Safety vulnerability ID: 64650
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Keylime 7.4.0 resolves CVE-2023-38200. This vulnerability, rated as moderate, allowed a remote denial-of-service attack against Keylime's SSL connections because they were blocking. An attacker could exhaust all available connections, leading to potential service disruption.
Latest version: 7.10.0
TPM-based key bootstrapping and system integrity measurement system for cloud
What's Changed
New features and significant changes:
* (Fix for [CVE-2023-38200](https://www.cvedetails.com/cve/CVE-2023-38200/), details on this [Security Advisory](https://github.com/keylime/keylime/security/advisories/GHSA-pg75-v6fp-8q59)) Non-blocking Registrar SSL socket by flozilla in https://github.com/keylime/keylime/pull/1421
* mba: making MBA policy parser and checker pluggable by galmasi in https://github.com/keylime/keylime/pull/1410
* Several improvements for the "create_runtime_policy.sh" script by maugustosilva in https://github.com/keylime/keylime/pull/1419
* installer.sh: support Anolis OS whose ID is anolis by Jingshui1037 in https://github.com/keylime/keylime/pull/1431
Bugfixes:
* registrar_common: fix missing select and sock by aplanas in https://github.com/keylime/keylime/pull/1430
* create_runtime_policy: fix bash typo by aplanas in https://github.com/keylime/keylime/pull/1425
* tenant: non-zero exit code in case of error by maugustosilva in https://github.com/keylime/keylime/pull/1414
* Changes to script create_runtime_policy.sh, fixes 1426 by maugustosilva in https://github.com/keylime/keylime/pull/1427
Testing/CI:
* tests: Disable Packit CI on Rawhide due to infra issues by kkaarreell in https://github.com/keylime/keylime/pull/1420
Code cleanup
* tpm_util: Remove useless comparison of always identical hashes by stefanberger in https://github.com/keylime/keylime/pull/1422
* tpm_util: Replace a logger.error with an Exception in case of invalid… by stefanberger in https://github.com/keylime/keylime/pull/1423
* codestyle: Have pyright check mba/elchecking/ except for example.py by stefanberger in https://github.com/keylime/keylime/pull/1436
* codestyle: Have pyright check keylime/da directory by stefanberger in https://github.com/keylime/keylime/pull/1437
* codestyle: Fix tsa_rfc3161.py and have it pyright checked by stefanberger in https://github.com/keylime/keylime/pull/1438
Documentation
* docs: add missing options for verifier, remove vactivate by THS-on in https://github.com/keylime/keylime/pull/1432
Administrative
* tpm_util: Add the BSD license to the file due to functions from TPM 2 code by stefanberger in https://github.com/keylime/keylime/pull/1434
* Monthly release (7.4.0) by maugustosilva in https://github.com/keylime/keylime/pull/1440
New Contributors
* mheese made their first contribution in https://github.com/keylime/keylime/pull/1412
* flozilla made their first contribution in https://github.com/keylime/keylime/pull/1421
* Jingshui1037 made their first contribution in https://github.com/keylime/keylime/pull/1431
**Full Changelog**: https://github.com/keylime/keylime/compare/v7.3.0...v7.4.0