
Fedora 27: Security Update for Keycloak-Httpd-Client-Install - Log Risk

fedora
January 18, 2018
A security update for Fedora 27's keycloak-httpd-client-install addresses two minor issues: the admin password could be passed on the command line, where it is visible to other local users (CVE-2017-15112), and the low-level utilities wrote their log file to a predictable path in /tmp, where a symbolic link could redirect the write (CVE-2017-15111).

Summary

Keycloak is a federated Identity Provider (IdP). Apache HTTPD supports a variety of authentication modules which can be configured to utilize a Keycloak IdP to perform authentication. This package contains libraries and tools which can automate and simplify configuring an Apache HTTPD authentication module and registering as a client of a Keycloak IdP.

Security fix for CVE-2017-15111, CVE-2017-15112

Two minor security issues were discovered and were assigned CVEs. CVE-2017-15112 concerns the ability to pass the admin password on the command line (-p/--admin-password), where it is exposed to any local user who can read the process list (ps, /proc/<pid>/cmdline) and is also left in the shell history. That option has been deprecated; see the man page for the supported ways to pass the password.

CVE-2017-15111 corrects the default location of the log file when running the low-level utilities directly (the --log-file option of keycloak_cli.py). It had placed the log file in /tmp, a world-writable directory where another local user can pre-create a symbolic link at the predictable file name, so that the log output is written to whatever file the link points at, with the privileges of the user running the tool. The risk with CVE-2017-15111 is very low as this feature is seldom used; it is mostly for developers.
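The two weaknesses above are generic patterns, so here is an added example (not code from the keycloak-httpd-client-install package) that reproduces the CVE-2017-15111 symlink redirect against a predictable log path and shows the hardened opener beside it, together with a password resolver that refuses the CVE-2017-15112 command-line path. The environment variable name KEYCLOAK_ADMIN_PASSWORD, the per-user state directory used as the default log location, and the function names are assumptions for illustration; the advisory itself only says the -p option is deprecated and that the man page lists the alternatives.

```python
import getpass
import os
import stat
import tempfile

# --- CVE-2017-15111 pattern: log file at a predictable, world-writable path ---

def unsafe_open_log(path):
    """Pre-fix behaviour: a plain open() follows whatever symlink another local
    user planted at the predictable path, so log lines land in the link target,
    created or appended to with the privileges of the user running the tool."""
    return open(path, "a")


def default_log_path(name="keycloak-httpd-client-install.log", base=None):
    """Hypothetical hardened default: a private per-user state directory instead
    of /tmp (XDG_STATE_HOME, else ~/.local/state). 'base' exists for testing."""
    if base is None:
        base = os.environ.get("XDG_STATE_HOME") or os.path.join(
            os.path.expanduser("~"), ".local", "state")
    os.makedirs(base, mode=0o700, exist_ok=True)
    return os.path.join(base, name)


def safe_open_log(path):
    """Open the log without following symlinks (O_NOFOLLOW), then verify on the
    descriptor we actually hold, so there is no window for a swap, that it is a
    regular file we own with no extra hard links."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError("log path is not a regular file: %s" % path)
        if st.st_uid != os.getuid():
            raise OSError("log file is owned by another user: %s" % path)
        if st.st_nlink != 1:
            raise OSError("log file has extra hard links: %s" % path)
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")


def demo_symlink_redirect(workdir):
    """Constructed scenario: the attacker pre-creates <workdir>/install.log as a
    symlink to a file of their choosing. Returns what each opener did."""
    victim = os.path.join(workdir, "victim.txt")
    link = os.path.join(workdir, "install.log")
    open(victim, "w").close()
    os.symlink(victim, link)

    with unsafe_open_log(link) as log:          # follows the link silently
        log.write("client-registration details\n")
    with open(victim) as f:
        redirected = "client-registration" in f.read()

    try:
        safe_open_log(link).close()             # O_NOFOLLOW -> ELOOP
        refused = False
    except OSError:
        refused = True
    return {"unsafe_wrote_to_victim": redirected, "safe_refused": refused}


# --- CVE-2017-15112 pattern: secret on the command line ------------------------

def resolve_admin_password(argv_password=None, password_file=None, env=None,
                           ask=getpass.getpass):
    """Replacement for -p/--admin-password. argv is readable by every local user
    via ps and /proc/<pid>/cmdline and ends up in shell history, so it is refused.
    Order of precedence: owner-only file, environment variable (hypothetical
    name; still visible to same-uid processes via /proc/<pid>/environ), prompt."""
    if argv_password is not None:
        raise ValueError("refusing password from the command line; "
                         "use a password file, the environment or the prompt")
    if password_file is not None:
        st = os.stat(password_file)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError("password file %s is group/world accessible"
                                  % password_file)
        with open(password_file) as f:
            return f.read().rstrip("\n")
    env = os.environ if env is None else env
    if env.get("KEYCLOAK_ADMIN_PASSWORD"):
        return env["KEYCLOAK_ADMIN_PASSWORD"]
    return ask("Keycloak admin password: ")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:        # stand-in for /tmp
        print(demo_symlink_redirect(d))
        pw_file = os.path.join(d, "admin.pw")
        with open(pw_file, "w") as f:
            f.write("hunter2\n")
        os.chmod(pw_file, 0o600)
        print(resolve_admin_password(password_file=pw_file))
```

The fstat checks run on the descriptor rather than on the path so they cannot be raced; the real fix in the package, per the advisory, was to move the default log location out of /tmp, which removes the attacker's ability to pre-create anything at that path in the first place.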

[ 1 ] Bug #1511626 - CVE-2017-15112 keycloak-httpd-client-install: unsafe use of -p/--admin-password on command line
https://bugzilla.redhat.com/show_bug.cgi?id=1511626
[ 2 ] Bug #1511623 - CVE-2017-15111 keycloak-httpd-client-install: unsafe /tmp log file in --log-file option in keycloak_cli.py
https://bugzilla.redhat.com/show_bug.cgi?id=1511623

This update can be installed with the dnf upgrade program. Use su -c 'dnf upgrade keycloak-httpd-client-install' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org


Severity: important

Product: Fedora 27
Version: 0.8
Release: 1.fc27
Summary: Tools to configure Apache HTTPD as Keycloak client
