{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"Security update for rust-keylime","title":"Title of the patch"},{"category":"description","text":"This update for rust-keylime fixes the following issues:\n\nUpdate to version 0.2.8+116.\n\nSecurity issues fixed:\n\n- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion\n  (bsc#1257908).\n\nOther updates and bugfixes:\n\n- Update vendored crates `time` to version 0.3.47.\n\n- Update to version 0.2.8+116:\n  \n  * build(deps): bump bytes from 1.7.2 to 1.11.1\n  * api: Modify /version endpoint output in version 2.5\n  * Add API v2.5 with backward-compatible /v2.5/quotes/integrity\n  * tests: add unit test for resolve_agent_id (#1182)\n  * (pull-model): enable retry logic for registration\n  * rpm: Update specfiles to apply on master\n  * workflows: Add test to detect unused crates\n  * lib: Drop unused crates\n  * push-model: Drop unused crates\n  * keylime-agent: Drop unused crates\n  * build(deps): bump uuid from 1.18.1 to 1.19.0\n  * Update reqwest-retry to 0.8, retry-policies to 0.5\n  * rpm: Fix cargo_build macro usage on CentOS Stream\n  * fix(push-model): resolve hash_ek uuid to actual EK hash\n  * build(deps): bump thiserror from 2.0.16 to 2.0.17\n  * workflows: Separate upstream test suite from e2e coverage\n  * Send UEFI measured boot logs as raw bytes (#1173)\n  * auth: Add unit tests for SecretToken implementation\n  * packit: Enable push-attestation tests\n  * resilient_client: Prevent authentication token leakage in logs\n\n- Use tmpfiles.d for /var directories (PED-14736)\n  \n- Update to version 0.2.8+96:\n  \n  * build(deps): bump wiremock from 0.6.4 to 0.6.5\n  * build(deps): bump actions/checkout from 5 to 6\n  * build(deps): bump chrono from 0.4.41 to 0.4.42\n  * packit: Get coverage from Fedora 43 runs\n  * Fix issues pointed out by clippy\n  * Replace mutex unwraps with proper error handling in TPM library\n  * Remove unused session request methods from StructureFiller\n  * Fix config panic on missing ek_handle in push model agent\n  * build(deps): bump tempfile from 3.21.0 to 3.23.0\n  * build(deps): bump actions/upload-artifact from 4 to 6 (#1163)\n  * Fix clippy warnings project-wide\n  * Add KEYLIME_DIR support for verifier TLS certificates in push model agent\n  * Thread privileged resources and use MeasurementList for IMA reading\n  * Add privileged resource initialization and privilege dropping to push model agent\n  * Fix privilege dropping order in run_as()\n  * add documentation on FQDN hostnames\n  * Remove confusing logs for push mode agent\n  * Set correct default Verifier port (8891->8881) (#1159)\n  * Add verifier_url to reference configuration file (#1158)\n  * Add TLS support for Registrar communication (#1139)\n  * Fix agent handling of 403 registration responses (#1154)\n  * Add minor README.md rephrasing (#1151)\n  * build(deps): bump actions/checkout from 5 to 6 (#1153)\n  * ci: update spec files for packit COPR build\n  * docs: improve challenge encoding and async TPM documentation\n  * refactor: improve middleware and error handling\n  * feat: add authentication client with middleware integration\n  * docker: Include keylime_push_model_agent binary\n  * Include attestation_interval configuration (#1146)\n  * Persist payload keys to avoid attestation failure on restart\n  * crypto: Implement the load or generate pattern for keys\n  * Use simple algorithm specifiers in certification_keys object (#1140)\n  * tests: Enable more tests in CI\n  * Fix RSA2048 algorithm reporting in keylime agent\n  * Remove disabled_signing_algorithms configuration\n  * rpm: Fix metadata patches to apply to current code\n  * workflows/rpm.yml: Use more strict patching\n  * build(deps): bump uuid from 1.17.0 to 1.18.1\n  * Fix ECC algorithm selection and reporting for keylime agent\n  * Improve logging consistency and coherency\n  * Implement minimal RFC compliance for Location header and URI parsing (#1125)\n  * Use separate keys for payload mechanism and mTLS\n  * docker: update rust to 1.81 for distroless Dockerfile\n  * Ensure UEFI log capabilities are set to false\n  * build(deps): bump http from 1.1.0 to 1.3.1\n  * build(deps): bump log from 0.4.27 to 0.4.28\n  * build(deps): bump cfg-if from 1.0.1 to 1.0.3\n  * build(deps): bump actix-rt from 2.10.0 to 2.11.0\n  * build(deps): bump async-trait from 0.1.88 to 0.1.89\n  * build(deps): bump trybuild from 1.0.105 to 1.0.110\n  * Accept evidence handling structures null entries\n  * workflows: Add test to check if RPM patches still apply\n  * CI: Enable test add-agent-with-malformed-ek-cert\n  * config: Fix singleton tests\n  * FSM: Remove needless lifetime annotations (#1105)\n  * rpm: Do not remove wiremock which is now available in Fedora\n  * Use latest Fedora httpdate version (1.0.3)\n  * Enhance coverage with parse_retry_after test\n  * Fix issues reported by CI regarding unwrap() calls\n  * Reuse max retries indicated to the ResilientClient\n  * Include limit of retries to 5 for Retry-After\n  * Add policy to handle Retry-After response headers\n  * build(deps): bump wiremock from 0.6.3 to 0.6.4\n  * build(deps): bump serde_json from 1.0.140 to 1.0.143\n  * build(deps): bump pest_derive from 2.8.0 to 2.8.1\n  * build(deps): bump syn from 2.0.90 to 2.0.106\n  * build(deps): bump tempfile from 3.20.0 to 3.21.0\n  * build(deps): bump thiserror from 2.0.12 to 2.0.16\n  * rpm: Fix patches to apply to current master code\n  * build(deps): bump anyhow from 1.0.98 to 1.0.99\n  * state_machine: Automatically clean config override during tests\n  * config: Implement singleton and factory pattern\n  * testing: Support overriding configuration during tests\n  * feat: implement standalone challenge-response authentication module\n  * structures: rename session structs for clarity and fix typos\n  * tpm: refactor certify_credential_with_iak() into a more generic function\n  * Add Push Model Agent Mermaid FSM chart (#1095)\n  * Add state to avoid exiting on wrong attestation (#1093)\n  * Add 6 alphanumeric lowercase X-Request-ID header\n  * Enhance Evidence Handling response parsing\n  * build(deps): bump quote from 1.0.35 to 1.0.40\n  * build(deps): bump libc from 0.2.172 to 0.2.175\n  * build(deps): bump glob from 0.3.2 to 0.3.3\n  * build(deps): bump actix-web from 4.10.2 to 4.11.0\n","title":"Description of the patch"},{"category":"details","text":"SUSE-2026-453,SUSE-SLE-Micro-5.3-2026-453","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0453-1.json"},{"category":"self","summary":"URL for SUSE-SU-2026:0453-1","url":"https://www.suse.com/support/update/announcement/2026/suse-su-20260453-1/"},{"category":"self","summary":"E-Mail link for SUSE-SU-2026:0453-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2026-February/024128.html"},{"category":"self","summary":"SUSE Bug 1257908","url":"https://bugzilla.suse.com/1257908"},{"category":"self","summary":"SUSE CVE CVE-2026-25727 page","url":"https://www.suse.com/security/cve/CVE-2026-25727/"}],"title":"Security update for rust-keylime","tracking":{"current_release_date":"2026-02-11T16:17:25Z","generator":{"date":"2026-02-11T16:17:25Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"SUSE-SU-2026:0453-1","initial_release_date":"2026-02-11T16:17:25Z","revision_history":[{"date":"2026-02-11T16:17:25Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"keylime-ima-policy-0.2.8+116-150400.3.13.1.aarch64","product":{"name":"keylime-ima-policy-0.2.8+116-150400.3.13.1.aarch64","product_id":"keylime-ima-policy-0.2.8+116-150400.3.13.1.aarch64"}},{"category":"product_version","name":"rust-keylime-0.2.8+116-150400.3.13.1.aarch64","product":{"name":"rust-keylime-0.2.8+116-150400.3.13.1.aarch64","product_id":"rust-keylime-0.2.8+116-150400.3.13.1.aarch64"}}],"category":"architecture","name":"aarch64"},{"branches":[{"category":"product_version","name":"keylime-ima-policy-0.2.8+116-150400.3.13.1.ppc64le","product":{"name":"keylime-ima-policy-0.2.8+116-150400.3.13.1.ppc64le","product_id":"keylime-ima-policy-0.2.8+116-150400.3.13.1.ppc64le"}},{"category":"product_version","name":"rust-keylime-0.2.8+116-150400.3.13.1.ppc64le","product":{"name":"rust-keylime-0.2.8+116-150400.3.13.1.ppc64le","product_id":"rust-keylime-0.2.8+116-150400.3.13.1.ppc64le"}}],"category":"architecture","name":"ppc64le"},{"branches":[{"category":"product_version","name":"keylime-ima-policy-0.2.8+116-150400.3.13.1.s390x","product":{"name":"keylime-ima-policy-0.2.8+116-150400.3.13.1.s390x","product_id":"keylime-ima-policy-0.2.8+116-150400.3.13.1.s390x"}},{"category":"product_version","name":"rust-keylime-0.2.8+116-150400.3.13.1.s390x","product":{"name":"rust-keylime-0.2.8+116-150400.3.13.1.s390x","product_id":"rust-keylime-0.2.8+116-150400.3.13.1.s390x"}}],"category":"architecture","name":"s390x"},{"branches":[{"category":"product_version","name":"keylime-ima-policy-0.2.8+116-150400.3.13.1.x86_64","product":{"name":"keylime-ima-policy-0.2.8+116-150400.3.13.1.x86_64","product_id":"keylime-ima-policy-0.2.8+116-150400.3.13.1.x86_64"}},{"category":"product_version","name":"rust-keylime-0.2.8+116-150400.3.13.1.x86_64","product":{"name":"rust-keylime-0.2.8+116-150400.3.13.1.x86_64","product_id":"rust-keylime-0.2.8+116-150400.3.13.1.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Micro 5.3","product":{"name":"SUSE Linux Enterprise Micro 5.3","product_id":"SUSE Linux Enterprise Micro 5.3","product_identification_helper":{"cpe":"cpe:/o:suse:sle-micro:5.3"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"rust-keylime-0.2.8+116-150400.3.13.1.aarch64 as component of SUSE Linux Enterprise Micro 5.3","product_id":"SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.aarch64"},"product_reference":"rust-keylime-0.2.8+116-150400.3.13.1.aarch64","relates_to_product_reference":"SUSE Linux Enterprise Micro 5.3"},{"category":"default_component_of","full_product_name":{"name":"rust-keylime-0.2.8+116-150400.3.13.1.s390x as component of SUSE Linux Enterprise Micro 5.3","product_id":"SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.s390x"},"product_reference":"rust-keylime-0.2.8+116-150400.3.13.1.s390x","relates_to_product_reference":"SUSE Linux Enterprise Micro 5.3"},{"category":"default_component_of","full_product_name":{"name":"rust-keylime-0.2.8+116-150400.3.13.1.x86_64 as component of SUSE Linux Enterprise Micro 5.3","product_id":"SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.x86_64"},"product_reference":"rust-keylime-0.2.8+116-150400.3.13.1.x86_64","relates_to_product_reference":"SUSE Linux Enterprise Micro 5.3"}]},"vulnerabilities":[{"cve":"CVE-2026-25727","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2026-25727"}],"notes":[{"category":"general","text":"time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.","title":"CVE description"}],"product_status":{"recommended":["SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.aarch64","SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.s390x","SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.x86_64"]},"references":[{"category":"external","summary":"CVE-2026-25727","url":"https://www.suse.com/security/cve/CVE-2026-25727"},{"category":"external","summary":"SUSE Bug 1257901 for CVE-2026-25727","url":"https://bugzilla.suse.com/1257901"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.aarch64","SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.s390x","SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"products":["SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.aarch64","SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.s390x","SUSE Linux Enterprise Micro 5.3:rust-keylime-0.2.8+116-150400.3.13.1.x86_64"]}],"threats":[{"category":"impact","date":"2026-02-11T16:17:25Z","details":"important"}],"title":"CVE-2026-25727"}]}