Accepting request 1078761 from home:aplanas:branches:security

- Add CVE-2023-26964.patch to upgrade hyper crate (CVE-2023-26964, bsc#1210344) - Update to version 0.2.0+git.1681223954.646cf61: * Allow setting measured boot log path for testing * build(deps): bump base64 from 0.13.1 to 0.21.0 * build(deps): bump wiremock from 0.5.14 to 0.5.18 * Build Fedora and CentOS packages on Copr using packit * build(deps): bump serde_json from 1.0.91 to 1.0.95 * build(deps): bump actix-rt from 2.7.0 to 2.8.0 * build(deps): bump base64 from 0.13.1 to 0.21.0 * build(deps): bump serde from 1.0.147 to 1.0.159 * build(deps): bump glob from 0.3.0 to 0.3.1 * Add missing test from keylime testsuite to e2e plan * Fix typo in name of test for generating coverage * build(deps): bump thiserror from 1.0.38 to 1.0.40 * build(deps): bump base64 from 0.13.1 to 0.21.0 * build(deps): bump actix-web from 4.2.1 to 4.3.1 * build(deps): bump serde from 1.0.145 to 1.0.147 * build(deps): bump libc from 0.2.139 to 0.2.140 * build(deps): bump futures from 0.3.25 to 0.3.27 * build(deps): bump reqwest from 0.11.12 to 0.11.15 * build(deps): bump config from 0.13.2 to 0.13.3 * build(deps): bump openssl from 0.10.45 to 0.10.48 * build(deps): bump tokio from 1.24.2 to 1.26.0 * Cargo: Update tempfile to 3.4.0 version OBS-URL: https://build.opensuse.org/request/show/1078761 OBS-URL: https://build.opensuse.org/package/show/security/rust-keylime?expand=0&rev=46
2023-04-12 15:20:32 +00:00 · 2023-04-12 15:20:32 +00:00 · e18b9a008b
commit e18b9a008b
parent 5c4b047874
7 changed files with 95 additions and 7 deletions
--- a/CVE-2023-26964.patch
+++ b/CVE-2023-26964.patch
@ -0,0 +1,56 @@
+From 4dcb5fb4162665cad436a18e9cb6d1735203d3ac Mon Sep 17 00:00:00 2001
+From: Alberto Planas <aplanas@suse.com>
+Date: Wed, 12 Apr 2023 16:48:26 +0200
+Subject: [PATCH] Update hyper to v0.14.25 (CVE-2023-26964)
+
+Signed-off-by: Alberto Planas <aplanas@suse.com>
+---
+ Cargo.lock | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/Cargo.lock b/Cargo.lock
+index 70aeb97e..3fe2353c 100644
+--- a/Cargo.lock
+++ b/Cargo.lock
+@@ -918,9 +918,9 @@ checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
+ 
+ [[package]]
+ name = "h2"
+-version = "0.3.14"
+version = "0.3.16"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "5ca32592cf21ac7ccab1825cd87f6c9b3d9022c44d086172ed0966bec8af30be"
+checksum = "5be7b54589b581f624f566bf5d8eb2bab1db736c51528720b6bd36b96b55924d"
+ dependencies = [
+  "bytes",
+  "fnv",
+@@ -1037,9 +1037,9 @@ dependencies = [
+ 
+ [[package]]
+ name = "hyper"
+-version = "0.14.20"
+version = "0.14.25"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "02c929dc5c39e335a03c405292728118860721b10190d98c2a0f0efd5baafbac"
+checksum = "cc5e554ff619822309ffd57d8734d77cd5ce6238bc956f037ea06c58238c9899"
+ dependencies = [
+  "bytes",
+  "futures-channel",
+@@ -1162,7 +1162,7 @@ dependencies = [
+ name = "keylime"
+ version = "0.2.0"
+ dependencies = [
+- "base64 0.21.0",
+ "base64 0.13.1",
+  "hex",
+  "log",
+  "openssl",
+@@ -1180,7 +1180,7 @@ version = "0.2.0"
+ dependencies = [
+  "actix-rt",
+  "actix-web",
+- "base64 0.21.0",
+ "base64 0.13.1",
+  "cfg-if",
+  "clap",
+  "compress-tools",
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">f7edd9a5cd49ef09e95f34a35d0829a90e9d38ff</param></service></servicedata>
+              <param name="changesrevision">646cf6190192344c95983e3be3103861d9e22b51</param></service></servicedata>
--- a/rust-keylime-0.2.0+git.1677691779.f7edd9a.tar.xz
+++ b/rust-keylime-0.2.0+git.1677691779.f7edd9a.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:be6e0450a2ec4adfa3f037b346e43347685b2c274e2c283eff7b6323f09335b1
-size 133336
--- a/rust-keylime-0.2.0+git.1681223954.646cf61.tar.xz
+++ b/rust-keylime-0.2.0+git.1681223954.646cf61.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cc55a4a76bd5373850d626941ab5bc22d745dc91ed2c50c76c8804a228997416
+size 136052
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Wed Apr 12 14:52:38 UTC 2023 - aplanas@suse.com
+
+- Add CVE-2023-26964.patch to upgrade hyper crate (CVE-2023-26964,
+  bsc#1210344)
+
+- Update to version 0.2.0+git.1681223954.646cf61:
+  * Allow setting measured boot log path for testing
+  * build(deps): bump base64 from 0.13.1 to 0.21.0
+  * build(deps): bump wiremock from 0.5.14 to 0.5.18
+  * Build Fedora and CentOS packages on Copr using packit
+  * build(deps): bump serde_json from 1.0.91 to 1.0.95
+  * build(deps): bump actix-rt from 2.7.0 to 2.8.0
+  * build(deps): bump base64 from 0.13.1 to 0.21.0
+  * build(deps): bump serde from 1.0.147 to 1.0.159
+  * build(deps): bump glob from 0.3.0 to 0.3.1
+  * Add missing test from keylime testsuite to e2e plan
+  * Fix typo in name of test for generating coverage
+  * build(deps): bump thiserror from 1.0.38 to 1.0.40
+  * build(deps): bump base64 from 0.13.1 to 0.21.0
+  * build(deps): bump actix-web from 4.2.1 to 4.3.1
+  * build(deps): bump serde from 1.0.145 to 1.0.147
+  * build(deps): bump libc from 0.2.139 to 0.2.140
+  * build(deps): bump futures from 0.3.25 to 0.3.27
+  * build(deps): bump reqwest from 0.11.12 to 0.11.15
+  * build(deps): bump config from 0.13.2 to 0.13.3
+  * build(deps): bump openssl from 0.10.45 to 0.10.48
+  * build(deps): bump tokio from 1.24.2 to 1.26.0
+  * Cargo: Update tempfile to 3.4.0 version
+
 -------------------------------------------------------------------
 Wed Mar 15 16:46:28 UTC 2023 - Alberto Planas Dominguez <aplanas@suse.com>

--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@ -25,7 +25,7 @@
  %define _config_norepl %config(noreplace)
 %endif
 Name:           rust-keylime
-Version:        0.2.0+git.1677691779.f7edd9a
+Version:        0.2.0+git.1681223954.646cf61
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        Apache-2.0 AND MIT
@ -41,6 +41,8 @@ Source7:        ima-policy.service
 Source8:        README.suse
 # PATCH-FIX-OPENSUSE keylime-agent.conf.diff
 Patch1:         keylime-agent.conf.diff
+# PATCH-FIX-UPSTREAM CVE-2023-26964.patch https://github.com/keylime/rust-keylime/pull/560
+Patch2:         CVE-2023-26964.patch
 BuildRequires:  cargo-packaging
 BuildRequires:  clang
 BuildRequires:  firewall-macros
--- a/vendor.tar.xz
+++ b/vendor.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:bc42dfbbdb8fbd9a7885d6fbe22b845130515e9f3fbc43f9a470b8ebce069dd3
-size 25892084
+oid sha256:540c04c5cba0ca0b67ac0adbc5bc8af3ce1fa6e9b9d9a46f9913c781180aba98
+size 26584652