FEDORA-2018-2299cfb708

security update in Fedora 27 for keycloak-httpd-client-install

Status: stable 2 years ago

Security fix for CVE-2017-15111, CVE-2017-15112

Two minor security issues were discovered and assigned CVEs. CVE-2017-15112 concerns the ability to pass a password on the command line, where it could be exposed. That option has been deprecated; see the man page for the other ways to pass the password. CVE-2017-15111 corrects the default location of a log file when the low-level utilities are run directly: the log file had been placed in /tmp, where a symbolic link could be created pointing to another file. The risk from CVE-2017-15111 is very low, as this feature is seldom used and is mostly for developers.
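The two fixes described above, shown as an added Python example for illustration; this is not the package's own code. The log file is opened with O_NOFOLLOW and checked with fstat so that a pre-created symlink in a shared directory is refused rather than followed, and the admin password is taken from a file, an environment variable or an interactive prompt before the deprecated command-line value is considered. The function names, the environment variable KEYCLOAK_ADMIN_PASSWORD and the per-user log directory are assumptions, not identifiers from the package.

```python
import errno
import getpass
import os
import stat
import tempfile
import warnings


class UnsafeLogPath(Exception):
    """Raised when the requested log path is not a regular file owned by us."""


def default_log_dir():
    """Per-user, non-world-writable log directory instead of the shared /tmp.

    Assumed location (illustrative, not the package's actual default).
    """
    base = os.environ.get("XDG_STATE_HOME") or os.path.join(
        os.path.expanduser("~"), ".local", "state")
    path = os.path.join(base, "keycloak-httpd-client-install")
    os.makedirs(path, mode=0o700, exist_ok=True)
    return path


def open_log_file(path):
    """Open the log for appending without following a symbolic link.

    In a world-writable directory such as /tmp another local user can
    pre-create the log name as a symlink to a file we own; a plain open()
    would follow it and write the log into that file. O_NOFOLLOW makes the
    kernel fail the open instead (ELOOP on Linux, EMLINK on FreeBSD), and
    the fstat checks reject hard links and files owned by someone else.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise UnsafeLogPath(f"{path} is a symbolic link; refusing to use it") from exc
        raise
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or st.st_uid != os.geteuid():
        os.close(fd)
        raise UnsafeLogPath(f"{path} is not a regular file owned by this user")
    return os.fdopen(fd, "a")


def resolve_admin_password(cli_password=None, password_file=None,
                           env=None, prompt=getpass.getpass):
    """Return the admin password, preferring sources that never appear in argv.

    KEYCLOAK_ADMIN_PASSWORD is an assumed variable name for this example.
    """
    env = os.environ if env is None else env
    if password_file is not None:
        with open(password_file) as fh:
            return fh.readline().rstrip("\n")
    if "KEYCLOAK_ADMIN_PASSWORD" in env:
        return env["KEYCLOAK_ADMIN_PASSWORD"]
    if cli_password is not None:
        warnings.warn("passing the password on the command line is deprecated; "
                      "it is visible to other users via the process list",
                      DeprecationWarning)
        return cli_password
    return prompt("Admin password: ")


def demo_symlink_rejection():
    """Constructed scenario in a scratch directory.

    Returns (symlink_rejected_and_target_untouched, regular_file_ok).
    """
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("original contents\n")
        link = os.path.join(tmp, "install.log")
        os.symlink(victim, link)  # the pre-created link an attacker would plant
        try:
            open_log_file(link)
            rejected = False
        except UnsafeLogPath:
            rejected = True
        with open(victim) as fh:
            untouched = fh.read() == "original contents\n"
        safe = os.path.join(tmp, "safe.log")
        with open_log_file(safe) as log:
            log.write("hello\n")
        with open(safe) as fh:
            regular_ok = fh.read() == "hello\n"
    return rejected and untouched, regular_ok


if __name__ == "__main__":
    print(demo_symlink_rejection())
```

The ordering in resolve_admin_password matters: a value supplied through a file or the environment wins even when the deprecated -p/--admin-password option is also present, so scripts that have already migrated are never silently downgraded.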

Comments 7

This update has been submitted for testing by jdennis.

This update has been pushed to testing.

jdennis edited this update.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

This update has been submitted for batched by jdennis.

This update has been submitted for stable by jdennis.

This update has been pushed to stable.


Content Type: RPM
Status: stable
Test Gating:
Submitted by: jdennis
Update Type: security
Update Severity: low
Karma: 0 (stable threshold: 3, unstable threshold: -3)
Autopush (karma): Enabled
Autopush (time): Disabled
Dates: submitted 2 years ago; in testing 2 years ago; in stable 2 years ago; modified 2 years ago

Related Bugs 4

#1511623 CVE-2017-15111 keycloak-httpd-client-install: unsafe /tmp log file in --log-file option in keycloak_cli.py
#1511626 CVE-2017-15112 keycloak-httpd-client-install: unsafe use of -p/--admin-password on command line
#1531296 CVE-2017-15111 keycloak-httpd-client-install: unsafe /tmp log file in --log-file option in keycloak_cli.py [fedora-all]
#1531307 CVE-2017-15112 keycloak-httpd-client-install: unsafe use of -p/--admin-password on command line [fedora-all]
