{"affected":[{"ecosystem_specific":{"binaries":[{"rust-keylime":"0.2.8+116-150500.3.11.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.5","name":"rust-keylime","purl":"pkg:rpm/suse/rust-keylime&distro=SUSE%20Linux%20Enterprise%20Micro%205.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.2.8+116-150500.3.11.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for rust-keylime fixes the following issues:\n\nUpdate to version 0.2.8+116.\n\nSecurity issues fixed:\n\n- CVE-2026-25727: time: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion\n  (bsc#1257908).\n\nOther updates and bugfixes:\n\n- Update vendored crates `time` to version 0.3.47.\n\n- Update to version 0.2.8+116:\n\n  * build(deps): bump bytes from 1.7.2 to 1.11.1\n  * api: Modify /version endpoint output in version 2.5\n  * Add API v2.5 with backward-compatible /v2.5/quotes/integrity\n  * tests: add unit test for resolve_agent_id (#1182)\n  * (pull-model): enable retry logic for registration\n  * rpm: Update specfiles to apply on master\n  * workflows: Add test to detect unused crates\n  * lib: Drop unused crates\n  * push-model: Drop unused crates\n  * keylime-agent: Drop unused crates\n  * build(deps): bump uuid from 1.18.1 to 1.19.0\n  * Update reqwest-retry to 0.8, retry-policies to 0.5\n  * rpm: Fix cargo_build macro usage on CentOS Stream\n  * fix(push-model): resolve hash_ek uuid to actual EK hash\n  * build(deps): bump thiserror from 2.0.16 to 2.0.17\n  * workflows: Separate upstream test suite from e2e coverage\n  * Send UEFI measured boot logs as raw bytes (#1173)\n  * auth: Add unit tests for SecretToken implementation\n  * packit: Enable push-attestation tests\n  * resilient_client: Prevent authentication token leakage in logs\n\n- Use tmpfiles.d for /var directories (PED-14736)\n  \n- Update to version 0.2.8+96:\n  \n  * build(deps): bump wiremock from 0.6.4 to 0.6.5\n  * build(deps): bump actions/checkout from 5 to 6\n  * build(deps): bump chrono from 0.4.41 to 0.4.42\n  * packit: Get coverage from Fedora 43 runs\n  * Fix issues pointed out by clippy\n  * Replace mutex unwraps with proper error handling in TPM library\n  * Remove unused session request methods from StructureFiller\n  * Fix config panic on missing ek_handle in push model agent\n  * build(deps): bump tempfile from 3.21.0 to 3.23.0\n  * build(deps): bump actions/upload-artifact from 4 to 6 (#1163)\n  * Fix clippy warnings project-wide\n  * Add KEYLIME_DIR support for verifier TLS certificates in push model agent\n  * Thread privileged resources and use MeasurementList for IMA reading\n  * Add privileged resource initialization and privilege dropping to push model agent\n  * Fix privilege dropping order in run_as()\n  * add documentation on FQDN hostnames\n  * Remove confusing logs for push mode agent\n  * Set correct default Verifier port (8891->8881) (#1159)\n  * Add verifier_url to reference configuration file (#1158)\n  * Add TLS support for Registrar communication (#1139)\n  * Fix agent handling of 403 registration responses (#1154)\n  * Add minor README.md rephrasing (#1151)\n  * build(deps): bump actions/checkout from 5 to 6 (#1153)\n  * ci: update spec files for packit COPR build\n  * docs: improve challenge encoding and async TPM documentation\n  * refactor: improve middleware and error handling\n  * feat: add authentication client with middleware integration\n  * docker: Include keylime_push_model_agent binary\n  * Include attestation_interval configuration (#1146)\n  * Persist payload keys to avoid attestation failure on restart\n  * crypto: Implement the load or generate pattern for keys\n  * Use simple algorithm specifiers in certification_keys object (#1140)\n  * tests: Enable more tests in CI\n  * Fix RSA2048 algorithm reporting in keylime agent\n  * Remove disabled_signing_algorithms configuration\n  * rpm: Fix metadata patches to apply to current code\n  * workflows/rpm.yml: Use more strict patching\n  * build(deps): bump uuid from 1.17.0 to 1.18.1\n  * Fix ECC algorithm selection and reporting for keylime agent\n  * Improve logging consistency and coherency\n  * Implement minimal RFC compliance for Location header and URI parsing (#1125)\n  * Use separate keys for payload mechanism and mTLS\n  * docker: update rust to 1.81 for distroless Dockerfile\n  * Ensure UEFI log capabilities are set to false\n  * build(deps): bump http from 1.1.0 to 1.3.1\n  * build(deps): bump log from 0.4.27 to 0.4.28\n  * build(deps): bump cfg-if from 1.0.1 to 1.0.3\n  * build(deps): bump actix-rt from 2.10.0 to 2.11.0\n  * build(deps): bump async-trait from 0.1.88 to 0.1.89\n  * build(deps): bump trybuild from 1.0.105 to 1.0.110\n  * Accept evidence handling structures null entries\n  * workflows: Add test to check if RPM patches still apply\n  * CI: Enable test add-agent-with-malformed-ek-cert\n  * config: Fix singleton tests\n  * FSM: Remove needless lifetime annotations (#1105)\n  * rpm: Do not remove wiremock which is now available in Fedora\n  * Use latest Fedora httpdate version (1.0.3)\n  * Enhance coverage with parse_retry_after test\n  * Fix issues reported by CI regarding unwrap() calls\n  * Reuse max retries indicated to the ResilientClient\n  * Include limit of retries to 5 for Retry-After\n  * Add policy to handle Retry-After response headers\n  * build(deps): bump wiremock from 0.6.3 to 0.6.4\n  * build(deps): bump serde_json from 1.0.140 to 1.0.143\n  * build(deps): bump pest_derive from 2.8.0 to 2.8.1\n  * build(deps): bump syn from 2.0.90 to 2.0.106\n  * build(deps): bump tempfile from 3.20.0 to 3.21.0\n  * build(deps): bump thiserror from 2.0.12 to 2.0.16\n  * rpm: Fix patches to apply to current master code\n  * build(deps): bump anyhow from 1.0.98 to 1.0.99\n  * state_machine: Automatically clean config override during tests\n  * config: Implement singleton and factory pattern\n  * testing: Support overriding configuration during tests\n  * feat: implement standalone challenge-response authentication module\n  * structures: rename session structs for clarity and fix typos\n  * tpm: refactor certify_credential_with_iak() into a more generic function\n  * Add Push Model Agent Mermaid FSM chart (#1095)\n  * Add state to avoid exiting on wrong attestation (#1093)\n  * Add 6 alphanumeric lowercase X-Request-ID header\n  * Enhance Evidence Handling response parsing\n  * build(deps): bump quote from 1.0.35 to 1.0.40\n  * build(deps): bump libc from 0.2.172 to 0.2.175\n  * build(deps): bump glob from 0.3.2 to 0.3.3\n  * build(deps): bump actix-web from 4.10.2 to 4.11.0\n","id":"SUSE-SU-2026:0470-1","modified":"2026-02-12T11:22:07Z","published":"2026-02-12T11:22:07Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2026/suse-su-20260470-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1257908"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2026-25727"}],"related":["CVE-2026-25727"],"summary":"Security update for rust-keylime","upstream":["CVE-2026-25727"]}