<patchinfo incident="65">
<!-- generated from request(s) 343500 -->
<issue tracker="bnc" id="1223234">VUL-0: CVE-2024-32650: rust-keylime: rust-rustls: Infinite loop in rustls::conn::ConnectionCommon:complete_io() with proper client input</issue>
<issue tracker="bnc" id="1229952">VUL-0: CVE-2024-43806: rust-keylime: rustix: rustix::fs::Dir iterator with the linux_raw backend can cause memory explosion</issue>
<issue tracker="bnc" id="1230029">VUL-0: rust-keylime: rust-shlex: Multiple issues involving quote API ( RUSTSEC-2024-0006, GHSA-r7qv-8r2h-pg27)</issue>
<issue tracker="cve" id="2024-32650"/>
<issue tracker="cve" id="2024-43806"/>
<packager>aplanas</packager>
<rating>moderate</rating>
<category>security</category>
<summary>Security update for rust-keylime</summary>
<description>This update for rust-keylime fixes the following issues:

- Update vendored crates (CVE-2024-43806, bsc#1229952, bsc#1230029)
* rustix 0.37.25
* rustix 0.38.34
* shlex 1.3.0

- Update to version 0.2.6+13:
* Enable test functional/iak-idevid-persisted-and-protected
* build(deps): bump uuid from 1.7.0 to 1.10.0
* build(deps): bump openssl from 0.10.64 to 0.10.66
* keylime-agent/src/revocation: Fix comment indentation
* keylime/crypto: Fix indentation of documentation comment
* build(deps): bump thiserror from 1.0.59 to 1.0.63
* build(deps): bump serde_json from 1.0.116 to 1.0.120
* dependabot: Extend to also monitor workflow actions
* ci: Disable Packit CI on CentOS Stream 9
* ci: use CODECOV_TOKEN when submitting coverage data
* revocation: Use into() for unfallible transformation
* secure_mount: Fix possible infinite loop
* error: Rename enum variants to avoid clippy warning

- Update to version 0.2.6~0:
* Bump version to 0.2.6
* build(deps): bump libc from 0.2.153 to 0.2.155
* build(deps): bump serde from 1.0.196 to 1.0.203
* rpm/fedora: Update rust macro usage
* config: Support hostnames in registrar_ip option
* added use of persisted IAK and IDevID and authorisation values
* config changes
* Adding /agent/info API to agent
* Fix leftover 'unnecessary qualification' warnings on tests

- Update to version 0.2.5~4:
* Fix 'unnecessary qualification' warnings
* fix IAK template to match IDevID
* rpm: fix COPR RPMs build for centos-stream-10
* Build COPR RPMs for centos-stream-10

- Update to version 0.2.5~0:
* Bump version to 0.2.5
* cargo: Relax required version for pest crate
* build(deps): bump log from 0.4.20 to 0.4.21
* build(deps): bump thiserror from 1.0.56 to 1.0.59

- actix-web update moves rustls as feature (bsc#1223234, CVE-2024-32650)

- Update to version 0.2.4~39:
* build(deps): bump openssl from 0.10.63 to 0.10.64
* build(deps): bump h2 from 0.3.24 to 0.3.26
* build(deps): bump serde_json from 1.0.107 to 1.0.116
* build(deps): bump actix-web from 4.4.1 to 4.5.1
* crypto: Enable TLS 1.3
* build(deps): bump tempfile from 3.9.0 to 3.10.1
* build(deps): bump mio from 0.8.4 to 0.8.11
* enable hex values to be used for tpm_ownerpassword
* config: Support IPv6 with or without brackets
* keylime: Implement a simple IP parser to remove brackets
* crypto: Implement CertificateBuilder to generate certificates
* tests: Fix coverage download by supporting arbitrary URL
* cargo: Add testing feature to keylime library
* Set X509 SAN with local DNSname/IP/IPv6
* Include newest Node20 versions for Github actions
* tpm: Add unit test for uncovered public functions
* crypto: Implement ECC key generation support
* crypto: Add test for match_cert_to_template()
* Fix minor typo, format and remove end whitespaces
* crypto: Make error types less specific
* tests/run.sh: Run tarpaulin with a single thread
* payloads: Remove explicit drop of channel transmitter
* crypto: Move to keylime library
* crypto: Add specific type for every possible error
* tpm: Rename origin of error as source in structures
* list_parser: Add source for error for backtrace
* algorithms: Make errors more specific
* typo fix for default path to measured boot log file
* README: remove mentions of libarchive as a dependency
* Dockerfile.wolfi: Update clang to version 17
* docker: Remove libarchive as a dependency
* rpm: Remove libarchive from dependencies
* cargo: Replace compress-tools with zip crate
* cargo: Bump ahash to version 0.8.7
* build(deps): bump serde from 1.0.195 to 1.0.196
* build(deps): bump libc from 0.2.152 to 0.2.153
* build(deps): bump reqwest from 0.11.23 to 0.11.24
* docker: Install configuration file in the correct path
* config: Make IAK/IDevID disabled by default

- Update to version 0.2.4+git.1706692574.a744517:
* Bump version to 0.2.4
* build(deps): bump uuid from 1.4.1 to 1.7.0
* keylime-agent.conf: Allow setting event logs paths
* Mutable log paths: allow IMA and MBA log paths to be overridden by keylime configuration.
* workflows: Update checkout action to version 4
* build(deps): bump serde from 1.0.188 to 1.0.195
* build(deps): bump pest_derive from 2.7.0 to 2.7.6
* build(deps): bump openssl from 0.10.62 to 0.10.63
* build(deps): bump config from 0.13.3 to 0.13.4
* build(deps): bump base64 from 0.21.4 to 0.21.7
* build(deps): bump tempfile from 3.8.0 to 3.9.0
* build(deps): bump pest from 2.7.0 to 2.7.6
* build(deps): bump actix-web from 4.4.0 to 4.4.1
* build(deps): bump reqwest from 0.11.22 to 0.11.23
* build(deps): bump h2 from 0.3.17 to 0.3.24
* build(deps): bump shlex from 1.1.0 to 1.3.0
* cargo: Bump tss-esapi to version 7.4.0
* workflows: Fix keylime-bot token usage
* tpm: Add error context for every possible error
* tpm: Add AlgorithmError to TpmError
* detect idevid template from certificates
* build(deps): bump wiremock from 0.5.18 to 0.5.22
* build(deps): bump thiserror from 1.0.48 to 1.0.56
* Make use of workspace dependencies
* build(deps): bump openssl from 0.10.57 to 0.10.62
* packit: Bump Fedora version used for code coverage

- Update to version 0.2.3+git.1701075380.a5dc985:
* build(deps): bump actix-rt from 2.8.0 to 2.9.0
* Bump version to 0.2.3
* build(deps): bump reqwest from 0.11.20 to 0.11.22
* Bump configuration version and fix enable_iak_idevid
* Enable test functional/iak-idevid-register-with-certificates
* Update packit plan with new tests
* Add certificates and certificate checking for IDevID and IAK keys (#669)

- Update to version 0.2.2+git.1697658634.9c7c6fa:
* build(deps): bump rustix from 0.37.11 to 0.37.25
* build(deps): bump tempfile from 3.6.0 to 3.8.0
* build(deps): bump base64 from 0.21.0 to 0.21.4
* build(deps): bump serde_json from 1.0.96 to 1.0.107
* build(deps): bump openssl from 0.10.55 to 0.10.57
* cargo: Bump serde to version 1.0.188
* tests: Fix tarpaulin issues with dropped -v option
* build(deps): bump signal-hook from 0.3.15 to 0.3.17
* build(deps): bump actix-web from 4.3.1 to 4.4.0
* build(deps): bump thiserror from 1.0.40 to 1.0.48
* Remove private_in_public
* Initial PR to add support for IDevID and IAK
* build(deps): bump uuid from 1.3.1 to 1.4.1
* build(deps): bump log from 0.4.17 to 0.4.20
* build(deps): bump reqwest from 0.11.16 to 0.11.20
* Do not use too specific version on cargo audit workflow
* Add workflow to run cargo-audit security audit
* README: update dependencies for Debian and Ubuntu
* Use latest versions of checkout/upload-artifacts
* docker: Add 'keylime' system user
* Use "currently" for swtpm emulator warning (#632)
* Update container workflow actions versions
* Build container image and push to quay.io
* README: update requirements

- Update to version 0.2.2+git.1689256829.3d2b627:
* Bump version to 0.2.2
* build(deps): bump tempfile from 3.5.0 to 3.6.0
* removing SIGINT stop signals from Dockerfiles and systemd service, as well as adding SIGTERM to IMA emulator as shutdown signal

- Update to version 0.2.1+git.1689167094.67ce0cf:
* cargo: Bump serde to version 1.0.166
* build(deps): bump libc from 0.2.142 to 0.2.147
* adding release Dockerfiles in 3 flavours: fedora, distroless and wolfi
* hash: add more configurable hash algorithm for public key digest
* cargo: Update clap to version 4.3.11
* cargo: Bump tokio crate version to 1.28.2
* Add an example of IMA policy
* main: Gracefully shutdown on SIGTERM or SIGINT
* cargo: Bump proc-macro2 crate version
* revocation: Parse revocation actions flexibly
* crypto: Add unit tests for x509 functions
* crypto: Make internal functions private
* config: Add unit test for the list to files mapping
* config: Make trusted_client_ca to accept lists
* lib: Implement parser for lists from config file
* build(deps): bump openssl from 0.10.48 to 0.10.55
* Add secure mount sanity test to packit testing.
* [packit] Do not let COPR project expire

- Recommends the IMA Policy subpackage only if SELinux is configured

- Update to version 0.2.1+git.1685699835.3c9d17c:
* Remove MOUNT_SECURE bool
* rpm: Remove unused directory and add dependency for mount
* keylime-agent/src: update API version to 2.1 to consistent with https://github.com/keylime/keylime/blob/master/docs/rest_apis.rst
* docker/fedora/keylime_rust.Dockerfile: add the logic of cloning and compiling rust-keylime
* [tests] Update test coverage task name regexp
* [tests] Simply coverage file URL parsing

</description>
<package>rust-keylime</package>
<seperate_build_arch/>
</patchinfo>