From e18b9a008b1bb40427cbf62fd529c0577332cf019f94d30be3e2f5b00ab01cfe Mon Sep 17 00:00:00 2001 
From: Alberto Planas Dominguez
Date: Wed, 12 Apr 2023 15:20:32 +0000
Subject: [PATCH] Accepting request 1078761 from home:aplanas:branches:security

- Add CVE-2023-26964.patch to upgrade hyper crate (CVE-2023-26964, bsc#1210344)
- Update to version 0.2.0+git.1681223954.646cf61:
  * Allow setting measured boot log path for testing
  * build(deps): bump base64 from 0.13.1 to 0.21.0
  * build(deps): bump wiremock from 0.5.14 to 0.5.18
  * Build Fedora and CentOS packages on Copr using packit
  * build(deps): bump serde_json from 1.0.91 to 1.0.95
  * build(deps): bump actix-rt from 2.7.0 to 2.8.0
  * build(deps): bump base64 from 0.13.1 to 0.21.0
  * build(deps): bump serde from 1.0.147 to 1.0.159
  * build(deps): bump glob from 0.3.0 to 0.3.1
  * Add missing test from keylime testsuite to e2e plan
  * Fix typo in name of test for generating coverage
  * build(deps): bump thiserror from 1.0.38 to 1.0.40
  * build(deps): bump base64 from 0.13.1 to 0.21.0
  * build(deps): bump actix-web from 4.2.1 to 4.3.1
  * build(deps): bump serde from 1.0.145 to 1.0.147
  * build(deps): bump libc from 0.2.139 to 0.2.140
  * build(deps): bump futures from 0.3.25 to 0.3.27
  * build(deps): bump reqwest from 0.11.12 to 0.11.15
  * build(deps): bump config from 0.13.2 to 0.13.3
  * build(deps): bump openssl from 0.10.45 to 0.10.48
  * build(deps): bump tokio from 1.24.2 to 1.26.0
  * Cargo: Update tempfile to 3.4.0 version

OBS-URL: https://build.opensuse.org/request/show/1078761
OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=46
---
 CVE-2023-26964.patch | 56 +++++++++++++++++++
 _servicedata | 2 +-
 ...eylime-0.2.0+git.1677691779.f7edd9a.tar.xz | 3 -
 ...eylime-0.2.0+git.1681223954.646cf61.tar.xz | 3 +
 rust-keylime.changes | 30 ++++++++++
 rust-keylime.spec | 4 +-
 vendor.tar.xz | 4 +-
 7 files changed, 95 insertions(+), 7 deletions(-)
 create mode 100644 CVE-2023-26964.patch
 delete mode 100644 rust-keylime-0.2.0+git.1677691779.f7edd9a.tar.xz
 create mode 100644 rust-keylime-0.2.0+git.1681223954.646cf61.tar.xz

diff --git a/CVE-2023-26964.patch b/CVE-2023-26964.patch
new file mode 100644
index 0000000..6739c98
--- /dev/null
+++ b/CVE-2023-26964.patch
@@ -0,0 +1,56 @@
+From 4dcb5fb4162665cad436a18e9cb6d1735203d3ac Mon Sep 17 00:00:00 2001
+From: Alberto Planas
+Date: Wed, 12 Apr 2023 16:48:26 +0200
+Subject: [PATCH] Update hyper to v0.14.25 (CVE-2023-26964)
+
+Signed-off-by: Alberto Planas
+---
+ Cargo.lock | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/Cargo.lock b/Cargo.lock
+index 70aeb97e..3fe2353c 100644
+--- a/Cargo.lock
++++ b/Cargo.lock
+@@ -918,9 +918,9 @@ checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+ 
+ [[package]]
+ name = "h2"
+-version = "0.3.14"
++version = "0.3.16"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "5ca32592cf21ac7ccab1825cd87f6c9b3d9022c44d086172ed0966bec8af30be"
++checksum = "5be7b54589b581f624f566bf5d8eb2bab1db736c51528720b6bd36b96b55924d"
+ dependencies = [
+  "bytes",
+  "fnv",
+@@ -1037,9 +1037,9 @@ dependencies = [
+ 
+ [[package]]
+ name = "hyper"
+-version = "0.14.20"
++version = "0.14.25"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "02c929dc5c39e335a03c405292728118860721b10190d98c2a0f0efd5baafbac"
++checksum = "cc5e554ff619822309ffd57d8734d77cd5ce6238bc956f037ea06c58238c9899"
+ dependencies = [
+  "bytes",
+  "futures-channel",
+@@ -1162,7 +1162,7 @@ dependencies = [
+ name = "keylime"
+ version = "0.2.0"
+ dependencies = [
+- "base64 0.21.0",
++ "base64 0.13.1",
+  "hex",
+  "log",
+  "openssl",
+@@ -1180,7 +1180,7 @@ version = "0.2.0"
+ dependencies = [
+  "actix-rt",
+  "actix-web",
+- "base64 0.21.0",
++ "base64 0.13.1",
+  "cfg-if",
+  "clap",
+  "compress-tools",
diff --git a/_servicedata b/_servicedata
index 6d50dab..377d62a 100644
--- a/_servicedata
+++ b/_servicedata
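Review bot: The new CVE-2023-26964.patch does more than the hyper/h2 upgrade its subject describes: the hunks at Cargo.lock lines 1162 and 1180 also move both keylime crates from `base64 0.21.0` back to `base64 0.13.1`, which contradicts the "bump base64 from 0.13.1 to 0.21.0" entries in this same commit's changelog and looks like the upstream patch having been generated against an older lockfile. If Cargo.toml in the 646cf61 tarball still requires base64 0.21, cargo will either reject the lock under --locked/--frozen or re-resolve it, which in an offline vendored build means a build failure rather than the intended CVE fix; the two base64 hunks should be dropped so the patch contains only the h2 0.3.14→0.3.16 and hyper 0.14.20→0.14.25 changes. Separately, vendor.tar.xz must now contain hyper 0.14.25 and h2 0.3.16 for the patched lock to build offline; the tarball does change in this commit, but whether it was regenerated from the patched Cargo.lock cannot be confirmed from here.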
@@ -1,4 +1,4 @@
 https://github.com/keylime/rust-keylime.git
- f7edd9a5cd49ef09e95f34a35d0829a90e9d38ff
\ No newline at end of file
+ 646cf6190192344c95983e3be3103861d9e22b51
\ No newline at end of file
diff --git a/rust-keylime-0.2.0+git.1677691779.f7edd9a.tar.xz b/rust-keylime-0.2.0+git.1677691779.f7edd9a.tar.xz
deleted file mode 100644
index c5c80b4..0000000
--- a/rust-keylime-0.2.0+git.1677691779.f7edd9a.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:be6e0450a2ec4adfa3f037b346e43347685b2c274e2c283eff7b6323f09335b1
-size 133336
diff --git a/rust-keylime-0.2.0+git.1681223954.646cf61.tar.xz b/rust-keylime-0.2.0+git.1681223954.646cf61.tar.xz
new file mode 100644
index 0000000..91bb30e
--- /dev/null
+++ b/rust-keylime-0.2.0+git.1681223954.646cf61.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc55a4a76bd5373850d626941ab5bc22d745dc91ed2c50c76c8804a228997416
+size 136052
diff --git a/rust-keylime.changes b/rust-keylime.changes
index 58b0b05..8fe24cb 100644
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Wed Apr 12 14:52:38 UTC 2023 - aplanas@suse.com
+
+- Add CVE-2023-26964.patch to upgrade hyper crate (CVE-2023-26964,
+  bsc#1210344)
+
+- Update to version 0.2.0+git.1681223954.646cf61:
+  * Allow setting measured boot log path for testing
+  * build(deps): bump base64 from 0.13.1 to 0.21.0
+  * build(deps): bump wiremock from 0.5.14 to 0.5.18
+  * Build Fedora and CentOS packages on Copr using packit
+  * build(deps): bump serde_json from 1.0.91 to 1.0.95
+  * build(deps): bump actix-rt from 2.7.0 to 2.8.0
+  * build(deps): bump base64 from 0.13.1 to 0.21.0
+  * build(deps): bump serde from 1.0.147 to 1.0.159
+  * build(deps): bump glob from 0.3.0 to 0.3.1
+  * Add missing test from keylime testsuite to e2e plan
+  * Fix typo in name of test for generating coverage
+  * build(deps): bump thiserror from 1.0.38 to 1.0.40
+  * build(deps): bump base64 from 0.13.1 to 0.21.0
+  * build(deps): bump actix-web from 4.2.1 to 4.3.1
+  * build(deps): bump serde from 1.0.145 to 1.0.147
+  * build(deps): bump libc from 0.2.139 to 0.2.140
+  * build(deps): bump futures from 0.3.25 to 0.3.27
+  * build(deps): bump reqwest from 0.11.12 to 0.11.15
+  * build(deps): bump config from 0.13.2 to 0.13.3
+  * build(deps): bump openssl from 0.10.45 to 0.10.48
+  * build(deps): bump tokio from 1.24.2 to 1.26.0
+  * Cargo: Update tempfile to 3.4.0 version
+
 -------------------------------------------------------------------
 Wed Mar 15 16:46:28 UTC 2023 - Alberto Planas Dominguez
 
diff --git a/rust-keylime.spec b/rust-keylime.spec
index 353c314..5cd96ee 100644
--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@@ -25,7 +25,7 @@
 %define _config_norepl %config(noreplace)
 %endif
 Name: rust-keylime
-Version: 0.2.0+git.1677691779.f7edd9a
+Version: 0.2.0+git.1681223954.646cf61
 Release: 0
 Summary: Rust implementation of the keylime agent
 License: Apache-2.0 AND MIT
@@ -41,6 +41,8 @@ Source7: ima-policy.service
 Source8: README.suse
 # PATCH-FIX-OPENSUSE keylime-agent.conf.diff
 Patch1: keylime-agent.conf.diff
+# PATCH-FIX-UPSTREAM CVE-2023-26964.patch https://github.com/keylime/rust-keylime/pull/560
+Patch2: CVE-2023-26964.patch
 BuildRequires: cargo-packaging
 BuildRequires: clang
 BuildRequires: firewall-macros
diff --git a/vendor.tar.xz b/vendor.tar.xz
index f02492a..84b1cc7 100644
--- a/vendor.tar.xz
+++ b/vendor.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:bc42dfbbdb8fbd9a7885d6fbe22b845130515e9f3fbc43f9a470b8ebce069dd3
-size 25892084
+oid sha256:540c04c5cba0ca0b67ac0adbc5bc8af3ce1fa6e9b9d9a46f9913c781180aba98
+size 26584652
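Review bot: Patch2 is declared here but nothing in this hunk applies it; if %prep uses individual `%patch` calls rather than `%autosetup -p1`, a matching `%patch2 -p1` line is needed there too, otherwise the CVE-2023-26964 fix is declared but never built in. The %prep section is outside this hunk, so this cannot be verified from the page. Since the patch rewrites Cargo.lock, it also has to be applied before the cargo configuration that points the build at the unpacked vendor.tar.xz, so the build resolves against the vendored hyper 0.14.25 instead of the stale lock.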