Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked in at 2026-05-14 21:42:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and      /work/SRC/openSUSE:Factory/.keylime.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "keylime" Thu May 14 21:42:13 2026 rev:54 rq:1353040 version:7.14.2 Changes: -------- --- /work/SRC/openSUSE:Factory/keylime/keylime.changes 2026-02-19 14:19:47.753825123 +0100 +++ /work/SRC/openSUSE:Factory/.keylime.new.1966/keylime.changes 2026-05-14 21:42:53.482438338 +0200 
@@ -1,0 +2,73 @@ +Wed May 13 12:38:53 UTC 2026 - [email protected] + +- Update to version 7.14.2 (CVE-2026-6420, bsc#1264265): + * Bump to version 7.14.2 + * verifier: Fix hardcoded attestation challenge nonce (CVE-2026-6420) + * verifier: Extend TOCTOU race guard to TENANT_FAILED state + * test: Add unit tests for _complete_deletion_if_terminated + * verifier: Fix pyright reportArgumentType for mtls_cert + * verifier: Fix TOCTOU race in process_agent state writes + * docs: address wildcard bind feedback, document 0.0.0.0 / :: instead of * + * Document verifier wildcard bind address + * Place attestation fields in correct API version docs + * Add attestation_status, attestation_period, maximum_attestation_interval + * verifier: Fix type error in mtls_cert guard + * ci: Replace /var/run/dbus with /run/dbus in test wrapper + * installer: Replace /var/run/keylime with /run/keylime + * Replace /var/run/keylime with /run/keylime in Python code + * shared_data: Remove log calls from cleanup + * shared_data: Use temp dir when /var/run/keylime/ is not usable + * [Automatic] Update Keylime base image 2026-05-04 + * [Automatic] Update Keylime base image 2026-05-01 + * installer: Add tmpfiles.d config for all keylime directories + * shared_data: Move SyncManager socket to /var/run/keylime/ + * test: Support test execution for installed package + * timestamp: Fix timezone handling in Unix timestamp conversion + * shared_data: Ignore SIGTERM and SIGINT on Manager and parent processes + * verifier: Cancel pending poll timer on agent stop + * test: Add tests for pending-event and attestation storage + * verifier: Prevent race condition when deleting agent + * verifier: Replace assert with proper error handling + * json: Suppress mypy call-overload false positive + * Switch from CA organization of MITLL to Keylime + * [Automatic] Update Keylime base image 2026-04-01 + * Add unit tests for shutdown coordination and drain logic + * Add graceful shutdown and lifecycle hooks to new 
Server architecture + * Cancel pending retries and drain in-flight work on verifier shutdown + * Add shutdown coordination module + * Fix SharedDataManager cleanup crash in forked worker processes + * docs: Add tables with push-attestation configuration options + * templates: Sync agent config options with keylime-agent.conf + * templates: Remove unused ima_ml_count_file option + * Remove enable_authentication agent config option + * fix(mem leak) - remove unbounded functools.cache from latest_attestation + * fix: Add fork-safety to DBManager via dispose() + * fix: Check active flag in _extract_identity and guard receive_pop + * db: Clean up scoped session after each request + * refactor: Remove dead code AuthSession.authenticate_agent() + * Align black configuration between tox and pre-commit + * Fix linter errors in PersistableModel.get() and .all() + * Fix race condition on in SessionManager + * Address some improvements from code review + * Include thread-safe session management + * Close DB sessions to prevent connection exhaustion + * docs: Add v3.0 registrar API reference and changelog entry + * tests: Add unit tests for v3 registrar routes and VersionController + * registrar: Add routes for API version 3.0 + * [Automatic] Update Keylime base image 2026-03-02 + * [Automatic] Update Keylime base image 2026-03-01 + * Document agent-driven (push) attestation + * fix misspelling of overridden (#1856) + * web: fix typo in base/route.py + * Bump to version 7.14.1 + * ca: Add Subject Alternative Names to the certificates + * config: move push-mode options to [verifier] section in template + * packit: Add missing tests + * Fix session_lifetime default to prevent immediate token expiry + * migrations: Fix migration to drop invalid sessions + * tenant: Only negotiate API version v2.x + * Fix leftover formatting issues + * tests: fix measured boot tests to skip when efivarlibs is missing + * tests: fix setup-rpm-tests to define _topdir + 
+------------------------------------------------------------------- Old: ---- keylime-7.14.0.tar.xz New: ---- keylime-7.14.2.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ keylime.spec ++++++ --- /var/tmp/diff_new_pack.er36gh/_old 2026-05-14 21:42:54.190467381 +0200 +++ /var/tmp/diff_new_pack.er36gh/_new 2026-05-14 21:42:54.194467545 +0200 @@ -31,7 +31,7 @@ %endif %{?sle15_python_module_pythons} Name: keylime -Version: 7.14.0 +Version: 7.14.2 Release: 0 Summary: Open source TPM software for Bootstrapping and Maintaining Trust License: Apache-2.0 AND MIT AND BSD-3-Clause ++++++ _service ++++++ --- /var/tmp/diff_new_pack.er36gh/_old 2026-05-14 21:42:54.242469515 +0200 +++ /var/tmp/diff_new_pack.er36gh/_new 2026-05-14 21:42:54.246469679 +0200 @@ -4,7 +4,7 @@ <!-- <param name="versionformat">@PARENT_TAG@</param> --> <param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param> <param name="scm">git</param> - <param name="revision">v7.14.0</param> + <param name="revision">v7.14.2</param> <param name="match-tag">*</param> <param name="versionrewrite-pattern">(v)?([^+]+)(\+0)?(\+[1-9][0-9]*)?</param> <param name="versionrewrite-replacement">\2\4</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.er36gh/_old 2026-05-14 21:42:54.270470663 +0200 +++ /var/tmp/diff_new_pack.er36gh/_new 2026-05-14 21:42:54.274470827 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/keylime/keylime.git</param> - <param name="changesrevision">fc5f04c145beb9c57b12862fd22e8d3bf47fb501</param></service></servicedata> + <param name="changesrevision">9ecfa74ae10953d33e0cd88c4752232b1eca7202</param></service></servicedata> (No newline at EOF) ++++++ keylime-7.14.0.tar.xz -> keylime-7.14.2.tar.xz ++++++ /work/SRC/openSUSE:Factory/keylime/keylime-7.14.0.tar.xz /work/SRC/openSUSE:Factory/.keylime.new.1966/keylime-7.14.2.tar.xz differ: char 15, line 1 ++++++ keylime.obsinfo ++++++ --- /var/tmp/diff_new_pack.er36gh/_old 2026-05-14 21:42:54.346473781 +0200 +++ /var/tmp/diff_new_pack.er36gh/_new 2026-05-14 21:42:54.350473945 +0200 @@ -1,5 +1,5 @@ name: keylime -version: 7.14.0 -mtime: 1770414231 -commit: fc5f04c145beb9c57b12862fd22e8d3bf47fb501 +version: 7.14.2 +mtime: 1778082075 +commit: 9ecfa74ae10953d33e0cd88c4752232b1eca7202 ++++++ registrar.conf.diff ++++++ --- /var/tmp/diff_new_pack.er36gh/_old 2026-05-14 21:42:54.386475422 +0200 +++ /var/tmp/diff_new_pack.er36gh/_new 2026-05-14 21:42:54.390475586 +0200 @@ -1,9 +1,7 @@ -diff --git i/registrar.conf w/registrar.conf -index 19348f6..683cc40 100644 ---- i/registrar.conf -+++ w/registrar.conf +--- registrar.conf.ORIG 2026-05-13 15:15:01.358923479 +0200 ++++ registrar.conf 2026-05-13 15:16:51.193706632 +0200 @@ -5,7 +5,8 @@ - version = 2.5 + version = 2.6 # The binding address and port for the registrar server -ip = "127.0.0.1" ++++++ tenant.conf.diff ++++++ --- /var/tmp/diff_new_pack.er36gh/_old 2026-05-14 21:42:54.402476078 +0200 +++ /var/tmp/diff_new_pack.er36gh/_new 2026-05-14 21:42:54.406476242 +0200 
@@ -1,8 +1,6 @@ -diff --git a/config/tenant.conf b/config/tenant.conf -index 717f686..7cf5a49 100644 ---- a/config/tenant.conf -+++ b/config/tenant.conf -@@ -106,7 +106,8 @@ request_timeout = 60 +--- tenant.conf.ORIG 2026-05-13 15:15:10.299081972 +0200 ++++ tenant.conf 2026-05-13 15:18:47.490002713 +0200 +@@ -106,7 +106,8 @@ # might provide a signed list of EK public key hashes. Then you could write # an ek_check_script that checks the signature of the allowlist and then # compares the hash of the given EK with the allowlist. ++++++ verifier.conf.diff ++++++ --- /var/tmp/diff_new_pack.er36gh/_old 2026-05-14 21:42:54.430477227 +0200 +++ /var/tmp/diff_new_pack.er36gh/_new 2026-05-14 21:42:54.434477390 +0200 @@ -1,18 +1,16 @@ -diff --git a/config/verifier.conf b/config/verifier.conf -index b1655f5..1c1b12b 100644 ---- a/config/verifier.conf -+++ b/config/verifier.conf -@@ -8,7 +8,8 @@ version = 2.4 - uuid = default - - # The binding address and port for the verifier server +--- verifier.conf.ORIG 2026-05-13 15:15:20.416693445 +0200 ++++ verifier.conf 2026-05-13 15:18:06.361780870 +0200 +@@ -10,7 +10,8 @@ + # The binding address and port for the verifier server. Use a specific address + # to bind one interface, "0.0.0.0" to listen on all IPv4 interfaces, or "::" + # to listen on all IPv6 interfaces (also accepts IPv4 on dual-stack hosts). -ip = "127.0.0.1" +# ip = "127.0.0.1" +ip = "0.0.0.0" port = 8881 # The address and port of registrar server that the verifier communicates with -@@ -245,7 +246,8 @@ require_allow_list_signatures = False +@@ -345,7 +346,8 @@ enabled_revocation_notifications = ['agent'] # The binding address and port of the revocation notifier service via ZeroMQ.
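Review bot: In verifier.conf.diff, the first hunk (@@ -10,7 +10,8 @@) still replaces the upstream default ip = "127.0.0.1" with ip = "0.0.0.0", so the packaged verifier listens on port 8881 on every IPv4 interface out of the box, and neither the patch nor the keylime.changes entry states why the package departs from the loopback default. The upstream comment now carried as context describes "0.0.0.0" as IPv4-only and "::" as the dual-stack choice, so please either add a short justification above the +ip line (and say which address families are intended) or keep the loopback value and leave the wildcard as the commented-out alternative.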
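Review bot: The new keylime.changes entry (@@ -1,0 +2,73 @@) lists only the upstream commit log and does not mention that registrar.conf.diff, tenant.conf.diff and verifier.conf.diff were regenerated in this submission (git-style headers replaced by .ORIG headers, hunk offsets moved, registrar context changed from version = 2.5 to version = 2.6). Add a line such as "- Refresh registrar.conf.diff, tenant.conf.diff and verifier.conf.diff" so that the change to the downstream config patches can be traced from the changelog.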
