\n * create_runtime_policy: Simplify boot_aggregate parsing\n * ima: Validate JSON when loading IMA Keyring from string\n 
* docs: include IDevID page also in the sidebar\n * docs: point to installation guide from RHEL and SLE Micro\n * build(deps): bump actions/setup-python from 5.1.1 to 5.2.0\n * build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1\n * change check_tpm_origin_check to a warning that does not prevent registration\n * docs: Fix Runtime Policy JSON schema to reflect the reality\n * Sets absolute path for files inside a rootfs dir\n * policy/create_runtime_policy: fix handling of empty lines in exclude list\n * keylime_policy: setting \u0027log_hash_alg\u0027 to \u0027sha1\u0027 (template-hash algo)\n * codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)\n * codestyle: convert bytearrays to bytes to get expected type (pyright)\n * codestyle: Use new variables after changing datatype (pyright)\n * cert_utils: add description why loading using cryptography might fail\n * ima: list names of the runtime policies\n * build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0\n * tox: Use python 3.10 instead of 3.6\n * revocation_notifier: Use web_util to generate TLS context\n * mba: Add a skip custom policies option when loading mba.\n * build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * cmd/keylime_policy: add tool to handle keylime policies\n * cert_utils: add is_x509_cert()\n * common/algorithms: transform Encrypt and Sign class into enums\n * common/algorithms: add method to calculate digest of a file\n * build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0\n * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n * build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0\n * build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * 
build(deps): bump pre-commit/action from 3.0.0 to 3.0.1\n * tpm: Replace KDFs and ECDH implementations with python-cryptography\n * build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0\n * build(deps): bump docker/login-action from 2.2.0 to 3.2.0\n * build(deps): bump actions/setup-python from 2.3.4 to 5.1.1\n * build(deps): bump actions/first-interaction\n * build(deps): bump actions/checkout from 2.7.0 to 4.1.7\n * revocation_notifier: Explicitly add CA certificate bundle\n * Introduce new REST API framework and refactor registrar implementation\n * mba: Support named measured boot policies\n * tenant: add friendlier error message if mTLS CA is wrongly configured\n * ca_impl_openssl: Mark extensions as critical following RFC 5280\n * Include Authority Key Identifier in KL-generated certs\n * verifier, tenant: make payload for agent completely optional\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-104",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_20159-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1237153",
"url": "https://bugzilla.suse.com/1237153"
},
{
"category": "self",
"summary": "SUSE Bug 1254199",
"url": "https://bugzilla.suse.com/1254199"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1057 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1057/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13609 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13609/"
}
],
"title": "Security update for keylime",
"tracking": {
"current_release_date": "2025-12-12T09:46:01Z",
"generator": {
"date": "2025-12-12T09:46:01Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:20159-1",
"initial_release_date": "2025-12-12T09:46:01Z",
"revision_history": [
{
"date": "2025-12-12T09:46:01Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-config-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-firewalld-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-logrotate-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-registrar-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-tenant-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-verifier-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"product_id": "python313-keylime-7.13.0+40-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-config-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-1057",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1057"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1057",
"url": "https://www.suse.com/security/cve/CVE-2025-1057"
},
{
"category": "external",
"summary": "SUSE Bug 1237153 for CVE-2025-1057",
"url": "https://bugzilla.suse.com/1237153"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T09:46:01Z",
"details": "moderate"
}
],
"title": "CVE-2025-1057"
},
{
"cve": "CVE-2025-13609",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13609"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent\u0027s unique identifier (UUID). This action overwrites the legitimate agent\u0027s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13609",
"url": "https://www.suse.com/security/cve/CVE-2025-13609"
},
{
"category": "external",
"summary": "SUSE Bug 1254199 for CVE-2025-13609",
"url": "https://bugzilla.suse.com/1254199"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T09:46:01Z",
"details": "critical"
}
],
"title": "CVE-2025-13609"
}
]
}
opensuse-su-2025-20159-1
Vulnerability from csaf_opensuse
Published
2025-12-12 09:46
Modified
2025-12-12 09:46
Summary
Security update for keylime
Notes
Title of the patch
Security update for keylime
Description of the patch
This update for keylime fixes the following issues:
Update to version 7.13.0+40.
Security issues fixed:
- CVE-2025-13609: possible agent identity takeover due to the registrar allowing the registration of agents with duplicate UUIDs (bsc#1254199).
- CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).
Other issues fixed and changes:
- Version 7.13.0+40:
* Include new attestation information fields (#1818)
* Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)
* push-model: require HTTPS for authentication and attestation endpoints
* Fix operational_state tracking in push mode attestations
* templates: add push model authentication config options to 2.5 templates
* Security: Hash authentication tokens in logs
* Fix stale IMA policy cache in verification
* Fix authentication behavior on failed attestations for push mode
* Add shared memory infrastructure for multiprocess communication
* Add agent authentication (challenge/response) protocol for push mode
* Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)
* docs: Fix man page RST formatting for rst2man compatibility (#1813)
* Apply limit on keylime-policy workers
* tpm: fix ECC signature parsing to support variable-length coordinates
* tpm: fix ECC P-521 credential activation with consistent marshaling
* tpm: fix ECC P-521 coordinate validation
* Remove deprecated disabled_signing_algorithms configuration option (#1804)
* algorithms: add support for specific RSA algorithms
* algorithms: add support for specific ECC curve algorithms
* Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent
* Manpage for keylime agent
* Manpage for keylime verifier
* Manpage for keylime registrar
* Use constants for timeout and max retries defaults
* verifier: Use timeout from `request_timeout` config option
* revocation_notifier: Use timeout setting from config file
* tenant: Set timeout when getting version from agent
* verify/evidence: SEV-SNP evidence type/verifier
* verify/evidence: Add evidence type to request JSON
- Version v7.13.0:
* Avoid re-encoding certificate stored in DB
* Revert "models: Do not re-encode certificate stored in DB"
* Revert "registrar_agent: Use pyasn1 to parse PEM"
* policy/sign: use print() when writing to /dev/stdout
* registrar_agent: Use pyasn1 to parse PEM
* models: Do not re-encode certificate stored in DB
* mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
* mb: support vendor_db as logged by newer shim versions
* mb: support EV_EFI_HANDOFF_TABLES events on PCR1
* Remove unnecessary configuration values
* cloud_verifier_tornado: handle exception in notify_error()
* requests_client: close the session at the end of the resource manager
* Manpage for keylime_tenant (#1786)
* Add 2.5 templates including Push Model changes
* Initial version of verify evidence API
* db: Do not read pool size and max overflow for sqlite
* Use context managers to close DB sessions
* revocations: Try to send notifications on shutdown
* verifier: Gracefully shutdown on signal
* Use `fork` as `multiprocessing` start method
* Fix inaccuracy in threat model and add reference to SBAT
* Explain TPM properties and expand vTPM discussion
* Fix invalid RST and update TOC
* Expand threat model page to include adversarial model
* Add --push-model option to avoid requests to agents
* templates: duplicate str_to_version() in the adjust script
* policy: fix mypy issues with rpm_repo
* revocation_notifier: fix mypy issue by replacing deprecated call
* Fix create_runtime_policy in python < 3.12
* Fix after review
* fixed CONSTANT names C0103 errors
* Extend meta_data field in verifierdb
* docs: update issue templates
* docs: add GitHub PR template with documentation reminders
* tpm_util: fix quote signature extraction for ECDSA
* registrar: Log API versions during startup
* Remove excessive logging on exception
* scripts: Fix coverage information downloading script
- Version v7.12.1:
* models: Add Base64Bytes type to read and write from the database
* Simplify response check from registrar
- Version v7.12.0:
* API: Add /version endpoint to registrar
* scripts: Download coverage data directly from Testing Farm
* docs: Add separate documentation for each API version
* scripts/create_runtime_policy.sh: fix path for the exclude list
* docs: add documentation for keylime-policy
* templates: Add the new agent.conf option 'api_versions'
* Enable autocompletion using argcomplete
* build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2
* Configure EPEL-10 repo in packit-ci.fmf
* build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1
* build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3
* build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1
* build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0
* keylime-policy: improve error handling when provided a bad key (sign)
* keylime-policy: exit with status 1 when the commands failed
* keylime-policy: use Certificate() from models.base to validate certs
* keylime-policy: check for valid cert file when using x509 backend (sign)
* keylime-policy: fix help for "keylime-policy sign" verb
* tenant: Correctly log number of tries when deleting
* update TCTI environment variable usage
* build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2
* keylime-policy: add `create measured-boot' subcommand
* keylime-policy: add `sign runtime' subcommand
* keylime-policy: add logger to use with the policy tool
* installer.sh: Restore execution permission
* installer: Fix string comparison
* build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0
* build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0
* build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0
* build(deps): bump actions/setup-python from 5.2.0 to 5.3.0
* installer.sh: updated EPEL, PEP668 Fix, logic fix
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0
* build(deps): bump actions/checkout from 4.2.1 to 4.2.2
* postgresql support for docker using psycopg2
* installer.sh: update package list, add workaround for PEP 668
* build(deps): bump actions/checkout from 4.2.0 to 4.2.1
* keylime.conf: full removal
* Drop pending SPDX-License-Identifier headers
* create_runtime_policy: Validate algorithm from IMA measurement log
* create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity
* create_runtime_policy: drop commment with test data
* create_runtime_policy: Use a common method to guess algorithm
* keylime-policy: rename tool to keylime-policy instead of keylime_policy
* keylime_policy: create runtime: remove --use-ima-measurement-list
* keylime_policy: use consistent arg names for create_runtime_policy
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3
* build(deps): bump actions/checkout from 4.1.7 to 4.2.0
* elchecking/example: workaround empty PK, KEK, db and dbx
* elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2
* create_runtime_policy: Fix log level for debug messages
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2
* build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5
* pylintrc: Ignore too-many-positional-arguments check
* keylime/web/base/controller: Move TypeAlias definition out of class
* create_runtime_policy: Calculate digests in multiple threads
* create_runtime_policy: Allow rootfs to be in any directory
* keylime_policy: Calculate digests from each source separately
* create_runtime_policy: Simplify boot_aggregate parsing
* ima: Validate JSON when loading IMA Keyring from string
* docs: include IDevID page also in the sidebar
* docs: point to installation guide from RHEL and SLE Micro
* build(deps): bump actions/setup-python from 5.1.1 to 5.2.0
* build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1
* change check_tpm_origin_check to a warning that does not prevent registration
* docs: Fix Runtime Policy JSON schema to reflect the reality
* Sets absolute path for files inside a rootfs dir
* policy/create_runtime_policy: fix handling of empty lines in exclude list
* keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)
* codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)
* codestyle: convert bytearrays to bytes to get expected type (pyright)
* codestyle: Use new variables after changing datatype (pyright)
* cert_utils: add description why loading using cryptography might fail
* ima: list names of the runtime policies
* build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0
* tox: Use python 3.10 instead of 3.6
* revocation_notifier: Use web_util to generate TLS context
* mba: Add a skip custom policies option when loading mba.
* build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* cmd/keylime_policy: add tool to handle keylime policies
* cert_utils: add is_x509_cert()
* common/algorithms: transform Encrypt and Sign class into enums
* common/algorithms: add method to calculate digest of a file
* build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0
* build(deps): bump docker/login-action from 3.2.0 to 3.3.0
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* build(deps): bump docker/login-action from 3.2.0 to 3.3.0
* build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0
* build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* build(deps): bump pre-commit/action from 3.0.0 to 3.0.1
* tpm: Replace KDFs and ECDH implementations with python-cryptography
* build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0
* build(deps): bump docker/login-action from 2.2.0 to 3.2.0
* build(deps): bump actions/setup-python from 2.3.4 to 5.1.1
* build(deps): bump actions/first-interaction
* build(deps): bump actions/checkout from 2.7.0 to 4.1.7
* revocation_notifier: Explicitly add CA certificate bundle
* Introduce new REST API framework and refactor registrar implementation
* mba: Support named measured boot policies
* tenant: add friendlier error message if mTLS CA is wrongly configured
* ca_impl_openssl: Mark extensions as critical following RFC 5280
* Include Authority Key Identifier in KL-generated certs
* verifier, tenant: make payload for agent completely optional
Patchnames
openSUSE-Leap-16.0-104
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for keylime",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for keylime fixes the following issues:\n\nUpdate to version 7.13.0+40.\n\nSecurity issues fixed:\n\n- CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate\n UUIDs (bsc#1254199).\n- CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).\n\nOther issues fixed and changes:\n\n- Version 7.13.0+40:\n * Include new attestation information fields (#1818)\n * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)\n * push-model: require HTTPS for authentication and attestation endpoints\n * Fix operational_state tracking in push mode attestations\n * templates: add push model authentication config options to 2.5 templates\n * Security: Hash authentication tokens in logs\n * Fix stale IMA policy cache in verification\n * Fix authentication behavior on failed attestations for push mode\n * Add shared memory infrastructure for multiprocess communication\n * Add agent authentication (challenge/response) protocol for push mode\n * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)\n * docs: Fix man page RST formatting for rst2man compatibility (#1813)\n * Apply limit on keylime-policy workers\n * tpm: fix ECC signature parsing to support variable-length coordinates\n * tpm: fix ECC P-521 credential activation with consistent marshaling\n * tpm: fix ECC P-521 coordinate validation\n * Remove deprecated disabled_signing_algorithms configuration option (#1804)\n * algorithms: add support for specific RSA algorithms\n * algorithms: add support for specific ECC curve algorithms\n * Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent\n * Manpage for keylime agent\n * Manpage for keylime verifier\n * Manpage for keylime registrar\n * Use constants for timeout and max retries defaults\n * verifier: Use timeout from `request_timeout` config option\n * 
revocation_notifier: Use timeout setting from config file\n * tenant: Set timeout when getting version from agent\n * verify/evidence: SEV-SNP evidence type/verifier\n * verify/evidence: Add evidence type to request JSON\n\n- Version v7.13.0:\n * Avoid re-encoding certificate stored in DB\n * Revert \"models: Do not re-encode certificate stored in DB\"\n * Revert \"registrar_agent: Use pyasn1 to parse PEM\"\n * policy/sign: use print() when writing to /dev/stdout\n * registrar_agent: Use pyasn1 to parse PEM\n * models: Do not re-encode certificate stored in DB\n * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events\n * mb: support vendor_db as logged by newer shim versions\n * mb: support EV_EFI_HANDOFF_TABLES events on PCR1\n * Remove unnecessary configuration values\n * cloud_verifier_tornado: handle exception in notify_error()\n * requests_client: close the session at the end of the resource manager\n * Manpage for keylime_tenant (#1786)\n * Add 2.5 templates including Push Model changes\n * Initial version of verify evidence API\n * db: Do not read pool size and max overflow for sqlite\n * Use context managers to close DB sessions\n * revocations: Try to send notifications on shutdown\n * verifier: Gracefully shutdown on signal\n * Use `fork` as `multiprocessing` start method\n * Fix inaccuracy in threat model and add reference to SBAT\n * Explain TPM properties and expand vTPM discussion\n * Fix invalid RST and update TOC\n * Expand threat model page to include adversarial model\n * Add --push-model option to avoid requests to agents\n * templates: duplicate str_to_version() in the adjust script\n * policy: fix mypy issues with rpm_repo\n * revocation_notifier: fix mypy issue by replacing deprecated call\n * Fix create_runtime_policy in python \u003c 3.12\n * Fix after review\n * fixed CONSTANT names C0103 errors\n * Extend meta_data field in verifierdb\n * docs: update issue templates\n * docs: add GitHub PR template with documentation reminders\n * 
tpm_util: fix quote signature extraction for ECDSA\n * registrar: Log API versions during startup\n * Remove excessive logging on exception\n * scripts: Fix coverage information downloading script\n\n- Version v7.12.1:\n * models: Add Base64Bytes type to read and write from the database\n * Simplify response check from registrar\n\n- Version v7.12.0:\n * API: Add /version endpoint to registrar\n * scripts: Download coverage data directly from Testing Farm\n * docs: Add separate documentation for each API version\n * scripts/create_runtime_policy.sh: fix path for the exclude list\n * docs: add documentation for keylime-policy\n * templates: Add the new agent.conf option \u0027api_versions\u0027\n * Enable autocompletion using argcomplete\n * build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2\n * Configure EPEL-10 repo in packit-ci.fmf\n * build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1\n * build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3\n * build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1\n * build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0\n * keylime-policy: improve error handling when provided a bad key (sign)\n * keylime-policy: exit with status 1 when the commands failed\n * keylime-policy: use Certificate() from models.base to validate certs\n * keylime-policy: check for valid cert file when using x509 backend (sign)\n * keylime-policy: fix help for \"keylime-policy sign\" verb\n * tenant: Correctly log number of tries when deleting\n * update TCTI environment variable usage\n * build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2\n * keylime-policy: add `create measured-boot\u0027 subcommand\n * keylime-policy: add `sign runtime\u0027 subcommand\n * keylime-policy: add logger to use with the policy tool\n * installer.sh: Restore execution permission\n * installer: Fix string comparison\n * build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0\n * build(deps): bump 
codecov/codecov-action from 4.5.0 to 4.6.0\n * build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0\n * build(deps): bump actions/setup-python from 5.2.0 to 5.3.0\n * installer.sh: updated EPEL, PEP668 Fix, logic fix\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0\n * build(deps): bump actions/checkout from 4.2.1 to 4.2.2\n * postgresql support for docker using psycopg2\n * installer.sh: update package list, add workaround for PEP 668\n * build(deps): bump actions/checkout from 4.2.0 to 4.2.1\n * keylime.conf: full removal\n * Drop pending SPDX-License-Identifier headers\n * create_runtime_policy: Validate algorithm from IMA measurement log\n * create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity\n * create_runtime_policy: drop commment with test data\n * create_runtime_policy: Use a common method to guess algorithm\n * keylime-policy: rename tool to keylime-policy instead of keylime_policy\n * keylime_policy: create runtime: remove --use-ima-measurement-list\n * keylime_policy: use consistent arg names for create_runtime_policy\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3\n * build(deps): bump actions/checkout from 4.1.7 to 4.2.0\n * elchecking/example: workaround empty PK, KEK, db and dbx\n * elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2\n * create_runtime_policy: Fix log level for debug messages\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2\n * build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5\n * pylintrc: Ignore too-many-positional-arguments check\n * keylime/web/base/controller: Move TypeAlias definition out of class\n * create_runtime_policy: Calculate digests in multiple threads\n * create_runtime_policy: Allow rootfs to be in any directory\n * keylime_policy: Calculate digests from each source separately\n * create_runtime_policy: Simplify boot_aggregate parsing\n * ima: Validate JSON when loading IMA Keyring from string\n 
* docs: include IDevID page also in the sidebar\n * docs: point to installation guide from RHEL and SLE Micro\n * build(deps): bump actions/setup-python from 5.1.1 to 5.2.0\n * build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1\n * change check_tpm_origin_check to a warning that does not prevent registration\n * docs: Fix Runtime Policy JSON schema to reflect the reality\n * Sets absolute path for files inside a rootfs dir\n * policy/create_runtime_policy: fix handling of empty lines in exclude list\n * keylime_policy: setting \u0027log_hash_alg\u0027 to \u0027sha1\u0027 (template-hash algo)\n * codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)\n * codestyle: convert bytearrays to bytes to get expected type (pyright)\n * codestyle: Use new variables after changing datatype (pyright)\n * cert_utils: add description why loading using cryptography might fail\n * ima: list names of the runtime policies\n * build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0\n * tox: Use python 3.10 instead of 3.6\n * revocation_notifier: Use web_util to generate TLS context\n * mba: Add a skip custom policies option when loading mba.\n * build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * cmd/keylime_policy: add tool to handle keylime policies\n * cert_utils: add is_x509_cert()\n * common/algorithms: transform Encrypt and Sign class into enums\n * common/algorithms: add method to calculate digest of a file\n * build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0\n * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n * build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0\n * build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * 
build(deps): bump pre-commit/action from 3.0.0 to 3.0.1\n * tpm: Replace KDFs and ECDH implementations with python-cryptography\n * build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0\n * build(deps): bump docker/login-action from 2.2.0 to 3.2.0\n * build(deps): bump actions/setup-python from 2.3.4 to 5.1.1\n * build(deps): bump actions/first-interaction\n * build(deps): bump actions/checkout from 2.7.0 to 4.1.7\n * revocation_notifier: Explicitly add CA certificate bundle\n * Introduce new REST API framework and refactor registrar implementation\n * mba: Support named measured boot policies\n * tenant: add friendlier error message if mTLS CA is wrongly configured\n * ca_impl_openssl: Mark extensions as critical following RFC 5280\n * Include Authority Key Identifier in KL-generated certs\n * verifier, tenant: make payload for agent completely optional\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-104",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025-20159-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1237153",
"url": "https://bugzilla.suse.com/1237153"
},
{
"category": "self",
"summary": "SUSE Bug 1254199",
"url": "https://bugzilla.suse.com/1254199"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1057 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1057/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13609 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13609/"
}
],
"title": "Security update for keylime",
"tracking": {
"current_release_date": "2025-12-12T09:46:01Z",
"generator": {
"date": "2025-12-12T09:46:01Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025-20159-1",
"initial_release_date": "2025-12-12T09:46:01Z",
"revision_history": [
{
"date": "2025-12-12T09:46:01Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-config-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-firewalld-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-logrotate-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-registrar-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-tenant-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-verifier-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"product_id": "python313-keylime-7.13.0+40-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-config-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-1057",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1057"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1057",
"url": "https://www.suse.com/security/cve/CVE-2025-1057"
},
{
"category": "external",
"summary": "SUSE Bug 1237153 for CVE-2025-1057",
"url": "https://bugzilla.suse.com/1237153"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T09:46:01Z",
"details": "moderate"
}
],
"title": "CVE-2025-1057"
},
{
"cve": "CVE-2025-13609",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13609"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent\u0027s unique identifier (UUID). This action overwrites the legitimate agent\u0027s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13609",
"url": "https://www.suse.com/security/cve/CVE-2025-13609"
},
{
"category": "external",
"summary": "SUSE Bug 1254199 for CVE-2025-13609",
"url": "https://bugzilla.suse.com/1254199"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"openSUSE Leap 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T09:46:01Z",
"details": "critical"
}
],
"title": "CVE-2025-13609"
}
]
}
opensuse-su-2025:15811-1
Vulnerability from csaf_opensuse
Published
2025-12-10 00:00
Modified
2025-12-10 00:00
Summary
keylime-config-7.13.0+40-1.1 on GA media
Notes
Title of the patch
keylime-config-7.13.0+40-1.1 on GA media
Description of the patch
These are all security issues fixed in the keylime-config-7.13.0+40-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15811
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "keylime-config-7.13.0+40-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the keylime-config-7.13.0+40-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15811",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15811-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13609 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13609/"
}
],
"title": "keylime-config-7.13.0+40-1.1 on GA media",
"tracking": {
"current_release_date": "2025-12-10T00:00:00Z",
"generator": {
"date": "2025-12-10T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15811-1",
"initial_release_date": "2025-12-10T00:00:00Z",
"revision_history": [
{
"date": "2025-12-10T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.13.0+40-1.1.aarch64",
"product": {
"name": "keylime-config-7.13.0+40-1.1.aarch64",
"product_id": "keylime-config-7.13.0+40-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.13.0+40-1.1.aarch64",
"product": {
"name": "keylime-firewalld-7.13.0+40-1.1.aarch64",
"product_id": "keylime-firewalld-7.13.0+40-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.13.0+40-1.1.aarch64",
"product": {
"name": "keylime-logrotate-7.13.0+40-1.1.aarch64",
"product_id": "keylime-logrotate-7.13.0+40-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.13.0+40-1.1.aarch64",
"product": {
"name": "keylime-registrar-7.13.0+40-1.1.aarch64",
"product_id": "keylime-registrar-7.13.0+40-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.13.0+40-1.1.aarch64",
"product": {
"name": "keylime-tenant-7.13.0+40-1.1.aarch64",
"product_id": "keylime-tenant-7.13.0+40-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.13.0+40-1.1.aarch64",
"product": {
"name": "keylime-tpm_cert_store-7.13.0+40-1.1.aarch64",
"product_id": "keylime-tpm_cert_store-7.13.0+40-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.13.0+40-1.1.aarch64",
"product": {
"name": "keylime-verifier-7.13.0+40-1.1.aarch64",
"product_id": "keylime-verifier-7.13.0+40-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-keylime-7.13.0+40-1.1.aarch64",
"product": {
"name": "python311-keylime-7.13.0+40-1.1.aarch64",
"product_id": "python311-keylime-7.13.0+40-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python312-keylime-7.13.0+40-1.1.aarch64",
"product": {
"name": "python312-keylime-7.13.0+40-1.1.aarch64",
"product_id": "python312-keylime-7.13.0+40-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.13.0+40-1.1.aarch64",
"product": {
"name": "python313-keylime-7.13.0+40-1.1.aarch64",
"product_id": "python313-keylime-7.13.0+40-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.13.0+40-1.1.ppc64le",
"product": {
"name": "keylime-config-7.13.0+40-1.1.ppc64le",
"product_id": "keylime-config-7.13.0+40-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.13.0+40-1.1.ppc64le",
"product": {
"name": "keylime-firewalld-7.13.0+40-1.1.ppc64le",
"product_id": "keylime-firewalld-7.13.0+40-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.13.0+40-1.1.ppc64le",
"product": {
"name": "keylime-logrotate-7.13.0+40-1.1.ppc64le",
"product_id": "keylime-logrotate-7.13.0+40-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.13.0+40-1.1.ppc64le",
"product": {
"name": "keylime-registrar-7.13.0+40-1.1.ppc64le",
"product_id": "keylime-registrar-7.13.0+40-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.13.0+40-1.1.ppc64le",
"product": {
"name": "keylime-tenant-7.13.0+40-1.1.ppc64le",
"product_id": "keylime-tenant-7.13.0+40-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.13.0+40-1.1.ppc64le",
"product": {
"name": "keylime-tpm_cert_store-7.13.0+40-1.1.ppc64le",
"product_id": "keylime-tpm_cert_store-7.13.0+40-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.13.0+40-1.1.ppc64le",
"product": {
"name": "keylime-verifier-7.13.0+40-1.1.ppc64le",
"product_id": "keylime-verifier-7.13.0+40-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-keylime-7.13.0+40-1.1.ppc64le",
"product": {
"name": "python311-keylime-7.13.0+40-1.1.ppc64le",
"product_id": "python311-keylime-7.13.0+40-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python312-keylime-7.13.0+40-1.1.ppc64le",
"product": {
"name": "python312-keylime-7.13.0+40-1.1.ppc64le",
"product_id": "python312-keylime-7.13.0+40-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.13.0+40-1.1.ppc64le",
"product": {
"name": "python313-keylime-7.13.0+40-1.1.ppc64le",
"product_id": "python313-keylime-7.13.0+40-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.13.0+40-1.1.s390x",
"product": {
"name": "keylime-config-7.13.0+40-1.1.s390x",
"product_id": "keylime-config-7.13.0+40-1.1.s390x"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.13.0+40-1.1.s390x",
"product": {
"name": "keylime-firewalld-7.13.0+40-1.1.s390x",
"product_id": "keylime-firewalld-7.13.0+40-1.1.s390x"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.13.0+40-1.1.s390x",
"product": {
"name": "keylime-logrotate-7.13.0+40-1.1.s390x",
"product_id": "keylime-logrotate-7.13.0+40-1.1.s390x"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.13.0+40-1.1.s390x",
"product": {
"name": "keylime-registrar-7.13.0+40-1.1.s390x",
"product_id": "keylime-registrar-7.13.0+40-1.1.s390x"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.13.0+40-1.1.s390x",
"product": {
"name": "keylime-tenant-7.13.0+40-1.1.s390x",
"product_id": "keylime-tenant-7.13.0+40-1.1.s390x"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.13.0+40-1.1.s390x",
"product": {
"name": "keylime-tpm_cert_store-7.13.0+40-1.1.s390x",
"product_id": "keylime-tpm_cert_store-7.13.0+40-1.1.s390x"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.13.0+40-1.1.s390x",
"product": {
"name": "keylime-verifier-7.13.0+40-1.1.s390x",
"product_id": "keylime-verifier-7.13.0+40-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-keylime-7.13.0+40-1.1.s390x",
"product": {
"name": "python311-keylime-7.13.0+40-1.1.s390x",
"product_id": "python311-keylime-7.13.0+40-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python312-keylime-7.13.0+40-1.1.s390x",
"product": {
"name": "python312-keylime-7.13.0+40-1.1.s390x",
"product_id": "python312-keylime-7.13.0+40-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.13.0+40-1.1.s390x",
"product": {
"name": "python313-keylime-7.13.0+40-1.1.s390x",
"product_id": "python313-keylime-7.13.0+40-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.13.0+40-1.1.x86_64",
"product": {
"name": "keylime-config-7.13.0+40-1.1.x86_64",
"product_id": "keylime-config-7.13.0+40-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.13.0+40-1.1.x86_64",
"product": {
"name": "keylime-firewalld-7.13.0+40-1.1.x86_64",
"product_id": "keylime-firewalld-7.13.0+40-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.13.0+40-1.1.x86_64",
"product": {
"name": "keylime-logrotate-7.13.0+40-1.1.x86_64",
"product_id": "keylime-logrotate-7.13.0+40-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.13.0+40-1.1.x86_64",
"product": {
"name": "keylime-registrar-7.13.0+40-1.1.x86_64",
"product_id": "keylime-registrar-7.13.0+40-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.13.0+40-1.1.x86_64",
"product": {
"name": "keylime-tenant-7.13.0+40-1.1.x86_64",
"product_id": "keylime-tenant-7.13.0+40-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.13.0+40-1.1.x86_64",
"product": {
"name": "keylime-tpm_cert_store-7.13.0+40-1.1.x86_64",
"product_id": "keylime-tpm_cert_store-7.13.0+40-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.13.0+40-1.1.x86_64",
"product": {
"name": "keylime-verifier-7.13.0+40-1.1.x86_64",
"product_id": "keylime-verifier-7.13.0+40-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-keylime-7.13.0+40-1.1.x86_64",
"product": {
"name": "python311-keylime-7.13.0+40-1.1.x86_64",
"product_id": "python311-keylime-7.13.0+40-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python312-keylime-7.13.0+40-1.1.x86_64",
"product": {
"name": "python312-keylime-7.13.0+40-1.1.x86_64",
"product_id": "python312-keylime-7.13.0+40-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.13.0+40-1.1.x86_64",
"product": {
"name": "python313-keylime-7.13.0+40-1.1.x86_64",
"product_id": "python313-keylime-7.13.0+40-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.13.0+40-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.aarch64"
},
"product_reference": "keylime-config-7.13.0+40-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.13.0+40-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.ppc64le"
},
"product_reference": "keylime-config-7.13.0+40-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.13.0+40-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.s390x"
},
"product_reference": "keylime-config-7.13.0+40-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.13.0+40-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.x86_64"
},
"product_reference": "keylime-config-7.13.0+40-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.13.0+40-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.aarch64"
},
"product_reference": "keylime-firewalld-7.13.0+40-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.13.0+40-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.ppc64le"
},
"product_reference": "keylime-firewalld-7.13.0+40-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.13.0+40-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.s390x"
},
"product_reference": "keylime-firewalld-7.13.0+40-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.13.0+40-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.x86_64"
},
"product_reference": "keylime-firewalld-7.13.0+40-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.13.0+40-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.aarch64"
},
"product_reference": "keylime-logrotate-7.13.0+40-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.13.0+40-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.ppc64le"
},
"product_reference": "keylime-logrotate-7.13.0+40-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.13.0+40-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.s390x"
},
"product_reference": "keylime-logrotate-7.13.0+40-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.13.0+40-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.x86_64"
},
"product_reference": "keylime-logrotate-7.13.0+40-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.13.0+40-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.aarch64"
},
"product_reference": "keylime-registrar-7.13.0+40-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.13.0+40-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.ppc64le"
},
"product_reference": "keylime-registrar-7.13.0+40-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.13.0+40-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.s390x"
},
"product_reference": "keylime-registrar-7.13.0+40-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.13.0+40-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.x86_64"
},
"product_reference": "keylime-registrar-7.13.0+40-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.13.0+40-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.aarch64"
},
"product_reference": "keylime-tenant-7.13.0+40-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.13.0+40-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.ppc64le"
},
"product_reference": "keylime-tenant-7.13.0+40-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.13.0+40-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.s390x"
},
"product_reference": "keylime-tenant-7.13.0+40-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.13.0+40-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.x86_64"
},
"product_reference": "keylime-tenant-7.13.0+40-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.13.0+40-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.aarch64"
},
"product_reference": "keylime-tpm_cert_store-7.13.0+40-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.13.0+40-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.ppc64le"
},
"product_reference": "keylime-tpm_cert_store-7.13.0+40-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.13.0+40-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.s390x"
},
"product_reference": "keylime-tpm_cert_store-7.13.0+40-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.13.0+40-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.x86_64"
},
"product_reference": "keylime-tpm_cert_store-7.13.0+40-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.13.0+40-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.aarch64"
},
"product_reference": "keylime-verifier-7.13.0+40-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.13.0+40-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.ppc64le"
},
"product_reference": "keylime-verifier-7.13.0+40-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.13.0+40-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.s390x"
},
"product_reference": "keylime-verifier-7.13.0+40-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.13.0+40-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.x86_64"
},
"product_reference": "keylime-verifier-7.13.0+40-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-keylime-7.13.0+40-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.aarch64"
},
"product_reference": "python311-keylime-7.13.0+40-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-keylime-7.13.0+40-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.ppc64le"
},
"product_reference": "python311-keylime-7.13.0+40-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-keylime-7.13.0+40-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.s390x"
},
"product_reference": "python311-keylime-7.13.0+40-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-keylime-7.13.0+40-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.x86_64"
},
"product_reference": "python311-keylime-7.13.0+40-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-keylime-7.13.0+40-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.aarch64"
},
"product_reference": "python312-keylime-7.13.0+40-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-keylime-7.13.0+40-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.ppc64le"
},
"product_reference": "python312-keylime-7.13.0+40-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-keylime-7.13.0+40-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.s390x"
},
"product_reference": "python312-keylime-7.13.0+40-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python312-keylime-7.13.0+40-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.x86_64"
},
"product_reference": "python312-keylime-7.13.0+40-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.13.0+40-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.aarch64"
},
"product_reference": "python313-keylime-7.13.0+40-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.13.0+40-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.ppc64le"
},
"product_reference": "python313-keylime-7.13.0+40-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.13.0+40-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.s390x"
},
"product_reference": "python313-keylime-7.13.0+40-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.13.0+40-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.x86_64"
},
"product_reference": "python313-keylime-7.13.0+40-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-13609",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13609"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent\u0027s unique identifier (UUID). This action overwrites the legitimate agent\u0027s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13609",
"url": "https://www.suse.com/security/cve/CVE-2025-13609"
},
{
"category": "external",
"summary": "SUSE Bug 1254199 for CVE-2025-13609",
"url": "https://bugzilla.suse.com/1254199"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-config-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-firewalld-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-logrotate-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-registrar-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-tenant-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-tpm_cert_store-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:keylime-verifier-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:python311-keylime-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:python312-keylime-7.13.0+40-1.1.x86_64",
"openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.aarch64",
"openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.ppc64le",
"openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.s390x",
"openSUSE Tumbleweed:python313-keylime-7.13.0+40-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-10T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2025-13609"
}
]
}
suse-su-2025:21194-1
Vulnerability from csaf_suse
Published
2025-12-12 09:45
Modified
2025-12-12 09:45
Summary
Security update for keylime
Notes
Title of the patch
Security update for keylime
Description of the patch
This update for keylime fixes the following issues:
Update to version 7.13.0+40.
Security issues fixed:
- CVE-2025-13609: possible agent identity takeover due to the registrar allowing the registration of agents with duplicate
UUIDs (bsc#1254199).
- CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).
Other issues fixed and changes:
- Version 7.13.0+40:
* Include new attestation information fields (#1818)
* Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)
* push-model: require HTTPS for authentication and attestation endpoints
* Fix operational_state tracking in push mode attestations
* templates: add push model authentication config options to 2.5 templates
* Security: Hash authentication tokens in logs
* Fix stale IMA policy cache in verification
* Fix authentication behavior on failed attestations for push mode
* Add shared memory infrastructure for multiprocess communication
* Add agent authentication (challenge/response) protocol for push mode
* Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)
* docs: Fix man page RST formatting for rst2man compatibility (#1813)
* Apply limit on keylime-policy workers
* tpm: fix ECC signature parsing to support variable-length coordinates
* tpm: fix ECC P-521 credential activation with consistent marshaling
* tpm: fix ECC P-521 coordinate validation
* Remove deprecated disabled_signing_algorithms configuration option (#1804)
* algorithms: add support for specific RSA algorithms
* algorithms: add support for specific ECC curve algorithms
* Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent
* Manpage for keylime agent
* Manpage for keylime verifier
* Manpage for keylime registrar
* Use constants for timeout and max retries defaults
* verifier: Use timeout from `request_timeout` config option
* revocation_notifier: Use timeout setting from config file
* tenant: Set timeout when getting version from agent
* verify/evidence: SEV-SNP evidence type/verifier
* verify/evidence: Add evidence type to request JSON
- Version v7.13.0:
* Avoid re-encoding certificate stored in DB
* Revert "models: Do not re-encode certificate stored in DB"
* Revert "registrar_agent: Use pyasn1 to parse PEM"
* policy/sign: use print() when writing to /dev/stdout
* registrar_agent: Use pyasn1 to parse PEM
* models: Do not re-encode certificate stored in DB
* mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
* mb: support vendor_db as logged by newer shim versions
* mb: support EV_EFI_HANDOFF_TABLES events on PCR1
* Remove unnecessary configuration values
* cloud_verifier_tornado: handle exception in notify_error()
* requests_client: close the session at the end of the resource manager
* Manpage for keylime_tenant (#1786)
* Add 2.5 templates including Push Model changes
* Initial version of verify evidence API
* db: Do not read pool size and max overflow for sqlite
* Use context managers to close DB sessions
* revocations: Try to send notifications on shutdown
* verifier: Gracefully shutdown on signal
* Use `fork` as `multiprocessing` start method
* Fix inaccuracy in threat model and add reference to SBAT
* Explain TPM properties and expand vTPM discussion
* Fix invalid RST and update TOC
* Expand threat model page to include adversarial model
* Add --push-model option to avoid requests to agents
* templates: duplicate str_to_version() in the adjust script
* policy: fix mypy issues with rpm_repo
* revocation_notifier: fix mypy issue by replacing deprecated call
* Fix create_runtime_policy in python < 3.12
* Fix after review
* fixed CONSTANT names C0103 errors
* Extend meta_data field in verifierdb
* docs: update issue templates
* docs: add GitHub PR template with documentation reminders
* tpm_util: fix quote signature extraction for ECDSA
* registrar: Log API versions during startup
* Remove excessive logging on exception
* scripts: Fix coverage information downloading script
- Version v7.12.1:
* models: Add Base64Bytes type to read and write from the database
* Simplify response check from registrar
- Version v7.12.0:
* API: Add /version endpoint to registrar
* scripts: Download coverage data directly from Testing Farm
* docs: Add separate documentation for each API version
* scripts/create_runtime_policy.sh: fix path for the exclude list
* docs: add documentation for keylime-policy
* templates: Add the new agent.conf option 'api_versions'
* Enable autocompletion using argcomplete
* build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2
* Configure EPEL-10 repo in packit-ci.fmf
* build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1
* build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3
* build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1
* build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0
* keylime-policy: improve error handling when provided a bad key (sign)
* keylime-policy: exit with status 1 when the commands failed
* keylime-policy: use Certificate() from models.base to validate certs
* keylime-policy: check for valid cert file when using x509 backend (sign)
* keylime-policy: fix help for "keylime-policy sign" verb
* tenant: Correctly log number of tries when deleting
* update TCTI environment variable usage
* build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2
* keylime-policy: add `create measured-boot' subcommand
* keylime-policy: add `sign runtime' subcommand
* keylime-policy: add logger to use with the policy tool
* installer.sh: Restore execution permission
* installer: Fix string comparison
* build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0
* build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0
* build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0
* build(deps): bump actions/setup-python from 5.2.0 to 5.3.0
* installer.sh: updated EPEL, PEP668 Fix, logic fix
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0
* build(deps): bump actions/checkout from 4.2.1 to 4.2.2
* postgresql support for docker using psycopg2
* installer.sh: update package list, add workaround for PEP 668
* build(deps): bump actions/checkout from 4.2.0 to 4.2.1
* keylime.conf: full removal
* Drop pending SPDX-License-Identifier headers
* create_runtime_policy: Validate algorithm from IMA measurement log
* create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity
* create_runtime_policy: drop comment with test data
* create_runtime_policy: Use a common method to guess algorithm
* keylime-policy: rename tool to keylime-policy instead of keylime_policy
* keylime_policy: create runtime: remove --use-ima-measurement-list
* keylime_policy: use consistent arg names for create_runtime_policy
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3
* build(deps): bump actions/checkout from 4.1.7 to 4.2.0
* elchecking/example: workaround empty PK, KEK, db and dbx
* elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2
* create_runtime_policy: Fix log level for debug messages
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2
* build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5
* pylintrc: Ignore too-many-positional-arguments check
* keylime/web/base/controller: Move TypeAlias definition out of class
* create_runtime_policy: Calculate digests in multiple threads
* create_runtime_policy: Allow rootfs to be in any directory
* keylime_policy: Calculate digests from each source separately
* create_runtime_policy: Simplify boot_aggregate parsing
* ima: Validate JSON when loading IMA Keyring from string
* docs: include IDevID page also in the sidebar
* docs: point to installation guide from RHEL and SLE Micro
* build(deps): bump actions/setup-python from 5.1.1 to 5.2.0
* build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1
* change check_tpm_origin_check to a warning that does not prevent registration
* docs: Fix Runtime Policy JSON schema to reflect the reality
* Sets absolute path for files inside a rootfs dir
* policy/create_runtime_policy: fix handling of empty lines in exclude list
* keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)
* codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)
* codestyle: convert bytearrays to bytes to get expected type (pyright)
* codestyle: Use new variables after changing datatype (pyright)
* cert_utils: add description why loading using cryptography might fail
* ima: list names of the runtime policies
* build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0
* tox: Use python 3.10 instead of 3.6
* revocation_notifier: Use web_util to generate TLS context
* mba: Add a skip custom policies option when loading mba.
* build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* cmd/keylime_policy: add tool to handle keylime policies
* cert_utils: add is_x509_cert()
* common/algorithms: transform Encrypt and Sign class into enums
* common/algorithms: add method to calculate digest of a file
* build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0
* build(deps): bump docker/login-action from 3.2.0 to 3.3.0
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* build(deps): bump docker/login-action from 3.2.0 to 3.3.0
* build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0
* build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* build(deps): bump pre-commit/action from 3.0.0 to 3.0.1
* tpm: Replace KDFs and ECDH implementations with python-cryptography
* build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0
* build(deps): bump docker/login-action from 2.2.0 to 3.2.0
* build(deps): bump actions/setup-python from 2.3.4 to 5.1.1
* build(deps): bump actions/first-interaction
* build(deps): bump actions/checkout from 2.7.0 to 4.1.7
* revocation_notifier: Explicitly add CA certificate bundle
* Introduce new REST API framework and refactor registrar implementation
* mba: Support named measured boot policies
* tenant: add friendlier error message if mTLS CA is wrongly configured
* ca_impl_openssl: Mark extensions as critical following RFC 5280
* Include Authority Key Identifier in KL-generated certs
* verifier, tenant: make payload for agent completely optional
Patchnames
SUSE-SLES-16.0-104
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for keylime",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for keylime fixes the following issues:\n\nUpdate to version 7.13.0+40.\n\nSecurity issues fixed:\n\n- CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate\n UUIDs (bsc#1254199).\n- CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).\n\nOther issues fixed and changes:\n\n- Version 7.13.0+40:\n * Include new attestation information fields (#1818)\n * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)\n * push-model: require HTTPS for authentication and attestation endpoints\n * Fix operational_state tracking in push mode attestations\n * templates: add push model authentication config options to 2.5 templates\n * Security: Hash authentication tokens in logs\n * Fix stale IMA policy cache in verification\n * Fix authentication behavior on failed attestations for push mode\n * Add shared memory infrastructure for multiprocess communication\n * Add agent authentication (challenge/response) protocol for push mode\n * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)\n * docs: Fix man page RST formatting for rst2man compatibility (#1813)\n * Apply limit on keylime-policy workers\n * tpm: fix ECC signature parsing to support variable-length coordinates\n * tpm: fix ECC P-521 credential activation with consistent marshaling\n * tpm: fix ECC P-521 coordinate validation\n * Remove deprecated disabled_signing_algorithms configuration option (#1804)\n * algorithms: add support for specific RSA algorithms\n * algorithms: add support for specific ECC curve algorithms\n * Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent\n * Manpage for keylime agent\n * Manpage for keylime verifier\n * Manpage for keylime registrar\n * Use constants for timeout and max retries defaults\n * verifier: Use timeout from `request_timeout` config option\n * 
revocation_notifier: Use timeout setting from config file\n * tenant: Set timeout when getting version from agent\n * verify/evidence: SEV-SNP evidence type/verifier\n * verify/evidence: Add evidence type to request JSON\n\n- Version v7.13.0:\n * Avoid re-encoding certificate stored in DB\n * Revert \"models: Do not re-encode certificate stored in DB\"\n * Revert \"registrar_agent: Use pyasn1 to parse PEM\"\n * policy/sign: use print() when writing to /dev/stdout\n * registrar_agent: Use pyasn1 to parse PEM\n * models: Do not re-encode certificate stored in DB\n * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events\n * mb: support vendor_db as logged by newer shim versions\n * mb: support EV_EFI_HANDOFF_TABLES events on PCR1\n * Remove unnecessary configuration values\n * cloud_verifier_tornado: handle exception in notify_error()\n * requests_client: close the session at the end of the resource manager\n * Manpage for keylime_tenant (#1786)\n * Add 2.5 templates including Push Model changes\n * Initial version of verify evidence API\n * db: Do not read pool size and max overflow for sqlite\n * Use context managers to close DB sessions\n * revocations: Try to send notifications on shutdown\n * verifier: Gracefully shutdown on signal\n * Use `fork` as `multiprocessing` start method\n * Fix inaccuracy in threat model and add reference to SBAT\n * Explain TPM properties and expand vTPM discussion\n * Fix invalid RST and update TOC\n * Expand threat model page to include adversarial model\n * Add --push-model option to avoid requests to agents\n * templates: duplicate str_to_version() in the adjust script\n * policy: fix mypy issues with rpm_repo\n * revocation_notifier: fix mypy issue by replacing deprecated call\n * Fix create_runtime_policy in python \u003c 3.12\n * Fix after review\n * fixed CONSTANT names C0103 errors\n * Extend meta_data field in verifierdb\n * docs: update issue templates\n * docs: add GitHub PR template with documentation reminders\n * 
tpm_util: fix quote signature extraction for ECDSA\n * registrar: Log API versions during startup\n * Remove excessive logging on exception\n * scripts: Fix coverage information downloading script\n\n- Version v7.12.1:\n * models: Add Base64Bytes type to read and write from the database\n * Simplify response check from registrar\n\n- Version v7.12.0:\n * API: Add /version endpoint to registrar\n * scripts: Download coverage data directly from Testing Farm\n * docs: Add separate documentation for each API version\n * scripts/create_runtime_policy.sh: fix path for the exclude list\n * docs: add documentation for keylime-policy\n * templates: Add the new agent.conf option \u0027api_versions\u0027\n * Enable autocompletion using argcomplete\n * build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2\n * Configure EPEL-10 repo in packit-ci.fmf\n * build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1\n * build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3\n * build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1\n * build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0\n * keylime-policy: improve error handling when provided a bad key (sign)\n * keylime-policy: exit with status 1 when the commands failed\n * keylime-policy: use Certificate() from models.base to validate certs\n * keylime-policy: check for valid cert file when using x509 backend (sign)\n * keylime-policy: fix help for \"keylime-policy sign\" verb\n * tenant: Correctly log number of tries when deleting\n * update TCTI environment variable usage\n * build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2\n * keylime-policy: add `create measured-boot\u0027 subcommand\n * keylime-policy: add `sign runtime\u0027 subcommand\n * keylime-policy: add logger to use with the policy tool\n * installer.sh: Restore execution permission\n * installer: Fix string comparison\n * build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0\n * build(deps): bump 
codecov/codecov-action from 4.5.0 to 4.6.0\n * build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0\n * build(deps): bump actions/setup-python from 5.2.0 to 5.3.0\n * installer.sh: updated EPEL, PEP668 Fix, logic fix\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0\n * build(deps): bump actions/checkout from 4.2.1 to 4.2.2\n * postgresql support for docker using psycopg2\n * installer.sh: update package list, add workaround for PEP 668\n * build(deps): bump actions/checkout from 4.2.0 to 4.2.1\n * keylime.conf: full removal\n * Drop pending SPDX-License-Identifier headers\n * create_runtime_policy: Validate algorithm from IMA measurement log\n * create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity\n * create_runtime_policy: drop commment with test data\n * create_runtime_policy: Use a common method to guess algorithm\n * keylime-policy: rename tool to keylime-policy instead of keylime_policy\n * keylime_policy: create runtime: remove --use-ima-measurement-list\n * keylime_policy: use consistent arg names for create_runtime_policy\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3\n * build(deps): bump actions/checkout from 4.1.7 to 4.2.0\n * elchecking/example: workaround empty PK, KEK, db and dbx\n * elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2\n * create_runtime_policy: Fix log level for debug messages\n * build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2\n * build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5\n * pylintrc: Ignore too-many-positional-arguments check\n * keylime/web/base/controller: Move TypeAlias definition out of class\n * create_runtime_policy: Calculate digests in multiple threads\n * create_runtime_policy: Allow rootfs to be in any directory\n * keylime_policy: Calculate digests from each source separately\n * create_runtime_policy: Simplify boot_aggregate parsing\n * ima: Validate JSON when loading IMA Keyring from string\n 
* docs: include IDevID page also in the sidebar\n * docs: point to installation guide from RHEL and SLE Micro\n * build(deps): bump actions/setup-python from 5.1.1 to 5.2.0\n * build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1\n * change check_tpm_origin_check to a warning that does not prevent registration\n * docs: Fix Runtime Policy JSON schema to reflect the reality\n * Sets absolute path for files inside a rootfs dir\n * policy/create_runtime_policy: fix handling of empty lines in exclude list\n * keylime_policy: setting \u0027log_hash_alg\u0027 to \u0027sha1\u0027 (template-hash algo)\n * codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)\n * codestyle: convert bytearrays to bytes to get expected type (pyright)\n * codestyle: Use new variables after changing datatype (pyright)\n * cert_utils: add description why loading using cryptography might fail\n * ima: list names of the runtime policies\n * build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0\n * tox: Use python 3.10 instead of 3.6\n * revocation_notifier: Use web_util to generate TLS context\n * mba: Add a skip custom policies option when loading mba.\n * build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * cmd/keylime_policy: add tool to handle keylime policies\n * cert_utils: add is_x509_cert()\n * common/algorithms: transform Encrypt and Sign class into enums\n * common/algorithms: add method to calculate digest of a file\n * build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0\n * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * build(deps): bump docker/login-action from 3.2.0 to 3.3.0\n * build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0\n * build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1\n * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1\n * 
build(deps): bump pre-commit/action from 3.0.0 to 3.0.1\n * tpm: Replace KDFs and ECDH implementations with python-cryptography\n * build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0\n * build(deps): bump docker/login-action from 2.2.0 to 3.2.0\n * build(deps): bump actions/setup-python from 2.3.4 to 5.1.1\n * build(deps): bump actions/first-interaction\n * build(deps): bump actions/checkout from 2.7.0 to 4.1.7\n * revocation_notifier: Explicitly add CA certificate bundle\n * Introduce new REST API framework and refactor registrar implementation\n * mba: Support named measured boot policies\n * tenant: add friendlier error message if mTLS CA is wrongly configured\n * ca_impl_openssl: Mark extensions as critical following RFC 5280\n * Include Authority Key Identifier in KL-generated certs\n * verifier, tenant: make payload for agent completely optional\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-104",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_21194-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:21194-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202521194-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:21194-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-December/023547.html"
},
{
"category": "self",
"summary": "SUSE Bug 1237153",
"url": "https://bugzilla.suse.com/1237153"
},
{
"category": "self",
"summary": "SUSE Bug 1254199",
"url": "https://bugzilla.suse.com/1254199"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-1057 page",
"url": "https://www.suse.com/security/cve/CVE-2025-1057/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-13609 page",
"url": "https://www.suse.com/security/cve/CVE-2025-13609/"
}
],
"title": "Security update for keylime",
"tracking": {
"current_release_date": "2025-12-12T09:45:03Z",
"generator": {
"date": "2025-12-12T09:45:03Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:21194-1",
"initial_release_date": "2025-12-12T09:45:03Z",
"revision_history": [
{
"date": "2025-12-12T09:45:03Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "keylime-config-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-config-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-firewalld-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-logrotate-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-registrar-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-tenant-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"product_id": "keylime-verifier-7.13.0+40-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"product": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"product_id": "python313-keylime-7.13.0+40-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16.0"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-config-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-config-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-config-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-config-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-config-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-firewalld-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-logrotate-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-registrar-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-registrar-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tenant-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tenant-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "keylime-verifier-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "keylime-verifier-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-keylime-7.13.0+40-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
},
"product_reference": "python313-keylime-7.13.0+40-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-1057",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-1057"
}
],
"notes": [
{
"category": "general",
"text": "A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-1057",
"url": "https://www.suse.com/security/cve/CVE-2025-1057"
},
{
"category": "external",
"summary": "SUSE Bug 1237153 for CVE-2025-1057",
"url": "https://bugzilla.suse.com/1237153"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T09:45:03Z",
"details": "moderate"
}
],
"title": "CVE-2025-1057"
},
{
"cve": "CVE-2025-13609",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-13609"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent\u0027s unique identifier (UUID). This action overwrites the legitimate agent\u0027s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-13609",
"url": "https://www.suse.com/security/cve/CVE-2025-13609"
},
{
"category": "external",
"summary": "SUSE Bug 1254199 for CVE-2025-13609",
"url": "https://bugzilla.suse.com/1254199"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-config-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-firewalld-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-logrotate-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-registrar-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tenant-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-tpm_cert_store-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:keylime-verifier-7.13.0+40-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-keylime-7.13.0+40-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-12-12T09:45:03Z",
"details": "critical"
}
],
"title": "CVE-2025-13609"
}
]
}
fkie_cve-2025-13609
Vulnerability from fkie_nvd
Published
2025-11-24 18:15
Modified
2025-12-18 11:15
Severity ?
Summary
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.
References
| Source | URL | Tags |
|---|---|---|
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2025:23201 | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2025:23210 | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2025:23628 | |
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2025-13609 | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2416761 | |
Impacted products
| Vendor | Product | Version |
|---|---|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent\u0027s unique identifier (UUID). This action overwrites the legitimate agent\u0027s identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls."
}
],
"id": "CVE-2025-13609",
"lastModified": "2025-12-18T11:15:45.500",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 5.3,
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
},
"published": "2025-11-24T18:15:49.830",
"references": [
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2025:23201"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2025:23210"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2025:23628"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/security/cve/CVE-2025-13609"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416761"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-694"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
}
wid-sec-w-2025-2849
Vulnerability from csaf_certbund
Published
2025-12-15 23:00
Modified
2025-12-16 23:00
Summary
Red Hat Enterprise Linux (Keylime): Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.
Angriff
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Red Hat Enterprise Linux ausnutzen, um Sicherheitsvorkehrungen zu umgehen und sich als der kompromittierte Agent auszugeben.
Betroffene Betriebssysteme
- UNIX
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Red Hat Enterprise Linux ausnutzen, um Sicherheitsvorkehrungen zu umgehen und sich als der kompromittierte Agent auszugeben.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-2849 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2849.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-2849 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2849"
},
{
"category": "external",
"summary": "Red Hat Security Advisory vom 2025-12-15",
"url": "https://access.redhat.com/errata/RHSA-2025:23201"
},
{
"category": "external",
"summary": "Rocky Linux Security Advisory RLSA-2025:23210 vom 2025-12-17",
"url": "https://errata.build.resf.org/RLSA-2025:23210"
},
{
"category": "external",
"summary": "Oracle Linux Security Advisory ELSA-2025-23210 vom 2025-12-17",
"url": "https://linux.oracle.com/errata/ELSA-2025-23210.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:23210 vom 2025-12-16",
"url": "https://access.redhat.com/errata/RHSA-2025:23210"
}
],
"source_lang": "en-US",
"title": "Red Hat Enterprise Linux (Keylime): Schwachstelle erm\u00f6glicht Umgehen von Sicherheitsvorkehrungen",
"tracking": {
"current_release_date": "2025-12-16T23:00:00.000+00:00",
"generator": {
"date": "2025-12-17T09:35:32.850+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-2849",
"initial_release_date": "2025-12-15T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-12-15T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-12-16T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Rocky Enterprise Software Foundation, Oracle Linux und Red Hat aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Linux",
"product": {
"name": "Oracle Linux",
"product_id": "T004914",
"product_identification_helper": {
"cpe": "cpe:/o:oracle:linux:-"
}
}
}
],
"category": "vendor",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_name",
"name": "RESF Rocky Linux",
"product": {
"name": "RESF Rocky Linux",
"product_id": "T032255",
"product_identification_helper": {
"cpe": "cpe:/o:resf:rocky_linux:-"
}
}
}
],
"category": "vendor",
"name": "RESF"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"category": "product_version",
"name": "10",
"product": {
"name": "Red Hat Enterprise Linux 10",
"product_id": "T049439",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:10"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-13609",
"product_status": {
"known_affected": [
"T049439",
"67646",
"T004914",
"T032255"
]
},
"release_date": "2025-12-15T23:00:00.000+00:00",
"title": "CVE-2025-13609"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed somewhere by the user reporting the sighting.
- Confirmed: The vulnerability is confirmed from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and observed by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or observed by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.