diff --git a/keylime-agent-rust.spec b/keylime-agent-rust.spec
index f902f3e..bc2b6df 100644
--- a/keylime-agent-rust.spec
+++ b/keylime-agent-rust.spec
@@ -59,6 +59,9 @@ Source1: rust-keylime-%{version}-vendor.tar.xz
 Patch0: rust-keylime-enable-logging-keylime-lib.patch
 # Drop completely the legacy-python-actions feature
 Patch1: rust-keylime-metadata.patch
+# Update to openssl 0.10.70 to fix CVE-2025-24898
+# Patch from https://github.com/keylime/rust-keylime/pull/926
+Patch2: rust-keylime-openssl-0.10.70.patch
 ## (100-199) Patches for building from system Rust libraries (Fedora)
 ## (200+) Patches for building from vendored Rust libraries (RHEL)
diff --git a/rust-keylime-openssl-0.10.70.patch b/rust-keylime-openssl-0.10.70.patch
new file mode 100644
index 0000000..3e695f7
--- /dev/null
+++ b/rust-keylime-openssl-0.10.70.patch
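Review bot: The comment above `Patch2` does not say that the patch changes only `Cargo.lock`, so the CVE-2025-24898 fix reaches the built agent only through the regenerated `Source1` vendor tarball. The `sources` hunk replaces the SHA512 of `rust-keylime-0.2.7-vendor.tar.xz` under an unchanged filename, and nothing in the commit ties the new archive to the patched lockfile. I would add a line such as `# Lockfile-only patch: Source1 must be regenerated so the vendored openssl is 0.10.70 and openssl-sys is 0.9.105`, and confirm during review that the vendored crate versions match the checksums in the patched `Cargo.lock`. The numbering comments after the added lines suggest 200+ is meant for vendored-build patches, so it is worth confirming that slot 2 is intended for a change that presumably matters only to vendored builds.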
@@ -0,0 +1,62 @@
+From 6087804c15b16a1456a191ccea25acec7a3f7fc0 Mon Sep 17 00:00:00 2001
+From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
+Date: Tue, 4 Feb 2025 09:55:03 +0000
+Subject: [PATCH] build(deps): bump openssl from 0.10.68 to 0.10.70
+
+Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.68 to 0.10.70.
+- [Release notes](https://github.com/sfackler/rust-openssl/releases)
+- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.68...openssl-v0.10.70)
+
+---
+updated-dependencies:
+- dependency-name: openssl
+ dependency-type: direct:production
+...
+
+Signed-off-by: dependabot[bot]
+---
+ Cargo.lock | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/Cargo.lock b/Cargo.lock
+index 6cf79ea7..4c0ac1e6 100644
+--- a/Cargo.lock
++++ b/Cargo.lock
+@@ -1387,9 +1387,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
+
+ [[package]]
+ name = "openssl"
+-version = "0.10.68"
++version = "0.10.70"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5"
++checksum = "61cfb4e166a8bb8c9b55c500bc2308550148ece889be90f609377e58140f42c6"
+ dependencies = [
+ "bitflags 2.4.0",
+ "cfg-if",
+@@ -1402,20 +1402,20 @@ dependencies = [
+
+ [[package]]
+ name = "openssl-macros"
+-version = "0.1.0"
++version = "0.1.1"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "b501e44f11665960c7e7fcf062c7d96a14ade4aa98116c004b2e37b5be7d736c"
++checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+ dependencies = [
+ "proc-macro2",
+ "quote",
+- "syn 1.0.100",
++ "syn 2.0.90",
+ ]
+
+ [[package]]
+ name = "openssl-sys"
+-version = "0.9.104"
++version = "0.9.105"
+ source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741"
++checksum =
"8b22d5b84be05a8d6947c7cb71f7c849aa0f112acd4bf51c2a7c1c988ac0a9dc"
+ dependencies = [
+ "cc",
+ "libc",
diff --git a/sources b/sources
index 35b1662..685f51a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (rust-keylime-0.2.7-vendor.tar.xz) = 0359a2f95b6325f1cdcf24b54efb26d3cadff31e0a83c065cbca09cdfb5877a836364d68e9208eee498f41bc609b7312ff487fee923593e6af07201084a2b3e7
+SHA512 (rust-keylime-0.2.7-vendor.tar.xz) = 1b014fdede3e945ab37e38de62737d90d1a4f7e95379e00d039bbfc68b73e1bcedccea37d81326bd02b18a43bff150f378d090639047bcea88f3689472942512
 SHA512 (v0.2.7.tar.gz) = 6a9f4e581aa49c8be1599d235a54c6a65d0f45340ef37c3d08124b75c4c5ca2b8467dc00cac8dfae5402b5690bb90fe69a994770fe2715de6e9d4070dabebb7d