Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked in at 2022-01-29 20:57:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and      /work/SRC/openSUSE:Factory/.keylime.new.1898 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "keylime"

Sat Jan 29 20:57:31 2022 rev:13 rq:949635 version:6.3.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/keylime/keylime.changes	2022-01-27 23:16:40.827096907 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1898/keylime.changes	2022-01-29 20:57:40.936424405 +0100
@@ -1,0 +2,106 @@ +Thu Jan 27 16:16:19 UTC 2022 - apla...@suse.com + +- Drop patches beacuse merged upstream: + * 0001-Drop-dataclasses-module-usage.patch + * 0001-config-support-merge-multiple-config-files.patch + * 0001-ca-support-back-old-cyptography-API.patch +- Update to version v6.3.0: + * Coordinated update to fix: + + bsc#1193997 (CVE-2022-23948) + + bsc#1193998 (CVE-2021-43310) + + bsc#1194000 (CVE-2022-23949) + + bsc#1194002 (CVE-2022-23950) + + bsc#1194004 (CVE-2022-23951) + + bsc#1194005 (CVE-2022-23952) + * secure_mount: add umount function + * secure_mount: use /proc/self/mountinfo + * Validate user ID in all public interfaces + * validators: add uuid and agent_id validators + * validators: create validators module + * revocation_notifier: move zmq socket to /var/run/keylime + * Update API version from 1.0 to 2.0 + * tpm: do not compress quote with zlib by default + * verifier: persist AK and mTLS certificate to DB + * verifier: use "supported_version" for agent connections + * tenant: add support for "supported_version" option for the verifier + * api_version: add the option for basic validation + * verifier: add supported_version field to DB and API + * agent: add /version to REST API + * verifier, tenant: allow agents to not use mTLS + * tenant, verifier: allow manual configuration of agent mTLS + * tests: migrate to mTLS + * tenant: connect to the agent via mTLS + * verifier: connect to the agent via mTLS + * tornado_requests: handle SSLError + * web_util: add mTLS context generation for agent + * agent: Enable mTLS for agent REST API + * crypto: add helper function for creating self signed certs + * registrar: Allow the agent to registrar with a mTLS certificate + * request_client: add workaround for handling certificates + * request_client: add the option to ignore hostname validation + * Better docs and errors about IMA hash mismatches + * tests: use JSON instead Python string for IMA tests + * verifier: use json.loads(..) 
instead of ast.literal_eval(..) + * Adding Nuvoton certificate for a post 2020 TPM device. The EK cert + of the device directs to the following download site: + 'https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root + CA 1111.cer' (yes, including the spaces) + * Improve revocation notifier IP description in keylime.conf + * tornado_requests: set Content-Type header correctly for JSON + * tenant: post U key to agent with correct Content-Type header + * Explicitly set permissions on new keylime.conf files installed + * tpm_main: close file descriptor for aik handle + * verifier: do not call finish() twice + * agent: fix payload execution + * tests: add initial tests for web_util module + * config, web_util: move get_restful_params(..) to web_util + * verifier: Also retry on HTTP 500 status code + * agent: improve startup and shutdown + * registrar: cleanup start function + * web_util: move echo_json_response(..) out of config.py + * verifier: fix failure generation for V key + * tornado_requests: cleanup TornadoResponse class + * web_util, verifier: move mTLS SSLContext generation into separate module + * ca: support back old cyptography API + * Fix test branch reference in packit.yaml + * ci: disable DeprecationWarning from pylint in tox + * Enable new test in Packit CI + * tenant: fix reactivate command + * config: support merge multiple config files + * ci: use only fedora-stable for packit + * elchecking: harden example policy against event type manipulation + * elchecking: add new tests + * tests: fix stdout formatting for agent and verifier + * Drop dataclasses module usage + * revocation notifier: handle shutdown of process gracefully + * verifier: handle SIGINT and SIGTERM correctly + * ima_emulator: fix IMA hash validation and add more options + * ima_ast: fix handling ToMToU errors + * Remove leftovers of TPM 1.2 support + * agent: improved validation for post function + * agent: better validation for mask and nonce + * config: add function to 
validate hex strings + * agent: keys/verify check if challenge was provided + * tpm_main: do not append /usr/local/{bin,lib} to default env + * db: only set length on Text type if supported + * json: do not make sqlalchemy a hard requirement + * Enable functional testing with Packit CI + * ima_emulator: specify sys.argv as the named parameter argv in main() + * elchecking example policy: make it work with Fedora 34 + * elchecking example policy: initrd* might be also called initramfs* + * scripts: add mb_refstate generator for example policy + * config: change tpm_hash_alg to SHA1 by default + * parse_mb_bootlog: specify the used hash algorithm used for PCRs + * agent: add warning that on kernels <5.10 IMA only works with SHA1 + * tpm: explicitly pass hash alg to sim_extend(..) + * ima emulator: use IMA AST and support multiple hash algorithms + * tests: update IMA allowlist version number + * ima: add option 'log_hash_alg' to IMA allowlist + * ima: remove hard requirement for SHA1 PCR 10 + * algorithms: extend Hash class to simplify computing hash values + * config, tpm_main: explicitly handle YAML load errors + * config: private_key must be set to -private.pem not -public.pem + * agent: add UUID option environment + * agent: drop openstack uuid option + +------------------------------------------------------------------- Old: ---- 0001-Drop-dataclasses-module-usage.patch 0001-ca-support-back-old-cyptography-API.patch 0001-config-support-merge-multiple-config-files.patch keylime-v6.2.1.tar.xz New: ---- keylime-v6.3.0.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ keylime.spec ++++++ --- /var/tmp/diff_new_pack.khUJbc/_old 2022-01-29 20:57:41.576420255 +0100 +++ /var/tmp/diff_new_pack.khUJbc/_new 2022-01-29 20:57:41.580420229 +0100 
@@ -25,7 +25,7 @@ %bcond_with cfssl %endif Name: keylime -Version: 6.2.1 +Version: 6.3.0 Release: 0 Summary: Open source TPM software for Bootstrapping and Maintaining Trust License: Apache-2.0 AND MIT @@ -38,12 +38,6 @@ Patch2: keylime.conf.diff # PATCH-FIX-OPENSUSE config-libefivars.diff Patch3: config-libefivars.diff -# PATCH-FIX-UPSTREAM 0001-Drop-dataclasses-module-usage.patch (gh#keylime/keylime!827) -Patch4: 0001-Drop-dataclasses-module-usage.patch -# PATCH-FIX-UPSTREAM 0001-config-support-merge-multiple-config-files.patch (gh#keylime/keylime!829) -Patch5: 0001-config-support-merge-multiple-config-files.patch -# PATCH-FIX-UPSTREAM 0001-ca-support-back-old-cyptography-API.patch (gh#keylime/keylime!839) -Patch6: 0001-ca-support-back-old-cyptography-API.patch BuildRequires: %{python_module setuptools} BuildRequires: fdupes BuildRequires: firewall-macros ++++++ _service ++++++ --- /var/tmp/diff_new_pack.khUJbc/_old 2022-01-29 20:57:41.620419970 +0100 +++ /var/tmp/diff_new_pack.khUJbc/_new 2022-01-29 20:57:41.624419944 +0100 @@ -1,7 +1,7 @@ <services> <service name="tar_scm" mode="disabled"> <param name="versionformat">@PARENT_TAG@</param> - <param name="revision">refs/tags/v6.2.1</param> + <param name="revision">refs/tags/v6.3.0</param> <param name="url">https://github.com/keylime/keylime.git</param> <param name="scm">git</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.khUJbc/_old 2022-01-29 20:57:41.644419815 +0100 +++ /var/tmp/diff_new_pack.khUJbc/_new 2022-01-29 20:57:41.648419788 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/keylime/keylime.git</param> - <param name="changesrevision">53b47c5cfa29023138abe24e5464a3a7e24089d6</param></service></servicedata> + <param name="changesrevision">d37c406e69cb6689baa2fb7964bad75209703724</param></service></servicedata> (No newline at EOF) ++++++ config-libefivars.diff ++++++ --- /var/tmp/diff_new_pack.khUJbc/_old 2022-01-29 20:57:41.656419737 +0100 +++ /var/tmp/diff_new_pack.khUJbc/_new 2022-01-29 20:57:41.660419710 +0100 @@ -1,8 +1,8 @@ -Index: keylime-v6.2.1/keylime/config.py +Index: keylime-v6.3.0/keylime/config.py =================================================================== ---- keylime-v6.2.1.orig/keylime/config.py -+++ keylime-v6.2.1/keylime/config.py -@@ -310,7 +310,7 @@ MEASUREDBOOT_ML = '/sys/kernel/security/ +--- keylime-v6.3.0.orig/keylime/config.py ++++ keylime-v6.3.0/keylime/config.py +@@ -194,7 +194,7 @@ MEASUREDBOOT_ML = '/sys/kernel/security/ MEASUREDBOOT_IMPORTS = get_config().get('cloud_verifier', 'measured_boot_imports', fallback='').split(',') MEASUREDBOOT_POLICYNAME = get_config().get('cloud_verifier', 'measured_boot_policy_name', fallback='accept-all') ++++++ keylime-v6.2.1.tar.xz -> keylime-v6.3.0.tar.xz ++++++ /work/SRC/openSUSE:Factory/keylime/keylime-v6.2.1.tar.xz /work/SRC/openSUSE:Factory/.keylime.new.1898/keylime-v6.3.0.tar.xz differ: char 15, line 1 ++++++ keylime.conf.diff ++++++ --- /var/tmp/diff_new_pack.khUJbc/_old 2022-01-29 20:57:41.696419477 +0100 +++ /var/tmp/diff_new_pack.khUJbc/_new 2022-01-29 20:57:41.700419451 +0100 @@ -1,7 +1,7 @@ -Index: keylime-v6.2.1/keylime.conf +Index: keylime-v6.3.0/keylime.conf =================================================================== ---- keylime-v6.2.1.orig/keylime.conf -+++ keylime-v6.2.1/keylime.conf +--- keylime-v6.3.0.orig/keylime.conf ++++ keylime-v6.3.0/keylime.conf 
@@ -12,11 +12,13 @@ tls_check_hostnames = False # Valid values are "cfssl" or "openssl". For cfssl to work, you must have the # go binary installed in your path or in /usr/local/. @@ -10,8 +10,8 @@ +# ca_implementation = openssl +ca_implementation = cfssl - # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive - # revocation events from the verifier. + # The address and port of the revocation notifier service on the verifier from + # which either the cloud_agent or keylime_ca receive revocation events. -receive_revocation_ip = 127.0.0.1 +# receive_revocation_ip = 127.0.0.1 +receive_revocation_ip = <REMOTE_IP> @@ -38,17 +38,7 @@ registrar_port = 8890 # The name of the RSA key that Keylime should use for protecting shares of U/V. -@@ -62,7 +66,8 @@ tpm_ownerpassword = keylime - # After decryption, the archive will be unzipped to a directory in /var/lib/keylime/secure. - # Note: the limits on the size of the tmpfs partition set above with the 'secure_size' - # option will affect this. --extract_payload_zip = True -+# extract_payload_zip = True -+extract_payload_zip = False - - # The agent's UUID. - # Set to "openstack", it will try to get the UUID from the metadata service. -@@ -73,7 +78,8 @@ extract_payload_zip = True +@@ -81,7 +85,8 @@ extract_payload_zip = True # 'dmidecode -s system-uuid'. # If you set this to "hostname", Keylime will use the full qualified domain # name of current host as the agent id. @@ -58,7 +48,7 @@ # Whether to listen for revocation notifications from the verifier or not. listen_notfications = True -@@ -137,7 +143,8 @@ ek_handle = generate +@@ -147,7 +152,8 @@ ek_handle = generate cloudverifier_id = default # The IP address and port of verifier server binds to 
@@ -68,8 +58,8 @@ cloudverifier_port = 8881 # The address and port of registrar server that verifier communicates with -@@ -250,7 +257,8 @@ revocation_notifier = True - # The revocation notifier IP address and port used to start the revocation service. +@@ -266,7 +272,8 @@ revocation_notifier = True + # The binding address and port of the revocation notifier service. # If the 'revocation_notifier' option is set to "true", then the verifier # automatically starts the revocation service. -revocation_notifier_ip = 127.0.0.1 @@ -78,7 +68,7 @@ revocation_notifier_port = 8992 # Enable revocation notifications via webhook. This can be used to notify other -@@ -377,10 +385,12 @@ max_payload_size = 1048576 +@@ -400,10 +407,12 @@ max_payload_size = 1048576 # and SHA-512). # Note that you can't set a policy on PCR10 and PCR16 because Keylime uses # them internally. @@ -93,7 +83,7 @@ # Specify the file containing allowlists for processing Linux IMA measurements # this file is used if tenant provides "default" as the allowlist file -@@ -432,7 +442,8 @@ max_retries = 10 +@@ -455,7 +464,8 @@ max_retries = 10 # might provide a signed list of EK public key hashes. Then you could write # an ek_check_script that checks the signature of the allowlist and then # compares the hash of the given EK with the allowlist. @@ -103,7 +93,7 @@ # Optional script to execute to check the EK and/or EK certificate against a # allowlist or any other additional EK processing you want to do. Runs in -@@ -458,7 +469,8 @@ ek_check_script= +@@ -481,7 +491,8 @@ ek_check_script= # The registrar's IP address and port used to communicate with other services # as well as the bind address for the registrar server. ++++++ version.diff ++++++ --- /var/tmp/diff_new_pack.khUJbc/_old 2022-01-29 20:57:41.716419348 +0100 +++ /var/tmp/diff_new_pack.khUJbc/_new 2022-01-29 20:57:41.720419321 +0100 
@@ -1,7 +1,7 @@ -Index: keylime-v6.2.1/setup.py +Index: keylime-v6.3.0/setup.py =================================================================== ---- keylime-v6.2.1.orig/setup.py -+++ keylime-v6.2.1/setup.py +--- keylime-v6.3.0.orig/setup.py ++++ keylime-v6.3.0/setup.py @@ -13,6 +13,7 @@ setuptools.setup( description=( 'TPM-based key bootstrapping and system '
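Review bot: the keylime.changes hunk (`@@ -1,0 +2,106 @@`) records the three dropped 0001-*.patch files and the upstream v6.3.0 changes, but it says nothing about the keylime.conf.diff refresh that is part of the same submission, where an openSUSE-specific config override is removed rather than just re-based. For a coordinated CVE update the changelog should also state what changed in the packaged configuration, otherwise nobody reading the changes file can tell that the shipped keylime.conf behaves differently from the previous release. Also a typo in the first line of the entry: "beacuse" should be "because".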
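Review bot: in the `@@ -38,17 +38,7 @@` hunk of keylime.conf.diff, the refreshed patch deletes the whole sub-hunk that used to change `extract_payload_zip = True` into `extract_payload_zip = False` (the `-` lines from `-@@ -62,7 +66,8 @@ tpm_ownerpassword = keylime` down to `-# Set to "openstack", it will try to get the UUID from the metadata service.`), and the replacement header `+@@ -81,7 +85,8 @@ extract_payload_zip = True` confirms the upstream file still carries `True` at that point. The packaged keylime.conf will therefore fall back to upstream's behaviour of unzipping a delivered payload into /var/lib/keylime/secure, which the package had deliberately disabled. If dropping the override was intentional (for example because of the upstream "agent: fix payload execution" change listed in the changelog), say so in keylime.changes; if it was lost during the rebase, restore the sub-hunk at its new offset.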
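Review bot: the `@@ -38,12 +38,6 @@` hunk of keylime.spec removes only the `Patch4`, `Patch5` and `Patch6` declarations; the diff does not show the %prep section, so if the spec applies patches with explicit `%patch4 -p1` style lines rather than `%autosetup`, those lines must be removed as well or the build breaks. Worth a quick check before accepting, since a failed build on a security update delays the CVE fixes listed in the changelog.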
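Review bot: the `_service` hunk pins the checkout to the tag `refs/tags/v6.3.0` while `_servicedata` records the resolved commit `d37c406e69cb6689baa2fb7964bad75209703724`. A tag can be moved upstream, so for a release that ships fixes for six CVEs it is useful to have the commit id visible in keylime.changes too (or to pin `revision` to the commit hash directly) so that the tarball keylime-v6.3.0.tar.xz can be reproduced from the recorded source later.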