Detections
Analytics

openSUSE 16 Security Update : keylime (openSUSE-SU-2025:20159-1)

medium Nessus Plugin ID 278643

Language:

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2025:20159-1 advisory.

 Update to version 7.13.0+40.

 Security issues fixed:

 - CVE-2025-13609: possible agent identity takeover due to registrar allowing the registration of agents with duplicate UUIDs (bsc#1254199).
 - CVE-2025-1057: registrar denial-of-service due to backward incompatibility in database type handling (bsc#1237153).

 Other issues fixed and changes:

 - Version 7.13.0+40:
 * Include new attestation information fields (#1818)
 * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)
 * push-model: require HTTPS for authentication and attestation endpoints
 * Fix operational_state tracking in push mode attestations
 * templates: add push model authentication config options to 2.5 templates
 * Security: Hash authentication tokens in logs
 * Fix stale IMA policy cache in verification
 * Fix authentication behavior on failed attestations for push mode
 * Add shared memory infrastructure for multiprocess communication
 * Add agent authentication (challenge/response) protocol for push mode
 * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)
 * docs: Fix man page RST formatting for rst2man compatibility (#1813)
 * Apply limit on keylime-policy workers
 * tpm: fix ECC signature parsing to support variable-length coordinates
 * tpm: fix ECC P-521 credential activation with consistent marshaling
 * tpm: fix ECC P-521 coordinate validation
 * Remove deprecated disabled_signing_algorithms configuration option (#1804)
 * algorithms: add support for specific RSA algorithms
 * algorithms: add support for specific ECC curve algorithms
 * Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent
 * Manpage for keylime agent
 * Manpage for keylime verifier
 * Manpage for keylime registrar
 * Use constants for timeout and max retries defaults
 * verifier: Use timeout from `request_timeout` config option
 * revocation_notifier: Use timeout setting from config file
 * tenant: Set timeout when getting version from agent
 * verify/evidence: SEV-SNP evidence type/verifier
 * verify/evidence: Add evidence type to request JSON

 - Version v7.13.0:
 * Avoid re-encoding certificate stored in DB
 * Revert models: Do not re-encode certificate stored in DB
 * Revert registrar_agent: Use pyasn1 to parse PEM
 * policy/sign: use print() when writing to /dev/stdout
 * registrar_agent: Use pyasn1 to parse PEM
 * models: Do not re-encode certificate stored in DB
 * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
 * mb: support vendor_db as logged by newer shim versions
 * mb: support EV_EFI_HANDOFF_TABLES events on PCR1
 * Remove unnecessary configuration values
 * cloud_verifier_tornado: handle exception in notify_error()
 * requests_client: close the session at the end of the resource manager
 * Manpage for keylime_tenant (#1786)
 * Add 2.5 templates including Push Model changes
 * Initial version of verify evidence API
 * db: Do not read pool size and max overflow for sqlite
 * Use context managers to close DB sessions
 * revocations: Try to send notifications on shutdown
 * verifier: Gracefully shutdown on signal
 * Use `fork` as `multiprocessing` start method
 * Fix inaccuracy in threat model and add reference to SBAT
 * Explain TPM properties and expand vTPM discussion
 * Fix invalid RST and update TOC
 * Expand threat model page to include adversarial model
 * Add --push-model option to avoid requests to agents
 * templates: duplicate str_to_version() in the adjust script
 * policy: fix mypy issues with rpm_repo
 * revocation_notifier: fix mypy issue by replacing deprecated call
 * Fix create_runtime_policy in python < 3.12
 * Fix after review
 * fixed CONSTANT names C0103 errors
 * Extend meta_data field in verifierdb
 * docs: update issue templates
 * docs: add GitHub PR template with documentation reminders
 * tpm_util: fix quote signature extraction for ECDSA
 * registrar: Log API versions during startup
 * Remove excessive logging on exception
 * scripts: Fix coverage information downloading script

 - Version v7.12.1:
 * models: Add Base64Bytes type to read and write from the database
 * Simplify response check from registrar

 - Version v7.12.0:
 * API: Add /version endpoint to registrar
 * scripts: Download coverage data directly from Testing Farm
 * docs: Add separate documentation for each API version
 * scripts/create_runtime_policy.sh: fix path for the exclude list
 * docs: add documentation for keylime-policy
 * templates: Add the new agent.conf option 'api_versions'
 * Enable autocompletion using argcomplete
 * build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2
 * Configure EPEL-10 repo in packit-ci.fmf
 * build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1
 * build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3
 * build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1
 * build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0
 * keylime-policy: improve error handling when provided a bad key (sign)
 * keylime-policy: exit with status 1 when the commands failed
 * keylime-policy: use Certificate() from models.base to validate certs
 * keylime-policy: check for valid cert file when using x509 backend (sign)
 * keylime-policy: fix help for keylime-policy sign verb
 * tenant: Correctly log number of tries when deleting
 * update TCTI environment variable usage
 * build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2
 * keylime-policy: add `create measured-boot' subcommand
 * keylime-policy: add `sign runtime' subcommand
 * keylime-policy: add logger to use with the policy tool
 * installer.sh: Restore execution permission
 * installer: Fix string comparison
 * build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0
 * build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0
 * build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0
 * build(deps): bump actions/setup-python from 5.2.0 to 5.3.0
 * installer.sh: updated EPEL, PEP668 Fix, logic fix
 * build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0
 * build(deps): bump actions/checkout from 4.2.1 to 4.2.2
 * postgresql support for docker using psycopg2
 * installer.sh: update package list, add workaround for PEP 668
 * build(deps): bump actions/checkout from 4.2.0 to 4.2.1
 * keylime.conf: full removal
 * Drop pending SPDX-License-Identifier headers
 * create_runtime_policy: Validate algorithm from IMA measurement log
 * create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity
 * create_runtime_policy: drop commment with test data
 * create_runtime_policy: Use a common method to guess algorithm
 * keylime-policy: rename tool to keylime-policy instead of keylime_policy
 * keylime_policy: create runtime: remove --use-ima-measurement-list
 * keylime_policy: use consistent arg names for create_runtime_policy
 * build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3
 * build(deps): bump actions/checkout from 4.1.7 to 4.2.0
 * elchecking/example: workaround empty PK, KEK, db and dbx
 * elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2
 * create_runtime_policy: Fix log level for debug messages
 * build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2
 * build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5
 * pylintrc: Ignore too-many-positional-arguments check
 * keylime/web/base/controller: Move TypeAlias definition out of class
 * create_runtime_policy: Calculate digests in multiple threads
 * create_runtime_policy: Allow rootfs to be in any directory
 * keylime_policy: Calculate digests from each source separately
 * create_runtime_policy: Simplify boot_aggregate parsing
 * ima: Validate JSON when loading IMA Keyring from string
 * docs: include IDevID page also in the sidebar
 * docs: point to installation guide from RHEL and SLE Micro
 * build(deps): bump actions/setup-python from 5.1.1 to 5.2.0
 * build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1
 * change check_tpm_origin_check to a warning that does not prevent registration
 * docs: Fix Runtime Policy JSON schema to reflect the reality
 * Sets absolute path for files inside a rootfs dir
 * policy/create_runtime_policy: fix handling of empty lines in exclude list
 * keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)
 * codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)
 * codestyle: convert bytearrays to bytes to get expected type (pyright)
 * codestyle: Use new variables after changing datatype (pyright)
 * cert_utils: add description why loading using cryptography might fail
 * ima: list names of the runtime policies
 * build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0
 * tox: Use python 3.10 instead of 3.6
 * revocation_notifier: Use web_util to generate TLS context
 * mba: Add a skip custom policies option when loading mba.
 * build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1
 * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
 * cmd/keylime_policy: add tool to handle keylime policies
 * cert_utils: add is_x509_cert()
 * common/algorithms: transform Encrypt and Sign class into enums
 * common/algorithms: add method to calculate digest of a file
 * build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0
 * build(deps): bump docker/login-action from 3.2.0 to 3.3.0
 * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
 * build(deps): bump docker/login-action from 3.2.0 to 3.3.0
 * build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0
 * build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1
 * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
 * build(deps): bump pre-commit/action from 3.0.0 to 3.0.1
 * tpm: Replace KDFs and ECDH implementations with python-cryptography
 * build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0
 * build(deps): bump docker/login-action from 2.2.0 to 3.2.0
 * build(deps): bump actions/setup-python from 2.3.4 to 5.1.1
 * build(deps): bump actions/first-interaction
 * build(deps): bump actions/checkout from 2.7.0 to 4.1.7
 * revocation_notifier: Explicitly add CA certificate bundle
 * Introduce new REST API framework and refactor registrar implementation
 * mba: Support named measured boot policies
 * tenant: add friendlier error message if mTLS CA is wrongly configured
 * ca_impl_openssl: Mark extensions as critical following RFC 5280
 * Include Authority Key Identifier in KL-generated certs
 * verifier, tenant: make payload for agent completely optional

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1237153

https://bugzilla.suse.com/1254199

https://www.suse.com/security/cve/CVE-2025-1057

https://www.suse.com/security/cve/CVE-2025-13609

Plugin Details

Severity: Medium

ID: 278643

File Name: openSUSE-2025-20159-1.nasl

Version: 1.2

Type: local

Agent: unix

Published: 12/15/2025

Updated: 12/16/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2025-1057

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:keylime-tpm_cert_store, p-cpe:/a:novell:opensuse:keylime-config, p-cpe:/a:novell:opensuse:keylime-registrar, p-cpe:/a:novell:opensuse:keylime-verifier, p-cpe:/a:novell:opensuse:keylime-logrotate, p-cpe:/a:novell:opensuse:keylime-tenant, p-cpe:/a:novell:opensuse:keylime-firewalld, p-cpe:/a:novell:opensuse:python313-keylime

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/12/2025

Vulnerability Publication Date: 2/14/2025

Reference Information

CVE: CVE-2025-1057, CVE-2025-13609