Security fix for CVE-2017-15111, CVE-2017-15112

Two minor security issues were discovered and were assigned CVE's. CVE-2017-15112 concerns the ability to pass a password on the command line where it could be exposed. That option has been deprecated. See the man page for multiple ways to pass the password. CVE-2017-15111 corrects the default location of a log file when running the low level utilities directly, it had placed the log file in /tmp where a symbolic link could be created pointing to another file. The risk with CVE-2017-15111 is very low as this feature is seldom used, it's mostly for developers.

How to install

sudo dnf upgrade --advisory=FEDORA-2018-2299cfb708

This update has been submitted for testing by jdennis.

2 years ago

This update has been pushed to testing.

2 years ago

jdennis edited this update.

2 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

2 years ago

This update has been submitted for batched by jdennis.

2 years ago

This update has been submitted for stable by jdennis.

2 years ago

This update has been pushed to stable.

2 years ago

Please login to add feedback.

Metadata
Type
security
Severity
low
Karma
0
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Dates
submitted
2 years ago
in testing
2 years ago
in stable
2 years ago
modified
2 years ago
BZ#1511623 CVE-2017-15111 keycloak-httpd-client-install: unsafe /tmp log file in --log-file option in keycloak_cli.py
0
0
BZ#1511626 CVE-2017-15112 keycloak-httpd-client-install: unsafe use of -p/--admin-password on command line
0
0
BZ#1531296 CVE-2017-15111 keycloak-httpd-client-install: unsafe /tmp log file in --log-file option in keycloak_cli.py [fedora-all]
0
0
BZ#1531307 CVE-2017-15112 keycloak-httpd-client-install: unsafe use of -p/--admin-password on command line [fedora-all]
0
0

Automated Test Results