VUL-0: CVE-2024-32650: rust-keylime: rust-rustls: Infinite loop in rustls::conn::ConnectionCommon::complete_io() with proper client input
VUL-0: CVE-2024-43806: rust-keylime: rustix: rustix::fs::Dir iterator with the linux_raw backend can cause memory explosion
VUL-0: rust-keylime: rust-shlex: Multiple issues involving quote API (RUSTSEC-2024-0006, GHSA-r7qv-8r2h-pg27)

aplanas  moderate  security

Security update for rust-keylime

This update for rust-keylime fixes the following issues:

- Update vendored crates (CVE-2024-43806, bsc#1229952, bsc#1230029)
  * rustix 0.37.25
  * rustix 0.38.34
  * shlex 1.3.0
- Update to version 0.2.6+13:
  * Enable test functional/iak-idevid-persisted-and-protected
  * build(deps): bump uuid from 1.7.0 to 1.10.0
  * build(deps): bump openssl from 0.10.64 to 0.10.66
  * keylime-agent/src/revocation: Fix comment indentation
  * keylime/crypto: Fix indentation of documentation comment
  * build(deps): bump thiserror from 1.0.59 to 1.0.63
  * build(deps): bump serde_json from 1.0.116 to 1.0.120
  * dependabot: Extend to also monitor workflow actions
  * ci: Disable Packit CI on CentOS Stream 9
  * ci: use CODECOV_TOKEN when submitting coverage data
  * revocation: Use into() for infallible transformation
  * secure_mount: Fix possible infinite loop
  * error: Rename enum variants to avoid clippy warning
- Update to version 0.2.6~0:
  * Bump version to 0.2.6
  * build(deps): bump libc from 0.2.153 to 0.2.155
  * build(deps): bump serde from 1.0.196 to 1.0.203
  * rpm/fedora: Update rust macro usage
  * config: Support hostnames in registrar_ip option
  * added use of persisted IAK and IDevID and authorisation values
  * config changes
  * Adding /agent/info API to agent
  * Fix leftover 'unnecessary qualification' warnings on tests
- Update to version 0.2.5~4:
  * Fix 'unnecessary qualification' warnings
  * fix IAK template to match IDevID
  * rpm: fix COPR RPMs build for centos-stream-10
  * Build COPR RPMs for centos-stream-10
- Update to version 0.2.5~0:
  * Bump version to 0.2.5
  * cargo: Relax required version for pest crate
  * build(deps): bump log from 0.4.20 to 0.4.21
  * build(deps): bump thiserror from 1.0.56 to 1.0.59
- actix-web update moves rustls as feature (bsc#1223234, CVE-2024-32650)
- Update to version 0.2.4~39:
  * build(deps): bump openssl from 0.10.63 to 0.10.64
  * build(deps): bump h2 from 0.3.24 to 0.3.26
  * build(deps): bump serde_json from 1.0.107 to 1.0.116
  * build(deps): bump actix-web from 4.4.1 to 4.5.1
  * crypto: Enable TLS 1.3
  * build(deps): bump tempfile from 3.9.0 to 3.10.1
  * build(deps): bump mio from 0.8.4 to 0.8.11
  * enable hex values to be used for tpm_ownerpassword
  * config: Support IPv6 with or without brackets
  * keylime: Implement a simple IP parser to remove brackets
  * crypto: Implement CertificateBuilder to generate certificates
  * tests: Fix coverage download by supporting arbitrary URL
  * cargo: Add testing feature to keylime library
  * Set X509 SAN with local DNSname/IP/IPv6
  * Include newest Node20 versions for Github actions
  * tpm: Add unit test for uncovered public functions
  * crypto: Implement ECC key generation support
  * crypto: Add test for match_cert_to_template()
  * Fix minor typo, format and remove end whitespaces
  * crypto: Make error types less specific
  * tests/run.sh: Run tarpaulin with a single thread
  * payloads: Remove explicit drop of channel transmitter
  * crypto: Move to keylime library
  * crypto: Add specific type for every possible error
  * tpm: Rename origin of error as source in structures
  * list_parser: Add source for error for backtrace
  * algorithms: Make errors more specific
  * typo fix for default path to measured boot log file
  * README: remove mentions of libarchive as a dependency
  * Dockerfile.wolfi: Update clang to version 17
  * docker: Remove libarchive as a dependency
  * rpm: Remove libarchive from dependencies
  * cargo: Replace compress-tools with zip crate
  * cargo: Bump ahash to version 0.8.7
  * build(deps): bump serde from 1.0.195 to 1.0.196
  * build(deps): bump libc from 0.2.152 to 0.2.153
  * build(deps): bump reqwest from 0.11.23 to 0.11.24
  * docker: Install configuration file in the correct path
  * config: Make IAK/IDevID disabled by default
- Update to version 0.2.4+git.1706692574.a744517:
  * Bump version to 0.2.4
  * build(deps): bump uuid from 1.4.1 to 1.7.0
  * keylime-agent.conf: Allow setting event logs paths
  * Mutable log paths: allow IMA and MBA log paths to be overridden by keylime configuration.
  * workflows: Update checkout action to version 4
  * build(deps): bump serde from 1.0.188 to 1.0.195
  * build(deps): bump pest_derive from 2.7.0 to 2.7.6
  * build(deps): bump openssl from 0.10.62 to 0.10.63
  * build(deps): bump config from 0.13.3 to 0.13.4
  * build(deps): bump base64 from 0.21.4 to 0.21.7
  * build(deps): bump tempfile from 3.8.0 to 3.9.0
  * build(deps): bump pest from 2.7.0 to 2.7.6
  * build(deps): bump actix-web from 4.4.0 to 4.4.1
  * build(deps): bump reqwest from 0.11.22 to 0.11.23
  * build(deps): bump h2 from 0.3.17 to 0.3.24
  * build(deps): bump shlex from 1.1.0 to 1.3.0
  * cargo: Bump tss-esapi to version 7.4.0
  * workflows: Fix keylime-bot token usage
  * tpm: Add error context for every possible error
  * tpm: Add AlgorithmError to TpmError
  * detect idevid template from certificates
  * build(deps): bump wiremock from 0.5.18 to 0.5.22
  * build(deps): bump thiserror from 1.0.48 to 1.0.56
  * Make use of workspace dependencies
  * build(deps): bump openssl from 0.10.57 to 0.10.62
  * packit: Bump Fedora version used for code coverage
- Update to version 0.2.3+git.1701075380.a5dc985:
  * build(deps): bump actix-rt from 2.8.0 to 2.9.0
  * Bump version to 0.2.3
  * build(deps): bump reqwest from 0.11.20 to 0.11.22
  * Bump configuration version and fix enable_iak_idevid
  * Enable test functional/iak-idevid-register-with-certificates
  * Update packit plan with new tests
  * Add certificates and certificate checking for IDevID and IAK keys (#669)
- Update to version 0.2.2+git.1697658634.9c7c6fa:
  * build(deps): bump rustix from 0.37.11 to 0.37.25
  * build(deps): bump tempfile from 3.6.0 to 3.8.0
  * build(deps): bump base64 from 0.21.0 to 0.21.4
  * build(deps): bump serde_json from 1.0.96 to 1.0.107
  * build(deps): bump openssl from 0.10.55 to 0.10.57
  * cargo: Bump serde to version 1.0.188
  * tests: Fix tarpaulin issues with dropped -v option
  * build(deps): bump signal-hook from 0.3.15 to 0.3.17
  * build(deps): bump actix-web from 4.3.1 to 4.4.0
  * build(deps): bump thiserror from 1.0.40 to 1.0.48
  * Remove private_in_public
  * Initial PR to add support for IDevID and IAK
  * build(deps): bump uuid from 1.3.1 to 1.4.1
  * build(deps): bump log from 0.4.17 to 0.4.20
  * build(deps): bump reqwest from 0.11.16 to 0.11.20
  * Do not use too specific version on cargo audit workflow
  * Add workflow to run cargo-audit security audit
  * README: update dependencies for Debian and Ubuntu
  * Use latest versions of checkout/upload-artifacts
  * docker: Add 'keylime' system user
  * Use "currently" for swtpm emulator warning (#632)
  * Update container workflow actions versions
  * Build container image and push to quay.io
  * README: update requirements
- Update to version 0.2.2+git.1689256829.3d2b627:
  * Bump version to 0.2.2
  * build(deps): bump tempfile from 3.5.0 to 3.6.0
  * removing SIGINT stop signals from Dockerfiles and systemd service, as well as adding SIGTERM to IMA emulator as shutdown signal
- Update to version 0.2.1+git.1689167094.67ce0cf:
  * cargo: Bump serde to version 1.0.166
  * build(deps): bump libc from 0.2.142 to 0.2.147
  * adding release Dockerfiles in 3 flavours: fedora, distroless and wolfi
  * hash: add more configurable hash algorithm for public key digest
  * cargo: Update clap to version 4.3.11
  * cargo: Bump tokio crate version to 1.28.2
  * Add an example of IMA policy
  * main: Gracefully shutdown on SIGTERM or SIGINT
  * cargo: Bump proc-macro2 crate version
  * revocation: Parse revocation actions flexibly
  * crypto: Add unit tests for x509 functions
  * crypto: Make internal functions private
  * config: Add unit test for the list to files mapping
  * config: Make trusted_client_ca accept lists
  * lib: Implement parser for lists from config file
  * build(deps): bump openssl from 0.10.48 to 0.10.55
  * Add secure mount sanity test to packit testing.
  * [packit] Do not let COPR project expire
- Recommends the IMA Policy subpackage only if SELinux is configured
- Update to version 0.2.1+git.1685699835.3c9d17c:
  * Remove MOUNT_SECURE bool
  * rpm: Remove unused directory and add dependency for mount
  * keylime-agent/src: update API version to 2.1 to be consistent with https://github.com/keylime/keylime/blob/master/docs/rest_apis.rst
  * docker/fedora/keylime_rust.Dockerfile: add the logic of cloning and compiling rust-keylime
  * [tests] Update test coverage task name regexp
  * [tests] Simplify coverage file URL parsing
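The practical check behind this advisory is whether a vendored Cargo.lock still carries rustix or shlex below the versions listed under "Update vendored crates" (rustix 0.37.25 and 0.38.34, shlex 1.3.0). The following is an added example, not code from the advisory or from the rust-keylime project: a dependency-free Rust scanner that parses the [[package]] stanzas of a Cargo.lock and flags any of those crates that is older than the advisory version on the same release line. Assumptions: "same release line" means the same 0.MINOR for 0.x crates and the same MAJOR otherwise (so both rustix lines are checked independently, and a rustix 0.36.x would not be flagged because the advisory lists no version for it); pre-release and build metadata on a version are ignored; CVE-2024-32650 is not encoded as a version threshold because the page addresses it through the actix-web rustls feature change rather than a crate bump. The lock-file text in SAMPLE_LOCK is constructed sample input.

```rust
// Added example: scan a Cargo.lock for the crates this advisory bumps.
// Not part of the advisory or of rust-keylime; std only.
use std::collections::BTreeMap;

/// Minimal semver triple. Pre-release/build metadata are ignored (assumption).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Ver(pub u64, pub u64, pub u64);

/// "0.38.34-beta+build" -> Ver(0, 38, 34); anything not MAJOR.MINOR.PATCH -> None.
pub fn parse_ver(s: &str) -> Option<Ver> {
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    let v = Ver(it.next()??, it.next()??, it.next()??);
    if it.next().is_some() {
        return None;
    }
    Some(v)
}

/// Collect every (name, version) from the [[package]] stanzas of a Cargo.lock.
/// A crate may be vendored more than once on incompatible lines (the advisory
/// lists rustix 0.37.x and 0.38.x side by side), hence a Vec per name.
pub fn parse_lock(text: &str) -> BTreeMap<String, Vec<Ver>> {
    fn flush(name: &mut Option<String>, ver: &mut Option<Ver>, out: &mut BTreeMap<String, Vec<Ver>>) {
        // take() clears both fields even when only one was set (e.g. the
        // top-level `version = 3` lock-format line, which has no name).
        if let (Some(n), Some(v)) = (name.take(), ver.take()) {
            out.entry(n).or_default().push(v);
        }
    }
    let mut out = BTreeMap::new();
    let (mut name, mut ver) = (None, None);
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut ver, &mut out);
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            ver = parse_ver(rest.trim_matches('"'));
        }
    }
    flush(&mut name, &mut ver, &mut out);
    out
}

/// Versions exactly as listed in the advisory's "Update vendored crates" entry.
pub const FIXED: &[(&str, Ver)] = &[
    ("rustix", Ver(0, 37, 25)),
    ("rustix", Ver(0, 38, 34)),
    ("shlex", Ver(1, 3, 0)),
];

/// Assumption: 0.x crates are compared within the same 0.MINOR line, others
/// within the same MAJOR, mirroring cargo's compatibility ranges.
fn same_line(a: Ver, b: Ver) -> bool {
    if a.0 == 0 && b.0 == 0 { a.1 == b.1 } else { a.0 == b.0 }
}

/// (crate, vendored version, advisory version) for every vendored version that is
/// on the same line as an advisory version and older than it.
pub fn findings(lock: &BTreeMap<String, Vec<Ver>>) -> Vec<(String, Ver, Ver)> {
    let mut hits = Vec::new();
    for (name, fixed) in FIXED {
        if let Some(vs) = lock.get(*name) {
            for &v in vs {
                if same_line(v, *fixed) && v < *fixed {
                    hits.push((name.to_string(), v, *fixed));
                }
            }
        }
    }
    hits
}

pub fn report(text: &str) -> Vec<String> {
    findings(&parse_lock(text))
        .into_iter()
        .map(|(n, v, f)| format!("{} {}.{}.{} is below advisory version {}.{}.{}", n, v.0, v.1, v.2, f.0, f.1, f.2))
        .collect()
}

/// Constructed sample lock file (not taken from rust-keylime).
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "rustix"
version = "0.37.11"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustix"
version = "0.38.34"

[[package]]
name = "shlex"
version = "1.1.0"

[[package]]
name = "serde"
version = "1.0.203"
"#;

fn main() {
    // Usage: scanner [path/to/Cargo.lock]; falls back to the constructed sample.
    let text = std::env::args()
        .nth(1)
        .and_then(|p| std::fs::read_to_string(p).ok())
        .unwrap_or_else(|| SAMPLE_LOCK.to_string());
    let hits = report(&text);
    if hits.is_empty() {
        println!("no vendored crate below the advisory versions");
    }
    for h in &hits {
        println!("{}", h);
    }
}
```

Against the constructed sample this reports rustix 0.37.11 and shlex 1.1.0 and accepts rustix 0.38.34. The same version-line rule is what makes the two rustix entries independent: a 0.37.x is never judged against the 0.38.34 threshold and vice versa. Running `cargo audit`, which the changelog above also wires into the project's CI workflow, is the broader check; this scanner only confirms the three crate bumps this particular update claims.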