stable

keycloak-httpd-client-install-0.8-1.fc27

FEDORA-2018-2299cfb708 created by jdennis 7 years ago for Fedora 27

Security fix for CVE-2017-15111, CVE-2017-15112

Two minor security issues were discovered and were assigned CVEs. CVE-2017-15112 concerns the ability to pass a password on the command line, where it could be exposed. That option has been deprecated; see the man page for multiple ways to pass the password. CVE-2017-15111 corrects the default location of a log file when running the low-level utilities directly: it had placed the log file in /tmp, where a symbolic link could be created pointing to another file. The risk with CVE-2017-15111 is very low, as this feature is seldom used; it is mostly for developers.
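The /tmp log file issue described above (CVE-2017-15111) belongs to the class where a predictable path in a shared directory is opened through a symbolic link. The Python sketch below is an added illustration, not code from keycloak-httpd-client-install or its fix: it contrasts a plain open() with an open that refuses symlinks. The function names, the file names and the temporary directory standing in for /tmp are assumptions.

```python
import errno
import os
import stat
import tempfile


def open_log_safely(path):
    """Open a log file for appending without following a symlink at `path`."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # raises ELOOP on Linux if path is a symlink
    try:
        st = os.fstat(fd)
        # Accept only a regular file that we own and that has a single name.
        ok = stat.S_ISREG(st.st_mode) and st.st_uid == os.geteuid() and st.st_nlink == 1
        if not ok:
            raise PermissionError(errno.EPERM, "refusing unsafe log file", path)
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")


def demo():
    """Return (naive_wrote_through_link, hardened_refused, target_contents)."""
    with tempfile.TemporaryDirectory() as shared:    # constructed stand-in for /tmp
        target = os.path.join(shared, "other-file")   # file the link points to
        with open(target, "w") as f:
            f.write("original\n")
        log_path = os.path.join(shared, "tool.log")   # hypothetical log file name
        os.symlink(target, log_path)                  # link already present at the log path

        # Plain open() follows the link, so the log line lands in the other file.
        with open(log_path, "a") as log:
            log.write("log line\n")
        with open(target) as f:
            naive_wrote_through_link = "log line" in f.read()

        # The hardened open is refused, so nothing more is written.
        try:
            open_log_safely(log_path).close()
            hardened_refused = False
        except OSError as exc:
            hardened_refused = exc.errno == errno.ELOOP
        with open(target) as f:
            return naive_wrote_through_link, hardened_refused, f.read()


if __name__ == "__main__":
    print(demo())
```

Keeping logs out of world-writable directories altogether, as this update does by changing the default location, removes the problem at its source; the symlink-refusing open is a second layer for cases where a caller supplies the path.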

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2018-2299cfb708

This update has been submitted for testing by jdennis.

7 years ago

This update has been pushed to testing.

7 years ago

jdennis edited this update.

7 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

7 years ago

This update has been submitted for batched by jdennis.

7 years ago

This update has been submitted for stable by jdennis.

7 years ago

This update has been pushed to stable.

7 years ago


Metadata
Type: security
Severity: low
Karma: 0
Signed
Content Type: RPM
Test Gating
Autopush Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: disabled
Dates
submitted: 7 years ago
in testing: 7 years ago
in stable: 7 years ago
modified: 7 years ago
BZ#1511623 CVE-2017-15111 keycloak-httpd-client-install: unsafe /tmp log file in --log-file option in keycloak_cli.py
BZ#1511626 CVE-2017-15112 keycloak-httpd-client-install: unsafe use of -p/--admin-password on command line
BZ#1531296 CVE-2017-15111 keycloak-httpd-client-install: unsafe /tmp log file in --log-file option in keycloak_cli.py [fedora-all]
BZ#1531307 CVE-2017-15112 keycloak-httpd-client-install: unsafe use of -p/--admin-password on command line [fedora-all]
